
Duo Windows Command Line Protection - FAQ


Where are settings for Duo Windows Command Line Protection stored in the registry?

The default registry location is HKEY_LOCAL_MACHINE\SOFTWARE\Duo Security\DuoCommandLineProtection.

If you actively manage Duo settings with Windows Group Policy, the location for those settings is HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Duo Security\DuoCommandLineProtection.

Settings configured via GPO override settings configured in the default registry location.

How can I configure automatic push?

With automatic push enabled, Duo Windows Command Line Protection automatically sends a push notification to the Duo Mobile app or a phone call to the user's default device after submitting the Windows username and password. This is the installation default.

To change the automatic push behavior for all users of the system after installation, use the Registry Editor (regedit.exe) with administrator privileges to create or update the following registry value:

Location: HKEY_LOCAL_MACHINE\SOFTWARE\Duo Security\DuoCommandLineProtection

Registry Value   Type    Description
AutoPush         DWORD   Set to 0 to disable automatic push or 1 to enable it. Default: 1.

If the Duo settings are actively managed by Windows Group Policy, those settings override any changes made via regedit. Update the "Client: Enable Auto Push" setting in the GPO instead.

With automatic push disabled, Duo does not request logon verification until the user submits the name of an authentication factor at the Duo Authentication prompt.

How can I configure the fail mode?

The default fail mode for Duo Windows Command Line Protection is "fail closed": all login attempts are denied if there is a problem contacting the Duo service.

With the fail mode set to "fail open", Windows CLI authentication is permitted to continue if Duo Windows Command Line Protection cannot contact the Duo service. You can select "fail open" during installation by checking the "Bypass Duo authentication when offline" box.

To change the fail mode after installation, use the Registry Editor (regedit.exe) with administrator privileges to create or update the following registry value:

Location: HKEY_LOCAL_MACHINE\SOFTWARE\Duo Security\DuoCommandLineProtection

Registry Value   Type    Description
FailOpen         DWORD   Set to 1 to allow "fail open" for all users or 0 to restrict to "fail closed".

If the Duo settings are actively managed by Windows Group Policy, those settings override any changes made via regedit. Update the "Duo Service: Bypass Duo authentication when offline" setting in the GPO instead.

How do I disable certificate pinning?

Duo Windows Command Line Protection uses certificate pinning as an additional security measure protecting communications between the client application and Duo's cloud service. The installer enables certificate pinning by default.

To disable certificate pinning, use the Registry Editor (regedit.exe) with administrator privileges and update the following registry value:

Location: HKEY_LOCAL_MACHINE\SOFTWARE\Duo Security\DuoCommandLineProtection

Registry Value      Type    Description
EnableCertPinning   DWORD   Set to 0 to disable certificate pinning. Default: 1.

If you actively manage Duo settings with Windows Group Policy, those settings override any changes made via regedit. Update the "Client: Enable certificate pinning" setting in the GPO instead.

How do I disable sending the hostname in a Duo Push request?

By default, Duo Windows Command Line Protection includes the hostname of the system (if it can be determined) in the Duo Push request information.

To disable including the hostname in the Duo Push request information, use the Registry Editor (regedit.exe) with administrator privileges and update the following registry value:

Location: HKEY_LOCAL_MACHINE\SOFTWARE\Duo Security\DuoCommandLineProtection

Registry Value          Type    Description
DisplayHostnameInPush   DWORD   Set to 0 to disable including the hostname in the Duo Push information. Default: 1.

If the Duo settings are actively managed by Windows Group Policy, those settings override any changes made via regedit. Update the "Client: Enable Display hostname in push notification" setting in the GPO instead.
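The following PowerShell script is an added example, not Duo's own tooling: it reads the four settings covered in this FAQ from both registry locations, applies the precedence described above (GPO policy key over the default key over the installation default), and flags the two states that weaken the control (fail open, pinning disabled). It assumes only the key paths, value names and defaults listed on this page and is meant to be run in an elevated session.

```powershell
# Added example (not Duo code): report effective Duo Command Line Protection settings.
# Key paths, value names and defaults are those listed in this FAQ.
$defaultKey = 'HKLM:\SOFTWARE\Duo Security\DuoCommandLineProtection'
$policyKey  = 'HKLM:\SOFTWARE\Policies\Duo Security\DuoCommandLineProtection'

# Value name -> installation default per the FAQ (FailOpen=0 is "fail closed").
$settings = [ordered]@{
    AutoPush              = 1
    FailOpen              = 0
    EnableCertPinning     = 1
    DisplayHostnameInPush = 1
}

function Get-DuoRegistryValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

foreach ($name in $settings.Keys) {
    $policy = Get-DuoRegistryValue -Path $policyKey  -Name $name
    $local  = Get-DuoRegistryValue -Path $defaultKey -Name $name

    # GPO-managed values override the default location; the installer default applies otherwise.
    if ($null -ne $policy)    { $effective = $policy;          $source = 'GPO' }
    elseif ($null -ne $local) { $effective = $local;           $source = 'Registry' }
    else                      { $effective = $settings[$name]; $source = 'Default' }

    # Flag the non-default states that reduce protection.
    $note = ''
    if ($name -eq 'FailOpen' -and $effective -eq 1) {
        $note = 'WARNING: fail open - CLI logons proceed without Duo when the service is unreachable'
    }
    if ($name -eq 'EnableCertPinning' -and $effective -eq 0) {
        $note = 'WARNING: certificate pinning disabled'
    }

    [pscustomobject]@{
        Setting   = $name
        Effective = $effective
        Source    = $source
        Note      = $note
    }
}
```

Pipe the output to Format-Table -AutoSize for a one-screen audit, or to Export-Csv when collecting results from many hosts.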