Specify the Multi-Factor Authentication Grace Period

You can use the following two group policies under Windows Settings > MFA Settings to control the multi-factor authentication grace period:

  • Configure multi-factor authentication lock screen grace period
  • Configure multi-factor authentication user privilege elevation grace period

The Configure multi-factor authentication lock screen grace period group policy allows the administrator to configure the multi-factor authentication grace period (in minutes) for the lock screen. If the group policy is set to:

  • Enabled: the lock screen grace period is enabled, and its length is the value configured in the group policy. A value of 0 means there is no MFA grace period on the lock screen.
  • Disabled: the lock screen grace period is disabled.
  • Not Configured: the lock screen grace period is not enabled, and a local policy can override the setting.

The Configure multi-factor authentication user privilege elevation grace period group policy allows the administrator to configure the multi-factor authentication grace period for user privilege elevation, such as running with privilege or adding a new desktop. This grace period is per session: it starts when the user completes a successful MFA challenge in the session, and each subsequent successful MFA challenge restarts it. If the group policy is set to:

  • Enabled: the privilege elevation grace period is enabled, and its length is the value configured in the group policy.
  • Disabled: the privilege elevation grace period is disabled.
  • Not Configured: the privilege elevation grace period is not enabled, and a local policy can override the setting.

Applying the MFA Lock Screen Grace Period to Remote Sessions

By default, the Configure multi-factor authentication lock screen grace period group policy applies only to console sessions and not to remote sessions. However, you can configure a registry key to apply the grace period to remote sessions too. You can deploy this registry key as an additional policy.

To enable the MFA lock screen grace period for remote sessions

  • Add the following registry entry on each computer where you have installed the Delinea Agent for Windows:

    HKEY_LOCAL_MACHINE\SOFTWARE\Centrify\DirectAuthorize\Agent\ApplyLockScreenGracePeriodToRDPSessions = 1 (REG_DWORD)
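
The following PowerShell script is an added example, not part of the Delinea documentation, showing one way to write the registry entry above on a single computer and then verify that it was written with the correct type and value. It assumes an elevated PowerShell session on a computer where the agent is installed; the key path and value name are the ones documented above, and the function names are this example's own. The verification step matters because the documented entry is REG_DWORD: a value written as a string by mistake would not match the entry the agent reads, and since the grace period widens the window in which a remote session unlocks without a second factor, you want to be certain which computers actually carry the setting.

```powershell
# Added example (not Delinea's code): deploy and verify the
# ApplyLockScreenGracePeriodToRDPSessions entry on the local computer.
# Assumes an elevated PowerShell session on a computer with the agent installed.

$KeyPath   = 'HKLM:\SOFTWARE\Centrify\DirectAuthorize\Agent'
$ValueName = 'ApplyLockScreenGracePeriodToRDPSessions'

function Set-LockScreenGracePeriodForRdp {
    # Writes the documented value as REG_DWORD. 1 applies the lock screen
    # grace period to remote sessions; 0 restores the default (console only).
    param([ValidateSet(0, 1)][int]$Value = 1)

    # Create the key path if it does not exist yet on this computer.
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    # -PropertyType DWord guarantees REG_DWORD; -Force overwrites an existing value.
    New-ItemProperty -Path $KeyPath -Name $ValueName -Value $Value `
        -PropertyType DWord -Force | Out-Null
}

function Test-LockScreenGracePeriodForRdp {
    # Returns $true only if the value exists, is REG_DWORD, and equals 1.
    if (-not (Test-Path -Path $KeyPath)) { return $false }
    $key = Get-Item -Path $KeyPath
    if ($key.GetValueNames() -notcontains $ValueName) { return $false }
    if ($key.GetValueKind($ValueName) -ne 'DWord') { return $false }
    return ($key.GetValue($ValueName) -eq 1)
}

Set-LockScreenGracePeriodForRdp -Value 1

if (Test-LockScreenGracePeriodForRdp) {
    Write-Output "$ValueName is set to 1 (REG_DWORD) under $KeyPath"
} else {
    Write-Warning "$ValueName is missing, not REG_DWORD, or not 1 under $KeyPath"
}
```

The Test-LockScreenGracePeriodForRdp function can be run on its own (for example from a remote management session) to audit which computers have the entry, without changing anything.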