Duo Authentication for Windows Logon and RDP - Release Notes

Download the current release from the Checksums and Downloads page.

Version 5.0.0 - February 24. 2025

• General availability of Passwordless OS Logon. Users may log in securely to Windows via Bluetooth connection to a mobile device with Duo Mobile platform biometric or PIN verification instead of entering a password.
  • It is now possible to restrict which user groups may use Passwordless OS Logon from the Duo Admin Panel.
  • Cancelling a Passwordless OS Logon push now immediately cancels the push in progress rather than simply dismissing the Passwordless push dialog but waiting for the push to time out.
• General availability of Verified Duo Push support for Windows logons when the authentication methods policy requires Verified Duo Push with a verification code.
• Improved handling of updates to offline policies.
• Improvements to the Windows password reset experience.
• Adds support for Windows Server 2025 and removes installer support for Windows 2012 R2 and earlier.

Version 4.3.16 - November 14, 2024

• Public preview of Passwordless OS Logon. Instead of entering their Windows password, users log in securely via Bluetooth connection to a mobile device with Duo Mobile platform biometric or PIN verification.
• Preview release of Verified Duo Push in Windows Logon. Users will enter a code into Duo Mobile to approve a push request when the effective authentication methods policy requires Verified Duo Push with a verification code.
• Adds certificate pinning to enhance security of the connection between the Duo for Windows Logon client and Duo's cloud service.
• Now sends the Passport signature for every local authentication regardless of whether local remembered devices is enabled or checked. This removes the "Remember devices for Windows Logon" policy requirement for Duo Passport starting with the D304 cloud release.

Version 4.3.1 - April 9, 2024

• Restores the ability to perform a silent install without providing application information in the command.
• Corrects an issue where the exe installer did not retain the existing FailOpen value during upgrade from a prior version.
• Corrects installer issues with uninstalls and reinstalls of the same version.
• Corrects an issue where a trusted session was erroneously invalidated.
• Corrects an issue where the login button was focused on by default instead of the passcode field.
• Adds the MaxBootTimeDelta GPO setting.

Version 4.3.0 - February 27, 2024

• Accessibility improvements.
• Design improvements and minor bug fixes in installer.
• Corrects an issue which caused occasional black or frozen screens during Duo login.
• Adds an optional registry setting ParseUsernameAndDomain which overrides Duo user/domain determination logic by parsing the username provided by the user. Refer to Why might an incorrect username get sent to Duo from a machine joined to Entra ID? for more information.
• Addresses a security vulnerability in which trusted sessions persisted after a reboot (CVE-2024-20301; Cisco Security Advisory).
• Addresses a security vulnerability where the Duo secret key value was logged in plain-text during an application upgrade (CVE-2024-20292; Cisco Security Advisory).
  • We recommend you migrate to a new instance of the application to preserve the integrity of the application credentials on your client systems. Refer to Duo KB Article 8760 for step-by-step instructions. Refer to the Duo KB article What are Duo application credentials and how should I protect them? for more information.
• Corrects an issue where the installer did not secure the Duo registry key so integration credentials could be read by unprivileged users until the registry key was secured by first launch of the application.
• The exe installer now defaults to "fail closed" for the Bypass Duo authentication when offline (FailOpen) setting and overrides the previous fail mode selection. The msi now installer will default to "fail closed" for net new installations and upgrades will preserve the previous fail mode selection.

Version 4.2.2 - March 15, 2023

• Corrects an issue in Duo Offline Access for Windows which allowed "Windows Offline" login passcodes to be reused or replayed under certain conditions (CVE-2023-20123; Cisco Security Advisory).

Version 4.2.1 - November 22, 2022

• Corrects an issue where an enrolled Windows Offline user would be deprovisioned from offline access if there was a network disruption during online login.

Version 4.2.0 - September 23, 2021

• Introduces remembered devices for local Windows logins. The Remembered Devices policy for Duo Essentials, Advantage, and Premier plan customers now includes settings for Windows Logon. Remembering the device during online authentication creates a trusted session, letting users skip Duo two-factor authentication for the lifetime of the session.
• Adds the hostname of the system where Duo for Windows Logon is installed to Duo Mobile push requests and the Windows logon authentication type (Local, RDP, UAC) to Duo Push request notifications.
• Adds support for Windows 11 and Windows Server 2022.
• Bug fixes.

Version 4.1.3 - November 2, 2020

• Fixes an issue with Duo Windows Logon installer that may cause a MSI self-repair and subsequent "Installation stopped" error from Duo Windows Logon Installer. Customers upgrading from 4.1.2 may still experience unexpected MSI self repairs during installation. Refer to Duo KB article 6462 for additional remediation steps.

Version 4.1.2 - October 14, 2020

• Addresses an elevation of privilege vulnerability in the Windows Logon installer which could allow an authenticated local attacker to overwrite files in privileged directories (CVE-2020-3427). The vulnerability was limited to the installer only, and did not affect the application once installed.

Version 4.1.1 - July 13, 2020

• Updated installer to remove the password check that contributed to user lockouts in v4.1.0 when installed on Active Directory Domain Controllers. Customers with v4.1.0 installed should upgrade to v4.1.1 at the earliest opportunity.

Version 4.1.0 - April 29, 2020

• Introduces User Elevation, which adds the 2FA Duo prompt for credentialed User Account Control.
• GPO template updated to include User Elevation configuration.
• SHA-256 signed installer.
• Additional bug fixes and security enhancements

Version 4.0.7 - October 2019

• Fixes an issue related to multiple in-flight authentications.
• Support for Windows Server 2008 R2 and Windows 7 ends in January 2020. Future releases may not function on unsupported operating systems.

Version 4.0.6 - September 2019

• Added a support tool that sanitizes and packages config and log files into a zip file you can send to Duo Support when troubleshooting issues.
• Added log file rotation.
• Added additional UI installer options for HTTP proxy settings.
• Updated GPO template to include log file rotation and Offline Authentication configuration.
• Removed .NET dependency for the installer connectivity check.
• Fixed a bug that would result in "Ordinal Not Found" being displayed in certain scenarios.
• Fixed the flow of windows password changes that could cause re-enrollment in Offline Authentication.
• Removed errant log message stating "Duo Auth Not Configured".
• Response to CERT/CC Vulnerability Note VU#576688.
• Security improvements for Offline Authentication.
• Additional bug fixes and security enhancements.

Version 4.0.5 - April 2019

• Correct issue enforcing secure failmode (FailOpen=0) when the Offline Access feature is disabled at the client system (OfflineAvailable=0). PSA-2019-001 (CVE-2019-11237)

Version 4.0.3 - February 2019

• Corrected issue with installer not preserving configured options on upgrade.

Version 4.0.2 - February 2019

• Corrected an issue with offline access de-provisioning registered users unexpectedly after a bypass login.
• Installer dialog changes for integration and smart card options.
• Command line installer now permits setting all configuration options.
• Fixed issues with installer product codes that affected MSI in-place upgrades.

Version 4.0.1 - December 2018

• UsernameFormatForService setting now respected when set via GPO.
• Bug fixes.

Version 4.0.0 - November 2018

• Introduces offline access with Duo MFA.
• Adds support for Windows Server 2019. Deprecates support for Windows 8 and 2008.
• Now includes the Windows hostname of the system where Duo is installed in the Duo authentication logs for both remote and local console logins.
• Bug fixes.

Versions Before 4.0.0

Version 3.1.2 - May 2018

• Installer improvements, including a new API connectivity check

Version 3.1.1 - October 2017

• Supports chaining Duo authentication with smart card logon
• Configurable username format for Duo now supports userPrincipalName (UPN)
• Bug fixes

Version 3.1.0 - July 2017

• Support for wrapped credential providers
• Permits an allow list of third-party credential providers
• Configurable Duo username format sAMAccountName or NTLM name (msDS-PrincipalName)
• Silent MSI command line upgrade

Version 3.0.0.85 - February 2017

• New authentication prompt UI
• Dropped active support for Windows Vista

Version 2.1.0 - September 2016

• Added option to allow smart card authentication
• Windows Server 2016 support

Version 2.0.0.71 - February 2016

• Added HTTP proxy of Duo authentication traffic only
• Supports configuration via Group Policy

Version 1.2.0.14 - August 2015

• Windows 10 support

Version 1.1.8 - September 2014

• Last release with support for Windows 2003 and XP.
• Improved handling of UPN usernames
• Adjustment to authentication attempt timeout logic
• Bugfixes

Version 1.1.7 - April 2014

• Ensured that the secondary login window always appears on Server 2012, Windows 8, and newer

Version 1.1.6 - April 2014

• Fixed upgrades using .msi installers in headless mode

Version 1.1.5 - March 2014

• Fixed log on to domain accounts on offline workstations
• Fixed log on to domain accounts with usernames that match local accounts

Version 1.1.4 - Jan 2014

• Bugfixes

Version 1.1.3 - Jan 2014

• Fixed double-prompt for username/password when logging into Windows 7 / Server 2008 R2 (or newer) with an RDP client supporting Network-Level Authentication

Version 1.1.2 - Oct 2013

• Used a more reliable mechanism to determine client IP addresses

Version 1.1.1 - Oct 2013

• Fixed issues parsing usernames

Version 1.1.0 - Sept 2013

• Support for Auto-push

Version 1.0.7 - July 2013

• Fixed password-reset workflow
• Fixed reporting of client IP addresses for RDP sessions
• Added support for system-wide WinHTTP proxy configuration

Version 1.0.6 - November 2012

• Released Windows Server 2003 version