Securing Windows-based computers
You can configure Defender to authenticate users when they sign in to their Windows-based computers in your organization.
To secure Windows-based computers, in addition to the required Defender components you need to install and configure the component called the Defender Desktop Login on each computer you want to secure with Defender. For more information about installing and configuring the required Defender components, see Deploying Defender.
- Installing Defender Desktop Login by using a wizard
- Performing an unattended installation of Defender Desktop Login
- Configuring Defender Desktop Login by using a configuration tool
- Configuring Defender Desktop Login by using Group Policy
- Defender Desktop Login Configuration tool reference
Installing Defender Desktop Login by using a wizard
You can use a wizard to install Defender Desktop Login on a local computer.
To install Defender Desktop Login
- Run the DefenderDesktopLogin.exe file supplied in the Defender distribution package.
- Complete the wizard to install Defender Desktop Login.
IMPORTANT: You must configure Defender Desktop Login before restarting the computer. Otherwise, you may not be able to log on after the computer has been restarted.
For instructions, see Configuring Defender Desktop Login by using a configuration tool and Configuring Defender Desktop Login by using Group Policy.
Performing an unattended installation of Defender Desktop Login
You can perform an unattended installation of Defender Desktop Login by using the following .msi files supplied in the Defender distribution package:
- DefenderDesktopLogin_x86.msi Installs Defender Desktop Login on 32-bit systems.
- DefenderDesktopLogin_x64.msi Installs Defender Desktop Login on 64-bit systems.
For example, you can use these files to silently install Defender Desktop Login from a command line or by using Group Policy. For instructions on how to install software by using Group Policy, please refer to Microsoft’s knowledge base article 816102 “How to use Group Policy to remotely install software in Windows Server 2008 and in Windows Server 2003”.
When using an .msi file to install Defender Desktop Login, you can use the following command-line parameters:
|
Parameter |
Description |
Example |
|
DSS |
Specifies a list of Defender Security Servers (by IP address or DNS name) and ports for the Defender Desktop Login software to authenticate against. Each IP address or DNS name must have a port which is specified using a colon. For multiple entries, use a semicolon as shown in the example (without a space). |
|
|
SHARED_SECRET |
Specifies the shared secret which is used to securely communicate and authenticate against the Defender Security Server. |
|
|
EXCLUSION_MODE |
Determines how Defender Desktop Login authenticates users. This parameter can take one of the following values:
|
|
|
EXCLUSION_GROUPS |
Specifies the groups whose members must or are not required to authenticate via Defender. Behavior of this parameter depends on the value set in the EXCLUSION_MODE parameter. To specify multiple groups in this parameter, use a semicolon as a separator. |
|
|
ALWAYS_ALLOW_LOCAL_LOGON |
Specifies whether to allow local users to log on to a computer that has Defender Desktop Login installed without authenticating via Defender. This parameter can take one of the following values:
|
ALWAYS_ALLOW_LOCAL_LOGON=1 |
|
ALLOW_OFFLINE_LOGON |
Specifies whether users are allowed to log on if all Defender Security Servers are unavailable. This parameter can take one of the following values:
|
|
|
OFFLINE_LOGON_DAYS |
Specifies the period of time (in days) during which users can log on. This period is counted from the moment when all Defender Security Servers become unavailable. You can only use this parameter if you set the ALLOW_OFFLINE_LOGON parameter value to 1. |
|
|
OFFLINE_LOGON_COUNT |
Specifies the number of times user can log on from the moment when all Defender Security Servers become unavailable. You can only use this parameter if you set the ALLOW_OFFLINE_LOGON parameter value to 2. |
|
|
DISPLAY_NOTIFICATIONS |
Specifies whether to provide the user with information about the remaining number of offline logons or the remaining number of days when the offline logon will be available. This parameter can take one of the following values:
|
|
|
STORE_PASSWORDS |
Specifies whether to store user’s password, so that the user is not prompted to reenter the password during each two-factor login. This parameter can take one of the following values:
|
STORE_PASSWORDS=1 |
|
MANAGE_PASSWORDS |
Specifies whether Defender Desktop Login can change a user’s password when the password has expired. This parameter can take one of the following values: 0 Specifies that Defender Desktop Login can change user’s password.
|
MANAGE_PASSWORDS=1 |
|
WAIT_FOR_NETWORK |
Specifies the time period (in seconds) during which Defender Desktop Login waits for the network to become available at startup. The default value is 60 seconds. |
WAIT_FOR_NETWORK=60 |
|
BLOCK_CREDENTIAL_PROVIDERS |
Specifies credential providers Defender Desktop Login should block. This parameter can take one of the following values:
|
BLOCK_CREDENTIAL_PROVIDERS=0 |
Configuring Defender Desktop Login by using a configuration tool
You can use the Defender Desktop Login configuration tool (GinaConfig.exe) to configure or check the configuration settings of Defender Desktop Login installed on a particular computer. You can find the GinaConfig.exe file in the Defender Desktop Login installation folder (by default, this is %ProgramFiles%\One Identity\Defender\Desktop Login).
To view and configure the Defender Desktop Login settings
- On the computer where Defender Desktop Login installed, run the GinaConfig.exe file.
- Use the dialog box that opens to view and configure the Defender Desktop Login settings.
For more information about these settings, see Defender Desktop Login Configuration tool reference.
- When finished, OK to apply your changes and close the dialog box.