Partial enforcement of a server (e.g. Exchange) with "Forced 2-factor Processes"
Sometimes Group Policy isn't granular enough to enforce what you need on a server. (If your AuthLite users have on-premises Exchange mailboxes for example, and need ActiveSync access to them.)
So we need a way to enforce only some processes on a machine. This is accomplished by configuring the “Forced 2-Factor Processes” list on the server. Each string you enter will be matched against the command-line of the calling process. If there is a match, then two-factor authentication will be enforced for AuthLite users for that process.
Note: This feature is configured on each member server independently.
Note: You should use Group Policy instead of this feature, in most cases.
To enforce two-factor authentication for the server when Remote Desktop is used, select that checkbox.
Certain services may perform authentication inside the Windows kernel, thus there is a checkbox to force these processes to require 2-factor for AuthLite users.