Multi-factor authentication (MFA) against a Windows workstation is possible with the Evo Windows Secure Login agent.

• Download MSI package
• Scripted installation
• Single workstation installation
• Test Connection
• Modify Configuration
• Uninstall

How to download the MSI agent

1. From the left nav menu, select My Company. Alternatively, select Customers and and choose a customer from the list.
2. Select Applications from the left nav menu.
3. Click the Windows Desktop card.
4. Click Download Evo Windows Login Agent.
5. Select the download location for the file, C:/Downloads may be the default location.

How to install the agent with a script

Now that the MSI package has been downloaded there are few ways you can proceed with installing the agent.

• Deploy via Group Policy Objects
• Deploy via PowerShell
• Deploy via Silent Install
• Deploy via VBScript

How to install the agent on a single desktop

Rather than scripting the installation, you can simply complete the installation on a case-by-case basis by following the installation wizard.

These instructions assume:

• Windows Server 2012r2 or higher.
• Windows Desktop 10 or higher.

For this installation you will need the following information handy. (1) Your Evo URL and (2) Evo directory name.

1. From the workstation the agent is to be installed. Open an explorer window and navigate to where the downloaded file was saved (e.g.: C:\Downloads).
2. Double-click the MSI file (EvoCredentialProviderSetup.msi) downloaded.
3. Click More info.
4. Click Run Anyway.
5. Click Next.
6. Check I accept the terms of the License Agreement.
7. Click Next.
8. Optionally, to force all workstation logins go through Evo Secure Login only. Click Evo Login Only.
9. Click Will be installed on local hard drive.
   
10. Click Next.
11. In the Environment URL field, enter your Evo domain. 
    1. Be sure to include the https:// and remove the trailing / at the end of the url. It should look like such - https://yourenvironment.evosecurity.com
12. In the Evo Directory field, enter the associated Evo Directory (For an EvoCloud directory, append '_local' to the directory).
13. In the Fail-safe user field, enter a backup user that can login to the workstation. This is usually a local administrative account, or a privileged account that you know the credentials to. This user will have the capability to by-pass the Evo login.
14. Select the appropriate Authentication Mode.
    1. End User Only > Will only allow for a regular user (non-Elevated) to login.
    2. Elevated Only > Will only allow Elevated users to login.
    3. Both > Will allow for either an end user or elevated user to login. (Recommended option)
15. If you have selected Elevated Only or Both. You will need to enter a an Access token and Secret key (*) as generated within your Evo portal. (Access > Access tokens > Create Access Token> Copy > Done). Copy and paste those new credentials. DO NOTE: The admin must have access to the role that generates the Access Tokens. The role is "Access token". For more information on Access Tokens, please visit this article - https://support.evosecurity.com/hc/en-us/articles/10117446354971

16. Select an MFA Grace Period (optional) for user lockout. More about how the MFA Grace period works here - https://support.evosecurity.com/hc/en-us/articles/5578807994651-Evo-Secure-Login-for-Windows

17. Click Next.

18. Click Install.

19. Click Finish.

(*) If you generate a new shared key, you will need to update the key on the Evo Secure Login app for Windows where it has been previously configured. See How to modify the configuration.

*Windows Server 2012 Differences*

Functionality and User Interface, there is no difference between using 2012 and 2016/19. The limitation appears during the UAC prompt. The 2012 UAC prompt DOES NOT support push notifications, only the Login/unlock. The other difference is during installation. Windows server 2012 enables TLS 1.2 client protocols if they have not been abled before. When uninstalling, this will NOT remove the enabled protocols, so they much be disabled manually. 

How to test the connection

Now that you’ve completed the installation, it is always a good idea to test that things are working as expected.

1. From Windows Explorer, navigate to C:\Program Files\EvoSecurity\EvoSecureLogin.
2. Double-click the EvoSettingsEditor.exe file.
3. Click Test Connection.
4. Enter the username for a user synced with Evo.
5. Click Connect.
6. If test was successful, close the settings editor.
7. If errors were encountered, close the test connect screen. And confirm the settings. Update where appropriate and click Apply.
8. Repeat steps 3-5 to retest the connection.

If the test connection continues to fail, please contact Evo Support for assistance. To ensure that your users aren’t locked out, we recommend uninstalling the agent temporarily and walking through the process with our support team.

How to modify the configuration

Modifying the configuration of the Evo Secure Login for Windows has never been easier.

1. From Windows Explorer, navigate to C:\Program Files\EvoSecurity\EvoSecureLogin.
2. Double-click the exe file.
3. Make the edits you want.
4. Click Apply.

How do uninstall the agent

You can uninstall the application from Add or Remove Programs. Locate Evo Secure Login, click Uninstall.

Or if you still have the MSI package available, you can double-click the package and follow the uninstall wizard (Next > Remove > Remove > OK > Finish).