Introduction to Multi-Factor Authentication
Multi-Factor Authentication (MFA) requires users to provide two or more verification factors before gaining access: something they know (password), something they have (phone, hardware token, smart card), or something they are (biometrics). Implementing MFA on Windows Server 2019 dramatically reduces the risk of credential-based attacks—even if a password is stolen, an attacker cannot authenticate without the second factor. Windows Server 2019 supports MFA through several mechanisms: smart card certificate authentication via Active Directory, Azure AD integration with Windows Hello for Business, and third-party RADIUS-based MFA providers integrated with NPS. This tutorial focuses on implementing MFA using NPS Extension for Azure MFA and smart card authentication.
Smart Card Authentication as MFA
Smart card authentication is a two-factor method built into Windows: the smart card is something you have, and the PIN is something you know. Implementing smart card authentication requires an Enterprise CA, certificate templates for smart card enrollment, smart card middleware on clients, and group policy to enforce smart card logon for specific accounts. This is the most secure on-premises MFA option for Windows Server 2019.
# Configure "Smart card is required for interactive logon" for privileged accounts.
# Requires the ActiveDirectory module (RSAT) and rights to modify the accounts.
# Note: when this flag is set, the domain controller replaces the account's
# password with a random value, so anything still using that password breaks.
Import-Module ActiveDirectory
$accounts = @("AdminUser1", "AdminUser2")
foreach ($account in $accounts) {
    Set-ADUser -Identity $account -SmartcardLogonRequired $true
}
# Verify setting
Get-ADUser -Identity "AdminUser1" -Properties SmartcardLogonRequired |
    Select-Object Name, SmartcardLogonRequired
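As an added example that is not part of the original tutorial, the following script audits a privileged group (Domain Admins is assumed; substitute your own tiered admin groups) and reports enabled members that still allow password logon, so enforcement gaps are visible before an attacker finds them.

```powershell
# Added example: audit a privileged group for smart card enforcement.
# Assumes the ActiveDirectory module (RSAT) and a reachable domain controller.
Import-Module ActiveDirectory

function Get-SmartcardEnforcementGap {
    param(
        [string]$GroupName = "Domain Admins"   # assumed target group
    )
    # Resolve membership recursively so nested admin groups are covered too
    $members = Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' }

    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.distinguishedName `
                -Properties SmartcardLogonRequired, Enabled, LastLogonDate
        [pscustomobject]@{
            Name                   = $u.SamAccountName
            Enabled                = $u.Enabled
            SmartcardLogonRequired = [bool]$u.SmartcardLogonRequired
            LastLogonDate          = $u.LastLogonDate
        }
    }
}

# Enabled privileged accounts that can still authenticate with a password only
$gap = Get-SmartcardEnforcementGap -GroupName "Domain Admins" |
    Where-Object { $_.Enabled -and -not $_.SmartcardLogonRequired }

if ($gap) {
    Write-Warning "Privileged accounts without smart card enforcement:"
    $gap | Format-Table Name, LastLogonDate -AutoSize
} else {
    Write-Host "All enabled members of the group require smart card logon."
}
```

Run it again after applying the change from the block above to confirm the list is empty; disabled accounts are skipped on purpose so stale objects do not mask live gaps.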
Configuring Certificate Templates for Smart Cards
Create a certificate template for smart card enrollment. In certtmpl.msc, duplicate the Smartcard Logon template. On the Request Handling tab, set Purpose to Signature and smartcard logon. On the Cryptography tab, select a compatible CSP that supports the smart card hardware you use. On the Security tab, grant Read, Enroll, and Autoenroll to the target users or group.
certtmpl.msc   # Certificate Templates console: duplicate and edit the template
certsrv.msc    # Certification Authority console: publish the template on the CA
After creating and configuring the template, publish it to the CA. Users can then enroll for smart card certificates through the Certificate Enrollment wizard or auto-enrollment.
Azure MFA with NPS Extension
For organizations with Azure AD (Microsoft Entra ID) licenses, the NPS Extension for Azure MFA integrates Azure’s MFA service with any NPS-based authentication flow. When a user authenticates via VPN or 802.1X, NPS handles the primary authentication (username/password), then calls Azure MFA for secondary verification (phone call, Microsoft Authenticator app push notification, or TOTP code). The NPS extension is installed on the NPS server and handles the Azure MFA communication transparently.
# Prerequisites: Azure AD Connect sync and Azure MFA licenses (P1/P2 or standalone)
# Download the NPS Extension from the Microsoft Download Center, then
# install the extension on the NPS server (file names as given in this tutorial)
Expand-Archive -Path "C:\Downloads\NpsExtnForAzureMfaInstaller.zip" -DestinationPath "C:\NPSExt"
# Relax the execution policy for this session only, not machine-wide
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process
C:\NPSExt\NpsExtnForAzureMfa.exe /quiet
Configuring the NPS Extension for Azure MFA
After installing the extension, run the configuration script that creates an Azure AD service principal and grants it the required permissions. You need Global Administrator credentials for your Azure tenant.
cd "C:\Program Files\Microsoft\AzureMfa\Config"
.\AzureMfaNpsExtnConfigSetup.ps1
The script: installs required Azure AD PowerShell modules, authenticates to your Azure tenant, creates a service principal for the NPS extension, generates a certificate for authentication, and configures the extension registry settings. After completion, restart the NPS service.
Restart-Service IAS
Testing Azure MFA with NPS Extension
After configuration, any authentication request processed by NPS triggers a second factor prompt for Azure MFA-enabled users. Test by initiating a VPN connection with an account that has Azure MFA enrolled. The user receives a push notification on their Authenticator app or a phone call.
# Check NPS access events: 6272 = access granted, 6273 = access denied
# (an MFA denial from the extension surfaces as a 6273 as well)
Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = @(6272, 6273)
    StartTime = (Get-Date).AddMinutes(-10)
} | Select-Object TimeCreated, Id, Message
# NPS Extension specific logs
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'AuthZOptCH'
    StartTime    = (Get-Date).AddHours(-1)
} | Select-Object TimeCreated, LevelDisplayName, Message | Format-List
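The one-off queries above show raw events; as an added example (not from the original tutorial), the function below turns the 6272/6273 events into a per-user grant/deny summary, which is what you want on a dashboard or in a scheduled check after rolling out the extension. The field labels parsed from the event text are the ones NPS writes; the time window is an assumption.

```powershell
# Added example: summarize NPS access grants and denials over a time window.
# 6272 = Network Policy Server granted access, 6273 = denied access.
function Get-NpsAuthSummary {
    param([int]$Minutes = 60)   # assumed window

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = @(6272, 6273)
        StartTime = (Get-Date).AddMinutes(-$Minutes)
    } -ErrorAction SilentlyContinue   # Get-WinEvent errors when nothing matches

    foreach ($e in $events) {
        # Pull the account and reason code out of the event's message text
        $user   = if ($e.Message -match 'Account Name:\s+(\S+)') { $Matches[1] } else { 'unknown' }
        $reason = if ($e.Message -match 'Reason Code:\s+(\d+)')  { [int]$Matches[1] } else { 0 }
        [pscustomobject]@{
            Time       = $e.TimeCreated
            User       = $user
            Result     = if ($e.Id -eq 6272) { 'Granted' } else { 'Denied' }
            ReasonCode = $reason
        }
    }
}

$summary = Get-NpsAuthSummary -Minutes 60

# Per-user counts: a burst of denials for a single account deserves a look
$summary | Group-Object User, Result |
    Select-Object Name, Count | Sort-Object Count -Descending | Format-Table -AutoSize

# Denials broken down by NPS reason code
$summary | Where-Object Result -eq 'Denied' |
    Group-Object ReasonCode | Select-Object Name, Count
```

Run it in an elevated session, since reading the Security log requires it; a healthy deployment shows grants for enrolled users and a small, explainable set of denials.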
Implementing Windows Hello for Business
Windows Hello for Business replaces passwords with strong two-factor authentication using biometrics (fingerprint, face recognition) or a PIN as authentication factors. It is cryptographically tied to the specific device—a Hello credential from one device cannot be used on another. Configure Windows Hello for Business via Group Policy for on-premises deployments.
# Enable Windows Hello for Business via GPO
# Computer Configuration > Policies > Administrative Templates >
#   Windows Components > Windows Hello for Business
# Set "Use Windows Hello for Business" to Enabled
# Or configure via registry for testing (create the keys first; Set-ItemProperty
# fails if the policy key does not exist yet)
$pfw = "HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork"
New-Item -Path $pfw -Force | Out-Null
Set-ItemProperty -Path $pfw -Name "Enabled" -Value 1 -Type DWord
# Configure PIN complexity
New-Item -Path "$pfw\PINComplexity" -Force | Out-Null
Set-ItemProperty -Path "$pfw\PINComplexity" `
    -Name "MinimumPINLength" -Value 6 -Type DWord
# Digits: 1 = required, 2 = not allowed (value name used by the policy key)
Set-ItemProperty -Path "$pfw\PINComplexity" `
    -Name "Digits" -Value 1 -Type DWord
Configuring MFA for Remote Desktop Gateway
Protect Remote Desktop Gateway (RDGW) access with MFA by integrating NPS with the RDGW’s connection authorization policies. Install NPS on the same or a separate server, install the Azure MFA NPS extension, and configure the RDGW to use NPS for CAP evaluation.
# Install RD Gateway with NPS integration
Install-WindowsFeature RDS-Gateway -IncludeManagementTools
# Configure RD Gateway to use NPS for CAP
# Open RD Gateway Manager > Properties > CAP Store
# Select "Central server running NPS" and specify the NPS server address
Enforcing MFA via Conditional Access (Azure AD)
For hybrid environments with Azure AD Connect, configure Conditional Access policies in Azure AD to require MFA for specific applications, locations, or risk levels. This applies MFA to cloud and on-premises applications that use Azure AD authentication without requiring changes to on-premises RADIUS infrastructure.
# Azure AD Conditional Access is configured through the Azure Portal
# Microsoft Entra Admin Center > Security > Conditional Access
# New policy > Require multi-factor authentication for all users
# Exclude break-glass emergency accounts from MFA policies
# Verify users are registered for MFA
# Microsoft Graph PowerShell
Connect-MgGraph -Scopes "UserAuthenticationMethod.Read.All"
Get-MgUserAuthenticationMethod -UserId "[email protected]"
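Checking one user at a time does not scale; as an added example (not from the original tutorial), the following script walks enabled users and reports those whose only registered method is a password, which is exactly the population a "require MFA for all users" policy will lock out or leave exposed. The Graph page size and scopes are assumptions; the method type names are the Graph `@odata.type` values.

```powershell
# Added example: find users with no registered MFA-capable method.
# Assumes the Microsoft.Graph modules are installed and the signed-in account
# may read users and their authentication methods.
Connect-MgGraph -Scopes "User.Read.All", "UserAuthenticationMethod.Read.All"

function Get-MfaRegistrationReport {
    param([int]$Top = 100)   # assumed page size for the example

    $users = Get-MgUser -Top $Top -Property Id, UserPrincipalName, AccountEnabled |
        Where-Object { $_.AccountEnabled }

    foreach ($u in $users) {
        # Each method object carries its concrete Graph type in @odata.type,
        # e.g. microsoftAuthenticatorAuthenticationMethod, phoneAuthenticationMethod,
        # fido2AuthenticationMethod, windowsHelloForBusinessAuthenticationMethod
        $methods = Get-MgUserAuthenticationMethod -UserId $u.Id
        $strong  = $methods | Where-Object {
            $_.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.passwordAuthenticationMethod'
        }
        [pscustomobject]@{
            User          = $u.UserPrincipalName
            StrongMethods = ($strong | ForEach-Object {
                $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
            }) -join ', '
            MfaCapable    = [bool]$strong
        }
    }
}

$report = Get-MfaRegistrationReport -Top 200

# Users who would fail (or be prompted to register) under an MFA-required policy
$report | Where-Object { -not $_.MfaCapable } | Format-Table User -AutoSize

# Everyone else, with what they have registered
$report | Where-Object { $_.MfaCapable } | Format-Table User, StrongMethods -AutoSize
```

Confirm the break-glass accounts excluded from the Conditional Access policy appear in this report deliberately, not by accident.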
Conclusion
Multi-Factor Authentication on Windows Server 2019 can be implemented through multiple approaches depending on your organization’s infrastructure and licensing. Smart card authentication provides the strongest on-premises MFA with hardware security, while the NPS Extension for Azure MFA offers the easiest deployment for organizations already using Azure AD. Windows Hello for Business delivers a passwordless experience that is both more secure and more user-friendly than traditional passwords. Regardless of the method chosen, MFA is the single most effective control for preventing unauthorized access from compromised credentials.