Knowledge Base

Bitte , um Beiträge und Themen zu erstellen.

Duo Authentication for Windows Logon and RDP - FAQ

https://duo.com/docs/rdp-faq

General

Are there any issues installing Duo for Windows Logon on Active Directory domain controllers?

There was an issue seen with Duo Authentication for Windows Logon and RDversion 4.1.0, on Active Directory domain controllers that may trigger user lockouts. Version 4.1.1, released July 13, 2020, first corrected this issue and is suitable for installation on domain controllers, member servers, and workstations. We recommend first updating any domain controllers with 4.1.0 installed to 4.1.1 before then attempting to install the latest available version of Duo for Windows Logon.

Does Duo Authentication for Windows Logon support offline multifactor authentication?

Yes, MFA using a Duo Mobile passcode or supported U2F security key while a Windows system is unable to reach Duo's service is supported in version 4.0 and later. Learn more about offline access.

Which security keys are compatible with offline access with MFA?

Offline access for Windows Logon works with these security keys:

  • Yubico brand keys supporting U2F/FIDO2
  • Google Titan
  • Feitian ePass FIDO
  • Thetis FIDO

HyperFIDO tokens are not supported for offline access activation, nor are simple OTP passcode tokens or Duo D-100 hardware tokens.

Is it possible to use the same authentication device for both online and offline Windows Logon?

Yes, you may use these authentication devices for both online and offline access with a single device:

  • An Android or iOS device with Duo Mobile activated for both online and offline 2FA.
  • A hardware token that supports both OTP and U2F (like the YubiKey 5 series).

Learn more.

Does Duo support Windows 11 and Windows Server 2022?

Yes, Duo for Windows Logon version 4.2.0 and later support Windows 11 64-bit clients and Windows Server 2022 full desktop GUI and core installs.

Nano (headless) installs remain unsupported.

Does Duo support Windows 10?

Duo Authentication for Windows Logon versions 1.2 and later support Windows 10.

We strongly recommend that you either uninstall Duo version 1.1.8 and older from your Windows PC or upgrade Duo to version 1.2 or later before upgrading your PC to Windows 10. If you do not update or remove Duo first you may not be able to log in to your computer after the OS upgrade completes.

If you find yourself unable to log in to Windows 10 with Duo installed, you can boot into Safe Mode and uninstall the Duo Credential Provider.

Does Duo support Windows Server 2016 or 2019?

Yes, Server 2016 full desktop GUI and core installs are supported starting with version 2.1.0. Duo for Windows Logon version 4.0.0 adds Server 2019 support.

Nano (headless) installs are not supported.

Does Duo support Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2?

Microsoft ended support for Windows Vista on April 11, 2017, and ended support for Windows 7, 2008, and 2008 R2 on January 14, 2020. Duo no longer supports installation of any Duo applications on these operating systems. We strongly urge you to upgrade to a supported version of Windows.

Can I use Duo with a Microsoft account?

Important Note for Windows 10 with the Fall Creators Update

There is a known issue with using Duo authentication and Microsoft/Live accounts after installing the Windows 10 Fall Creators Update (version 1709) released 10/17/17.

As a temporary workaround, you can allow the Windows Live credential provider, which restores the login prompt for Microsoft and Live.com accounts.

With this workaround in place, Microsoft and Live.com account users log in without Duo 2FA! Domain and local accounts still require Duo authentication.

To enable the Windows Live credential provider for Microsoft and Live.com accounts, use the Registry Editor (regedit.exe) with administrator privileges to create (or update) the following registry values:

Location: HKLM\SOFTWARE\Duo Security\DuoCredProv:

Registry Value Type Description
ProvidersWhitelist <class="keyword">REG_MULTI_SZ</class="keyword"> <class="keyword">{F8A0B131-5F68-486C-8040-7E8FC3C85BB6}</class="keyword">

For Windows systems not running the Windows 10 version 1709 update, you can authenticate with Duo Authentication for Windows Logon using a Microsoft attached account on a standalone system if you enable the local group policy setting "Interactive logon: Do not display last user name" and enroll the username of the Microsoft account in Duo.

To edit your local policy (must be a local administrator):

  1. Run the command gpedit.msc to open the Local Group Policy Editor.
  2. Navigate to Local Computer Policy → Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options.
  3. Double-click the Interactive logon: Do not display last user name setting.
  4. Select Enabled and click OK.
  5. Close the Local Group Policy Editor window.

You can also enable the setting via the registry. Create a new DWORD value dontdisplaylastusername set to 1 at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.

With this setting enabled you receive the "Other user" login dialog, where you can input your Microsoft account credentials.

On a domain-joined workstation this setting may be controlled by your administrator.

To determine the username of the Microsoft account on a Windows 10 computer, open the Windows User Manager (lusrmgr.msc), locate the Microsoft account in the list, and look at the Name field for that user. The Name value of the Microsoft account won't be the full e-mail address that you use to sign in, but instead will be shown as a portion of the local part of the email address (the information before the @ symbol). When you have found the Name value for the Microsoft account, enroll that account in Duo. If you do not enroll the account in Duo with the correct username you may not be able to complete log in with the Microsoft account.

What logon interfaces can Duo protect?

Duo Authentication for Windows Logon provides two-factor authentication for RDP and local console logons, and credentialed UAC elevation prompts (e.g. Right-click + "Run as administrator").

