
Duo Authentication for Windows Logon and RDP

Last Updated: October 16th, 2019

Duo integrates with Microsoft Windows client and server operating systems to add two-factor authentication to Remote Desktop and local logons.

There is a known issue with using Duo authentication and Microsoft/Live accounts after installing the Windows 10 Fall Creators Update (version 1709) released 10/17/17. Please see the Microsoft Account FAQ item for more information and a workaround.


Important Notes

  • Installing Duo Authentication for Windows Logon adds two-factor authentication to all Windows login attempts, whether via a local console or over RDP, unless you select the "Only prompt for Duo authentication when logging in via RDP" option in the installer. If two-factor is enabled for both RDP and console logons, it may be bypassed by restarting Windows into Safe Mode (e.g. in case of a configuration error). If you wish to protect local console logons with Duo, please see the FAQ for some guidance on securing your Windows installation appropriately.
  • Duo Authentication for Windows Logon doesn't support inline self-service enrollment for new Duo users. We recommend using bulk enrollment to send your users unique self-enrollment links via email. Read the enrollment documentation to learn more.
  • Additional configuration may be required to log in using a Microsoft attached account. See Can I Use Duo with a Microsoft Account? for more information.
  • Windows users must have passwords to log in to the computer. Users with blank passwords may not be able to log in after Duo Authentication is installed.

Connectivity Requirements

This application communicates with Duo's service on TCP port 443. Firewall configurations that restrict outbound access to Duo's service with rules using destination IP addresses or IP address ranges aren't recommended, since these may change over time to maintain our service's high availability. If your organization requires IP-based rules, please review this Duo KB article.

System Requirements

Duo Authentication for Windows Logon supports both client and server operating systems.

Clients:

  • Windows 7 SP1
  • Windows 8.1
  • Windows 10 (as of v1.1.8)

Servers (GUI and core installs):

  • Windows Server 2008 R2 SP1
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016 (as of v2.1.0)
  • Windows Server 2019 (as of v4.0.0)

Ensure your system's time is correct before installing Duo.

Duo Factor support

Duo for Windows Logon supports these factor types for online 2FA:

  • Duo Push (Duo Mobile)
  • Duo Mobile Passcodes
  • SMS Passcodes
  • OTP Hardware Token Passcodes
  • Phone Call
  • Bypass Codes

Security key (U2F) support is limited to Offline Access only.

First Steps

Before moving on to the deployment steps, it's a good idea to familiarize yourself with Duo administration concepts and features like options for applications, available methods for enrolling Duo users, and Duo policy settings and how to apply them. See all Duo Administrator documentation.

  1. Sign up for a Duo account.

  2. Log in to the Duo Admin Panel and navigate to Applications.

  3. Click Protect an Application and locate Microsoft RDP in the applications list. Click Protect this Application to get your integration key, secret key, and API hostname. (See Getting Started for help.) You will need this information to install the Duo application.

  4. We recommend setting the New User Policy for your Microsoft RDP application to Deny Access, as no unenrolled user may complete Duo enrollment via this application.

  5. Download the Duo Authentication for Windows Logon installer package. View checksums for Duo downloads here.

  6. If you'd like to enable offline access with Duo MFA you can do that now, or return to the Admin Panel later to configure offline access after first verifying logon success with two-factor authentication.

Treat your secret key like a password

The security of your Duo application is tied to the security of your secret key (skey). Secure it as you would any sensitive credential. Don't share it with unauthorized individuals or email it to anyone under any circumstances!

Enroll a User

Add your first user to Duo, either manually or using bulk enrollment. The username should match your Windows logon name. Install Duo Mobile and add your account to it so you can use Duo Push. If the user logging in to Windows after Duo is installed does not exist in Duo, the user may not be able to log in.

Run the Installer

  1. Run the Duo Authentication for Windows Logon installer with administrative privileges.

  2. When prompted, enter your API Hostname from the Duo Admin Panel and click Next. The installer verifies that your Windows system has connectivity to the Duo service before proceeding.

    [Screenshot: Duo API Hostname Information]

    If the connectivity check fails, ensure that your Windows system is able to communicate with your Duo API hostname over HTTPS (port 443).

    If you need to use an outbound HTTP proxy in order to contact Duo Security's service, enable the Configure manual proxy for Duo traffic option and specify the proxy server's hostname or IP address and port here.
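The connectivity requirement above (TCP 443 to the API hostname, optionally through an outbound HTTP proxy) and the note about correct system time can be checked before running the installer. The following PowerShell script is an added example, not Duo's own tooling or part of the installer: it opens a TCP connection to the API hostname, completes a TLS handshake and reports whether the system clock falls inside the server certificate's validity window, and optionally confirms the host is reachable through a proxy. The API hostname and proxy values are placeholders you replace with your own.

```powershell
# Added example, not part of Duo's documentation or installer.
# Pre-install connectivity check for a Duo API hostname: TCP reachability on 443,
# a full TLS handshake (surfaces clock skew or a TLS-inspecting proxy with an
# untrusted root), and an optional check through an outbound HTTP proxy.
# $ApiHost and the proxy values are placeholders; use your own from the Duo Admin Panel.
param(
    [string]$ApiHost   = 'api-XXXXXXXX.duosecurity.com',  # placeholder, not a real hostname
    [string]$ProxyHost = '',                               # leave empty when no proxy is used
    [int]   $ProxyPort = 3128
)

function Test-DuoTcp443 {
    param([string]$HostName)
    # Same thing the installer's connectivity check needs: an outbound TCP connection on 443.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, 443, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne(5000)) { return $false }   # 5 s connect timeout
        $client.EndConnect($async)
        return $true
    }
    catch { return $false }
    finally { $client.Close() }
}

function Test-DuoTlsHandshake {
    param([string]$HostName)
    # Complete a TLS handshake and inspect the server certificate. A clock outside the
    # certificate's validity window, or an untrusted interception certificate, fails here
    # rather than at the first Duo-protected logon.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, 443)
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $client.GetStream(), $false
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        $now  = Get-Date
        [pscustomobject]@{
            Host          = $HostName
            Protocol      = $ssl.SslProtocol
            Issuer        = $cert.Issuer
            NotBefore     = $cert.NotBefore
            NotAfter      = $cert.NotAfter
            ClockInWindow = ($now -gt $cert.NotBefore) -and ($now -lt $cert.NotAfter)
        }
    }
    finally { $client.Close() }
}

function Test-DuoViaProxy {
    param([string]$HostName, [string]$Proxy)
    # Any HTTP response, even an error status, shows the proxy relayed the TLS connection;
    # only a transport failure (no response object) means the proxy path is broken.
    try {
        Invoke-WebRequest -Uri "https://$HostName/" -Proxy $Proxy -UseBasicParsing -TimeoutSec 15 | Out-Null
        return $true
    }
    catch {
        return ($null -ne $_.Exception.Response)
    }
}

"TCP 443 reachable: $(Test-DuoTcp443 -HostName $ApiHost)"
Test-DuoTlsHandshake -HostName $ApiHost | Format-List
if ($ProxyHost) {
    "Reachable through proxy: $(Test-DuoViaProxy -HostName $ApiHost -Proxy "http://${ProxyHost}:$ProxyPort")"
}
```

If ClockInWindow is false while the handshake otherwise succeeds, correct the system time (or time source) before installing; if the handshake fails with a trust error, an inspecting proxy or firewall is presenting its own certificate and the Duo traffic should be exempted from inspection.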

  3. Enter your integration key and secret key from the Duo Admin Panel and click Next again.

    [Screenshot: Duo Application Information]

  4. Select your integration options:

    Bypass Duo authentication when offline (FailOpen)
      Enable this option to allow user logon without completing two-factor authentication if the Duo Security cloud service is unreachable. Checked by default. If you plan to enable offline access with MFA, consider disabling FailOpen.

    Use auto push to authenticate if available
      Automatically send a Duo Push or phone call authentication request after primary credential validation. Checked by default.

    Only prompt for Duo authentication when logging in via RDP
      Leave this option unchecked to require Duo two-factor authentication for both console and RDP sessions. If enabled, console logons do not require 2FA approval. If you want to enforce protected offline access for laptop logins, be sure you don't check this box; if you do, laptop console logins won't require any form of Duo MFA.

    [Screenshot: Duo Application Options]

  5. If you plan to use smart cards on the systems where you install Duo, click to Enable Smart Card Support and select your smart card options:

    Protect smart card login with Duo
      Select this option to require Duo authentication after primary login with username and password or primary authentication with a smart card. Supported for local console logins.

    Enable smart card login without Duo
      Select this option to permit use of the Windows smart card login provider as an alternative to Duo authentication. Smart card logins won't require 2FA.

    These options only support the Windows native smart card provider.

    [Screenshot: Duo Application Smart Card Options]

  6. Click Next to complete Duo installation.

Test Your Setup

To test your setup, attempt to log in to your newly-configured system as a user enrolled in Duo.

[Screenshot: Windows Login Screen]

The Duo authentication prompt appears after you successfully submit your Windows credentials. When automatic push is enabled (the default option), the Duo prompt indicates that a request has been pushed to your phone.

[Screenshot: Duo Auto Push]

If automatic push is disabled or if you click the Cancel button on the Duo authentication prompt, you can select a different device from the drop-down at the top (if you've enrolled more than one) or select any available factor to verify your identity to Duo:

  • Duo Push: Send a request to your smartphone. You can use Duo Push if you've installed and activated Duo Mobile on your device.
  • Call Me: Perform phone callback authentication.
  • Passcode: Log in using a passcode generated with Duo Mobile, received via SMS, generated by your hardware token, or provided by an administrator. To have a new batch of SMS passcodes sent to you click the Send me new codes button. You can then authenticate with one of the newly-delivered passcodes.

[Screenshot: Duo Auth Factors]

Remember: if you find that Duo Authentication for Windows Logon has locked you out of your Windows system (e.g. due to a configuration error), you can reboot into Safe Mode to bypass it.

Offline Access

Duo Authentication for Windows Logon v4.0.0 introduces offline access, allowing secure local logons to Windows systems even when unable to contact Duo’s cloud service.

[Video: Offline Access Video Overview]

Offline Access Requirements

  • Duo MFA, Access, or Beyond plan subscription (learn more about Duo's different plans and pricing)
  • Duo Authentication for Windows Logon version 4.0.0 or later
    • Disable the Bypass Duo authentication when offline (FailOpen) option. If you enabled FailOpen during installation, you can change it in the registry.
    • Disable the Only prompt for Duo authentication when logging in via RDP option to use offline access with laptop or desktop local console logins. If you enabled Duo for RDP logins only during installation, you can change it in the registry.

Users must have either:

  • Duo Mobile for Android or iOS version 3.22 or later (no Windows Phone support)
  • A supported U2F security key
    • Yubico brand keys supporting U2F/FIDO2
    • Google Titan
    • Feitian ePass FIDO
    • Thetis FIDO

HyperFIDO tokens are not supported for offline access activation, nor are simple OTP passcode tokens or Duo D-100 hardware tokens.

Note these functional limitations for offline access authentication devices:

  • Users may only register one authenticator for offline access, so it is not possible to register backup devices for approving offline login. Registering a second offline device deactivates the first one.
  • U2F security keys for offline authentication only work for local system console logins. It is not possible to use a security key attached to your local RDP client system to perform offline authentication at a remote Windows server. You can use a Duo Mobile offline passcode with a remote system.

Offline Access Configuration

  1. Return to your "Microsoft RDP" application page in the Duo Admin Panel. You may have given the RDP application a different name when you created it, but the "Type" will always be shown as "Microsoft RDP" on the Applications page.

  2. Scroll down to the bottom of the RDP application’s page to locate the Offline Access Settings. Check the box next to Enable offline login and enrollment to turn on offline access.

  3. Check the Only allow offline login from users in certain groups option to specify a group or groups of Duo users permitted to activate offline access. Users who are not members of the groups you select here won't be able to log in with MFA when the Windows system is unable to contact Duo, and are instead subject to your fail mode configuration (let in without MFA if you enabled fail open, or prevented from logging in if you disabled fail open).

    After you configure this option, when a user logs in to a Windows system while it is online and can reach Duo, and more than 24-30 hours have passed since the last online authentication, Duo for Windows Logon updates the offline policies for all users on the system, including deprovisioning users for offline access if they are no longer members of the offline groups selected for offline login in the Duo Admin Panel.

    If you also configured permitted groups on your RDP application, users need to be members of both the permitted and the offline login groups to use offline access.

  4. Choose from the two options for expiring offline access in the Prevent offline login after setting:

    • Enter the maximum number of offline logins allowed to users. With this option, there is no expiration date for offline access.

      Users may log on to the Duo-protected Windows workstation while offline the number of times you specify here. They'll need to reconnect their offline computer to the internet upon reaching this limit. The next time they perform an online Duo authentication, the computer’s offline counter resets.

    • Enter the maximum number of days offline, up to 365. With this option, there is no limit to the number of times a user logs in while offline during the allowed period.

      Users need to reconnect their offline computer to the internet upon reaching the end of the period you define here. The next time they perform an online Duo authentication, the computer’s offline expiration date resets.

  5. Users may activate offline access using either the Duo Mobile application for iOS or Android, or a U2F security key. Both offline authentication methods are allowed unless you uncheck one in the Offline authentication methods setting. You may not uncheck both options.

    Any authentication method enabled for offline access is always permitted, overriding any other policy setting restricting authentication methods for the RDP application.

  6. Click the Save Changes button.

[Screenshot: Windows Login Offline Access Settings]

Offline Access Logging

No information about logins using offline access is reported in Duo Admin Panel authentication reports while the Windows system is offline. At the next online authentication, login events that occurred while the system was offline are sent to Duo's service. These events show up in the Authentication Log with other user access results, and show the offline authentication method used.

[Screenshot: Windows Login Offline Access Authentication Log Events]

Advanced Configuration

Change How Many Users May Use Offline Access

By default, five (5) users may enroll in offline access. To increase or reduce the number of users that may activate offline access on a given Windows client, use the Registry Editor (regedit.exe) with administrator privileges to create or update the following registry value:

Location: HKLM\SOFTWARE\Duo Security\DuoCredProv:

Registry Value: OfflineMaxUsers
Type: DWORD
Description: Create this value and set it to the number of users you would like to have the ability to enroll in offline access on a given Windows system. Minimum value: 1; maximum value: 50. If not set, the default is 5.

Once the maximum number of users have activated offline access, the next user receives an error when attempting to enroll in offline access.

Force Offline Reactivation for a User

To force offline reactivation for a previously activated user on a given Windows system, use the Registry Editor (regedit.exe) with administrator privileges to delete the entire registry key that includes the username from HKLM\SOFTWARE\Duo Security\DuoCredProv\Offline.

Prevent Offline Access Use on a Client

You may have Windows systems where no users should log in using offline access, regardless of the application setting in the Duo Admin Panel. To prevent offline authentication for any user on a given Windows client, use the Registry Editor (regedit.exe) with administrator privileges to create or update the following registry value:

Location: HKLM\SOFTWARE\Duo Security\DuoCredProv:

Registry Value: OfflineAvailable
Type: DWORD
Description: Create this value and set it to 0 to disable offline access for all users. Your fail mode configuration (either fail open or fail closed) then applies to offline logins.
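The three registry tasks in this section (OfflineMaxUsers, forcing reactivation by deleting a user's key under DuoCredProv\Offline, and OfflineAvailable), together with the offline access requirements earlier (FailOpen and RDP-only mode both disabled), can be audited and applied from an elevated PowerShell session. The script below is an added example and not Duo's own tooling. OfflineMaxUsers, OfflineAvailable and the Offline subkey come from this page; the value names FailOpen and RdpOnly for the two installer options are assumptions, as the page does not name them.

```powershell
# Added example, not Duo's own tooling. Run elevated.
# OfflineMaxUsers, OfflineAvailable and the Offline subkey are documented on the page;
# FailOpen and RdpOnly are ASSUMED value names for the two installer options the
# offline access requirements say to disable.
$DuoKey = 'HKLM:\SOFTWARE\Duo Security\DuoCredProv'

function Get-DuoCredProvConfig {
    if (-not (Test-Path $DuoKey)) { throw "Duo credential provider key not found: $DuoKey" }
    $k = Get-ItemProperty -Path $DuoKey
    # Documented default when OfflineMaxUsers is absent is 5; absent OfflineAvailable means enabled.
    $maxUsers  = if ($null -ne $k.OfflineMaxUsers)  { $k.OfflineMaxUsers }  else { 5 }
    $available = if ($null -ne $k.OfflineAvailable) { $k.OfflineAvailable } else { 1 }
    $offlineUsers = @(Get-ChildItem -Path "$DuoKey\Offline" -ErrorAction SilentlyContinue |
                      ForEach-Object { $_.PSChildName })
    [pscustomobject]@{
        FailOpen         = $k.FailOpen        # assumed name; $null means never written
        RdpOnly          = $k.RdpOnly         # assumed name; $null means never written
        OfflineMaxUsers  = $maxUsers
        OfflineAvailable = $available
        OfflineUsers     = $offlineUsers      # per-user activation keys present on this client
    }
}

function Test-DuoOfflineAccessReady {
    # The documented prerequisites for offline access: FailOpen off and RDP-only off,
    # plus OfflineAvailable not forced to 0 on this client.
    $c = Get-DuoCredProvConfig
    $problems = @()
    if ($c.FailOpen -ne 0)         { $problems += 'FailOpen is not set to 0; offline access requires fail closed.' }
    if ($c.RdpOnly -ne 0)          { $problems += 'RDP-only mode is not set to 0; console logons would get no offline MFA.' }
    if ($c.OfflineAvailable -eq 0) { $problems += 'OfflineAvailable is 0; offline access is disabled on this client.' }
    if ($c.OfflineUsers.Count -ge $c.OfflineMaxUsers) {
        $problems += "All $($c.OfflineMaxUsers) offline slots are used; the next activation will fail."
    }
    if ($problems.Count -eq 0) { 'OK' } else { $problems }
}

function Set-DuoOfflineMaxUsers {
    # Documented bounds are 1..50; ValidateRange rejects anything else before touching the registry.
    param([Parameter(Mandatory)][ValidateRange(1, 50)][int]$Count)
    New-ItemProperty -Path $DuoKey -Name OfflineMaxUsers -PropertyType DWord -Value $Count -Force | Out-Null
}

function Disable-DuoOfflineAccess {
    # Prevent offline access for every user on this client; fail mode then governs offline logons.
    New-ItemProperty -Path $DuoKey -Name OfflineAvailable -PropertyType DWord -Value 0 -Force | Out-Null
}

function Reset-DuoOfflineUser {
    # Force offline reactivation: delete the per-user key under ...\Offline that includes the username.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$UserName)
    Get-ChildItem -Path "$DuoKey\Offline" -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like "*$UserName*" } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.Name, 'Remove offline activation')) {
                Remove-Item -Path $_.PSPath -Recurse
            }
        }
}

Get-DuoCredProvConfig | Format-List
Test-DuoOfflineAccessReady
```

Reset-DuoOfflineUser supports -WhatIf, so you can list which key would be deleted for a username before removing it; the user is then prompted to activate offline access again at their next online logon.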

Offline Access Activation and Login

The next time you (or your end user) log in to or unlock the workstation while it's online and able to contact Duo, the offline activation prompt displays after successful two-factor authentication.

[Screenshot: Windows Login Offline Access Activation]

Step through the guided activation process to configure Duo Mobile or a U2F security key for offline MFA.

Once you've activated offline access for your account, when your computer isn't able to contact Duo's cloud service you'll automatically be offered the option to log in with an offline code or security key after successfully submitting your Windows username and password.

[Screenshot: Windows Login Offline Access Authentication]

You can also reactivate offline access from the online Duo prompt. Note that only one authentication device — a single phone with Duo Mobile or a single security key — may be activated for offline login. Activating a second device via the reactivation process deactivates the first.

See the full offline activation and login experience in the Duo User Guide for Windows Logon.

Updating Duo Authentication for Windows Logon

You can upgrade your Duo installation over the existing version; there's no need to uninstall first. The installer maintains your existing application information and configuration options.

  1. Download the most recent Duo Authentication for Windows Logon installer package. View checksums for Duo downloads here.

  2. Run the installer with administrator privileges and follow the on-screen prompts to complete the upgrade installation.

Advanced Deployment and Configuration using Group Policy

Please see our Duo Authentication for Windows Logon Group Policy documentation.

Troubleshooting

Need some help? Take a look at the Windows Logon Frequently Asked Questions (FAQ) page or try searching our Windows Logon Knowledge Base articles or Community discussions. For further assistance, contact Support.

Network Diagram

  1. RDP connection or console logon initiated
  2. Primary authentication
  3. Duo Windows Logon credential provider connection established to Duo Security over TCP port 443
  4. Secondary authentication via Duo Security’s service
  5. Duo Windows Logon credential provider receives authentication response
  6. RDP or console session logged in