Duo Authentication for Windows Logon (RDP) - Active Directory Group Policy

Duo integrates with Microsoft Windows client and server operating systems to add two-factor authentication to Remote Desktop and local logons. Active Directory domain administrators may deploy and configure Duo Authentication for Windows Logon on domain member workstations using Group Policy Software Publishing and Group Policy Administrative Templates.

Duo Group Policy Settings

Client-side configuration options for Duo may be configured via Active Directory Group Policy. The Duo Authentication for Windows Logon Group Policy template lets you configure two types of settings:

  • Client Settings determine the end-user experience.
  • Duo Service Settings configure communications between the Duo Authentication for Windows Logon application and Duo's cloud service.

The Duo_Authentication_for_Windows_Logon_Group_Policy_Settings.xlsx spreadsheet included in the downloaded zip file describes the Duo Authentication for Windows Logon configurable Group Policy settings in detail. Any setting configured by a GPO is stored as a registry value in HKLM\Software\Policies\Duo Security\DuoCredProv, and overrides the original Duo installation setting of the same name (stored in the registry at HKLM\Software\Duo Security\DuoCredProv).
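Because a policy value silently overrides the installer value, a common troubleshooting question is which setting is actually in effect on a given workstation. The following PowerShell script is an added example, not part of Duo's documentation or product; it reads both keys named above, assumes the policy key uses the same value names as the installation key, and reports the effective value and its source without echoing the secret key.

```powershell
# Added example (not Duo's own code): resolve the effective Duo Windows Logon
# configuration on this machine, where a value under the Group Policy key
# overrides the same-named value under the installation key.
$installKey = 'HKLM:\SOFTWARE\Duo Security\DuoCredProv'
$policyKey  = 'HKLM:\SOFTWARE\Policies\Duo Security\DuoCredProv'

function Get-DuoEffectiveSettings {
    param(
        [string]$InstallPath = $installKey,
        [string]$PolicyPath  = $policyKey
    )

    # Read every value under a key into a hashtable; empty when the key is absent
    function Read-Values([string]$Path) {
        $h = @{}
        if (Test-Path -LiteralPath $Path) {
            $item = Get-Item -LiteralPath $Path
            foreach ($name in $item.GetValueNames()) {
                $h[$name] = $item.GetValue($name)
            }
        }
        return $h
    }

    $installed = Read-Values $InstallPath
    $policy    = Read-Values $PolicyPath

    # Union of all value names; the policy key wins wherever both define a value
    $names = @($installed.Keys) + @($policy.Keys) | Sort-Object -Unique
    foreach ($name in $names) {
        $fromPolicy = $policy.ContainsKey($name)
        $value  = if ($fromPolicy) { $policy[$name] } else { $installed[$name] }
        $source = if ($fromPolicy) { 'Group Policy' } else { 'Installer' }
        # Never print the application secret key; knowing where it comes from is enough
        if ($name -eq 'SKey') { $value = '<redacted>' }
        [pscustomobject]@{
            Setting    = $name
            Value      = $value
            Source     = $source
            Overridden = ($fromPolicy -and $installed.ContainsKey($name))
        }
    }
}

Get-DuoEffectiveSettings | Format-Table -AutoSize
```

Run it from an elevated prompt on a domain member after `gpupdate /force`; rows marked Overridden are the installer settings that the GPO has replaced.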

Creating the Duo Authentication for Windows Logon GPO

To create and apply the Duo Authentication for Windows Logon Group Policy Object (GPO):

  1. Download the Duo Authentication for Windows Logon Group Policy MSI installers, template files, and documentation.

  2. Extract the contents of the zip file and copy the two Group Policy template files into your domain's Administrative Templates store.

    \\your.domain.local\sysvol\your.domain.local\Policies\PolicyDefinitions\DuoWindowsLogon.admx
    \\your.domain.local\sysvol\your.domain.local\Policies\PolicyDefinitions\en-us\DuoWindowsLogon.adml
    
  3. On your domain controller or another system with the Windows Remote Server Administration Tools installed, launch the Group Policy Management console (GPMC).

  4. Expand your forest and navigate down the tree to Group Policy Objects. Right-click the Group Policy Objects folder and click New. Enter a name for the new GPO (such as "Duo Windows Logon") and click OK.

  5. Right-click the new GPO created in step 4 and click Edit. Navigate to Computer Configuration\Policies\Administrative Templates and expand Duo Authentication for Windows Logon.

    Group Policy Editor

  6. Double-click a setting to configure it. When you've finished configuring settings, close the policy editor.

  7. Apply the new GPO for Windows Logon to domain member workstations by linking the policy to the desired OU.

For additional information about using GPOs and administrative templates, please see Microsoft's Group Policy documentation collection.

Securing the Group Policy Registry Key

When Duo Authentication for Windows Logon is installed interactively, the default Duo settings registry key HKEY_LOCAL_MACHINE\SOFTWARE\Duo Security\DuoCredProv permissions are restricted by the installer so that unprivileged users may not read the Duo application secret key (SKey) and other application information from the registry.

Configuring Duo Authentication for Windows Logon via Group Policy after installation creates an additional registry key at HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Duo Security\DuoCredProv with the GPO settings.

Duo Authentication for Windows Logon secures both HKEY_LOCAL_MACHINE\SOFTWARE\Duo Security\DuoCredProv and HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Duo Security\DuoCredProv registry keys when Duo's credential provider is invoked.

When creating a GPO with Duo Authentication for Windows settings, you can further restrict permissions on the policy's registry key to ensure that unprivileged users still cannot view the application information after the GPO refreshes. You can add the registry restriction to the same GPO where you configured the Windows Logon client and service settings.

  1. Open the Duo Authentication for Windows Logon GPO you created earlier, or create a new Group Policy object in your domain just to secure the policy registry key.

  2. Navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Registry. Right-click Registry and select Add Key...

  3. In the "Select Registry Key" window, expand MACHINE, click on SOFTWARE and append \Policies\Duo Security\DuoCredProv in the Selected key: box, so the full selected key text reads MACHINE\SOFTWARE\Policies\Duo Security\DuoCredProv. Click OK.

    Duo Windows Logon Policy Registry Key

  4. On the "Database Security for MACHINE\SOFTWARE\Policies\Duo Security\DuoCredProv" window, select the ALL APPLICATION PACKAGES object and click the Remove button. Repeat the removal step for the Users object. Click OK when done.

    Duo Windows Logon Policy Object Permissions

  5. Click OK on the "Add Object" window to propagate inheritable permissions to subkeys.

    Duo Windows Logon Policy Registry Permissions

  6. Close the Group Policy editor to save the change.

    Duo Windows Logon Policy Registry Key
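Once the hardened GPO has refreshed on a workstation, it is worth confirming that the access control list on the policy key really does exclude the principals removed in step 4. The PowerShell check below is an added example and not Duo's own tooling; it matches principals by well-known SID rather than display name, flags the two principals the procedure removes, and, as an extra precaution beyond the steps above, also flags Everyone and Authenticated Users, since either would let a standard user read the key.

```powershell
# Added example (not Duo's own code): after the hardened GPO refreshes, verify that
# the Duo policy registry key no longer grants read access to unprivileged principals.
$policyKey = 'HKLM:\SOFTWARE\Policies\Duo Security\DuoCredProv'

# Checked by SID so the test is locale-independent. The first two are the principals
# the GPO procedure removes; the last two are added here as a precaution.
$unprivilegedSids = @{
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-15-2-1'   = 'ALL APPLICATION PACKAGES'
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
}

function Test-DuoPolicyKeyAcl {
    param([string]$Path = $policyKey)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "$Path does not exist; the GPO may not have applied yet (try gpupdate /force)."
        return $false
    }

    # QueryValues is the specific right needed to read SKey and the other values
    $queryValues = [System.Security.AccessControl.RegistryRights]::QueryValues
    $findings = foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }  # unresolvable account: cannot be one of the well-known SIDs above
        if ($unprivilegedSids.ContainsKey($sid) -and (($ace.RegistryRights -band $queryValues) -ne 0)) {
            [pscustomobject]@{
                Principal = $unprivilegedSids[$sid]
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited   # True means the parent key's permissions still flow down
            }
        }
    }

    if ($findings) {
        Write-Warning "Unprivileged principals can still read $Path"
        $findings | Format-Table -AutoSize | Out-Host
        return $false
    }
    Write-Host "OK: no unprivileged read access on $Path"
    return $true
}

Test-DuoPolicyKeyAcl
```

A finding with Inherited set to True usually means the GPO's key security has not been applied to this machine yet, rather than that an explicit grant was added.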

Here's an example of a Duo Authentication for Windows GPO containing both client and service settings and with the registry key permissions secured by the GPO:

Duo Windows Logon Service Settings

Deploying Duo Authentication for Windows Logon to clients using Active Directory

Duo Authentication for Windows Logon may be deployed via a Group Policy software installation package. Use the MSI installers included in the zip file you downloaded earlier. We provide both 32-bit and 64-bit MSI files. Do not rename the MSI install files! Changing the names of the MSI files can cause installation or later upgrades to fail.

To avoid overwriting these MSI install files with the installers for a different version, we recommend you keep the MSI files for each Duo Windows Logon release in a unique, per-version subdirectory.

  1. Download the Duo Authentication for Windows Logon Group Policy MSI installers, template files, and documentation.

  2. Copy the subdirectory containing the DuoWindowsLogon32.msi and DuoWindowsLogon64.msi files to your centralized software deployment share. Remember, do not rename these MSI files.

  3. Create a transform for the installer file by using a table editor tool like Orca to deploy the Duo Windows Logon client with initial configuration.

    Open the Duo Windows Logon MSI 32-bit or 64-bit file in the editor, click on the Property table, and add these new rows using your Duo RDP application's information from the Duo Admin Panel:

    Property   Value
    IKEY       Your Duo integration key
    SKEY       Your Duo secret key
    HOST       Your Duo API hostname

    Orca Property Table with Duo Rows

    Save the transform as an MST file and copy that transform to your central application deployment share as well.

  4. In the Group Policy Management console, create a new GPO for Duo Authentication for Windows publishing. Navigate to Computer Configuration\Policies\Software Settings\Software installation, then right-click and select New > Package.

  5. Select the network accessible DuoWindowsLogon32.msi or DuoWindowsLogon64.msi installer package from your software deployment share and choose Advanced as the deployment method.

  6. Go to the Modifications tab in the properties window. Click the Add button and select the MST transform you created earlier in step 3.

  7. Click OK to finish, and the Duo Authentication for Windows Logon software package is created. When you've finished, close the policy editor.

  8. Apply the new software publishing GPO for Windows Logon to domain member workstations by linking the policy to the desired OU. The target client workstations need a reboot to apply the new GPO settings and install Duo.

Here's a sample software publishing policy for Duo Authentication for Windows Logon v2.0.0.71 64-bit, showing use of a transform file (AcmeDuoWinLogon.mst).

Software Publishing GPO

Learn more about installing software using Group Policy at Microsoft Support.

Troubleshooting

Need some help? Take a look at the Windows Logon Frequently Asked Questions (FAQ) page or try searching our Windows Logon Knowledge Base articles or Community discussions. For further assistance, contact Support.
