
Duo Authentication for Windows Logon and RDP - FAQ

Duo integrates with Microsoft Windows client and server operating systems to add two-factor authentication to Remote Desktop and local logons.

General

Does Duo support Windows 10?

Duo Authentication for Windows Logon versions 1.2 and later support Windows 10.

We strongly recommend that you either uninstall Duo version 1.1.8 and older from your Windows PC or upgrade Duo to version 1.2 or later before upgrading your PC to Windows 10. If you do not update or remove Duo first you may not be able to log in to your computer after the OS upgrade completes.

If you find yourself unable to log in to Windows 10 with Duo installed, you can boot into Safe Mode and uninstall the Duo Credential Provider.

Can I use Duo with a Microsoft account?

You can authenticate with Duo Authentication for Windows Logon using a Microsoft attached account on a standalone system if you enable the local group policy setting “Interactive logon: Do not display last user name” and enroll the username of the Microsoft account in Duo.

To edit your local policy (must be a local administrator):

  1. Run the command gpedit.msc to open the Local Group Policy Editor.
  2. Navigate to Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
  3. Double-click the Interactive logon: Do not display last user name setting.
  4. Select Enabled and click OK.
  5. Close the Local Group Policy Editor window.

You can also enable the setting via the registry. Create a new DWORD value dontdisplaylastusername set to 1 at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.

With this setting enabled you receive the “Other user” login dialog, where you can input your Microsoft account credentials.

On a domain-joined workstation this setting may be controlled by your administrator.

To determine the username of the Microsoft account on a Windows 10 computer, open the Windows User Manager (lusrmgr.msc), locate the Microsoft account in the list, and look at the Name field for that user. The Name value of the Microsoft account won’t be the full e-mail address that you use to sign in, but instead will be shown as a portion of the local part of the email address (the information before the @ symbol). When you have found the Name value for the Microsoft account, enroll that account in Duo. If you do not enroll the account in Duo with the correct username, you may not be able to complete logging in with the Microsoft account.
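The two steps above (enabling the policy through the registry and reading the Name value of the Microsoft account) can be done from an elevated PowerShell session. The following script is an added example, not part of Duo’s documentation; it assumes the Microsoft.PowerShell.LocalAccounts module that ships with Windows 10 and Server 2016 or later, and the comments mark what is assumed.

```powershell
# Added example (not from Duo's documentation): enable "Interactive logon: Do not
# display last user name" through the registry, then list the local accounts whose
# PrincipalSource is MicrosoftAccount so the Name value to enroll in Duo can be read
# without opening lusrmgr.msc. Run from an elevated PowerShell session.
# Assumption: Get-LocalUser (Microsoft.PowerShell.LocalAccounts module) is available.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# 1. Set DWORD dontdisplaylastusername = 1; -Force creates the value if it is missing.
New-ItemProperty -Path $policyKey -Name 'dontdisplaylastusername' -PropertyType DWord -Value 1 -Force | Out-Null
$current = (Get-ItemProperty -Path $policyKey -Name 'dontdisplaylastusername').dontdisplaylastusername
Write-Host "dontdisplaylastusername is now $current (1 = 'Other user' tile is shown at logon)"

# 2. Show the Name value of each Microsoft account. This is the username Duo must
#    have enrolled; it is not the full e-mail address used to sign in.
Get-LocalUser |
    Where-Object { $_.PrincipalSource -eq 'MicrosoftAccount' } |
    Select-Object Name, Enabled, PrincipalSource |
    Format-Table -AutoSize
```

On a domain-joined workstation the policy value may be overwritten by Group Policy at the next refresh, so check with your administrator before relying on the registry change.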

What logon interfaces can Duo protect?

Duo Authentication for Windows Logon provides two-factor authentication for RDP and local console logons.

Duo’s Windows Logon client does not add a secondary authentication prompt to the following logon types:

  • Right-click “Run as administrator”
  • Shift + right-click “Run as different user”
  • PowerShell “Enter-PSSession” or “Invoke-Command” cmdlets
  • Non-interactive logons (i.e. Log on as a Service, Log on as Batch, Scheduled Tasks, drive mappings, etc.)

How does Duo Authentication for Windows Logon work with NLA (Network Level Authentication)?

Network Level Authentication (NLA) for Remote Desktop Connection is an optional security feature available in Windows Vista and later. When NLA is enabled, remote connections pre-authenticate to the remote system when the RDP client connects, before a full remote session is displayed. When NLA is disabled, the Windows username and password are entered within the RDP client session after connecting.

When Duo Authentication for Windows Logon is installed on a system where NLA is enabled the RDP client prompts for the Windows username and password in a local system dialog. That information is used to connect to the remote system and passed through to the Remote Desktop manager. Once the RDP client has completed primary authentication the full Remote Desktop session is displayed, and the Duo Security prompt appears for two-factor authentication.

When Duo Authentication for Windows Logon is installed on a system where NLA is not required a full Remote Desktop session is displayed when the RDP client connects to the remote system. The Windows username and password are entered in the Remote Desktop window, and after the logon information is accepted the Duo Security prompt appears for two-factor authentication.

There are some security advantages to enabling NLA, but one of the drawbacks is that users with expired passwords are prevented from logging on to the remote system. More information about NLA and RDP can be found at the Microsoft site and on Wikipedia.

Does Duo Authentication for Windows Logon support web proxying?

Duo can use the HTTPS proxy server configured in your system-wide WinHTTP settings. Configure the proxy server(s) used by WinHTTP with the netsh command.

Duo Authentication for Windows Logon version 2.0.0.71 and later also supports proxying only Duo authentication traffic. Refer to the instructions for configuring a Duo-only proxy.

Does Duo support Windows XP or Windows 2003?

Microsoft ended support for Windows XP on April 8, 2014 and for Windows Server 2003 on July 14, 2015. The last Duo release with XP and 2003 compatibility was version 1.1.8. Duo no longer supports any applications on Windows XP or Server 2003. We strongly urge you to upgrade to a supported version of Windows.

Are there any known issues with Windows 2003 and XP?

Duo’s legacy Windows Logon (RDP) integration for Windows 2003 and XP contained the following limitations:

  • A reboot is required after installing or uninstalling the Duo Windows Logon integration.
  • A password may be changed from the Windows password expiration warning dialog or the password expired prompt without first completing two-factor authentication.

Duo no longer supports any applications on Windows XP or Server 2003. We urge you to upgrade to a supported version of Windows.

Install and Uninstall

Can I silently install Duo Authentication for Windows Logon from a command line or PowerShell?

Enter the following command into PowerShell or a Command Prompt to silently install Duo Security with auto-push on, fail open enabled, and protecting both RDP and console logons:

duo-win-login-2.0.0.71.exe /S /V" /qn IKEY="DIXXXXXXXXXXXXXXXXXXXX" SKEY="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" HOST="api-xxxxxxxx.duosecurity.com" AUTOPUSH="#1" FAILOPEN="#1" RDPONLY="#0""

Note that the parameter names passed to the installer (IKEY, SKEY, HOST, etc.) are case-sensitive!

You can also choose to change the default settings for fail mode (FAILOPEN="#0" to fail closed) and whether local console logins require two-factor (RDPONLY="#1" to only require Duo for remote logons).

The following command performs the same install, with the same settings as the previous example, from the command line using Windows Installer and the 64-bit MSI installer included in the Duo Authentication for Windows Logon Group Policy MSI installers, template files, and documentation package:

msiexec.exe /i DuoWindowsLogon64.msi IKEY="Integration Key" SKEY="Secret Key" HOST="API Hostname" AUTOPUSH="#1" FAILOPEN="#1" RDPONLY="#0" /qn

The MSI installers and properties can also be used to create a transform file for use with Active Directory Group Policy Software Publishing or other automated software deployment utilities. See the Duo Authentication for Windows Logon Group Policy documentation for more information.
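A scripted version of the MSI install above, written for this FAQ as an added example rather than taken from Duo’s own deployment tooling: it runs msiexec with the same property names, checks the exit code instead of assuming success, and then reads back the FailOpen, AutoPush and RdpOnly values documented later on this page. The MSI path and the key, secret and hostname values are placeholders.

```powershell
# Added example (not Duo's own script): unattended install of the 64-bit MSI with the
# same properties as the msiexec command above, followed by a check that the
# installer recorded the intended settings. Run from an elevated PowerShell session.

$msi = 'C:\Deploy\DuoWindowsLogon64.msi'   # assumed location of the MSI
$properties = @{
    IKEY     = 'DIXXXXXXXXXXXXXXXXXXXX'          # placeholder integration key
    SKEY     = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'  # placeholder secret key
    HOST     = 'api-xxxxxxxx.duosecurity.com'   # placeholder API hostname
    AUTOPUSH = '#1'   # 1 = auto push on
    FAILOPEN = '#0'   # 0 = fail closed: deny logon if Duo cannot be reached
    RDPONLY  = '#0'   # 0 = protect both RDP and console logons
}

# Property names are case-sensitive; each value is quoted so msiexec receives it intact.
$propArgs = ($properties.GetEnumerator() | ForEach-Object { '{0}="{1}"' -f $_.Key, $_.Value }) -join ' '
$argList  = "/i `"$msi`" $propArgs /qn"

$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $argList -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "msiexec exited with code $($proc.ExitCode); the install did not complete."
}

# Verify the switches the installer wrote (value names are documented in the
# Configuration section of this FAQ).
$duoKey = 'HKLM:\SOFTWARE\Duo Security\DuoCredProv'
Get-ItemProperty -Path $duoKey |
    Select-Object FailOpen, AutoPush, RdpOnly |
    Format-List
```

The secret key is a credential: do not leave it in a script checked into source control, and be aware that a verbose msiexec log (/L*v) records command-line property values. The transform-file and Group Policy route described above keeps the key out of per-host scripts.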

Can I deploy or configure Duo Authentication for Windows Logon using Group Policy?

Yes. Please refer to the Duo Authentication for Windows Logon Group Policy documentation.

How do I disable or uninstall Duo Authentication for Windows Logon in Safe Mode?

To disable Duo’s credential provider on Windows Vista and later (including Windows 10) after booting in Safe Mode, run the following from an elevated command prompt:

Versions 1.2.0.14 and earlier

regsvr32 /u "C:\Program Files\Duo Security\DuoCredProv\DuoCredProv.dll"
regsvr32 /u "C:\Program Files\Duo Security\DuoCredProv\DuoCredFilter.dll"

Version 2.0.0 and later

regsvr32 /u "C:\Program Files\Duo Security\WindowsLogon\DuoCredProv.dll"
regsvr32 /u "C:\Program Files\Duo Security\WindowsLogon\DuoCredFilter.dll"

For Windows XP and Server 2003 run the following in the command prompt:

regsvr32 /u "C:\Program Files\Duo Security\DuoCredProv\DuoGina.dll"

You can also uninstall the Duo Windows Logon integration while still in safe mode with a registry change and a service start.

  1. When booted into safe mode, launch the Registry Editor (regedit.exe).
  2. Drill down into the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Minimal registry hive (if you are booted into regular safe mode) or down to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Network (if you are booted into safe mode with networking).
  3. Right-click the Minimal or Network registry key (as appropriate for your currently booted mode) and click New > Key on the context menu. Name the new key MSIServer.
  4. From an elevated command prompt, run the command net start msiserver.
  5. You can now use Programs and Features on the Windows Control Panel (Add/Remove Programs in Windows 2003) to uninstall the Duo application.
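The registry change and service start in steps 1 through 4 can be scripted so that the right SafeBoot branch is chosen from the actual boot mode instead of by hand. This is an added example, not Duo’s documented procedure; it relies on the BootupState property of the Win32_ComputerSystem class to tell regular Safe Mode from Safe Mode with Networking.

```powershell
# Added example (not from Duo's documentation): from an elevated PowerShell session in
# Safe Mode, create the MSIServer key under the SafeBoot branch matching the current
# boot mode, then start the Windows Installer service so Programs and Features can
# uninstall Duo. Win32_ComputerSystem.BootupState reports the boot mode.

$bootState = (Get-CimInstance -ClassName Win32_ComputerSystem).BootupState

if ($bootState -like 'Fail-safe with network*') {
    $branch = 'Network'      # Safe Mode with Networking
} elseif ($bootState -like 'Fail-safe*') {
    $branch = 'Minimal'      # regular Safe Mode
} else {
    throw "Not booted into Safe Mode (BootupState = '$bootState'); no change made."
}

$keyPath = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$branch\MSIServer"
if (-not (Test-Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
    Write-Host "Created $keyPath"
} else {
    Write-Host "$keyPath already exists"
}

# Equivalent of 'net start msiserver'.
Start-Service -Name msiserver
Get-Service -Name msiserver | Select-Object Name, Status
```

The script refuses to touch the registry when the machine is in a normal boot, which keeps it from accidentally allowing the Windows Installer service to run in Safe Mode on a production host where it is not wanted.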

For more information about Safe Mode refer to the instructions for your operating system: Windows 10, Windows 8/8.1 and 2012/2012 R2, Windows 7 and 2008, or Windows Vista and 2008.

Configuration

How can I configure the fail mode?

By default, Duo Authentication for Windows Logon will “fail open” and permit the Windows logon to continue if it is unable to contact the Duo service. You can set the fail mode during installation to “fail closed” by deselecting the “Bypass Duo authentication when offline” box during installation. This will deny all login attempts if there is a problem contacting the Duo service.

To change the fail mode after installation, use the Registry Editor (regedit.exe) with administrator privileges to create or update the following registry value in HKEY_LOCAL_MACHINE\SOFTWARE\Duo Security\DuoCredProv:

Registry Value | Type  | Description
FailOpen       | DWORD | Set to 1 to allow “fail open” or 0 to restrict to “fail closed”. Default: Fail open.

When modifying the FailOpen registry value on a Windows 2003 or XP system a reboot is required to make the change effective.

How can I configure auto push?

When auto push is enabled, Duo Authentication for Windows Logon automatically sends a push notification to the Duo Mobile app or a phone call to the user’s default device submitting the Windows username and password. This is the installation default. You can choose to disable auto push by deselecting the “Use auto push to authenticate if available” box during installation.

To change the auto push behavior after installation, use the Registry Editor (regedit.exe) with administrator privileges to create or update the following registry value in HKEY_LOCAL_MACHINE\SOFTWARE\Duo Security\DuoCredProv:

Registry Value | Type  | Description
AutoPush       | DWORD | Set to 0 to disable auto-push or 1 to enable it.

When auto-push is disabled, Duo does not request logon verification until the user submits the name of an authentication factor at the Duo Authentication prompt.

How do I enable debug logging?

To enable debug logging, use the Registry Editor (regedit.exe) with administrator privileges to create the following registry value in HKEY_LOCAL_MACHINE\SOFTWARE\Duo Security\DuoCredProv:

Registry Value | Type  | Description
Debug          | DWORD | Set to 1 to enable debug logging. Default: No debug logging.

The log file location is %PROGRAMDATA%\Duo Security\duo.log for version 1.1.8 and later, and %ProgramFiles%\Duo Security\DuoCredProv\duo.log for version 1.1.7 and earlier. Please note that these paths apply to both the Credential Provider and GINA Duo installations.

Can Duo protect local console logins in Windows?

Yes, Duo Authentication for Windows Logon does provide protection for local console logins. However, it can be difficult to prevent an attacker with physical access to a system from compromising it. In particular, there are two significant threats you should take care to address:

  • Duo Authentication for Windows Logon can be bypassed by rebooting a Windows system into Safe Mode. To limit the effect of this, you should prevent all but a select group of users from logging in while Windows is running in Safe Mode. (See, for example, http://support.microsoft.com/kb/977542.)
  • By default, the RDP integration will “fail open” if it is unable to contact the Duo service. A user with local console access might be able to disrupt a machine’s network connectivity (e.g. by unplugging an ethernet cord), thereby bypassing Duo authentication.

    You can set the fail mode during installation to “fail closed” by deselecting the “Bypass Duo authentication when offline” box in the Duo installer, or by configuring the Registry DWORD value HKEY_LOCAL_MACHINE\Software\Duo Security\DuoCredProv\FailOpen set to 0 to “fail closed”. This will deny all login attempts if there is a problem contacting the Duo service.

To enable Duo authentication for both local console and RDP logins, clear the “Only prompt for Duo authentication when logging in via RDP” box during installation.

To change which logon connections are required to use Duo after installation, use the Registry Editor (regedit.exe) with administrator privileges to create or update the following registry value in HKEY_LOCAL_MACHINE\SOFTWARE\Duo Security\DuoCredProv:

Registry Value | Type  | Description
RdpOnly        | DWORD | Set to 0 to protect both RDP and local console logons or 1 to protect RDP logons only.

Can Duo protect Remote Desktop Connection logons only?

It is possible to only enable Duo authentication for RDP sessions (and not local console logins). This can be set during the installation by checking the “Only prompt for Duo authentication when logging in via RDP” box.

To change which logon connections are required to use Duo after installation, use the Registry Editor (regedit.exe) with administrator privileges to create or update the following registry value in HKEY_LOCAL_MACHINE\SOFTWARE\Duo Security\DuoCredProv:

Registry Value | Type  | Description
RdpOnly        | DWORD | Set to 1 to protect RDP logons only or 0 to protect both RDP and local console logons.

When modifying the RdpOnly registry value on a Windows 2003 or XP system a reboot may be required to make the change effective.
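The fail mode, auto push, debug logging, local console and RDP-only questions above all come down to four DWORD values in the same HKEY_LOCAL_MACHINE\SOFTWARE\Duo Security\DuoCredProv key. The script below, written as an added example and not Duo’s own tooling, reads and sets those values and then flags the combination the local console question warns about (console logons protected while fail open is still enabled). The function names and the audit rule are this example’s own.

```powershell
# Added example (not Duo's own tooling): read and set the DWORD switches in
# HKLM\SOFTWARE\Duo Security\DuoCredProv documented in this FAQ (FailOpen, AutoPush,
# Debug, RdpOnly), then report settings a defender would want to revisit.
# Run from an elevated PowerShell session.

$DuoKey   = 'HKLM:\SOFTWARE\Duo Security\DuoCredProv'
$Switches = 'FailOpen', 'AutoPush', 'Debug', 'RdpOnly'   # documented 0/1 values

function Get-DuoLogonConfig {
    $props = Get-ItemProperty -Path $DuoKey -ErrorAction Stop
    $out = [ordered]@{}
    foreach ($name in $Switches) {
        # A missing value means the installation default applies
        # (FailOpen absent = fail open, Debug absent = no debug logging).
        $out[$name] = if ($null -ne $props.$name) { [int]$props.$name } else { $null }
    }
    [pscustomobject]$out
}

function Set-DuoLogonSwitch {
    param(
        [Parameter(Mandatory)][ValidateSet('FailOpen', 'AutoPush', 'Debug', 'RdpOnly')][string]$Name,
        [Parameter(Mandatory)][ValidateRange(0, 1)][int]$Value
    )
    # -Force creates the value if absent and overwrites it if present, always as REG_DWORD.
    New-ItemProperty -Path $DuoKey -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

function Test-DuoLogonHardening {
    $cfg = Get-DuoLogonConfig
    $findings = @()
    $failOpen = if ($null -eq $cfg.FailOpen) { 1 } else { $cfg.FailOpen }
    if ($cfg.RdpOnly -eq 0 -and $failOpen -eq 1) {
        $findings += 'Console logons are Duo-protected but FailOpen=1: a user who cuts network connectivity at the console is let in without the second factor.'
    }
    if ($cfg.Debug -eq 1) {
        $findings += 'Debug logging is enabled; disable it once troubleshooting is finished.'
    }
    $findings
}

# Example run: fail closed, protect both console and RDP logons, then audit.
Set-DuoLogonSwitch -Name FailOpen -Value 0
Set-DuoLogonSwitch -Name RdpOnly  -Value 0
Get-DuoLogonConfig | Format-List
Test-DuoLogonHardening | ForEach-Object { Write-Warning $_ }
```

On Windows 2003 and XP the FailOpen and RdpOnly changes still need the reboot noted above; on Vista and later they take effect at the next logon attempt.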

Is it possible to use a web proxy only for Duo Authentication for Windows Logon traffic?

Yes, Duo Authentication for Windows Logon version 2.0.0.71 and later supports proxying only Duo authentication traffic. To configure the HTTP proxy information, use the Registry Editor (regedit.exe) with administrator privileges to create the following registry values in HKEY_LOCAL_MACHINE\SOFTWARE\Duo Security\DuoCredProv:

Registry Value | Type   | Description
HttpProxyHost  | String | Hostname or IP address of an HTTP proxy. If set, it will be used for communicating with Duo Security’s service. Must support the CONNECT method. Default: do not use a proxy.
HttpProxyPort  | DWORD  | Port to connect to on HttpProxyHost. Enter the port number as a decimal. Default: 80.

Client HTTP proxy settings may also be configured using the Duo Authentication for Windows Logon Group Policy template.

If you do not already have an HTTP proxy deployed on your network you can use the Duo Authentication Proxy application to act as an HTTP proxy for Duo Windows Logon client connections. See the HTTP Proxy instructions in the Authentication Proxy Reference for more information.
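An added example, not from Duo’s documentation, of setting the two Duo-only proxy values from the table above and checking that the proxy is reachable before the next logon depends on it. The proxy hostname and port are placeholders; the Test-NetConnection check is a plain TCP reachability test, not a full CONNECT handshake.

```powershell
# Added example (not from Duo's documentation): point only the Duo Windows Logon client
# at an HTTP CONNECT proxy via HttpProxyHost (REG_SZ) and HttpProxyPort (REG_DWORD,
# decimal), then check that the proxy port answers from this host. Run elevated.

$DuoKey    = 'HKLM:\SOFTWARE\Duo Security\DuoCredProv'
$ProxyHost = 'proxy.example.internal'   # placeholder proxy hostname
$ProxyPort = 3128                        # placeholder port; Duo's default is 80

# String value for the host, DWORD (decimal) for the port, as the table above requires.
New-ItemProperty -Path $DuoKey -Name 'HttpProxyHost' -PropertyType String -Value $ProxyHost -Force | Out-Null
New-ItemProperty -Path $DuoKey -Name 'HttpProxyPort' -PropertyType DWord  -Value $ProxyPort -Force | Out-Null

Get-ItemProperty -Path $DuoKey | Select-Object HttpProxyHost, HttpProxyPort | Format-List

# If the proxy is unreachable, Duo is unreachable at logon and the FailOpen setting
# decides whether the user gets in; catch that here rather than at the logon screen.
$reach = Test-NetConnection -ComputerName $ProxyHost -Port $ProxyPort -WarningAction SilentlyContinue
if (-not $reach.TcpTestSucceeded) {
    Write-Warning "Cannot reach $ProxyHost on TCP $ProxyPort from this host."
}

# For comparison, the system-wide WinHTTP proxy from the "web proxying" question
# above; Duo honors it too, but it applies to every WinHTTP consumer on the machine.
netsh winhttp show proxy
```

Clearing HttpProxyHost (or removing the value) returns the client to the default of no Duo-only proxy, at which point the WinHTTP setting shown by netsh is what applies.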

Troubleshooting

Why am I unable to log in to Windows after installing Duo?

In order for the Duo service to properly authenticate a Windows user account the username in Windows must match the username in the Duo account. If you receive the message “The Duo native Windows client does not currently support unknown users.” then the account you are using to log into Windows does not match an enrolled Duo user.

  1. Log in to the Duo Admin Panel and make sure that you’ve added a user with a username that matches the Windows username.
  2. You will also need to manually enroll this user’s phone number so that the user can receive passcodes or phone calls, which are needed in order to authenticate.
  3. Once the user’s phone number has been added you may optionally install and enroll the Duo Mobile smartphone app, which will enable the “push” functionality for an RDP login.
  4. Now try to log in to Windows again.

Users receive the error “Logon failure: the user has not been granted the requested logon type at this computer” when attempting to log in.

This error may be seen in Duo Windows Logon version 1.1.5 or later. Ensure that the users have been delegated the “Allow log on locally” rights for console logins, or have been delegated both the “Allow log on locally” and “Allow log on through Remote Desktop Connection” rights in the computer’s local or domain-level security policy. Please see the Group Policy Settings Reference for Windows and Windows Server for more information about these user rights assignments.

When logging in via Remote Desktop, my authentication is accepted but the Remote Desktop session is disconnected. How do I fix this?

You can increase the logon timeout if extra time is needed to complete authentication (for example, if users must type in a hardware token passcode). Create a new registry DWORD value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\LogonTimeout and set it to a decimal value greater than 60. You may need to cycle the TermService service or restart Windows for the change to be recognized.
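The same change as a script, added here as an example rather than taken from Duo: it enforces the “greater than 60” rule from the paragraph above, records the previous value, and restarts the Remote Desktop service. The 120-second value is an illustrative choice.

```powershell
# Added example (not from Duo's documentation): raise the RDP logon timeout so a slow
# second factor (typing a hardware-token passcode, for instance) does not drop the
# session, then cycle TermService so the new value takes effect. Run elevated.

$rdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$seconds = 120   # illustrative; the page only requires a value above 60

if ($seconds -le 60) { throw 'LogonTimeout must be greater than 60 seconds.' }

$before = (Get-ItemProperty -Path $rdpKey -Name LogonTimeout -ErrorAction SilentlyContinue).LogonTimeout
Write-Host "Previous LogonTimeout: $(if ($null -eq $before) { '<not set>' } else { $before })"

New-ItemProperty -Path $rdpKey -Name 'LogonTimeout' -PropertyType DWord -Value $seconds -Force | Out-Null

# TermService has dependent services (UmRdpService among them), so -Force is required.
# Restarting it disconnects active RDP sessions: run this from the console or during
# a maintenance window, not over the RDP session you are trying to fix.
Restart-Service -Name TermService -Force
Get-Service -Name TermService | Select-Object Name, Status
```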

To increase the Remote Desktop logon timeout for multiple computers joined to an Active Directory domain with Group Policy, add the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\LogonTimeout value to a GPO (Group Policy object) as a registry preference item. Please see “Configure a Registry Item” at the Microsoft TechNet site for more information.

Additional Troubleshooting

Need more help? Try searching our Knowledge Base. For further assistance, contact Support.
