
What is Windows Login Manager Session Manager and how do I set it up?

Who is this document for?

This document is intended for users of the Windows Logon Manager (WLM) who wish to enable a feature that allows users to bypass multi-factor authentication (MFA) in scenarios where they frequently log on and off within short time intervals.

The WLM Session Manager facilitates this feature by enabling administrators to define the duration, in seconds, that can elapse between a user’s logoff and subsequent login without necessitating multi-factor authentication (MFA). This document provides detailed instructions on configuring the WLM Session Manager to implement this functionality.

Use this feature only when absolutely essential, because it may introduce security vulnerabilities.

Things you will need to get started.

  • Determine the duration of MFA forgiveness in seconds, which represents the time that can pass between a user's logoff and their subsequent logon without requiring multi-factor authentication (MFA). For instance, if you choose a forgiveness period of one hour, this would be represented as 3600 seconds (60 seconds/minute multiplied by 60 minutes/hour). This setting will be stored in the registry on each user’s system that requires MFA forgiveness, and it can be customized for individual users or specific groups.
  • Download and extract the WLM Session Manager application installer. This installer must be executed on each workstation that will utilize the MFA forgiveness feature. Once the installation is complete, the Session Manager application will be accessible in the system tray. For those planning to deploy the WLM Session Manager across multiple user systems, it is advisable to place the extracted installer on a shared drive for convenient access. You can download the installer from the following link:

    WLM Session Manager

After you have downloaded and extracted the files from the archive and run the installer, you can move on to the next step.

Configure the Session Manager

Step 1 – Set MFA Forgiveness time setting.

Set the following registry setting to the number of seconds of MFA forgiveness:

  1. Open Regedt32.exe on the user's system.
  2. Browse to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\SurePassId\CredProv
  3. Set the SessionSeconds value to the desired duration of MFA forgiveness in seconds. For example, if you want to allow a forgiveness period of one hour, you would set this value to 3600 seconds.

Step 2 – Install the WLM Session Manager on each user’s workstation.

Execute the WLM Session Manager installer that you downloaded earlier. This installation will place the application in the system tray on the user's machine. Additionally, ensure that the SessionSeconds value is correctly set in the registry. Both the app installation and registry configuration can be facilitated through deployment methods such as Group Policy Objects (GPO), System Center Configuration Manager (SCCM), or any other preferred package management solution.

Step 3 – Verify the configuration.

  1. On the user’s system, log off and then log on within the MFA Forgiveness timeframe and verify that MFA is not required.
  2. On the user’s system, log off and then log on outside (after) the MFA Forgiveness timeframe and verify that MFA is required.
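For scripted deployment (GPO startup script, SCCM, or similar), the registry part of Step 1 can be applied with a guard that rejects forgiveness windows above a ceiling you choose and then reads the value back. This is an added example, not SurePassID's own tooling; the DWORD value type, the `$MaxAllowedSeconds` ceiling, and the assumption that the `CredProv` key already exists after WLM is installed are not stated on this page.

```powershell
#Requires -RunAsAdministrator
# Added example: set SessionSeconds with an upper bound and verify the result.
# Usage (script name is hypothetical): .\Set-WlmSessionSeconds.ps1 -SessionSeconds 900
# Assumptions: value type is DWORD; the key exists once WLM is installed.
param(
    [Parameter(Mandatory)]
    [ValidateRange(0, [int]::MaxValue)]
    [int]$SessionSeconds,

    # Hypothetical policy ceiling: one hour, matching the page's 3600-second example.
    [int]$MaxAllowedSeconds = 3600
)

$KeyPath   = 'HKLM:\SOFTWARE\SurePassId\CredProv'
$ValueName = 'SessionSeconds'

# Refuse windows longer than the ceiling; a longer window means a longer
# period in which a logon is accepted without the second factor.
if ($SessionSeconds -gt $MaxAllowedSeconds) {
    throw "Refusing to set $ValueName to $SessionSeconds; ceiling is $MaxAllowedSeconds seconds."
}

# Do not create the key: if it is missing, WLM is probably not installed here.
if (-not (Test-Path -Path $KeyPath)) {
    throw "$KeyPath not found on $env:COMPUTERNAME; install WLM before configuring it."
}

# Record the previous value so the change can be audited or rolled back.
$previous = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName

Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $SessionSeconds -Type DWord

# Read back and confirm the stored value matches what was requested.
$current = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
if ($current -ne $SessionSeconds) {
    throw "Verification failed: $ValueName is $current, expected $SessionSeconds."
}

# Emit one record per machine for the deployment log.
[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    PreviousSeconds = $previous
    CurrentSeconds  = $current
    CeilingSeconds  = $MaxAllowedSeconds
    ChangedAt       = (Get-Date).ToString('s')
}
```

The script confirms only the registry value; the logoff and logon checks in Step 3 are still needed to confirm that MFA is actually skipped inside the window and required outside it.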

To learn more about this new upgrade alert and how it might benefit your organization, please contact us at https://surepassid.com/company/contact/, by email at helpdesk@surepassid.com, or by phone at +1(888)200-8144.