Protect local Windows login per server

Can 2FA be enforced per endpoint? I.e., users 1, 2, & 3 should have 2FA to log in to server A. Users 4, 5, & 6 should bypass 2FA on server A. Just the opposite for server B: users 1, 2, & 3 should bypass 2FA while users 4, 5, & 6 should have 2FA.

You can accomplish something like this with group policy on the application. Here is an example (I have assumed you are installing Duo Authentication for Windows Logon).

  1. Create a Microsoft RDP application for ServerA and apply a group policy to that application that has authentication policy set to bypass 2FA and target a group containing users 4, 5, and 6. Install Duo on ServerA using this application’s keys.

  2. Create another Microsoft RDP application for ServerB and apply a group policy to that application that has authentication policy set to bypass 2FA and target a group containing users 1, 2, and 3. Install Duo on ServerB using this application’s keys.

Net effect: all users that exist in Duo must 2FA at ServerA except 4, 5, and 6; all users that exist in Duo must 2FA at ServerB except 1, 2, and 3.