Secondary user authentication can be enabled by editing a Windows Client (or a Client group) configuration.
To enable secondary user authentication for a Windows Client (or for all the Clients in a Client group), do the following:
1. Log in to the Management Tool as a user with the Client Configuration Management permission for Clients.
2. Click the Client Management navigation link (on the left).
3. On the Client Management page, find the Windows Client which you want to enable secondary user authentication for, and click on its name in the Client Name column (or select the Client Groups tab, and find the required Client group, and then click on its name in the Client Group Name column).
NOTE: To find specific Clients, the Search box and filters at the top of the Client Management page can be used (or to find specific Client groups, the Search box at the top of the Client Groups page can be used).
4. On the Editing Client (or Editing Client Group) page that opens, select the Authentication Options tab, and in the Two-Factor and Secondary Authentication section, select the Enable secondary user authentication on login checkbox. The text displayed in the Secondary User Authentication login window can also be customized by changing the default text in the text box below this checkbox.
5. To exclude any specific users from needing to log in using secondary user authentication, enter the required user names in the Users to exclude from secondary user authentication field, separated by semicolons (e.g. user1;user2;user3).
NOTE: The "Enable secondary authentication on login" option cannot be enabled at the same time as "Allow the use of one-time passwords" option.
6. Click the Finish button (in the bottom right) to save the changes.
7. If the Client is (or Clients in the Clients group are) installed on Windows Server 2003, the computer must be restarted after enabling or disabling the secondary user authentication option. In other versions of Windows, the secondary user authentication option is enabled immediately.