Duo's Windows Logon client does not add a secondary authentication prompt to the following logon types:

  • Shift + right-click "Run as different user"
  • PowerShell "Enter-PsSession" or "Invoke-Command" cmdlets
  • Non-interactive logons (i.e. Log on as a Service, Log on as Batch, Scheduled Tasks, drive mappings, etc.)
  • Pre-Logon Access Providers (PLAPs) such as Windows Always On VPN
  • RDP Restricted Admin Mode

How does Duo Authentication for Windows Logon work with NLA (Network Level Authentication)?

Network Level Authentication (NLA) for Remote Desktop Connection is an optional security feature available in Windows Vista and later. When NLA is enabled, remote connections pre-authenticate to the remote system when the RDP client connects before displaying a full remote session. When NLA is disabled, the Windows username and password is entered within the RDP client session after connecting.

When Duo Authentication for Windows Logon is installed on a system where NLA is enabled the RDP client prompts for the Windows username and password in a local system dialog. That information is used to connect to the remote system and passed through to the Remote Desktop manager. Once the RDP client has completed primary authentication the full Remote Desktop session is displayed, and the Duo Security prompt appears for two-factor authentication.

When Duo Authentication for Windows Logon is installed on a system where NLA is not required a full Remote Desktop session is displayed when the RDP client connects to the remote system. The Windows username and password are entered in the Remote Desktop window, and after the logon information is accepted the Duo Security prompt appears for two-factor authentication.

There are some security advantages to enabling NLA, but one of the drawbacks is that users with expired passwords are prevented from logging on to the remote system. More information about NLA and RDP can be found at the Microsoft site and on Wikipedia.

Does Duo Authentication for Windows Logon support web proxying?

Duo can use the HTTPS proxy server configured in your system-wide WinHTTP settings. Configure the proxy server(s) used by WinHTTP with the netsh command.

Duo Authentication version 2.0.0.71 and later also support proxying only Duo authentication traffic. Refer to the instructions for configuring a Duo only proxy.

Does Duo Authentication for Windows Logon work with third-party disk encryption software or other credential providers?

Duo's credential provider cannot be chained with other credential providers present on your system. Disk encryption software that stores the Windows username and password provided before boot may no longer use those credentials to automatically log on to Windows.

Duo Authentication for Windows Logon version 2.1.0 permits use of the Windows smart card login provider as an alternative to Duo, meaning that users may choose to authenticate with either Duo 2FA or a PIV/CAC card. Duo for Windows Logon v3.1.0 adds support for smart cards logon with Duo 2FA at the local console.

Does Duo support Windows XP or Windows 2003?

Microsoft ended support for Windows XP on April 8, 2014 and for Windows Server 2003 on July 14, 2015. The last Duo release with XP and 2003 compatibility was version 1.1.8. Duo no longer supports any applications on Windows XP or Server 2003. We strongly urge you to upgrade to a supported version of Windows.

Are there any known issues with Windows 2003 and XP?

Duo's legacy Windows Logon (RDP) integration for Windows 2003 and XP contained the following limitations:

  • A reboot is required after installing or uninstalling the Duo Windows Logon integration.
  • A password may be changed from the Windows password expiration warning dialog or the password expired prompt without first completing two-factor authentication.

Duo no longer supports any applications on Windows XP or Server 2003. We urge you to upgrade to a supported version of Windows.

Install and Uninstall

Can I silently install Duo Authentication for Windows Logon from a command line or PowerShell?

Yes, you can run the .exe or .msi installers from PowerShell or the Command Prompt. This has no required parameters, but if you do not supply the IKEYSKEY, and HOST values from the command line make sure you have a Windows group policy object applying values for those settings, or make them present in the registry using another method, or the Duo for Windows Logon application will not function.

Enter the following command into PowerShell or a Command Prompt to silently install Duo Security with automatic push on, fail open enabled, smart cards disabled, and protecting both RDP and console logons:

duo-win-login-4.0.2.exe /S /V" /qn IKEY="DIXXXXXXXXXXXXXXXXXXXX" SKEY="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" HOST="api-xxxxxxxx.duosecurity.com" AUTOPUSH="#1" FAILOPEN="#1" SMARTCARD="#0" RDPONLY="#0""

Note that the parameter names passed to the installer (IKEY, SKEY, HOST, etc.) are case-sensitive!

The following table lists all the parameters and options that may be set via the command line installer (as of v4.0.2), noting default values if not specified in the command.

Setting Description Default
IKEY Your Duo RDP application's integration key. Blank; product will not function
SKEY Your Duo RDP application's secret key. Blank; product will not function
HOST Your Duo API hostname. Blank; product will not function
AUTOPUSH 1 to automatically send a push request, or 0 to disable automatic push. 0
FAILOPEN 1 to allow access when Duo's service is unreachable, or 0 to block access without Duo MFA. 1
RDPONLY 1 to only require Duo for remote logons, or 0 to require Duo for console and RDP logons. 0
SMARTCARD 1 to allow smart card login as an alternative to Duo, or 0 to disable the Windows smart card provider. 0
WRAPSMARTCARD 1 to require Duo after smart card primary logon at the local console, or 0 to allow smart card logon without Duo approval afterward. 0
ENABLEOFFLINE 1 to enable offline access (subject to the configuration in the Admin Panel), or 0 to completely disable offline access on the target system. 1
USERNAMEFORMAT The username format sent to Duo. One of: 0 for sAMAccountName (narroway), 1 for the NTLM domain and username (ACME\narroway), or 2 for the userPrincipalName (narroway@acme.corp). 1
PROXYHOST The hostname or IP address of an upstream HTTP proxy server for Duo communications Not set
PROXYPORT The port for HTTP proxy communications. Not set
LOGFILE_MAXCOUNT Number of rotated log files to be maintained. Not set
LOGFILE_MAXSIZEMB Size of rotated log file to be maintained in megabytes (MB). Not set
UAC_PROTECTMODE 0 to respect existing Duo authentication settings for logon, 1 to disable Duo at logon and only prompt during User Elevation, or 2 to enforce Duo 2FA at both logon and User elevation. 0
UAC_OFFLINE 1 to enable offline access for User Elevation, or 0 to disable offline access for User Elevation. 1
UAC_OFFLINE_ENROLL 1 to enable offline access enrollment during User Elevation, or 0 to prevent Offline Enrollment during User Elevation. 1

