[KB7365] Enable Two-Factor Authentication (2FA) upon restart in Windows 10 (build 1709 and later) for ESET Secure Authentication

Issue

  • Windows 10, build 1709 and later, does not require 2FA upon computer restart or when starting the computer after a regular shutdown

Details

Windows 10, from build version 1709, introduced the option to allow automatic sign-in after an update or restart. That option is enabled by default unless the user account belongs to a domain.

With that option enabled, the default setup of Windows Login protection in ESET Secure Authentication (ESA) does not request the second factor when a user logs in to Windows after an OS update or restart, because Windows behaves as if the user had locked the computer instead of signing out. The same behavior applies when the computer starts after a regular shutdown.

Solution

Either disable Automatic Login in Windows 10, or enable the Protect access with 2FA on Windows Lock screen option for Windows Login protection in the ESA Web Console.


Disable Automatic Login in Windows 10

  1. Press the Windows key + R to open the Run box, type netplwiz and click OK.

    Figure 1-1

  2. Select the check box next to Users must enter a username and password to use this computer and click Apply.

    Figure 1-2

  3. Restart your computer. The system will prompt you for 2FA at the login screen.
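
To check the same settings on many machines without opening netplwiz on each one, the following read-only PowerShell audit can be used. It is an added example, not ESET's code or part of the original article. It assumes the standard Windows registry locations for automatic logon (`AutoAdminLogon` under Winlogon) and for the restart sign-on policy (`DisableAutomaticRestartSignOn`), which the article does not name; the function name and the `ReviewNeeded` heuristic are hypothetical.

```powershell
# Added example: read-only audit of Windows automatic sign-in settings.
# Registry paths and value names are standard Windows locations (an assumption;
# the KB article does not list them). Nothing is modified.
function Get-AutoSignInState {
    [CmdletBinding()]
    param()

    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $policy   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    # Return a registry value, or $null when the key or the value is absent.
    function Read-RegValue([string]$Path, [string]$Name) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $item.$Name } else { $null }
    }

    # "1" means the netplwiz check box is cleared and Windows logs on automatically.
    $autoLogon   = (Read-RegValue $winlogon 'AutoAdminLogon') -eq '1'
    $autoUser    = Read-RegValue $winlogon 'DefaultUserName'

    # 1 means sign-in after an update or restart is switched off by policy.
    $arsoBlocked = (Read-RegValue $policy 'DisableAutomaticRestartSignOn') -eq 1

    # The article states the option is on by default unless the account belongs
    # to a domain; machine domain membership is used here as an approximation.
    $domainJoined = [bool](Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain

    # Hypothetical heuristic: flag hosts where a restart may skip the 2FA prompt.
    $review = $autoLogon -or (-not $domainJoined -and -not $arsoBlocked)

    [pscustomobject]@{
        ComputerName                  = $env:COMPUTERNAME
        DomainJoined                  = $domainJoined
        AutoAdminLogonEnabled         = $autoLogon
        AutoLogonUser                 = if ($autoLogon) { $autoUser } else { $null }
        RestartSignOnDisabledByPolicy = $arsoBlocked
        ReviewNeeded                  = $review
    }
}

# Print the result for the local machine.
Get-AutoSignInState | Format-List
```

A host that reports `ReviewNeeded : True` should either have automatic login disabled as described above or be covered by the Protect access with 2FA on Windows Lock screen option.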

 

Enable Protect access with 2FA on Windows Lock screen

  1. Open your ESA Web Console.

  2. Click Components > Windows Login > Settings.

  3. Click the toggle next to Protect access with 2FA on Windows Lock screen to enable it.

    Figure 2-1