GreenRADIUS Windows 2FA - GPO Deployment Guide

Prerequisites

You must have the following for the GreenRADIUS two-factor authentication solution for Windows to be deployed properly via GPO.

  • GreenRADIUS v4.3.3.3 or later
  • Active Directory users imported into GreenRADIUS
  • Shared folder on your machine or network containing MSI setups
  • Windows 2FA GPO bundle

Pre-deployment configuration file

  1. Extract the Windows 2FA GPO bundle into a shared folder on your Domain Server:
    • GreenRADIUS 2FA for Windows Logon.msi
    • grs_settings.reg
    • grs_cleaner.reg
  2. Right click on grs_settings.reg. Choose Open With → Notepad and you will see multiple key-value pairs to set in the Windows registry.

Some of the values for the given keys need to be changed depending on your desired configuration. Please see the following list of parameters (keys), what they mean, and when you should modify (or not) the values corresponding to these keys.

Legend

  • grsAddress
    This points to your GreenRADIUS server, and it can be an IP address or hostname.
  • grsDomain
    This points to your target domain in GreenRADIUS.
  • grsErrorLevel
    This is used to set the verbosity level of logging, and the default value is dword:00000004. It is advised to leave it as is.
  • enabled
    This is the flag that decides whether Windows two-factor authentication (Win2FA) must be enabled or not on your machine. Set it to dword:00000001 to enable Windows two-factor authentication on your machine.
  • byPassAdministrators
    This is the flag that decides if Windows 2FA should be enabled for users that fall under the Administrator role. If enabled, administrative accounts won’t be prompted for two-factor authentication. It is set by default and we recommend to leave it as is.
  • safemodeEnabled
    This is the flag that decides if two-factor authentication should happen when a user boots into safe mode on a Windows machine. By default it is set to (0) and we recommend to leave it as is.
  • safemodeBypassAdmin
    This is the flag that decides if an Administrative account will be prompted for a two-factor authentication on a Windows machine. By default it is set and we recommend to leave it as is.

Group Policy Objects

GreenRADIUS 2FA settings and custom preferences

If custom settings will be configured (such as custom policies for particular AD groups or users), a GPO can be used for these custom settings.

Create a GPO for grs_settings.reg:

  1. In your Domain Server, open Server Manager, click Tools, and open Group Policy Management.

  2. Right click the target Domain/OU/Group and click “Create a GPO in this domain, and link it here...”

Group Policy Manager with "Create a GPO in this domain, and Link it here..." highlighted in the context menu

  1. In the New GPO window, type any name for this new policy e.g. “GRS 2FA config” and then click OK.

"New GPO" dialog with OK highlighted

  1. On the Group Policy Management console, right click the new “GRS 2FA config” GPO and click Edit.

In the Group Policy Manager, "Edit" highlighted in the context menu

  1. In the Group Policy Management Editor, under Computer Configuration, expand Policies, and then expand Windows Settings.

  2. Choose Scripts (Startup/Shutdown) and click Startup.

In the Group Policy Management Editor, "Scripts (Startup/Shutdown)" is highlighted in the left pane, and "Startup" is highlighted in the right pane

  1. Click on Show Files and copy/paste “grs_settings.reg” from your shared folder.

"Show Files" highlighted in the Startup Properties dialog

  1. In the Startup Properties window, click on Add and apply the following:
    • Script Name: regedit.exe
    • Script Parameters: /s grs_settings.reg

Add a Script dialog

  1. Click OK.

  2. In the Startup Properties window, click OK and close this Group Policy Management Editor.

GreenRADIUS 2FA installer

Create a GPO for software installation:

  1. In your Domain Server, open Server Manager, click Tools, and open Group Policy Management.

  2. Right click the target Domain/OU/Group and click “Create a GPO in this domain, and link it here…”.

Group Policy Manager with "Create a GPO in this domain, and Link it here..." highlighted in the context menu

  1. In the New GPO window, type any name for this new policy e.g. “GRS 2FA installer 64bit” and then click OK.

"New GPO" dialog with OK highlighted

  1. On the Group Policy Management console, right click the new “GRS 2FA installer 64bit” GPO and click Edit.

In the Group Policy Manager, "Edit" highlighted in the context menu

  1. In the Group Policy Management Editor, under Computer Configuration, expand Policies, and then expand Software Settings.

  2. Right click Software installation. From the context menu, click New, and then click Package.

New -> Package" highlighted in the context menu

  1. In the Open dialog box, browse to \your_server_ip\shared_folder, click on “GreenRADIUS 2FA for Windows Logon.msi”, and then click Open.

Open dialog with \192.168.10.57\share in the Address bar

  1. On Select deployment method, select Advanced. If you select another option, you won't be able to apply the MST file you created.

  2. Open Modifications tab.

  3. Select your MST file from the network share.
    Note: Again it is very important to use a UNC to the file (to the network share), rather than a local / network drive path.

  4. Click OK to complete the setup.

  5. Wait for a few seconds and verify that GreenRADIUS 2FA for Windows Logon is listed in the Group Policy Management Editor.

Group Policy Management Editor with "Software Installation" selected in the left pane

  1. Close this Group Policy Management Editor

Group Policy Link Order

Click on your target Domain/OU/Group, the GPOs should reflect the following link order:

Group Policy Management window with "GRSOU" selected in the left pane, and the "Linked Group Policy Objects" tab open in the right pane

  1. GRS 2FA cleaner (optional – needed when updating from 1.0.8 or below)
  2. GRS Offline token unassignment (optional)
  3. GRS 2FA config
  4. GRS 2FA installer 64bit

The installer looks for the GRS 2FA config provided, however a system reboot is required to fully enable GreenRADIUS 2FA for Windows.

GRS Offline Token Unassignment

GreenRADIUS offline U2F token assignments can unassigned via GPO. (This can be done per user to multiple machines.) Create a GPO for offline U2F token unassignment.

  1. On your Domain Controller, open Server Manager, click Tools, and open Group Policy Management.

  2. Right click the target Domain/OU/Group and click “Create a GPO in this domain, and link it here…”.

Group Policy Manager with "Create a GPO in this domain, and Link it here..." highlighted in the context menu

  1. On the Group Policy Management console, right click the newly created GPO and click Edit.

In the Group Policy Manager, "Edit" highlighted in the context menu

  1. In the Group Policy Management Editor, under Computer Configuration, expand Preferences, and expand Windows Settings then Registry.

  2. Add new entry, Action should be Delete then specify key path accordingly.

Group Policy Management Editor with the following highlighted: the entire Computer Configuration in the left panel, the Registry section in the right panel, and the Delete action for a user open in a dialog view

For Domain Users:
KeyPath: SYSTEM\CurrentControlSet\Software\GRS\OfflineUsers\DomainUsers\username

For Local Users:
KeyPath: SYSTEM\CurrentControlSet\Software\GRS\OfflineUsers\LocalUsers\username

Updated 2024-04-10
© 2024 Green Rocket Security Inc. All rights reserved.