Recommended order of operation for deployment of RSA MFA Agent for Windows with Authentication Manager
Originally Published: 2025-10-01
Applies To
- Authentication Manager 8.x
- MFA Agent 2.x for Windows
Tasks
RSA recommends the following steps to ensure a successful deployment of a "True Passwordless" experience that goes beyond basic Windows Password Integration (WPI).
- PKI Configuration
  - For Microsoft Entra ID, create and configure PKI following the steps in the MFA Agent Installation and Administration Guide for the installed agent version.
  - For on-premises Active Directory, follow the steps to configure the Active Directory Certificate Authority (CA).
  - Note: the Entra ID and Active Directory paths differ significantly, so follow the steps and details for your environment carefully.
- Test Configuration (optional, but strongly recommended)
  - On a handful of test machines, install the appropriate RSA MFA Agent and configure the agent and passwordless settings using the MFA Agent Installation and Administration Guide and/or the MFA Agent GPO Template Guide.
  - Following Chapter 4 of the MFA Agent Installation and Administration Guide for the installed agent version, complete the configuration path for your environment: Entra ID (see "Enabling RSA MFA Agent on Microsoft Entra ID Joined Machines") or Active Directory (see "Passwordless Prerequisites").
  - Active Directory configuration requirements, including CA settings, are documented in Chapter 5 (Enabling the RSA MFA Agent on Active Directory and Hybrid-Joined Machines) of the MFA Agent Installation and Administration Guide for the installed agent version.
  - Make any necessary adjustments and retest until the agent functions properly before proceeding.
- Finalize and Push Configurations
  - Collect the final global configuration settings from the test configuration step.
  - Using the MFA Agent Installation and Administration Guide for the installed agent version, configure a strong, complex reserve password for the MFA Agent to support emergency ("break-glass") access. Hash the reserve password with the RSA-provided hashing utility as documented and place the hash in the agent configuration; store the reserve password itself in an approved password vault with restricted, auditable access, since only the clear-text value is usable for a break-glass logon. If the reserve password is checked out or used, rotate it promptly. Review and rotate it periodically in accordance with organizational security and key management policies.
  - Commit the settings into Entra ID or GPO policies, depending on the environment.
  - Push via Intune (Entra ID) or GPO (Active Directory).
  - Push the policies two to three weeks ahead of the agent software rollout to allow for user availability (vacation, sick time, etc.) and endpoint coverage (endpoints must be online to receive the respective updates).
  - Where possible, confirm coverage with reporting or Intune checks before the software rollout begins.
- Software Deployment
  - Use Intune or a preferred software management solution to deploy the RSA MFA Agent binaries.
  - Follow a phased rollout; for example, start with technical staff, expand as confidence builds, then release broadly across the organization.
This approach reduces disruption, ensures proper sequencing of the rollout and mitigates avoidable risks.
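The coverage checks above (policy arrival during the lead window, then agent presence before each phase is widened) can be scripted. The following PowerShell is an added example written for this article; it is not RSA tooling and does not come from the MFA Agent guides. The agent DisplayName pattern, the policy registry key path, the minimum version and the pilot host names are assumptions: take the real values from the MFA Agent Installation and Administration Guide and GPO Template Guide for your agent version.

```powershell
<#
Added example, not from the RSA MFA Agent guide or RSA tooling: report policy
and agent coverage on a set of endpoints so a rollout phase is widened only
when every machine in the previous phase is covered. Run from an admin host
with WinRM access to the targets.

ASSUMPTIONS, to be replaced with values from the guide for your agent version:
  -AgentNamePattern : DisplayName of the agent under Programs and Features
  -PolicyKeyPath    : registry key created by the pushed Intune/GPO policy
#>
param(
    [string[]]$ComputerName     = @('PILOT-WS01', 'PILOT-WS02', 'PILOT-WS03'), # constructed pilot list
    [string]  $AgentNamePattern = 'RSA MFA Agent*',                            # assumption
    [string]  $PolicyKeyPath    = 'HKLM:\SOFTWARE\Policies\RSA\MFAAgent',      # assumption
    [string]  $MinimumVersion   = '2.0',                                       # assumption
    [switch]  $PolicyOnly   # use during the policy lead window, before the software push
)

# Runs on each endpoint: looks the agent up in the 64- and 32-bit Uninstall
# keys, tests for the policy key, and returns one result object.
$probe = {
    param([string]$Pattern, [string]$PolicyPath, [string]$MinVersion)
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $agent = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
             Where-Object { $_.DisplayName -like $Pattern } |
             Select-Object -First 1

    $versionOk = $false
    if ($agent) {
        try   { $versionOk = ([version]$agent.DisplayVersion) -ge [version]$MinVersion }
        catch { $versionOk = $false }   # an unparsable DisplayVersion counts as not OK
    }

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        PolicyPresent  = Test-Path -Path $PolicyPath
        AgentInstalled = [bool]$agent
        AgentVersion   = if ($agent) { $agent.DisplayVersion } else { $null }
        VersionOk      = $versionOk
    }
}

$results = @(Invoke-Command -ComputerName $ComputerName -ScriptBlock $probe `
    -ArgumentList $AgentNamePattern, $PolicyKeyPath, $MinimumVersion `
    -ErrorAction SilentlyContinue)

# A host that did not answer is recorded as not covered rather than skipped:
# offline endpoints are exactly what the two-to-three-week lead time is for.
$answered = @($results | ForEach-Object { $_.PSComputerName })
foreach ($name in $ComputerName) {
    if ($answered -notcontains $name) {
        $results += [pscustomobject]@{
            Computer = $name; PolicyPresent = $false; AgentInstalled = $false
            AgentVersion = $null; VersionOk = $false
        }
    }
}

# "Covered" means the policy has arrived and, once the software push has
# started, the agent is installed at or above the minimum version.
$covered = @($results | Where-Object {
    $_.PolicyPresent -and ($PolicyOnly -or ($_.AgentInstalled -and $_.VersionOk))
})

$results | Sort-Object Computer |
    Format-Table Computer, PolicyPresent, AgentInstalled, AgentVersion, VersionOk -AutoSize
$pct = [math]::Round(100 * $covered.Count / $ComputerName.Count, 1)
Write-Host ("Coverage: {0}/{1} ({2}%)" -f $covered.Count, $ComputerName.Count, $pct)

# Non-zero exit lets a deployment pipeline gate the next phase on full coverage.
if ($covered.Count -lt $ComputerName.Count) { exit 1 }
```

Run it with -PolicyOnly while the policies are being pushed ahead of the binaries, so the only question is whether every endpoint has received them; drop the switch once the software rollout starts and run it against each phase's machine list before expanding to the next. Unreachable machines deliberately fail the gate rather than disappearing from the percentage, since a machine that never came online is the most common reason a "complete" rollout later surfaces a user without the agent.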