Last updated on January 20, 2025
Note: If you are looking for a way to integrate Rublon with RDS (Remote Desktop Services), refer to Rublon MFA for Remote Desktop Gateway and Rublon MFA for Remote Desktop Web Access instead.
Overview of MFA for Windows Logon and RDP
Multi-Factor Authentication (MFA) for Windows Logon and RDP is an invaluable security measure that requires users to provide two distinct pieces of authentication to gain access to a Windows machine, either locally or via RDP. In the first step, the user enters their Active Directory / RADIUS username and password for the first factor. Then, the user undergoes secondary authentication by choosing one of several verification methods such as a Mobile Push or Email Link. After both factors are successfully completed, the user is granted access to Windows. Enabling Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA) for Windows Logon and RDP significantly reduces the risk of malicious hackers gaining access to resources, even if they were to obtain the user’s login credentials.
Rublon MFA for Windows Logon and RDP is a connector that integrates with Microsoft Windows client and server operating systems to add Two-Factor Authentication (2FA) and Multi-Factor Authentication (MFA) to your Remote Desktop and local logons.
Rublon MFA for Windows Logon and RDP supports the following operating systems:
- Windows 7 SP1
- Windows 8.1 Home & Pro
- Windows 10 Home & Pro
- Windows 11 Home & Pro
- Windows 365 Cloud PC
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
Note
Rublon MFA for Windows supports all editions of Windows Server, including Windows Server Essentials.
Rublon MFA for Windows supports both GUI and core (Windows Server Core) installs.
Note
Rublon MFA for Windows supports Windows 365 Cloud PC.
Note
Rublon MFA for Windows does not support ARM processors.
How does Rublon MFA for Windows Logon and RDP work?
Rublon MFA for Windows Logon and RDP is a connector that adds an additional step of authentication to your everyday log-in flow. Just like the name suggests, this connector works both for Windows Logon and RDP. As a result, you can use the connector for:
- Only RDP logons
- Both local Windows logons and RDP logons
Network Diagrams
The following diagram shows a successful authentication process for RDP logon. Rublon Multi-Factor Authentication for Windows Logon and RDP works exactly the same when logging in to a local Windows machine.

1. Initialize RDP connection.
2. Perform primary authentication against your authentication source.
3. Establish a connection to Rublon API.
4. Perform secondary authentication using one of the authentication methods.
5. Receive a success response.
6. Log in the user.
The following diagram portrays an RDP login flow along with the names of protocols used in each part of the transaction.

Supported Authentication Methods
Authentication Method | Supported | Comments |
Mobile Push | ✔ | N/A |
WebAuthn/U2F Security Key | ✔ | RDP Only |
Passcode | ✔ | N/A |
SMS Passcode | ✔ | N/A |
SMS Link | ✔ | N/A |
Phone Call | ✔ | N/A |
QR Code | ✔ | N/A |
Email Link | ✔ | N/A |
YubiKey OTP Security Key | ✔ | N/A |
Supported Account Types
Rublon Multi-Factor Authentication for Windows Logon and RDP is not an identity provider (IdP). Rublon MFA for Windows Logon and RDP is a connector that validates credentials provided by a user against an existing authentication source, e.g., Active Directory.
Rublon MFA for Windows Logon and RDP supports the following authentication sources:
- Workgroup Accounts (Local Users)
- Microsoft Active Directory Accounts (Domain Accounts, including Entra ID (Azure AD) and Active Directory Protected Users)
- Microsoft (Live) Accounts (Rublon MFA authentication when logging into Windows with a Microsoft account; this includes support for Windows Hello. For example, after entering the Windows Hello PIN, the user must authenticate using Rublon MFA)
- Google Workspace Accounts (Rublon MFA authentication when logging into Windows with a Google account)
Rublon MFA for Windows Logon and RDP supports Microsoft Active Directory, but Microsoft Active Directory is not required. You can use Workgroup Accounts instead.
Your Windows endpoints can be physical or virtual machines (VM). The MFA for Windows connector also supports connections via RDP done using RMM solutions like Datto RMM, N-central RMM, and more.
Basic User Identification
Starting from Windows Logon and RDP 3.0.0, Rublon identifies users by their usernames.
Note that you can enable username normalization to make Rublon treat usernames in different forms (e.g., with an appended domain) as the same user.
Before You Start
You must complete the following steps before installing the Rublon MFA for Windows Logon & RDP connector if your system is listed below. If your system is not listed, you can proceed directly to the Pre-Installation Steps section.
Prerequisites for Windows Server 2008 R2
- Open the Server Manager (SrvMgr.exe) and select Features → Add Features. Then check Desktop Experience, click Install, and restart your PC after the installation completes
- Enable 3D acceleration for Virtual Box
- Enable TLS 1.2:
  - Open the registry editor by typing regedit in the Run dialog box (Win + R).
  - Navigate to the following path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2.
  - Under the TLS 1.2 key, create two new keys if they do not already exist: Client and Server. These keys control the use of TLS 1.2 on the client and server, respectively.
  - Inside both the Client and Server keys, create a new DWORD value named DisabledByDefault and set it to 0. This is a flag to disable TLS 1.2 by default. Setting this flag to 0 will enable TLS 1.2 by default.
  - Inside Client and Server, create another DWORD value named Enabled and set it to 1. This is a flag that controls whether TLS 1.2 is allowed to be used. Setting this flag to 1 will allow the use of TLS 1.2.
- Install Microsoft .NET Framework >=4.5 from the Microsoft Download Center (Note: WMF 4.0 requires Microsoft .NET Framework >=4.5)
- Get PowerShell 4.0 by downloading and installing WMF 4.0 (Windows6.1-KB2819745-x64-MultiPkg.msu) (Note: WMF 4.0 includes PowerShell 4.0)
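The TLS 1.2 registry steps above, scripted as an added example that is not part of the original Rublon documentation. It assumes an elevated PowerShell session and uses only cmdlets available in PowerShell 2.0; the function names are hypothetical.

```powershell
# Added example: report and apply the TLS 1.2 SCHANNEL values from the steps above.
# Assumes an elevated session. Function names are illustrative, not Rublon's.
$Tls12Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
$Roles    = 'Client', 'Server'
$Desired  = @{ DisabledByDefault = 0; Enabled = 1 }   # values given in the steps

function Get-Tls12State {
    # One row per role and value: what the registry holds now versus what the steps require.
    foreach ($role in $Roles) {
        $path  = Join-Path $Tls12Key $role
        $props = $null
        if (Test-Path $path) { $props = Get-ItemProperty -Path $path }
        foreach ($name in $Desired.Keys) {
            $current = $null
            if ($props) { $current = $props.$name }   # stays $null when the value is missing
            New-Object PSObject -Property @{
                Role    = $role
                Name    = $name
                Current = $current
                Wanted  = $Desired[$name]
                Ok      = ($current -eq $Desired[$name])
            }
        }
    }
}

function Set-Tls12State {
    foreach ($role in $Roles) {
        $path = Join-Path $Tls12Key $role
        # Create the key only when it is missing so existing values under it are kept.
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        foreach ($name in $Desired.Keys) {
            New-ItemProperty -Path $path -Name $name -PropertyType DWord `
                -Value $Desired[$name] -Force | Out-Null
        }
    }
}

# Show the current state, change the registry only if something differs, then show the result.
Get-Tls12State | Format-Table Role, Name, Current, Wanted, Ok -AutoSize
if (Get-Tls12State | Where-Object { -not $_.Ok }) { Set-Tls12State }
Get-Tls12State | Format-Table Role, Name, Current, Wanted, Ok -AutoSize
```

Restart the server afterwards so that Schannel loads the new values.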
Prerequisites for Windows Server 2012 (without R2)
- Install Microsoft .NET Framework >=4.5 from the Microsoft Download Center (Note: WMF 4.0 requires Microsoft .NET Framework >=4.5)
- Get PowerShell 4.0 by downloading and installing WMF 4.0 (Windows6.1-KB2819745-x64-MultiPkg.msu) (Note: WMF 4.0 includes PowerShell 4.0)
Prerequisites for Windows 7 (without Service Pack 1)
- Install Windows 7 Service Pack 1. Then, gather all updates using the Windows Update Service. Note: The installation will not work if your Windows 7 does not have Service Pack 1.
- If Windows Updater shows an error or no updates:
  1. Execute Windows Updater Troubleshooter
  2. Stop Windows Update Service
  3. Rename C:\Windows\SoftwareDistribution to C:\Windows\SoftwareDistribution.old
  4. Start Windows Update Service
  5. Search updates once again. The updater should work now.
- Install Microsoft .NET Framework >=4.5 from the Microsoft Download Center (Note: WMF 4.0 requires Microsoft .NET Framework >=4.5)
- Get PowerShell 4.0 by downloading and installing WMF 4.0 (Windows6.1-KB2819745-x64-MultiPkg.msu) (Note: WMF 4.0 includes PowerShell 4.0)
Pre-Installation Steps
1. Sign in to the Rublon Admin Console.
2. In the panel on the left, click Applications.
3. Click Add Application.
4. Enter a name for your new application, for example, Rublon for Windows.
5. In the Type dropdown, select Windows Logon & RDP.

6. Decide if you want to enable username normalization and the Manage Authenticators view. For more information, look at How to add an application.
7. Click Save to add your new application.
8. Note down the values of System Token and Secret Key. You are going to need these values later during installation.

9. Download the Rublon MFA for Windows Logon and RDP installer:
Note
Ensure the system date and system time are correct before installing Rublon MFA for Windows Logon and RDP.
Note
If you have a few physical machines or a few VMs and would like to use the Rublon MFA for Windows Logon & RDP connector, you have to install the connector on each machine separately.
If you have a large number of endpoints, you can use PDQ Deploy, Microsoft System Center Configuration Manager (SCCM), or Intune to automate the deployment.
Installation of MFA for Windows Logon and RDP (GUI Installation)
We recommend leaving at least one active session of a logged-in user (preferably a local session) to prevent a situation where incorrect configuration, lack of required libraries in the system, or additional software interfering with the Rublon for Windows connector leads to loss of access to the machine.
1. Run the installer with administrator rights.
2. On the first page of the installer, read about the product you are about to install.
- If this is the first time you are installing the connector, click Next.

- If this is not the first time you are installing the connector on this endpoint, you will be able to either update the current installation or do a clean installation.
  - Update current installation: If you choose to update the current installation, you will not be able to change any old options in the installer. However, if a new option has been introduced in this version of the installer, you will be able to change its value before the installation begins. The Update current installation option is recommended for those who want to update the connector to a newer version but want to keep all current settings.
  - Clean installation: If you choose to do a clean installation, continue with the steps in this section.

3. Enter the API server URL and then enter the API credentials (System Token and Secret Key) from your application of type Windows Logon & RDP in the Applications tab of the Rublon Admin Console and click Next.

Option | Description |
API Server | Keep the default value unless you want to explicitly change the Rublon API Server URL. |
System Token | System Token of your application in the Rublon Admin Console. Paste the value you noted down before. |
Secret Key | Secret Key of your application in the Rublon Admin Console. Paste the value you noted down before. |
4. Check the configuration options you want and click Next. Refer to the following image and table.

Option | Description |
Prompt for MFA only for RDP logins | When checked, only RDP sessions prompt for MFA, while local system logons are bypassed. Uncheck to enable MFA for both local system logons as well as RDP sessions. |
Enable User Account Control (UAC) elevation protection | Check to make Rublon challenge for MFA every time the UAC Elevation prompt appears. |
Enable offline authentication | When checked, enables Offline Mode. When checked, the next page after clicking Next will ask you for more details about the Offline Mode. When unchecked, the page that asks for Offline Mode details will not appear. |
5. If you checked Enable offline authentication on the previous page, you will see an additional page asking you to adjust the settings for the Passcode authentication method used during offline MFA. After adjusting the settings, click Next. Refer to the following image and table.

Option | Description |
Consecutive incorrect attempts limit | The number of unsuccessful login attempts after which the user will have to wait before trying again. Default: 5 Max: 99 |
Limit exceeded waiting time in seconds | The mandatory waiting time imposed after the user has exceeded the limit of consecutive unsuccessful login attempts. Default: 10 Max: 60 |
6. The next page asks you to select the username format. The selected format determines how usernames are added to the Rublon Admin Console. If a user does not have a given username format assigned to their account, they may be skipped (bypassed) or blocked (denied) during MFA, depending on the bypass configuration. You can configure the bypass options on one of the next pages of this installer. Refer to the following image and table.

Option | Description |
sAMAccountName | A username format used in Windows environments, typically a simple, single name. Username format example: bob |
NT LAN Manager (NTLM) | A username format that includes the domain name followed by the username, separated by a backslash. Username format example: rublon.com\bob |
User Principal Name (UPN) | An email-like username format that combines the username with the domain, separated by the “@” symbol. Username format example: [email protected] We recommend selecting this option in the following scenarios: 1. Accounts are managed by Entra ID (Azure AD) 2. Accounts from Microsoft (Live) Account are used 3. Accounts from Google Workspace are used (created by GCPW) 4. Accounts are managed by Active Directory and each account has a UPN set (accounts that do not have a UPN will be denied or bypassed, depending on the FailMode option). Otherwise, select NT LAN Manager (NTLM). |
7. On the next page:
- If you do not need a proxy, click Next.
- If you want to set up a proxy, check Use proxy, fill in the details, and then click Next. Refer to the following image and table.

Option | Description |
Proxy Host | The address of the proxy server. |
Proxy Port | The port on which the proxy server is operating. |
Proxy Username | The username of the HTTP proxy server user. Optional. Fill in if verification by username is required. |
Proxy Password | The password of the HTTP proxy server user. Optional. Fill in if required for verification. |
8. Decide whether to allow bypassing MFA and click Next. Refer to the following image and table.

Option | Description |
Bypass MFA when it cannot be performed | Check to bypass MFA when the API Server is unreachable (no internet connection) or is reachable but cannot perform MFA (e.g., too many requests). If offline authentication is enabled, checking this option will also allow users to bypass MFA when offline authentication fails (e.g., due to incomplete offline enrollment). We recommend you keep this option checked if you’re installing Rublon for the first time so that you can access your machine in case of any issues (e.g., incorrect System Token/Secret Key or firewall blocks Rublon). |
9. Rublon MFA for Windows Logon and RDP is ready to install.
Rublon MFA for Windows Logon and RDP performs the following steps during installation:
- Adds configuration settings to Windows Registry.
- Installs the application on the system in a defined location. It is not possible to change this path.
- Makes registry changes related to the correct operation of Windows Credential Provider.
- Changes the default Credential Provider to a custom solution that supports Rublon MFA for Windows.
- Starts the installer of the required additional packages: Microsoft Visual C++ 2015-2019 Redistributable (x64).

10. Click Install to install Rublon MFA for Windows Logon and RDP.

11. After a successful installation, the installer informs you that your installation is complete. Check Test MFA (and optionally View logs) and click Finish.

12. If you checked Test MFA, a Rublon Prompt will appear where you can test Rublon MFA.
- The username and password of the user currently signed in to Windows are automatically used for the first factor of this MFA test.
- If none of the authentication methods are available on the Rublon Prompt, you must add an authenticator using the Manage Authenticators view.
- After confirming your identity with the selected authentication method, you will either be informed that the authentication was successful or that it failed.
- If the authentication was successful, it means the installation is complete.
- If the authentication failed, it may be due to settings in the Rublon Admin Console or to an incorrect configuration of the connector. Check the log file for more information. For Rublon for Windows Version 4.2.1 or higher (4.X.X series) and Version 5.0.1 or higher (5.X.X series), the log file is located at C:\ProgramData\Rublon\Logon\Logs\rublon-credential-provider.log. For older Versions (below 4.2.1 for 4.X.X and below 5.0.1 for 5.X.X), the log file is located at C:\Program Files\Rublon\Logon\Logs\rublon-credential-provider.log.

13. Congratulations! Your installation is complete.

Next time you log out and log in again, you will have to authenticate using Rublon 2FA.
Note
Ensure that the firewall on the server on which you have installed Rublon Multi-Factor Authentication for Windows Logon and RDP does not restrict Rublon communication on TCP port 443.
There are some things you may want to do before logging out:
- Refer to the Configuration section in this documentation to learn how to change the settings set during installation.
- Refer to Log in to Windows with Rublon MFA and Log in to RDP with Rublon MFA to learn how logging in to a local Windows machine and via RDP works once Rublon is enabled.
Installation of MFA for Windows Logon and RDP (Silent Mode Installation)
We recommend leaving at least one active session of a logged-in user (preferably a local session) to prevent a situation where incorrect configuration, lack of required libraries in the system, or additional software interfering with the Rublon for Windows connector leads to loss of access to the machine.
1. Run the installer from a command prompt, for example, cmd or PowerShell.
Note
To successfully install Rublon MFA for Windows in Silent Mode, you need to have administrator privileges and include the /verysilent option in the installation command.
2. Prepare an installation command based on the following form:
.\RublonForWindows-4.3.0.exe /verysilent /token=TOKEN /key=KEY /offline=1 /rdpOnly=1
Where each option is set in the following way: /<OptionName>=<OptionValue>
For example:
.\RublonForWindows-4.3.0.exe /verysilent /token=9BBD412E91594D39BD6FCB841D396C4X /key=97df2dced39aa615a0235819116893 /offline=1 /rdpOnly=1
Note
If you would like to use a proxy, enter a command in the following form:
.\RublonForWindows-4.3.0.exe /token=9BBD412E91594D39BD6FCB841D396C4X /key=97df2dced39aa615a0235819116893 /rdpOnly=1 /offline=1 /proxyHost=123.123.123.123 /proxyPort=80
Specify proxyUsername and proxyPassword only if these values are required for verification:
.\RublonForWindows-4.3.0.exe /token=9BBD412E91594D39BD6FCB841D396C4X /key=97df2dced39aa615a0235819116893 /rdpOnly=1 /offline=1 /proxyHost=123.123.123.123 /proxyPort=80 /proxyUsername=user /proxyPassword=pass
Append the /keepConfig option to update the connector while maintaining previously set values in Windows registry.
- If you are not using keepConfig, make sure all required parameters are defined. Otherwise, the installation will not succeed.
- If you are using keepConfig and already have an old installation with all required parameters set in the registry, you do not need to use any other parameter.
Refer to the following table for descriptions of parameters.
Parameter | Description | Required |
token | System Token of your application in the Rublon Admin Console. Paste the value you noted down before. | Yes |
key | Secret Key of your application in the Rublon Admin Console. Paste the value you noted down before. | Yes |
verysilent | Runs the installer without the graphical user interface (GUI). Useful for simultaneous installations on multiple endpoints using automated scripts or tools like PDQ Deploy, Microsoft System Center Configuration Manager (SCCM), or Intune. | Yes, to run the installer in Silent Mode. If the installation command does not include this parameter, the installer will run in GUI mode. |
silent | Runs the installer without most of the graphical user interface (GUI) but still displays an installation progress bar. If an error occurs during installation, a graphical message will be displayed requiring user interaction. | No |
rdpOnly | Set to 1 to enable MFA only for RDP sessions and bypass local system logons. Set to 0 to enable MFA for both local system logons and RDP sessions. | No |
userAccountControlProtect | Set to 1 to make Rublon challenge for MFA every time the UAC prompt appears. | No |
keepConfig | This parameter is available in the Silent Mode only and can be used when updating a connector to a newer version. When /keepConfig is appended to the installation command, the installer will try to use the parameters stored in HKEY_LOCAL_MACHINE\SOFTWARE\Rublon\WindowsLogon registry. When /keepConfig is appended to the installation command, you are only allowed to define command line options that do not already exist in the registry. If you set an option that already exists in the registry, it will have no effect. The /keepConfig option protects against unintentional parameter changes. | No |
proxyHost | The address of the proxy server. | No |
proxyPort | The port on which the proxy server is operating. | No |
proxyUsername | The username of the HTTP proxy server user. | No |
proxyPassword | The password of the HTTP proxy server user. | No |
rublonApiServer | The server of Rublon API. | No |
LOG="filename" | Causes Setup to also create a log file in the specified directory. If no directory is defined, the log file will be created in C:\ProgramData\Rublon\Logon\Logs. | No |
NORESTART | Prevents Setup from restarting the system following a successful installation, or after a Preparing to Install failure that requests a restart. | No |
OfflineAuth | Default: 0 If set to 1, enables offline MFA protection during logins without internet (Offline Mode). Set to 0 to disable Offline Mode. | No |
OfflineTOTPMaxAttempts | The number of unsuccessful login attempts after which the user will have to wait before trying again. Default: 5 Max: 99 | No |
OfflineTOTPTimeBetweenAttempts | The mandatory waiting time imposed after the user has exceeded the limit of consecutive unsuccessful login attempts. Default: 10 Max: 60 | No |
3. Execute the command you prepared.
Note
Ensure that the firewall on the server on which you have installed Rublon 2FA for Windows Logon and RDP does not restrict Rublon communication on TCP port 443.
4. Congratulations! Your installation is complete.
Next time you log out and log in again, you will have to authenticate using Rublon 2FA.
There are some things you may want to do before logging out:
- Refer to the Configuration section in this documentation to learn how to change the settings set during installation.
- Refer to Log in to Windows with Rublon MFA and Log in to RDP with Rublon MFA to learn how logging in to a local Windows machine and via RDP works once Rublon is enabled.
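A pre-flight check for the Silent Mode command described above, as an added example that is not part of the original Rublon documentation. It encodes only rules stated on this page (required parameters, the /keepConfig exception, the documented maximums, the proxy host and port pair); the function names and the installer path are placeholders. The sample commands on this page write /offline=1 while the parameter table lists OfflineAuth, and this example follows the table.

```powershell
# Added example, not Rublon's code. Parameter names and limits come from the table above.
function New-RublonInstallArgs {
    param(
        [string]$Token,
        [string]$Key,
        [switch]$KeepConfig,
        [hashtable]$Options = @{}     # optional parameters from the table, e.g. @{ rdpOnly = 1 }
    )

    $allowed = 'rdpOnly', 'userAccountControlProtect', 'rublonApiServer',
               'proxyHost', 'proxyPort', 'proxyUsername', 'proxyPassword',
               'OfflineAuth', 'OfflineTOTPMaxAttempts', 'OfflineTOTPTimeBetweenAttempts'
    # "Max" values from the parameter table.
    $limits  = @{ OfflineTOTPMaxAttempts = 99; OfflineTOTPTimeBetweenAttempts = 60 }

    # Without /keepConfig, all required parameters must be defined.
    if (-not $KeepConfig -and (-not $Token -or -not $Key)) {
        throw 'token and key are required unless /keepConfig is used.'
    }
    foreach ($name in $Options.Keys) {
        if ($allowed -notcontains $name) { throw "Unknown parameter: $name" }
        if ($limits.ContainsKey($name) -and ([int]$Options[$name] -gt $limits[$name])) {
            throw "$name exceeds the documented maximum of $($limits[$name])."
        }
    }
    # The proxy is only activated when both the host and the port are set.
    if ($Options.ContainsKey('proxyHost') -xor $Options.ContainsKey('proxyPort')) {
        throw 'Set proxyHost and proxyPort together.'
    }

    $list = @('/verysilent')          # required to run the installer in Silent Mode
    if ($KeepConfig) { $list += '/keepConfig' }
    if ($Token)      { $list += "/token=$Token" }
    if ($Key)        { $list += "/key=$Key" }
    foreach ($name in ($Options.Keys | Sort-Object)) {
        $list += "/$name=$($Options[$name])"
    }
    $list
}

function Hide-RublonSecrets {
    # Mask credential values before the command line is written to a deployment log.
    param([string[]]$ArgumentList)
    $ArgumentList -replace '^/(token|key|proxyPassword)=.*$', '/$1=***'
}

# TOKEN and KEY are placeholders for the values noted down in the Pre-Installation Steps.
$installArgs = @(New-RublonInstallArgs -Token 'TOKEN' -Key 'KEY' -Options @{
    rdpOnly = 1; OfflineAuth = 1; OfflineTOTPMaxAttempts = 5; OfflineTOTPTimeBetweenAttempts = 10
})
Hide-RublonSecrets $installArgs       # masked form, suitable for logging

# To run the installer from an elevated session (file name taken from the sample command):
# $p = Start-Process -FilePath '.\RublonForWindows-4.3.0.exe' -ArgumentList $installArgs -Wait -PassThru
# $p.ExitCode
```

The Secret Key is still visible in the installer's process command line while it runs, so restrict access to deployment scripts and to any process-creation logs that record command lines.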
Configuration of MFA for Windows Logon and RDP
We recommend leaving at least one active session of a logged-in user (preferably a local session) to prevent a situation where incorrect configuration, lack of required libraries in the system, or additional software interfering with the Rublon for Windows connector leads to loss of access to the machine.
All default values of settings depend on your choices during installation.
To change the settings of Rublon MFA for Windows, go to Windows Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Rublon\WindowsLogon
With binary values, 1 stands for Yes, and 0 for No.
The following table describes all values:
Value | Description |
ProxyHost | The address of the proxy server. Optional. |
ProxyMode | Default: 0 You need to set at least two parameters for the proxy to work: ProxyHost and ProxyPort. If you add both of these parameters, then the proxy will be automatically activated (and ProxyMode will be set to 1). If you only specify ProxyHost or only specify ProxyPort, registry changes will be made, but ProxyMode will be set to 0, meaning the proxy will not be active. Set ProxyMode to 0 to disable the proxy. |
ProxyPassword | The password of the HTTP proxy server user. Optional. |
ProxyPort | The port on which the proxy server is operating. Optional. |
ProxyUsername | The username of the HTTP proxy server user. Optional. |
RublonApiServer | Default: https://core.rublon.net The server of the Rublon API. |
RublonRDPOnly | Default: 1 Set to 0 to enable MFA for both local system logons as well as RDP sessions. Set to 1 to enable MFA only for RDP sessions and bypass local system logons. |
FailMode | Defines whether the user is to be logged in or denied when the API Server is reachable but MFA authentication cannot be performed. One reason why MFA authentication cannot be performed is when an authentication request to the Rublon API reaches its destination but fails. Possible values: bypass – If the authentication request to the Rublon API fails, the user is bypassed. deny – If the authentication request to the Rublon API fails, the user is denied. If OfflineAuth is set to 1 and all Offline Mode requirements are met, the FailMode option is overridden and the user is challenged with offline MFA. However, if the Offline Mode requirements are not met, then the user will be bypassed or denied, depending on the FailMode option. |
SecretKey | Secret Key of your Rublon MFA for Windows application in the Rublon Admin Console. |
SystemToken | System Token of your Rublon MFA for Windows application in the Rublon Admin Console. |
DebugMode | Default: 0 Set to 1, 2, or 3 to enable additional log file entries. The higher the value, the more detailed the debug logs. |
DebugRublonRequests | Default: 0 Set to 1 to enable a debug window (developer tools) next to the Rublon Prompt during each login. |
SendUPN | Default: 0 If set to 1, Rublon looks up the User Principal Name (UPN) in Active Directory and sends the UPN to the Rublon API as the Rublon username (e.g., [email protected]). If SendUPN is set to 1 but Rublon cannot find the UPN for a given user in Active Directory, Rublon either bypasses or denies the user based on the value of FailMode. If FailMode is set to bypass, Rublon bypasses the user. Otherwise, Rublon denies access to the user and adds appropriate information to the logs. Note: If user1 has their UPN assigned as [email protected], they will get user2’s MFA methods. Be careful using such a configuration. |
SendNTLM | Default: 1 If set to 1, Rublon sends DOMAIN\username to the Rublon API as a Rublon username. If Rublon cannot find the domain, it sends only the username part. If both SendUPN and SendNTLM are set to 0, Rublon will send just the username (sAMAccountName) to the Rublon API. If both SendUPN and SendNTLM are set to 1, Rublon will act as if SendUPN was set to 1 and SendNTLM was set to 0. |
UserAccountControlProtect | Default: 0 Set to 1 to make Rublon challenge for MFA every time the UAC prompt appears. |
OfflineAuth | Default: 1 If set to 1, enables offline MFA authentication during logins without internet (Offline Mode). Set to 0 to disable Offline Mode. |
OfflineTOTPMaxAttempts | The number of unsuccessful login attempts after which the user will have to wait before trying again. Default: 5 Max: 99 |
OfflineTOTPTimeBetweenAttempts | The mandatory waiting time imposed after the user has exceeded the limit of consecutive unsuccessful login attempts. Default: 10 Max: 60 |
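An audit of the values in the table above, as an added example that is not part of the original Rublon documentation. It reports what the current combination of FailMode, OfflineAuth, RublonRDPOnly, SendUPN and SendNTLM means in practice, using only the rules stated in the table; the function names are hypothetical, and the sample hashtable is constructed so the logic can be tried on a machine without the connector.

```powershell
# Added example, not Rublon's code. Value names and meanings come from the table above.
# Assumption: the table does not state whether values are DWORD or string, so every
# value is compared as text. SecretKey and ProxyPassword are reported as present or absent only.
$RublonKey = 'HKLM:\SOFTWARE\Rublon\WindowsLogon'

function Read-RublonConfig {
    # Copy registry values into a hashtable, skipping the PS* properties PowerShell adds.
    $config = @{}
    $item = Get-ItemProperty -Path $RublonKey -ErrorAction Stop
    foreach ($p in $item.PSObject.Properties) {
        if ($p.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$') {
            $config[$p.Name] = $p.Value
        }
    }
    $config
}

function Get-RublonPosture {
    param([hashtable]$Config)

    function Row($Setting, $Value, $Review, $Note) {
        [pscustomobject]@{ Setting = $Setting; Value = $Value; Review = $Review; Note = $Note }
    }

    # Normalise to trimmed text; a missing value is reported, not replaced by a default.
    $v = @{}
    foreach ($n in 'FailMode', 'OfflineAuth', 'RublonRDPOnly', 'UserAccountControlProtect',
                   'SendUPN', 'SendNTLM', 'DebugMode', 'DebugRublonRequests') {
        if ($Config.ContainsKey($n)) { $v[$n] = "$($Config[$n])".Trim() } else { $v[$n] = '(not set)' }
    }

    # FailMode, and the OfflineAuth override that applies when Offline Mode requirements are met.
    $outcome = switch ($v.FailMode) { 'bypass' { 'bypassed' } 'deny' { 'denied' } default { 'handled in an undetermined way' } }
    $note = "When MFA cannot be performed the user is $outcome."
    if ($v.OfflineAuth -eq '1') {
        $note = "Offline MFA is used when its requirements are met; otherwise the user is $outcome."
    }
    Row 'FailMode / OfflineAuth' "$($v.FailMode) / $($v.OfflineAuth)" ($outcome -ne 'denied') $note

    Row 'RublonRDPOnly' $v.RublonRDPOnly ($v.RublonRDPOnly -ne '0') `
        'Only 0 challenges local logons as well as RDP sessions.'
    Row 'UserAccountControlProtect' $v.UserAccountControlProtect ($v.UserAccountControlProtect -ne '1') `
        'Only 1 challenges for MFA at the UAC prompt.'
    Row 'DebugRublonRequests' $v.DebugRublonRequests ($v.DebugRublonRequests -eq '1') `
        '1 opens a debug window (developer tools) next to the Rublon Prompt at each login.'
    Row 'DebugMode' $v.DebugMode ($v.DebugMode -match '^[123]$') `
        '1, 2 or 3 adds debug entries to the log file.'

    # SendUPN wins over SendNTLM; both 0 means the bare sAMAccountName is sent.
    if     ($v.SendUPN -eq '1')                            { $fmt = 'UPN' }
    elseif ($v.SendNTLM -eq '1')                           { $fmt = 'NTLM (DOMAIN\username)' }
    elseif ($v.SendUPN -eq '0' -and $v.SendNTLM -eq '0')   { $fmt = 'sAMAccountName' }
    else                                                   { $fmt = 'undetermined' }
    Row 'Username format' $fmt ($fmt -eq 'UPN') `
        "With UPN, a user whose UPN cannot be found follows FailMode ($($v.FailMode))."

    foreach ($s in 'SecretKey', 'ProxyPassword') {
        $present = ($Config.ContainsKey($s)) -and ("$($Config[$s])" -ne '')
        Row $s $(if ($present) { '<set, not shown>' } else { '(not set)' }) $false `
            'Presence only; the value is never printed.'
    }
}

# Constructed sample (made-up values), used when the Rublon key is absent on this machine.
$sample = @{
    FailMode = 'bypass'; OfflineAuth = 1; RublonRDPOnly = 1; UserAccountControlProtect = 0
    SendUPN = 1; SendNTLM = 1; DebugMode = 0; DebugRublonRequests = 0; SecretKey = 'PLACEHOLDER'
}

if (Test-Path $RublonKey) { $cfg = Read-RublonConfig } else { $cfg = $sample }
Get-RublonPosture -Config $cfg | Format-Table Setting, Value, Review, Note -AutoSize -Wrap
```

Rows with Review set to True are settings where a logon can complete without an MFA challenge or where debugging is switched on.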
Enable/Disable Rublon on selected machine
If you would like to disable Rublon 2FA on a selected machine, run the disableRublon.reg file on that machine.
If you would like to enable Rublon 2FA again, run the enableRublon.reg file.
You can find both files in: C:\Program Files\Rublon\Logon\
Note
Registry changes are made only if you run these REG files with administrator rights.
Enable Rublon MFA for Azure AD credentials
- Enable Rublon MFA for Azure AD credentials for local Windows logons: Install the Rublon MFA for Windows Logon and RDP 4.0.0 or higher (or update your older version to 4.0.0) to immediately enable Multi-Factor Authentication (MFA) for Azure AD credentials when your users log in to local Windows accounts.
- Enable Rublon MFA for Azure AD credentials for RDP connections: While support for AD credentials for Windows Logon works out of the box, you need to disable the authentication function in the RDP client to make Azure AD credential logins work when you RDP into your Azure AD machines. This is because RDP and Azure AD are not compatible out of the box. This issue is present even if you do not use Rublon MFA, but we prepared a step-by-step guide for your convenience: How to RDP Into Azure AD-Joined Machine.
Offline Mode
Offline Mode is a Rublon for Windows feature that allows for offline MFA protection of users who log in to their Windows machines. When enabled, users will be challenged for Multi-Factor Authentication (MFA) even when the machine they are trying to log in to does not have an internet connection. This is particularly useful in scenarios where the user is in a remote location or the internet service is temporarily unavailable.

Offline Mode MFA Workflow
An Offline Mode MFA flow can look as follows:
- Initiation: When a user attempts to log in to an offline Windows machine by entering the correct login and password, Rublon will recognize that the machine is not connected to the internet and initiate Offline Mode. (In some cases the Offline Mode will not be initiated. Take a look at Offline Mode and Other Options in Rublon For Windows for all possible scenarios. For the sake of simplicity, this example assumes that all requirements for Offline Mode are met.)
- Authentication: The user will be prompted to authenticate using a method that does not require an internet connection, for example, a Passcode generated by the Rublon Authenticator mobile app.
- Verification: After the user enters the Passcode, Rublon verifies it against the locally stored data. If the Passcode matches, the user is granted access.
- Sync: The next time the machine is online, Rublon will sync the authentication and organization data to ensure it is up-to-date.
Offline Mode and Other Options in Rublon for Windows
- OfflineAuth: 1 and FailMode: deny – The user must complete offline MFA unless the Offline Mode requirements are not met in which case the user is denied access
- OfflineAuth: 1 and FailMode: bypass – The user must complete offline MFA unless the Offline Mode requirements are not met in which case the user is bypassed
- The Offline Mode requirements are as follows:
  - The user has the Status set to Active in the Rublon Admin Console.
  - The user has enrolled Rublon Authenticator.
  - After installing version 4.2.0 or higher, the user has logged in online at least once using Rublon MFA. It does not matter which method was used for the login as long as the login was performed with an active internet connection.
Organization Data Update
Organization data from the Rublon Admin Console such as organization logo, organization name, application name, and organization customization messages are set during Rublon for Windows installation. This is because the Rublon for Windows installer requires an active internet connection.
Organization data is updated at the first online login by any user after reboot. If the internet connection is restored during the authentication process, the organization data will not be updated until the Windows machine reboots.
Recovery Codes
Offline Mode does not support Bypass Codes generated in the Rublon Admin Console at this time. As an alternative, you can use Recovery Codes. However, keep in mind that Recovery Codes are not a replacement for Bypass Codes and should not be understood as such.
Recovery Code is an emergency solution in case the user cannot access the device with the Rublon Authenticator mobile app (e.g., they lost their phone), the Windows machine has no internet connectivity, and there is no way to access the machine in any other way (e.g., running it in safe mode is infeasible).
Here’s how the Recovery Code works:
1. Click Need Help? at the bottom of the Rublon Prompt to expand the footer and display the Recovery Code.
2. Send the Recovery Code to Rublon Support.
3. You will receive a Passcode. Enter it during offline MFA to gain access to Windows.
Known Limitations
- Passcodes from third-party authentication apps like Google Authenticator and Microsoft Authenticator are not supported yet
- Bypass Codes are not supported yet – you can use Recovery Codes instead
- Recovery Codes require contacting Rublon Support. We are planning to improve the feature to allow an organization’s administrators to handle Recovery Codes without help from Rublon Support.
- Recovery Codes cannot be copied. While this might be inconvenient, keep in mind that a Recovery Code is an option that will be used rarely, in a very specific emergency situation.
Known Issue Fixes
- If the Passcode you enter is not recognized as correct, ensure the date and time set on the Windows machine match the date and time set on the device with the Rublon Authenticator mobile app.
Log in to Windows with MFA for Windows Logon and RDP
This example depicts the process of logging in to Windows after Rublon 2FA for Windows Logon and RDP has been installed. This example shows logging in to a local machine.
1. Log out if you are logged in.
2. Provide your credentials. Windows displays the user’s account picture. In this example, the user had set the logo of Rublon as their account picture in Windows, but you can use any other picture of your choice.

3. A Rublon Prompt appears with a selection of authentication methods.

4. Choose one of the authentication methods. Let’s choose Mobile Push.
5. You will be sent a push notification. Tap APPROVE.

6. You will be successfully logged in to Windows.
Log in via RDP with MFA for Windows Logon and RDP
This example depicts the process of logging in to RDP after Rublon MFA for Windows and RDP has been installed.
1. Run Remote Desktop Connection.
2. Enter the name or the IP address of the machine you would like to connect to.

3. Click Connect.
4. A Rublon Prompt appears with a selection of authentication methods.

5. Choose one of the authentication methods. Let’s choose Mobile Push.
6. You will be sent a push notification. Tap APPROVE.

7. You will be successfully logged in to your machine.
Updating MFA for Windows Logon and RDP
To update your Rublon 2FA for Windows Logon and RDP connector, download the new version and install it on the machine where the old version is installed.
GUI Update
You can simply run the installer and select Update current installation.

If the new installer introduces a new option that was not available in previous versions of the connector, you will be able to change that option after clicking Next. Otherwise, your update will start right away.
Silent Mode Update
To update the connector to a newer version, run the installer in Silent Mode with the /keepConfig parameter (administrator privileges on the machine are required).
Example:
.\RublonForWindows-4.3.0.exe /verysilent /keepConfig
For more information about Silent Mode installation, see Installing the Rublon MFA Connector for Windows (Installation in Silent Mode).
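When the silent update is pushed to many machines, it helps to confirm that each endpoint runs the binary you intended. The script below is an added example, not Rublon's own tooling: it assumes PowerShell 4.0 or later and an Authenticode-signed installer, and the publisher string is a placeholder you must fill in; only `/verysilent` and `/keepConfig` come from this page.

```powershell
# Added example, not Rublon's own tooling. /verysilent and /keepConfig come from
# the page; the signature check and the publisher placeholder are assumptions.
param(
    [string]$Installer = '.\RublonForWindows-4.3.0.exe',
    [string]$ExpectedPublisher = '<publisher name you expect on the certificate>'
)

# The installer needs administrator privileges, so fail early without them.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}

# Refuse to run a binary whose Authenticode signature is missing or invalid.
$path = (Resolve-Path -LiteralPath $Installer).Path
$sig  = Get-AuthenticodeSignature -FilePath $path
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed for ${path}: $($sig.Status)"
}
# Fails closed until the placeholder is replaced with the publisher you expect.
if ($sig.SignerCertificate.Subject -notlike "*$ExpectedPublisher*") {
    throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
}

# Record the hash so the same binary can be confirmed on every endpoint.
$hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
Write-Output "Installing $path (SHA256 $hash)"

# Silent update that keeps the existing configuration.
$proc = Start-Process -FilePath $path -ArgumentList '/verysilent', '/keepConfig' -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    # Treating any non-zero exit code as a failure is an assumption.
    throw "Installer exited with code $($proc.ExitCode)"
}
Write-Output 'Update finished.'
```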
It is also possible to automatically update the connector on multiple endpoints at the same time using remote software installation tools such as:
Uninstallation of MFA for Windows Logon and RDP
To uninstall Rublon MFA for Windows Logon:
- Run C:\Program Files\Rublon\Logon\unins000.exe as administrator.
Alternatively, you can manually delete the following entries in Windows Registry (the way you installed Rublon MFA for Windows Logon does not matter in this case):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{BD0A5367-C3AF-46B1-9F44-D10406EB7CC1}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\{BD0A5367-C3AF-46B1-9F44-D10406EB7CC1}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\{ExcludedCredentialProviders}]
[HKEY_CLASSES_ROOT\CLSID\{BD0A5367-C3AF-46B1-9F44-D10406EB7CC1}]
[HKEY_CLASSES_ROOT\CLSID\{BD0A5367-C3AF-46B1-9F44-D10406EB7CC1}\InprocServer32]
Note
If it is not possible to log in to the system, the registry entries can be deleted after starting the system in safe mode.
To restore Rublon MFA for Windows, you must add the previously deleted registry entries again.
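Since removing these registry entries takes Rublon MFA out of the logon path, an administrator may want to confirm on a schedule that they are still present. The script below is an added example, not Rublon's own tooling: the CLSID and key names come from this page, the `CLSID\{...}\InprocServer32` layout is the standard COM one, and the signature check on the registered DLL assumes PowerShell 3.0 or later.

```powershell
# Added example, not Rublon's own tooling. The CLSID and key paths come from the
# uninstall section of the page; the COM layout under CLSID is the standard one.
$clsid = '{BD0A5367-C3AF-46B1-9F44-D10406EB7CC1}'
$auth  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication'
$keys  = [ordered]@{
    'Credential provider'        = "$auth\Credential Providers\$clsid"
    'Credential provider filter' = "$auth\Credential Provider Filters\$clsid"
    'COM class'                  = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
    'COM in-process server'      = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
}

# One row per registration point: is the key still there?
$report = foreach ($name in $keys.Keys) {
    [pscustomobject]@{
        Check   = $name
        Present = Test-Path -LiteralPath $keys[$name]
        Path    = $keys[$name]
    }
}
$report | Format-Table -AutoSize

# If the COM server is registered, check the DLL it points to as well.
$inproc = $keys['COM in-process server']
if (Test-Path -LiteralPath $inproc) {
    $dll = (Get-Item -LiteralPath $inproc).GetValue('')   # default value = DLL path
    if ($dll -and (Test-Path -LiteralPath $dll)) {
        $sig = Get-AuthenticodeSignature -FilePath $dll
        Write-Output "Registered DLL: $dll (signature: $($sig.Status))"
    } else {
        Write-Warning "InprocServer32 points to a missing file: '$dll'"
    }
}

# A non-zero exit code lets a scheduler or monitoring agent raise an alert.
$missing = @($report | Where-Object { -not $_.Present })
if ($missing.Count -gt 0) {
    Write-Warning "Missing registration: $($missing.Check -join ', ')"
    exit 1
}
Write-Output 'Rublon credential provider registration is intact.'
```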
Troubleshooting MFA for Windows Logon and RDP
If you have a problem or question, refer to Rublon MFA for Windows Logon and RDP – FAQ first.
If you did not find a solution to your problem in our FAQ, locate your log file and send it to Rublon Support along with a description of your problem.
For Rublon for Windows Version 4.2.1 or higher (4.X.X series):
Log file location: C:\ProgramData\Rublon\Logon\Logs\rublon-credential-provider.log
For Rublon for Windows Version 5.0.1 or higher (5.X.X series):
Log file location: C:\ProgramData\Rublon\Logon\Logs\rublon-credential-provider.log
For Older Versions (below 4.2.1 for 4.X.X and below 5.0.1 for 5.X.X):
Log file location: C:\Program Files\Rublon\Logon\Logs\rublon-credential-provider.log
If you encounter any issues with your Rublon integration, please contact Rublon Support.