Certificate-based Trusted Endpoint verification for Intune will reach end-of-life in a future release. Migrate existing iOS Certificate Configuration management integrations to iOS Configuration and existing Windows Certificate Configuration management integrations to Windows Configuration. Learn more about the end-of-life timeline and migration options in the Duo Trusted Endpoints Certificate Migration Guide.
Duo's Trusted Endpoints feature secures your sensitive applications by ensuring that only known devices can access Duo protected services. When a user authenticates via the Duo Prompt, we'll check for the access device's management status. You can monitor access to your applications from trusted and untrusted devices, and optionally block access from devices not trusted by your organization.
Trusted Endpoints is part of the Duo Essentials, Duo Advantage, and Duo Premier plans.
Before enabling the Trusted Endpoints policy on your applications, you'll need to deploy the Duo device certificate or REST API access for Duo to your managed devices. This guide walks you through Intune configuration for Android and iOS mobile devices and Windows endpoints.
Mobile Trusted Endpoints and Verified Duo Push: Trusted endpoint verification of iOS and Android devices with Duo Mobile uses the standard Duo Push approval process and will not prompt for a Duo Push verification code, even if the effective authentication methods policy for the user and application has "Verified Duo Push" enabled.
Perform these Azure app registration steps prior to the specific Android, iOS, or Windows configuration steps. You only need to register one Azure app for Duo to use with all three client operating systems. These instructions create a single-tenant application where the application is intended to run within only one organization.
Log in to the Microsoft Azure Administrator console as an Azure AD administrator with the "Global Administrator" role.
Click Azure Active Directory and then click on the Azure Active Directory domain.
Click on App registrations in the "Manage" section of your Azure domain's blade.
Click New registration.
Enter a descriptive name for the application and select Accounts in this organizational directory only under "Supported account types".
Click Register. You'll be sent to the details page for the new app registration.
On the newly-created application's page, click API Permissions in the "Manage" section, and then click Add a Permission.
On the "Request API Permissions" page, select Microsoft Graph from the available Microsoft APIs, and then select Application Permissions.
Select the following Microsoft Graph permission:
Click Add Permissions after selecting the Graph permission.
Back on the API permissions page you should see the list of API permissions you selected. Click the Grant admin consent for
In the Azure portal, return to Azure Active Directory and then click on the Azure Active Directory domain.
Click on App registrations in the "Manage" section of your Azure domain's blade and select the Duo app registration you created earlier.
Click Certificate & secrets in the "Manage" section.
Under "Client secrets" click New client secret. In the Description leave a comment, then under "Expires" select 2 years (the permitted maximum). This creates a new secret, but the secret value is hidden until you save your changes. Click Add.
The new secret's value is shown after you save. Do not leave or close this page! You will need to copy the secret VALUE (not the "Secret ID") from this page and paste it into your Intune management integration configuration page in the Duo Admin Panel once you create the management integration in the next set of steps below for your OS platform.
This is your only chance to view the secret value! If you leave this area of the Azure portal before entering the secret Intune management integration configuration in the Duo Admin Panel, then you can't view the same key's value again and you'll have to create a new one.
It's a good idea to save this Azure secret in a secure password manager in case you need it again after you finish setting up your Intune management integration, like if you want to add support for other OS platforms in the future.
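The Test Configuration button in the Duo Admin Panel exercises the values from this section (tenant ID, application ID, client secret and the consented Graph permission). The following Python script is an added example, not Duo's or Microsoft's code, that performs the equivalent pre-flight check before you paste the values into Duo: it requests an app-only token with the client credentials grant, inspects the token's tid, appid and roles claims to confirm the secret works, the tenant and application match, and admin consent for the Graph application permission was actually granted, and it reports how many days remain before the secret expires. The tenant ID, client ID, secret value, expiry date and the name of the required Graph permission are placeholders you supply; _demo_token builds an unsigned token only so the claim checks can be exercised without contacting Azure.

```python
import base64
import json
import urllib.parse
import urllib.request
from datetime import date

# Real Microsoft identity platform token endpoint and the Graph ".default" scope used by
# the OAuth 2.0 client-credentials (app-only) grant. Tenant, client and secret come from
# the caller; the values in __main__ below are placeholders, not real identifiers.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form_body) for an app-only token request to Microsoft Graph."""
    form = {
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
        "grant_type": "client_credentials",
    }
    return TOKEN_URL.format(tenant=tenant_id), urllib.parse.urlencode(form).encode()


def fetch_app_token(tenant_id, client_id, client_secret, opener=urllib.request.urlopen):
    """Exchange the client secret for an access token and return the raw JWT string.
    A wrong secret, tenant or client ID surfaces here as an HTTP error from Azure."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    with opener(urllib.request.Request(url, data=body, method="POST")) as resp:
        return json.load(resp)["access_token"]


def decode_jwt_claims(token):
    """Decode a JWT payload for inspection only; the signature is NOT verified here,
    which is acceptable for a token just received over TLS from the issuer itself."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_app_token(token, tenant_id, client_id, required_role):
    """Return a list of problems with an app-only token; an empty list means it looks right.

    Granted application permissions appear in the 'roles' claim of an app-only token, so a
    missing role means admin consent was not granted or a different permission was added.
    """
    claims = decode_jwt_claims(token)
    problems = []
    if claims.get("tid") != tenant_id:
        problems.append(f"issued for tenant {claims.get('tid')!r}, expected {tenant_id!r}")
    app = claims.get("appid") or claims.get("azp")  # v1.0 tokens carry appid, v2.0 carry azp
    if app != client_id:
        problems.append(f"issued to app {app!r}, expected {client_id!r}")
    roles = claims.get("roles", [])
    if required_role not in roles:
        problems.append(f"application permission {required_role!r} not granted (roles={roles})")
    return problems


def secret_days_remaining(expires_on, today):
    """Days until the client secret expires (ISO dates); negative means already expired.
    Once the secret expires Duo can no longer call the Intune API with it, so track the date."""
    return (date.fromisoformat(expires_on) - date.fromisoformat(today)).days


def _demo_token(claims):
    """Build an unsigned JWT from constructed claims purely so the checks can be exercised
    offline; real tokens from Azure are signed and are never built this way."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return b64({"alg": "none", "typ": "JWT"}) + "." + b64(claims) + "."


if __name__ == "__main__":
    # Placeholders: replace with your Directory (tenant) ID, Application (client) ID,
    # secret VALUE, the Graph application permission you added, and the expiry date you chose.
    tenant = "<directory-tenant-id>"
    client = "<application-client-id>"
    secret = "<client-secret-value>"
    token = fetch_app_token(tenant, client, secret)
    for problem in check_app_token(token, tenant, client, "<graph-application-permission>"):
        print("PROBLEM:", problem)
    print("days until secret expiry:",
          secret_days_remaining("<YYYY-MM-DD>", date.today().isoformat()))
```

Run it with real values before clicking Test Configuration in Duo; an empty problem list means the three values you are about to paste into the Duo Admin Panel are consistent with what Azure issues, and the expiry countdown is the number to put in your calendar, since the 2-year maximum means the secret will need rotating before the integration has been in service for long.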
Duo determines trusted device status on Android devices by leveraging the installed and activated managed Duo Mobile application on a given device to verify device information.
Use the following instructions to complete setup of your Duo Intune management integration for Android devices.
The new Intune integration is created in the "Disabled" state. You'll turn it on when you're ready to apply your Duo trusted endpoints policy.
Please note that this integration takes advantage of managed app configuration and therefore Duo Mobile must be installed by your MDM for the device to be considered trusted.
Keep the Duo Admin Panel open in your browser while you access the Azure portal in a new window or tab. You'll need to return to the Intune management integration page to complete the Android configuration steps.
Scroll down on the configuration page for your Intune Trusted Endpoints management integration to the "Register Azure Application with Duo" section.
Copy the Azure application client secret value that you created during the Azure configuration steps, and paste the copied secret as the Azure Secret value in the third step on your Intune management integration's config page in the Duo Admin Panel.
Click Overview on the Duo Azure app registration's page. You'll see the Application (client) ID and Directory (tenant) ID listed at the top of the page.
Copy the Application (client) ID value from Azure and paste it as the Azure Application ID value in step 4 on your Intune management integration's config page in the Duo Admin Panel.
Copy the Directory (tenant) ID value from Azure and paste it as the Azure Directory ID value in step 4 on your Intune management integration's config page in the Duo Admin Panel.
Click Test Configuration to verify Azure API access, and if successful click Save & Configure on the Duo Intune management integration page.
In the Azure Portal, navigate to Intune → Device Enrollment → Android Enrollment.
Select Manage Google Play in the "Prerequisites" section to connect to your organization's Google Play account.
Grant Microsoft permission to send user/device information to Google, and click the Launch Google to connect now button to access Google.
Sign in to Google using the account you use to manage and publish apps in Google Play and complete linking your managed Google Play account to Intune.
In the Azure Portal, navigate to Intune → Client Apps → Managed Google Play.
Click the Open the Managed Google Play Store link.
Search the Google Play Store for Duo Mobile and click the Duo Mobile app icon to select it from the search results.
Click the Approve button on the Duo Mobile app page, and click Approve again after reviewing the requested app permissions.
When asked "how to handle new app permission requests", select Keep approved when app requests new permissions and then click Done.
After you've approved the Duo Mobile app in the Play store, return to the Intune Managed Google Play page and click the Sync button.
In the Azure Portal, navigate to Intune → Client apps → App configuration policies.
Click the Add button and select Managed devices.
Enter the following information on the "Create app configuration policy" page's "Basics" tab:
| Setting | Value |
| --- | --- |
| Name | Enter a descriptive name. |
| Description | Enter additional information about this new policy, if desired. |
| Device Enrollment Type | Select Managed Devices. |
| Platform | Select Android Enterprise. |
| Profile | Select Work Profile only. |
Click the Select app link next to "Targeted app".
In the "Associated App" search, find and choose Duo Mobile. Click OK to return to the "Basics" tab, and then click Next.
On the "Settings" tab, under "Configuration settings format", choose Use configuration designer.
Click Add+ and select Trusted Endpoint Identifier and Trusted Endpoints Configuration Key. The Trusted Endpoint Identifier should have value type "Variable" and Trusted Endpoints Configuration Key should have value type "String".
Return to your Intune management integration page in the Duo Admin Panel and copy the information for these fields from Duo and paste into the corresponding configuration value fields in the Azure configuration designer:
Click Next after entering the information for those two configuration settings.
On the "Assignment" tab, choose the Azure group to which you would like to push Duo Mobile. We recommend starting with a test group. Click Next after selecting your target groups.
Verify the information on the "Review + Create" tab, and click Create if it looks correct.
In the Azure Portal, navigate to Intune → Client Apps → Apps.
Select the Duo Mobile app with type "Android Store App".
Select Assignments and then click Add Group.
Make the following selections:
Click OK and then click Save.
Duo Mobile should now be available to download from the Intune Work Profile App Store on Android devices.
At this point the configured integration is disabled and applies to no users until you finish your deployment.
After you configure the connection between Intune and Duo you can verify that a given device's information is being pulled into Duo by searching for the device identifier from the Duo Admin Panel. See Search for Device Identifiers to learn how.
Duo determines trusted device status on iOS devices by leveraging the installed and activated managed Duo Mobile application on a given device to verify device information.
Use the following instructions to complete setup of your Duo Intune management integration for iOS devices.
The new Intune with App Config integration is created in the "Disabled" state. You'll turn it on when you're ready to apply your Duo trusted endpoints policy.
Please note that this integration takes advantage of managed app configuration and therefore Duo Mobile must be installed by your MDM for the device to be considered trusted.
Keep the Duo Admin Panel open in your browser. You'll need to refer back to the Intune with App Config management integration page to complete the configuration steps.
Scroll down on the configuration page for your Intune with App Config Trusted Endpoints management integration to the "Register Azure Application with Duo" section.
Copy the Azure application client secret value that you created during the Azure configuration steps, and paste the copied secret as the Azure Secret value in the third step on your Intune management integration's config page in the Duo Admin Panel.
Click Overview on the Duo Azure app registration's page. You'll see the Application (client) ID and Directory (tenant) ID listed at the top of the page.
Copy the Application (client) ID value from Azure and paste it as the Azure Application ID value in step 4 on your Intune management integration's config page in the Duo Admin Panel.
Copy the Directory (tenant) ID value from Azure and paste it as the Azure Directory ID value in step 4 on your Intune management integration's config page in the Duo Admin Panel.
Click Test Configuration to verify Azure API access, and if successful click Save & Configure on the Duo Intune with App Config management integration page.
In the Azure portal, navigate to Apps → All apps → +Add.
Select iOS store app in the "App Type" drop-down, and then click Select.
Click on Search the App Store, and type Duo Mobile in the app search bar.
Click on Duo Mobile in the search results and then click Select.
On the "App information" page, complete any other sections as needed and then click Next.
On the "Assignments" page, assign the Duo Mobile app as needed and then click Next.
Review the settings for Duo Mobile and then click Create.
In the Azure portal, navigate to Apps → App configuration policies.
Click the Add button and select Managed devices.
Enter the following information on the "Basics" tab of the "Create app configuration policy" page:
| Setting | Value |
| --- | --- |
| Name | Enter a descriptive name for the app configuration policy. |
| Description | Enter additional information about this new policy, if desired. |
| Device Enrollment Type | Select Managed Devices. |
| Platform | Select iOS/iPadOS. |
Click the Select app link next to "Targeted app".
In the "Associated App" search, find and choose Duo Mobile. Click OK to return to the "Basics" tab, and then click Next.
On the "Settings" tab, use the "Configuration settings format" drop-down to choose Enter XML data.
Return to your Intune with App Config management integration page in the Duo Admin Panel and copy the AppConfig XML provided in step 3.7. Paste this into the XML property list field within the Intune app configuration policy page.
Click Next after entering the information for the configuration settings.
On the "Assignment" tab, choose the Azure group or groups to which you would like to push Duo Mobile. We recommend starting with a test group. Click Next after selecting your target groups.
Verify the information on the "Review + Create" tab, and if correct then click Create.
At this point the configured integration is disabled and applies to no users until you finish your deployment.
After you configure the connection between Intune and Duo you can verify that a given device's information is being pulled into Duo by searching for the device identifier from the Duo Admin Panel. See Search for Device Identifiers to learn how.
New Intune iOS certificate deployment management integrations may no longer be created as of October 2021. Consider migrating your certificate-based iOS Intune integration to Intune with App Config. See the Duo Knowledge Base article Guide to updating Trusted Endpoints iOS integrations from certificates to AppConfig for more information about migrating your iOS certificate-based management integrations to App Config.
These instructions remain available for customers who created these integrations before October 2021 and may need to reconfigure them. Duo continues to support existing Intune iOS certificate deployments and will do so until the integration reaches end-of-life status in a future update.
The new Intune integration is created in the "Disabled" state. You'll turn it on when you're ready to apply your Duo trusted endpoints policy.
Keep the Duo Admin Panel open in your browser while you access the Azure portal in a new window or tab. You'll need to return to the Intune management integration page to complete the iOS configuration steps.
Download the Duo Endpoint Root Certificate from the iOS tab of the Intune management integration page in the Duo Admin Panel.
In the Azure portal, navigate to Intune → Device Configuration → Profiles.
Click Create profile and make these selections on the "Create a profile" blade:
Click Create.
Enter this information in the "Trusted Certificate" profile editor:
Click Next.
Upload the Duo Endpoint Root Certificate you downloaded earlier and click Next, and then click Next again without adding any scope tags.
On the "Assignments" tab, assign the profile to your desired Azure users, groups, or devices. Click Next.
Verify the information on the "Review + Create" tab, and click Create if it looks correct.
In the Azure Portal, navigate to Intune → Device Configuration → Profiles.
Click Create profile and make these selections on the "Create a profile" blade:
Click Create.
Enter this information in the "SCEP Certificate" profile editor:
Click Next.
Create a new profile with the values below:
Click Next, and then click Next again without adding any scope tags.
On the "Assignments" tab, assign the profile to your desired Azure users, groups, or devices, in the same way you deploy device profiles for other purposes. When making your assignment selections, consider the following:
Click Next after selecting the policy assignment targets.
Verify the information on the "Review + Create" tab, and click Create if it looks correct.
At this point the configured integration is disabled and applies to no users until you finish your deployment.
Duo Desktop is the new name for Duo Device Health. Management integrations, user interfaces, and logging will reflect the new name in November 2023. You may see both names mentioned during this transition.
This integration relies on having Duo Desktop present on your Intune-managed Windows endpoints. When users authenticate to applications protected with Duo's browser-based prompt, Duo matches the device information reported by Duo Desktop with managed device information obtained from Intune via API.
Use the following instructions to complete setup of your Intune with Duo Desktop management integration for Windows devices.
The new Intune with Duo Desktop integration is created in the "Disabled" state. You'll turn it on when you're ready to apply your Duo trusted endpoints policy.
Please note that this integration requires Duo Desktop to be installed on the device to be considered trusted.
Keep the Duo Admin Panel open in your browser. You'll need to refer back to the Intune with Duo Desktop management integration page to complete the configuration steps.
Scroll down on the configuration page for your Intune Trusted Endpoints management integration to the "Register Azure Application with Duo" section.
Copy the Azure application client secret value that you created during the Azure configuration steps, and paste the copied secret as the Azure Secret value in the third step on your Intune management integration's config page in the Duo Admin Panel.
Click Overview on the Duo Azure app registration's page. You'll see the Application (client) ID and Directory (tenant) ID listed at the top of the page.
Copy the Application (client) ID value from Azure and paste it as the Azure Application ID value in step 4 on your Intune management integration's config page in the Duo Admin Panel.
Copy the Directory (tenant) ID value from Azure and paste it as the Azure Directory ID value in step 4 on your Intune management integration's config page in the Duo Admin Panel.
Click Test Configuration to verify Azure API access, and if successful click Save & Configure on the Intune with Duo Desktop management integration page.
At this point the configured integration is disabled and applies to no users until you finish your deployment.
After you configure the connection between Intune and Duo you can verify that a given device's information is being pulled into Duo by searching for the device identifier from the Duo Admin Panel. See Search for Device Identifiers to learn how.
New Intune certificate deployment management integrations may no longer be created as of December 2021. Consider migrating your certificate-based Windows Intune integration to Intune with Duo Desktop. See the Duo Knowledge Base article How do I migrate from Duo Trusted Endpoints certificates to Trusted Endpoints with the Duo Desktop Application? for guidance that you may find useful in migrating Intune certificate-based management integrations to Duo Desktop.
Use of the Duo Desktop for trust attestation provides several advantages over the use of device certificates:
These instructions remain available for customers who created these integrations before December 2021 and may need to reconfigure them. Duo continues to support existing Intune Windows certificate deployments and will do so until the integration reaches end-of-life status in a future update.
Duo verifies the trusted status of Windows devices by checking for the presence of a Duo device certificate. You'll use Intune to push the Duo CA information to your Windows devices so they can obtain a Duo certificate.
The new Intune integration is created in the "Disabled" state. You'll turn it on when you're ready to apply your Duo trusted endpoints policy.
Keep the Duo Admin Panel open in your browser while you access the Azure portal in a new window or tab. You'll need to return to the Intune management integration page to complete the Windows configuration steps.
Download the Duo Endpoint Root Certificate from the Windows tab of the Intune management integration page in the Duo Admin Panel.
In the Azure portal, navigate to Intune → Device Configuration → Profiles.
Click Create profile and make these selections on the "Create a profile" blade:
Click Create.
Enter this information in the "Trusted Certificate" profile editor:
Click Next.
Upload the Duo Endpoint Root Certificate you downloaded earlier, leave the "Destination Store" set to Computer certificate store - Root, and click Next, and then click Next again without adding any scope tags.
On the "Assignments" tab, assign the profile to your desired Azure users, groups, or devices. Click Next.
Verify the information on the "Review + Create" tab, and click Create if it looks correct.
In the Azure Portal, navigate to Intune → Device Configuration → Profiles.
Click Create profile and make these selections on the "Create a profile" blade:
Click Create.
Enter this information in the "SCEP Certificate" profile editor:
Click Next.
Create a new profile with the configuration values below.
Click Next, and then click Next again without adding any scope tags.
On the "Assignments" tab, assign the profile to your desired Azure users, groups, or devices, in the same way you deploy device profiles for other purposes. When making your assignment selections, consider the following:
Click Next after selecting the policy assignment targets.
Verify the information on the "Review + Create" tab, and click Create if it looks correct.
The PowerShell script configures automatic selection of the Duo certificate by Internet Explorer, and by Edge Chromium and Chrome as long as those browsers are installed on the client before the script runs. If Chrome or Edge Chromium get installed on the client afterwards, you'll need to make sure the PowerShell script runs on those clients again after installation to configure automatic Duo certificate selection.
Download the Duo PowerShell Script from the Windows tab of the Intune management integration page in the Duo Admin Panel.
In the Azure Portal, navigate to Intune → Device Configuration → Scripts and click Add.
Enter a Name for the script and a Description, if desired. Click Next.
Enter the following information on the "Script settings" page:
Click Next.
On the "Assignments" tab, assign the profile to your desired Azure users, or the users receiving a Trusted Endpoint Configuration from Intune. Click Next.
Verify the information on the "Review + Create" tab, and click Create if it looks correct.
At this point the configured integration is disabled and applies to no users until you finish your deployment.
After creating the Duo Mobile management integration, set the Trusted Endpoints policy to start checking for managed device status as users authenticate to Duo-protected services and applications.
When your trusted endpoints policy is applied to your Duo applications, return to the Intune, Intune with App Config, or Intune with Duo Desktop trusted endpoint management integration in the Admin Panel. The "Change Integration Status" section of the page shows the current integration status (disabled by default after creation). You can choose to either activate this management integration only for members of a specified test group or groups, or activate for all users. If you created more than one Intune management integration, you must activate each one individually.
The Device Insight and Endpoints pages in the Duo Admin Panel show which access devices are trusted/managed and enrolled in Duo Mobile.
Users with Duo Mobile installed and activated for Duo Push on Android and iOS devices see a device trust dialog when authenticating to a protected resource via the Duo Prompt.
Duo uses the Azure application you created to perform a permissions check to verify device information.
If Duo successfully verifies the Intune device information, and the user has Duo Mobile activated for Duo Push, then the user receives a login request on their phone.
On Android devices, approving the request grants access and returns the user to the protected application. On iOS devices, after approving the Duo authentication request users tap the top-left of the Duo Mobile app to return to the application and complete login. The "Second Factor" logged for these approvals is shown as "Duo Mobile Inline Auth" in the Duo authentication log.
If the user does not have Duo Mobile activated for push, or does not approve the Duo request before it times out, the user returns to the Duo Prompt, where they may select from the available factors to complete 2FA.
When Windows users access Duo-protected resources, the installed Duo Desktop provides device information to Duo. If the information from the device matches the information in Azure, Duo grants access to the trusted device.
With the legacy iOS certificate configuration, iOS users will see a prompt asking them to choose a certificate when authenticating to a protected resource via the Duo prompt. After selecting the Duo Device Authentication certificate and completing authentication, subsequent Duo authentications from the same device will automatically use that same certificate for verification.
Legacy Windows certificate configuration users will see a prompt asking them to choose a certificate when authenticating to a protected resource via the Duo prompt. After selecting the Duo Device Authentication certificate and completing authentication, subsequent Duo authentications from the same device will automatically use that same certificate for verification.
You only need to perform the Azure app registration and configuration in Duo once. The same Azure app is used for Android, iOS, and Windows Intune clients. After completing the full setup for one client platform in Duo, you need only complete the OS-specific setup steps for additional client operating systems.
If you save the Azure application secret in a secure password manager, you can reuse the Azure AD application you registered for your first Intune trusted endpoints management integration when you create additional Intune management integrations later.
If you need to remove a device from Intune so that Duo no longer recognizes it as a managed, trusted device, do not use the "Retire" action in Intune. Instead, delete the device from the Intune portal. If you "retire" the managed device in Intune instead of deleting it, Duo continues to recognize the device as managed and permits a user to authenticate from that still-trusted device. The "Wipe" action also deletes the device from Intune, and wipes the device as well.
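Because Duo keeps trusting any device that still has a record in Intune, the defender's check after removing a device is whether Intune's API still returns it. The following Python script is an added example, not Duo's or Microsoft's code: it pages through the Intune managed devices via Microsoft Graph using the app-only token from the registered application (it assumes the Graph application permission you granted allows reading managed devices) and reports, for a given serial number, either "absent" or the managementState values Intune still holds for it. The HTTP call is injectable so the paging logic can be run against constructed pages; the device records and state values in the test data are constructed samples, not real devices.

```python
import json
import urllib.request

# Real Graph v1.0 endpoint for Intune managed devices; $select keeps each page small.
GRAPH_DEVICES_URL = (
    "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices"
    "?$select=id,deviceName,serialNumber,managementState"
)


def graph_get(url, token):
    """GET a Graph URL with the app-only bearer token and return the parsed JSON body."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def iter_managed_devices(token, get=graph_get):
    """Yield every managedDevice record, following @odata.nextLink until the last page.
    `get` is injectable so the paging can be exercised against constructed pages offline."""
    url = GRAPH_DEVICES_URL
    while url:
        page = get(url, token)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def device_status(devices, serial_number):
    """Report whether Intune still lists a device with this serial number.

    Returns "absent" when no record exists (the device was deleted, so Duo will stop seeing
    it as managed), otherwise the comma-joined managementState values Intune reports. A
    record that is still present, whatever its state, is what keeps Duo trusting the device.
    """
    matches = [d for d in devices if d.get("serialNumber") == serial_number]
    if not matches:
        return "absent"
    return ",".join(sorted(d.get("managementState", "unknown") for d in matches))


if __name__ == "__main__":
    import sys
    # Usage: python check_intune_device.py <app-only-bearer-token> <device-serial-number>
    bearer, serial = sys.argv[1], sys.argv[2]
    print(device_status(list(iter_managed_devices(bearer)), serial))
```

After deleting a device in the Intune portal, a result of "absent" confirms the API side matches; any other result means a record (and therefore Duo's trust in it) is still there, which is exactly the situation the "Retire" action leaves behind.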
If you configured Duo Desktop for Windows or Duo Mobile for iOS with App Config or Android to determine device trust, you may want to search for specific device identifiers to verify that the identifier information for a given trusted device exists in Duo. This can be useful to verify a device you expect to be trusted was imported from Intune into Duo.
To search for a device identifier in Duo:
Log in to the Duo Admin Panel and navigate to Trusted Endpoints.
Locate the Intune, Intune with Duo Desktop, or Intune with App Config device management integration you want to search for a device identifier in the list and click on it to view its details.
In the Check if devices have synced section, enter the identifier for the device you want to check and click Search.
A message appears indicating whether the device identifier was found. If the device identifier is not found, check your Intune API configuration and wait 24 hours.
Use these instructions to find the device identifier to search in Intune.
Deleting a trusted endpoints management tool integration from the Duo Admin Panel immediately invalidates issued Duo device authentication certificates. Be sure to unassign your trusted endpoints policy from all applications or remove the "Trusted Endpoints" configuration item from your global policy before deleting an existing Intune integration from "Trusted Endpoints Configuration". You should also disable your Duo admin user in Intune.
Leaving the policy settings in place after deleting a management tools integration may inadvertently block user access to applications.
Need some help? Take a look at our Trusted Endpoints Knowledge Base articles or Community discussions. For further assistance, contact Support.