Duo for Outlook Web App (OWA) - Release Notes
Last updated:
Action required by February 2, 2026 - Duo CA bundle expiration
Duo’s existing certificate authority (CA) pinning bundle will expire in 2026. Duo products that use certificate pinning require a software update for continued use after February 2, 2026.
Check your Duo for OWA installations and upgrade them if they are not running version 2.2.0 or later.
Please visit the Duo Knowledge Base article How can I make sure I am up to date with Duo's latest applications in time for the Duo root certificate authority bundle replacement? for more information and guidance.
Product Downloads
Download the current release from the Checksums and Downloads page.
Version 2.2.0 - June 5, 2025
- Adds support for new Duo certificate authorities.
- Adds the new Duo Secret Key Rotation tool in the OWA installation directory to assist administrators with updating the application's
Client_Secret
to a new value when required. - The
Client_Secret
is encrypted in the Windows registry. Previously, theClient_Secret
was saved as clear text in the registry. - Supports Windows Server 2025.
Version 2.1.0 - May 9, 2024
- Duo MFA parameters now correctly removed from the OWA URL after Duo authentication.
- Corrects an issue affecting redirection to shared mailboxes after Duo MFA.
Version 2.0.0 - May 4, 2023
- Duo Universal Prompt support with OIDC standards-based redirects. The Duo Prompt no longer loads in an iframe. Learn more about the move to frameless authentication in preparation for Duo Universal Prompt.
- The installer now defaults to "fail closed" for new installations and upgrades from v1.x to v2.0.0. Upgrades from v2.0.0 to future releases will preserve the installed fail mode selection.
- TLS 1.2 is now the minimum supported version. Drops support for TLS 1.1, 1.0, and SSLv3.
- Now supports WinHTTP proxy server configurations that use a bypass-list.
- Corrects an issue where ECP logout did not expire the Duo session cookie created after MFA success at login.
- Changes the Duo OWA registry key location to
HKLM\Software\Duo Security\DuoOwa
and the registry valuesIKey
andSKey
toClient_Id
andClient_Secret
.
Version 1.3.3 - October 2019
- Released for Exchange 2013+ only; no Exchange 2010 release (Duo's support for Exchange 2010 ends on February 15, 2021).
- Fixed security issue with session cookie expiration affecting Exchange 2013 and newer.
- Updated jQuery version to 1.6.3.
- Support for Windows Server 2008 R2 ends in January 2020. Future releases may not function on unsupported operating systems.
Version 1.3.2 - April 2018
- Support for UPN usernames.
- Internal permit bypass for Exchange 2013 and 2016 built-in health mailboxes.
- Separate installers and instructions for Exchange 2010 and Exchange 2013 and later.
- Exchange 2013 and later installations now require .NET Framework 4.5 and ASP.NET 4.5.
- TLS 1.1 and 1.2 support for Exchange 2013 and later.
Version 1.2.1 - October 2017
- Duo Web SDK 2.6.
Version 1.2.0 - April 2016
- Adaptive sizing for Duo authentication prompt.
- Supports SSL offloading.
- Supports OWA on Exchange 2016.
Version 1.1.9 - November 2014
- Fail mode refinements.
Version 1.1.7 - September 2014
- Expanded two-factor protection to ECP site.
Version 1.1.5 - April 2014
- Bugfixes.
Version 1.1.3 - April 2014
- Fixed double-prompt for primary credentials with some Exchange Server 2013 installations.
- Fixed installer issues on systems using certain international date formats.
Version 1.1.2 - January 2014
- Fixed time-synchronization with Duo's service.
- Fixed incorrect handling of client IP addresses.
Version 1.0.8 (for Exchange Server 2007) - January 2014
- Fixed an issue in which high usage could incorrectly cause Exchange Server to exceed its session limit.
- This was the last release for Exchange 2007.
Version 1.1.1 - November 2013
- Added support for Exchange Server 2013.
- Added fail-open mode.
- Fixed post-login redirection for deep links.
- Removed the option to strip Windows domains from usernames (superseded by the username normalization option for applications set in the Admin Panel).
- Removed support for Exchange Server 2007.
Version 1.0.6 - August 2013
- Added support for Duo's new enrollment frame.
- Fixed permissions errors when using multiple IIS Application Pools.
Version 1.0.5 - May 2013
- Fixed incorrect usage of persistent cookies.
Version 1.0.4 - August 2012
- Fixed a compatibility issue with HTTPS-only cookies.
Version 1.0.3 - June 2012
- Added an option to strip Windows domains from usernames.