When specifying a value for one of the DWORD options (a value of 01, or 2), be sure to prefix it with a pound sign #, e.g. RDPONLY=#1.

This performs the install with the same settings in the previous example from the command line with Windows Installer (msiexec), using the 64-bit MSI installer included in the Duo Authentication for Windows Logon Group Policy MSI installers, template files, and documentation package. View checksums for Duo downloads here.

msiexec.exe /i DuoWindowsLogon64.msi IKEY="Integration Key" SKEY="Secret Key" HOST="API Hostname" AUTOPUSH="#1" FAILOPEN="#1" SMARTCARD="#0" RDPONLY="#0" /qn

The MSI installers and properties can also be used to create a transform file for use with with Active Directory Group Policy Software Publishing or other automated software deployment utilities. See the Duo Authentication for Windows Logon Group Policy documentation for more information.

Can I silently upgrade Duo Authentication for Windows Logon from a command line?

Enter the following command into a Command Prompt to silently upgrade an existing Duo installation using the MSI of a newer version, preserving the current integration information and installed options (as of v4.0.2):

msiexec.exe /qn /i "DuoWindowsLogon64.msi"

For MSI upgrade installs of releases prior to v4.0.2, and to upgrade from v4.1.0 to 4.1.1 or later, include the options shown in this command:

msiexec.exe /quiet /i "DuoWindowsLogon64.msi" REINSTALL=ALL REINSTALLMODE=vomus IS_MINOR_UPGRADE=1

To silently upgrade using a newer installer executable, enter this command:

duo-win-login-4.1.3.exe /S /v/qn

Can I silently uninstall Duo Authentication for Windows Logon from a command line or PowerShell?

Enter the following command into PowerShell or a Command Prompt to silently uninstall Duo for Windows Logon using the same version of the installer executable that you have installed on the system (so this example uses the v4.1.3 installer to remove v4.1.3 from the system):

duo-win-login-4.1.3.exe /S /v/qn /X

If you no longer have the same installer executable that matches the Duo installation you wish to remove, use msiexec to perform the uninstall. You will first need to determine the correct product code GUID for your installed version:

  1. Launch the Registry Editor (regedit.exe).
  2. Navigate down the tree to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall.
  3. Examine the GUID keys until you locate the key with the DisplayName value of "Duo Authentication for Windows Logon".
  4. Copy the UninstallString value for the Duo Authentication for Windows Logon product from the registry (for example: MsiExec.exe /X{BD789CFF-3C7A-4533-90F3-A3E5190A9D43}).
  5. Use the information from the registry to construct your silent msi uninstall command:
    MsiExec.exe /qn /x {BD789CFF-3C7A-4533-90F3-A3E5190A9D43}

Can I deploy or configure Duo Authentication for Windows Logon using Group Policy?

Yes. Please refer to the Duo Authentication for Windows Logon Group Policy documentation.

How do I disable or uninstall Duo Authentication for Windows Logon in Safe Mode?

To disable Duo's credential provider on Windows after booting in Safe Mode, run the following from an elevated command prompt:

Versions 1.2.0.14 and earlier

regsvr32 /u "C:\Program Files\Duo Security\DuoCredProv\DuoCredProv.dll"
regsvr32 /u "C:\Program Files\Duo Security\DuoCredProv\DuoCredFilter.dll"

Version 2.0.0 and later

regsvr32 /u "C:\Program Files\Duo Security\WindowsLogon\DuoCredProv.dll"
regsvr32 /u "C:\Program Files\Duo Security\WindowsLogon\DuoCredFilter.dll"

You can also uninstall the Duo Windows Logon integration while still in safe mode with a registry change and a service start.

  1. When booted into safe mode, launch the Registry Editor (regedit.exe).
  2. Drill down into the HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal registry hive (if you are booted into regular safe mode) or down to HKLM\System\CurrentControlSet\Control\SafeBoot\Network (if you are booted into safe mode with networking).
  3. Right-click the Minimal or Network registry key (as appropriate for your currently booted mode) and click New → Key on the context menu. Name the new key MSIServer.
  4. From an elevated command prompt, run the command net start msiserver.
  5. You can now use Programs and Features on the Windows Control Panel to uninstall the Duo application.

For more information about Safe Mode refer to the instructions for your operating system: Windows 10Windows 8/8.1 and 2012/2012 R2.

Windows 10 users may need the BitLocker recovery key in order to boot the system into safe mode. If you don't have it available, use one of Microsoft's recommendations to locate it.

Configuration

Where are the Duo for Windows Logon settings stored in the registry?

Duo Authentication for Windows Logon stores the installation settings in the registry at HKLM\Software\Duo Security\DuoCredProv.

If you're managing the Duo client configuration with Windows Group Policy, then any setting configured by a GPO is stored as a registry value in HKLM\Software\Policies\Duo Security\DuoCredProv, and overrides the same setting configured at the default registry location.

Since GPO settings get reapplied periodically at the client system, any permanent changes to a setting configured via group policy should be made by editing the GPO to update the setting with the new value, not by updating the client registry.

How does offline access in Duo for Windows Logon interact with fail mode?

Enabling offline access on the RDP v4.0 or later application overrides the configured fail mode setting for users who activate offline access.

Users who have not activated offline access are subject to the fail mode setting e.g. if set to fail open, a user who did not activate offline access would be able to log in without completing Duo offline authentication. Disable "fail open" if you want to prevent users who did not activate offline access from logging in when the computer is offline.

How can I configure the fail mode?

By default, Duo Authentication for Windows Logon will "fail open" and permit the Windows logon to continue if it is unable to contact the Duo service. You can set the fail mode during installation to "fail closed" by deselecting the "Bypass Duo authentication when offline" box during installation. This will deny all login attempts if there is a problem contacting the Duo service.

To change the fail mode after installation, use the Registry Editor (regedit.exe) with administrator privileges to create or update the following registry value:

Location: HKLM\SOFTWARE\Duo Security\DuoCredProv:

Registry Value Type Description
FailOpen <class="keyword">DWORD</class="keyword"> Set to 1 to allow "fail open" for all users or 0 to restrict to "fail closed" (except for users who have activated offline access in v4.0 or later). Default: Fail open.

If the Duo settings are managed by Windows Group Policy, those settings override any changes made via regedit. Update the "Duo Service: Fail Open if Unable to Contact Duo" setting in the GPO instead.

When modifying the FailOpen registry value on a Windows 2003 or XP system a reboot is required to make the change effective.

How can I configure automatic push?

When automatic push is enabled, Duo Authentication for Windows Logon automatically sends a push notification to the Duo Mobile app or a phone call to the user's default device submitting the Windows username and password. This is the installation default. You can choose to disable automatic push by deselecting the "Use automatic push to authenticate if available" box during installation.

To change the automatic push behavior after installation, use the Registry Editor (regedit.exe) with administrator privileges to create or update the following registry value:

Location: HKLM\SOFTWARE\Duo Security\DuoCredProv:

Registry Value Type Description
AutoPush <class="keyword">DWORD</class="keyword"> Set to 0 to disable automatic push or 1 to enable it.

If the Duo settings are managed by Windows Group Policy, those settings override any changes made via regedit. Update the "Client: Enable Auto Push" setting in the GPO instead.

When automatic push is disabled, Duo does not request logon verification until the user submits the name of an authentication factor at the Duo Authentication prompt.

How do I enable debug logging?

To enable debug logging, use the Registry Editor (regedit.exe) with administrator privileges to create the following registry value:

Location: HKLM\SOFTWARE\Duo Security\DuoCredProv:

Registry Value Type Description
Debug <class="keyword">DWORD</class="keyword"> Set to 1 to enable debug logging. Default: No debug logging.

If the Duo settings are managed by Windows Group Policy, those settings override any changes made via regedit. Update the "Enable Debug Logging" setting in the GPO instead to enable debug logging globally, or if you just need to temporarily enable it to capture an issue update the HKLM\Software\Policies\Duo Security\DuoCredProv\debug registry value as well (this may be reverted at the client's next GPO refresh).

The log file location is %PROGRAMDATA%\Duo Security\duo.log for version 1.1.8 and later, and %ProgramFiles%\Duo Security\DuoCredProv\duo.log for version 1.1.7 and earlier.

How can I configure log file rotation?

By default, Duo Authentication for Windows Logon will not rotate log files.

Version 4.0.6 and later supports log file rotation. To configure the log file rotation, use the Registry Editor (regedit.exe) with administrator privileges to create the following registry values:

Location: HKLM\SOFTWARE\Duo Security\DuoCredProv:

Registry Value Type Description
LogFileMaxSizeMB <class="keyword">DWORD</class="keyword"> Set the size of log file to be maintained in megabytes (MB). Minimum Value: 1 Maximum Value: 4096 (decimal)
LogFileMaxCount <class="keyword">DWORD</class="keyword"> Set the number of log files to be maintained on disk. Minimum Vale: 1 Maximum Value: 100 (decimal)

Both registry keys must be created and set to a value greater than 0 to enable rotation. Backup logs will increment starting at duo00.log through duo99.log. Log may be slightly larger than the defined size to ensure an authentication in-process is not split across log files.

Example setting: LogFileMaxSizeMB to 1 and LogFileMaxCount to 1 will result in Duo.log coexisting with duo00.log, both with a maximum size of 1MB.

Can Duo protect local console logins in Windows?

Yes, Duo Authentication for Windows Logon does provide protection for local console logins. However, it can be difficult to prevent an attacker with physical access to a system from compromising it. In particular, there are two significant threats you should take care to address:

  • Duo Authentication for Windows Logon can be bypassed by rebooting a Windows system into Safe Mode. To limit the effect of this, you should prevent all but a select group of users from logging in while Windows is running in Safe Mode (for example, via the registry DWORD value HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\SafeModeBlockNonAdmins set to 1).
  • By default, the RDP integration will "fail open" if it is unable to contact the Duo service. A user with local console access might be able to disrupt a machine's network connectivity (e.g. by unplugging an ethernet cord), thereby bypassing Duo authentication.

    You can set the fail mode during installation to "fail close" by deselecting the "Bypass Duo authentication when offline" box in the Duo installer, or by configuring the Registry DWORD value HKLM\Software\Duo Security\DuoCredProv\FailOpen set to 0 to "fail closed". This will deny all login attempts if there is a problem contacting the Duo service.

To enable Duo authentication for both local console and RDP logins, clear the "Only prompt for Duo authentication when logging in via RDP" box during installation.

To change which logon connections are required to use Duo after installation, use the Registry Editor (regedit.exe) with administrator privileges to create or update the following registry value:

Location: HKLM\SOFTWARE\Duo Security\DuoCredProv:

Registry Value Type Description
RdpOnly <class="keyword">DWORD</class="keyword"> Set to 0 to protect both RDP and local console logons or 1 to protect RDP logons only.

If the Duo settings are managed by Windows Group Policy, those settings override any changes made via regedit. Update the "Client: Limit Two-Factor to RDP Logons Only" setting in the GPO instead.

Can I choose which username attribute gets sent to Duo?

Duo Authentication for Windows Logon defaults to sending the username in NTLM (or msDS-PrincipalName) e.g. DOMAIN\username to Duo's cloud service as the Duo username. However, when you create your RDP application in Duo, the "Username normalization" option defaults to "Simple" normalization, so that Duo ignores anything preceding a backslash or after an at symbol in the username received in a logon request. This means Duo treats "narroway", "ACME\narroway", and "narroway@acme.local" as the same "narroway" user in Duo. Therefore, with the default username settings applied at both the Windows client and to the RDP application in Duo, we try to match the username only when looking for an existing user; essentially matching the sAMAccountName.

If the username sent to Duo by our Windows Logon application doesn't match an existing Duo username, the user can't complete Duo authentication. This causes issues when an organization has already enrolled Duo users with a different username format, like userPrincipalName (UPN).

Duo Authentication for Windows Logon version 3.1 and later allows specifying which Windows username attribute is sent to Duo's service when authenticating.

To change which Windows username attribute gets sent to Duo, use the Registry Editor (regedit.exe) with administrator privileges to create or update the following registry value:

Location: HKLM\SOFTWARE\Duo Security\DuoCredProv:

Registry Value Type Description
UsernameFormatForService <class="keyword">DWORD</class="keyword"> Set to 0 to send the sAMAccountName as the Duo username (e.g. "narroway").

Set to 1 to send the NTLM domain and username as the Duo username (e.g. "ACME\narroway"). This is the default installation setting.

Set to 2 to send the userPrincipalName as the Duo username (e.g. "narroway@acme.local").

If the Duo settings are managed by Windows Group Policy, those settings override any changes made via regedit. Update the "Duo Service: Specify format of username sent to Duo service" setting in the GPO instead.

If you want Duo for Windows Logon to send the NTLM or UPN username formats to Duo, and your Duo usernames or aliases are also NTLM or UPN format, then be sure to log in to the Duo Admin Panel and change the "Username normalization" option for your RDP integration from "Simple" to "None".

Whichever username format you choose, ensure that a matching username or username alias exists in Duo.

Can Duo protect Remote Desktop Connection logons only?

It is possible to only enable Duo authentication for RDP sessions (and not local console logins). This can be set during the installation by checking the "Only prompt for Duo authentication when logging in via RDP" box.

To change which logon connections are required to use Duo after installation, use the Registry Editor (regedit.exe) with administrator privileges to create or update the following registry value:

Location: HKLM\SOFTWARE\Duo Security\DuoCredProv:

Registry Value Type Description
RdpOnly <class="keyword">DWORD</class="keyword"> Set to 1 to protect RDP logons only or 0 to protect both RDP and local console logons.

If the Duo settings are managed by Windows Group Policy, those settings override any changes made via regedit. Update the "Client: Limit Two-Factor to RDP Logons Only" setting in the GPO instead.

When modifying the RdpOnly registry value on a Windows 2003 or XP system a reboot may be required to make the change effective.

Is it possible to use a web proxy only for Duo Authentication for Windows Logon traffic?

Yes, Duo Authentication for Windows Logon version 2.0.0.71 and later supports proxying only Duo authentication traffic. This can be set during the installation by checking the "Configure manual proxy for Duo traffic" box and entering your proxy host and port information.

To change the HTTP proxy settings for the Duo application after installation, use the Registry Editor (regedit.exe) with administrator privileges to create or update the following registry value:

Location: HKLM\SOFTWARE\Duo Security\DuoCredProv:

Registry Value Type Description
HttpProxyHost <class="keyword">String</class="keyword"> Hostname or IP address of an HTTP proxy. If set, will be used for communicating with Duo Security's service. Must support the CONNECT protocol. Default: do not use a proxy.
HttpProxyPort <class="keyword">DWORD</class="keyword"> Port to connect to on http_proxy_host. Enter port number as decimal. Default: '80'.

If the Duo settings are managed by Windows Group Policy, those settings override any changes made via regedit. Update the "Duo Service: HTTP Proxy Hostname" and "Duo Service: HTTP Proxy Port" settings in the GPO instead.

If you do not already have an HTTP proxy deployed on your network you can use the Duo Authentication Proxy application to act as an HTTP proxy for Duo Windows Logon client connections. Install the Authentication Proxy on a server in your network that has direct internet access, add the HTTP proxy settings to the Authentication proxy configuration, and then update the Duo for Windows Logon proxy settings to point to that Authentication Proxy. See the HTTP Proxy instructions in the Authentication Proxy Reference for more information.

How do I allow smart card login instead of Duo Authentication?

Duo Authentication for Windows Logon v2.1.0 and later permits use of the Windows smart card login provider as an alternative to Duo. When this is enabled, user may choose to log on with either the built-in Windows smart card authentication and a DOD CAC or other PIV card, or with Windows primary username and password credentials followed by Duo two-factor authentication.

You can turn on smart card login during a clean install of Duo for Windows Logon by selecting the "Enable Smart card support" option followed by selecting "Enable smart card login without Duo" in the installer.

To enable smart card support after upgrading or installing v2.1.0 or later, use the Registry Editor (regedit.exe) with administrator privileges to create or update the following registry value:

Location: HKLM\SOFTWARE\Duo Security\DuoCredProv:

Registry Value Type Description
EnableSmartCards <class="keyword">DWORD</class="keyword"> Set to 0 to disable smart cards and only allow Duo authentication. Default: 0.

If the Duo settings are managed by Windows Group Policy, those settings override any changes made via regedit. Update the "Duo Service: Enable Smart Cards" setting in the GPO instead.

How do I enable smart card login plus Duo Authentication?

With Duo Authentication for Windows Logon v3.1.0 and later, you can require Duo two-factor authentication for smart card users logging in at the local console. When this is enabled, user may choose to log on with either the built-in Windows smart card authentication and a DOD CAC or other PIV card, or with Windows primary username and password credentials. Both smart card and username/password primary login is followed by Duo two-factor authentication.

You can turn on smart card login during a clean install of Duo for Windows Logon by selecting the "Enable Smart card support" option followed by selecting "Enable smart card login wit Duo" " in the installer.

To enable smart card + Duo support after upgrading or installing v3.1.0 or later, use the Registry Editor (regedit.exe) with administrator privileges to create (or update) both of the following registry values:

Location: HKLM\SOFTWARE\Duo Security\DuoCredProv:

Registry Value Type Description
EnableSmartCards <class="keyword">DWORD</class="keyword"> Set to 1 to enable the smart card credential provider. This may already be done if you selected the "Enable Smart card support" option during installation.
WrapSmartCards <class="keyword">DWORD</class="keyword"> Set to 1 to require Duo authentication after logging in with the smart card credential provider. Default: 0.

If the Duo settings are managed by Windows Group Policy, those settings override any changes made via regedit. Update the "Duo Service: Wrap Smart Cards" setting in the GPO instead.

Can I permit use of other credential providers after installing Duo?

Installing Duo disables all other installed logon credential providers. You can enable the Windows smart card login provider in the Duo installer, but other credential providers (what your users may refer to as "logon tiles") are hidden.

Duo Authentication for Windows Logon version 3.1 and later allows re-enabling access to a hidden credential provider via the registry. A common use case for this would be to restore access to a password reset tool from the Windows logon screen.

Be aware that any third-party credential provider you allow may then be accessed without Duo two-factor authentication!

Use the Registry Editor (regedit.exe) with administrator privileges to create (or update) the following registry values:

Location: HKLM\SOFTWARE\Duo Security\DuoCredProv:

Registry Value Type Description
ProvidersWhitelist <class="keyword">REG_MULTI_SZ</class="keyword"> Populate the multi string value data with the GUIDs of the third-party credential providers to allow. You can find GUIDs for all registered credential providers on a system in <class="keyword">HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers, or contact the application's vendor for assistance determining the GUID for their credential provider. Supports multiple permitted GUIDs.</class="keyword">

Example registry value that permits the Microsoft FIM Password Reset client:

Duo Windows Logon ProvidersWhiteList

How many users can enroll in offline access with MFA per Windows client?

By default, five (5) users may enroll in offline access. To increase or reduce the number of users that may activate offline access on a given Windows client, use the Registry Editor (regedit.exe) with administrator privileges to create or update the following registry value:

Location: HKLM\SOFTWARE\Duo Security\DuoCredProv:

Registry Value Type Description
OfflineMaxUsers <class="keyword">DWORD</class="keyword"> Create this value and set to the number of users you would like to be have the ability to enroll in offline access on a given Windows system. Minimum value: 1; Maximum value: 50. If not set the default is 5.

Once the maximum number of users have activated offline access, the next user receives an error when attempting to enroll in offline access.

How can I remove a user's existing offline activation?

To force offline reactivation for a previously activated user on a given Windows system, use the Registry Editor (regedit.exe) with administrator privileges to delete the entire registry key that includes the username from HKLM\SOFTWARE\Duo Security\DuoCredProv\Offline.

How can I completely prevent offline access with MFA at the Windows client?

You may have Windows systems where no users should log in using offline access, regardless of the application setting in the Duo Admin Panel. To prevent offline authentication for any user on a given Windows client, use the Registry Editor (regedit.exe) with administrator privileges to create or update the following registry value:

Location: HKLM\SOFTWARE\Duo Security\DuoCredProv:

Registry Value Type Description
OfflineAvailable <class="keyword">DWORD</class="keyword"> Create this value and set to 0 to disable offline access for all users. Your fail mode configuration applies to offline logins (either fail open or fail closed).

How do I enable and configure User Elevation to add Duo authentication to UAC prompts?

Available in version 4.1 and later, User Elevation adds Duo two-factor authentication to password-protected Windows UAC elevation attempts. By default. Duo UAC elevation protection is disabled. When enabled, Duo Authentication for Windows Logon will prompt for MFA on credentialed UAC elevation attempts.

You can enable and configure User Elevation during a clean install of Duo for Windows Logon by selecting the "Enable UAC Elevation Protection" option, followed by selecting your desired User Elevation configuration settings in the installer.

To enable and configure User Elevation after upgrading or installing v4.1.0 or later, use the Registry Editor (regedit.exe) with administrator privileges to create (or update) the following registry values:

Location: HKLM\SOFTWARE\Duo Security\DuoCredProv:

Registry Value Type Description
ElevationProtectionMode <class="keyword">DWORD</class="keyword"> Create this value and set to 0 to disable UAC protection and only prompt for Duo 2FA at login, 1 to enable Duo only for UAC protection (no Duo 2FA at login) or 2 to enable Duo 2FA for both logon and UAC. Default: 0
ElevationOfflineEnable <class="keyword">DWORD</class="keyword"> Create this value and set to 0 to disable offline access for UAC elevation, or 1 to enable offline access for UAC elevation. Requires offline access enabled and ElevationProtectionMode set to 1 or 2. Default: 1
ElevationOfflineEnrollment <class="keyword">DWORD</class="keyword"> Create this value and set to 0 to permit enrollment in offline access during UAC elevation, or 1 to disable enrollment in offline access during UAC elevation. Requires offline access enabled and ElevationProtectionMode set to 1 or 2. Default: 1

How do I enable User Account Control credentialed elevation in Windows?

User Account Control (UAC) protects Windows systems and users from malicious software by prompting for additional approval before running an application with administrator privileges. Duo Authentication for Windows Logon v4.1.0 and later optionally adds two-factor authentication to password-protected UAC prompts. If you've enabled Duo User Elevation but you're only getting asked to approve UAC elevation requests ("Prompt for consent"), and aren't required to enter your Windows password to approve the elevation request, you won't be prompted for Duo when approving the UAC elevation request either.

You can configure User Account Control to require a password to approve elevation requests via registry edit or local/domain Group Policy.

To require password entry for UAC elevation with the Registry Editor, launch regedit.exe with administrator privileges to create (or update) the following registry values:

Location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System:

Registry Value Type Description
ConsentPromptBehaviorAdmin <class="keyword">DWORD</class="keyword"> Create this value and set to 1 to prompt administrators for credentials on the secure desktop (recommended), or 3 to prompt administrators for credentials on the interactive desktop.
ConsentPromptBehaviorUser <class="keyword">DWORD</class="keyword"> Create this value and set to 1 to prompt standard users for credentials on the secure desktop (recommended), or 3 to prompt standard users for credentials on the interactive desktop.

To require password entry for UAC elevation with Group Policy, enable the following policy settings with Group Policy Management Console (gpmc.msc) or local Group Policy Editor (gpedit.msc):

Location: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options

Policy Setting Description
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode Set to Prompt for credentials on the secure desktop or Prompt for credentials.
User Account Control: Behavior of the elevation prompt for standard users Set to Prompt for credentials on the secure desktop or Prompt for credentials.

Please refer to User Account Control Group Policy and registry key settings for additional information about UAC settings.

How do I enable remembered devices for Windows Logon?

Duo MFA, Access, and Beyond customers can apply a remembered devices policy to their Microsoft RDP Duo applications with the Remember devices for Windows Logon setting enabled and set to the number of hours or days desired.

Duo Authentication for Windows Logon version 4.2.0 and later will apply this policy setting to online authentications at the local console, offering the "Remember me" option in the prompt.

Earlier versions of Duo Authentication for Windows Logon must be upgraded to v4.2.0 or later to use this feature.

Can remembered devices be used over RDP (Remote Desktop Protocol) connections?

No, RDP logins will not see the option to remember the device in the Duo for Windows 2FA prompt. Consider applying an authorized networks policy to the Duo Microsoft RDP application to minimize interactive Duo authentication for RDP users.

Do offline sessions work with remembered devices?

No, a trusted device session created with the "Remember me" option during online Duo authentication does not maintain the trusted session for offline access, and an offline access login will not show the option to remember the device.

How are local trusted sessions created by the remembered device option invalidated or revoked?

An existing device trust session ends under any of the following conditions:

  • Changes to the operating system session state: When initialized the Duo credential provider determines if the Windows logon type is a workstation unlock or a new logon session. A new logon session will require Duo multi-factor authentication (MFA), and subsequent workstation unlocks bypass interactive MFA for the duration of the "Remember me" session.
  • Change to network location: At each logon authentication attempt Duo snapshots and compares the network state of the user's device to determine whether it differs from the most recent network used to create a local trusted session. If the network state has changed, Duo prompts for interactive MFA.
  • Use of offline authentication: If a user logs in to or unlocks the workstation with Duo offline access, Duo prompts for interactive MFA at the next online login.
  • User action: If a user clicks the “Cancel” button during login of a local trusted session, Duo prompts for interactive MFA.
  • Policy change: If a Duo administrator removes the remembered devices policy from the Duo Microsoft RDP application or edits the policy to disable the "Remember devices for Windows Logon" setting, at the next logon or workstation unlock the local Duo application applies the policy change and prompts for interactive MFA.
  • Registry edit: The trusted session created by remembering the device adds a registry key at HKLM\Software\Duo Security\DuoCredProv\Users\<UserSID>. If that registry key for a user is deleted, Duo prompts for interactive MFA.

What logging is available for device authentication during a trusted session?

Duo records logins authenticated as a local trusted session in the Admin Panel Authentication Log with “Remembered Device” as the second factor. The local Windows Logon client log, found at %PROGRAMDATA%\Duo Security\duo.log, also shows the authentication type for the logon activity as a “Remembered Device”.

Troubleshooting

Using the Support Tool

If you open a case with Duo Support for an issue involving Duo Authentication for Windows Logon (RDP), your support engineer will need you to submit your registry configuration, recent debug log output demonstrating the issue, and other system configurations. Sensitive information, such as your Duo application's SKEY, should not be sent to support.

We've made collecting troubleshooting information easy with a script that gathers all the necessary files, scrubs them of sensitive information, and creates a zip package ready for you to send to Duo Support. The script is included in version 4.0.6 and later at C:\Program Files\Duo Security\WindowsLogon\Winlogon-Diag.ps1. The support script is also available for download here.

The support tool performs the following actions:

  1. Runs Invoke-Webrequest to determine if a connection to Duo is available.
  2. Creates a zip file that contains all of the collected information.
  3. Captures the following information:
    • Installed version and if it is deployed with GPO configuration.
    • Debug status.
    • Host information to DuoSupport.log:
      • Hostname
      • Username
      • Domain
      • System/Browser proxy settings
      • Operating system version, build and bit
      • Bitlocker status
      • AV product
      • TPM availability
      • Timezone
  4. Exports list of all credential providers and filter from registry to credprov.txt in zip file.
  5. Copies C:\ProgramData\Duo Security\duo.log to zip file.
  6. Exports Duo Registry keys from HKLM\Software\Duo Security\DuoCredProv to DuoSupport.log in zip file (excluding your SKEY).
  7. Exports Duo Offline Registry keys from HKLM\Software\Duo Security\DuoCredProv\Offline to DuoSupport.log in zip file.
  8. Optional: Export Application and/or Security Event logs to zip file.
  9. Saves the zip file to the current CMD location or chosen directory as DuoSupport-year-month-date-time.zip.
    • For example: On Windows, the support file would be C:\SupportScript\DuoSupport2019-06-06-04-28-17.zip.

Additional PowerShell command options

Setting Description
-duodebug Default is off; $true only enables debug in registry; $false only disables debug in registry.
-out Sets the preferred log path; defaults to Desktop if not set.
-eventlogs Exports application and/or security logs. Options: all, application, security
-days Defines a selected number of days to export from both Duo native logs and event logs.
-tls Exports Client TLS settings from registry.

Running the Support Tool

Here's an example of how you can use the Support Tool. In this example, debug is enabled, and security event logs from the last two days are exported.

  1. Open an administrative PowerShell command-line session on the system where Duo is installed.
  2. Enable debug.
    PS C:\>.\Winlogon-Diag.ps1 -duodebug $true
  3. Reproduce the Duo issue you are experiencing.
  4. Run a script to export the logs:**
    PS C:\>.\Winlogon-Diag.ps1 -out C:\testing -eventlogs security -days 2
  5. Disable debug:
    PS C:\>.\Winlogon-Diag.ps1 -duodebug $false

Why am I unable to log in to Windows after installing Duo?

In order for the Duo service to properly authenticate a Windows user account the username in Windows must match the username in the Duo account. If you receive the message "The Duo native Windows client does not currently support unknown users" or "The username you have entered is not enrolled with Duo Security" then the account you are using to log into Windows does not match an enrolled Duo user.

  1. Log in to the Duo Admin Panel and make sure that you've added a user with a username that matches the Windows username.
  2. You will also need to manually enroll this user's phone number so that the user can receive passcodes or phone calls, which are needed in order to authenticate.
  3. Once the user's phone number has been added you may optionally install and enroll the Duo Mobile smartphone app, which will enable the "push" functionality for an RDP login.
  4. Now try to log in to Windows again.

If you receive the message "Unknown devices are not permitted by your administrator" then a Duo policy may be restricting your Windows system or 2FA approval device.

Please review your global policy, as well as any policies associated with your "RDP" application in the Duo Admin Panel. Commonly, issues occur with application or global policies that restrict allowed authentication methods or restrict operating systems by blocking access from Windows or specific Windows versions.

Users receive the error "Logon failure: the user has not been granted the requested logon type at this computer" when attempting to log in.

This error may be seen in Duo Windows Logon version 1.1.5 or later. Ensure that the users have been delegated the "Allow log on locally" rights for console logins, or have been delegated both the "Allow log on locally" and "Allow log on through Remote Desktop Connection" rights in the computer's local or domain-level security policy. Please see the Group Policy Settings Reference for Windows and Windows Server for more information about these user rights assignments.

When logging in via Remote Desktop, my authentication is accepted but the Remote Desktop session is disconnected. How do I fix this?

You can increase the logon timeout if extra time is needed to complete authentication (for example, if users must type in a hardware token passcode). Create a new registry DWORD value HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\LogonTimeout and set it to a decimal value greater than 60. You may need to cycle the TermService service or restart Windows recognize the change.

To increase the Remote Desktop logon timeout for multiple computers joined to an Active Directory domain with Group Policy, add the HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\LogonTimeout value to a GPO (Group Policy object) as a registry preference item. Please see "Configure a Registry Item" at the Microsoft TechNet site for more information.