How to check Microsoft Windows Group Policy Objects (GPOs) for RSA MFA Agents
9 days ago
Article Number
000073295
Applies To

RSA ID Plus

RSA SecurID

RSA MFA Agent for Microsoft Windows: v2.3 and later

RSA MFA Agent for Microsoft IIS: v9.0 and later

RSA MFA Agent for Microsoft AD FS: v3.0 and later

RSA MFA Agent for Epic Hyperdrive: v2.0 and later

Issue

This article explains how to check which RSA MFA Agent GPO policies have been applied to a Microsoft Windows computer.

Tasks

On the machine with the RSA MFA Agent that you want to check:

  1. From Windows PowerShell (run as Admin): If it is a domain-attached computer, fetch the most recent GPO settings from the domain controller and apply them to the local computer.

gpupdate /force

  2. From Windows PowerShell (run as Admin): Generate an HTML report file showing the current GPO settings applied to the computer.

gpresult /scope computer /h folder\gpresult.html

where folder should be the name of any folder on the machine where the gpresult.html file should be saved, e.g. c:\temp. If folder has spaces in it, use double-quotes, e.g.

gpresult /scope computer /h "c:\Users\My Name\Downloads\gpresult.html"

  3. In Windows File Explorer, navigate to folder, then double-click the gpresult.html file. The file will open in the default web browser.
  4. When viewing the gpresult.html file in a web browser, use the Show and Hide links on the right to expand and close sections in the file. RSA MFA Agent GPO settings should be under Computer Details > Settings > Policies > Administrative Templates, in a subsection with a name related to the type of MFA Agent, e.g. RSA Desktop, RSA MFA Agent for AD FS, etc. The Winning GPO column on the right of each setting shows where the machine got that GPO setting from (local or a domain policy).
  5. Click any RSA policy name to see a pop-up help window for the policy.
  6. To find where the machine is getting all applied GPO settings from, look under Computer Details > Group Policy Objects > Applied GPOs.
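
The same check as the steps above in scripted form, as an added example that is not part of the RSA article or RSA's tooling: it writes the report as XML with gpresult /x and lists each policy whose category name contains RSA, together with its winning GPO. The temp-file path and the element names in the XPath (Policy, Category, Name, State, GPO/Identifier) are assumptions about the gpresult XML report layout, so compare the output against gpresult.html on first use.

```powershell
# Added example. Run from Windows PowerShell (run as Admin).
# Assumption: element names below follow the gpresult XML report layout.
$report = Join-Path $env:TEMP 'gpresult.xml'    # assumed output path

gpupdate /force | Out-Null
gpresult /scope computer /x $report /f           # /x = XML report, /f = overwrite
if ($LASTEXITCODE -ne 0) { throw "gpresult exited with code $LASTEXITCODE" }

$rsop = New-Object System.Xml.XmlDocument
$rsop.Load($report)                              # honours the file's declared encoding

# local-name() keeps the XPath independent of the report's namespace prefixes.
function Get-Text($node, [string]$xpath) {
    $hit = $node.SelectSingleNode($xpath)
    if ($hit) { $hit.InnerText.Trim() } else { '' }
}

# Applied GPOs: map each GPO identifier to its display name.
$gpoName = @{}
foreach ($g in $rsop.SelectNodes("//*[local-name()='ComputerResults']/*[local-name()='GPO']")) {
    $id = Get-Text $g "*[local-name()='Path']/*[local-name()='Identifier']"
    if ($id) { $gpoName[$id] = Get-Text $g "*[local-name()='Name']" }
}

# Administrative Templates policies whose category mentions RSA.
$rows = foreach ($p in $rsop.SelectNodes("//*[local-name()='ComputerResults']//*[local-name()='Policy']")) {
    $category = Get-Text $p "*[local-name()='Category']"
    if ($category -cnotmatch '\bRSA\b') { continue }
    $id = Get-Text $p "*[local-name()='GPO']/*[local-name()='Identifier']"
    [pscustomobject]@{
        Category   = $category
        Setting    = Get-Text $p "*[local-name()='Name']"
        State      = Get-Text $p "*[local-name()='State']"
        WinningGPO = if ($gpoName.ContainsKey($id)) { $gpoName[$id] } else { $id }
    }
}

if ($rows) {
    $rows | Sort-Object Category, Setting | Format-Table -AutoSize -Wrap
    # More than one distinct source means the agent's settings are split across GPOs.
    $rows | Group-Object WinningGPO | Select-Object Count, Name | Format-Table -AutoSize
} else {
    Write-Warning 'No RSA policy categories found in the computer-scope results.'
}
```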


Resolution

When requesting RSA Support assistance with Microsoft Windows-based RSA MFA Agent issues, consider sending to Support the gpresult.html file from an affected machine.

Notes

The report will show which MFA Agent settings have been applied to the computer and where the settings came from. Note:

  • GPOs include configurations for both computer and user-specific settings. RSA MFA Agents, however, only use Computer settings in GPO.
  • The report will include all GPO settings applied to the computer, not just settings for the RSA MFA Agent.
  • GPO is not used by Microsoft Entra ID-only joined/registered devices. RSA MFA Agents running in that environment (where supported) are configured with alternate tools. Refer to your RSA MFA Agent Installation & Configuration Guide.
  • RSA MFA Agent settings may not all come from the same GPO. GPO Policy scope (local, site, domain, organizational unit) and Microsoft's GPO processing rules determine which settings in GPO are applied to a computer. Microsoft's Group Policy processing page explains that Group Policy Objects (GPO) are applied to a computer in the following order:
    1. The local GPO is applied.
    2. GPOs linked to sites are applied.
    3. GPOs linked to domains are applied.
    4. GPOs linked to organizational units (OUs) are applied. In a nested OU structure, GPOs linked to parent OUs are applied first, followed by GPOs linked to the child OUs.

The sequence of GPO processing is crucial because each subsequent policy application can override settings applied by earlier policies.

Because this processing is applied to each GPO setting individually, the GPO settings applied to a computer may not all have come from the same GPO source. When troubleshooting unexpected MFA Agent behaviour, it is therefore important to generate a GPO report, because it shows not just what is configured but where each setting came from (GPO on the local computer or a site, domain, or organizational unit in Active Directory).

Some Microsoft Group Policy references:

For information about GPO template deployment and settings for RSA MFA Agents, refer to the RSA MFA Agent Group Policy Object Template Guide manual for your RSA MFA Agent version: