Duo integrates with Microsoft Windows client and server operating systems to add two-factor authentication to Remote Desktop and local logons. Active Directory domain administrators may deploy and configure Duo Authentication for Windows Logon on domain member workstations using Group Policy Software Publishing and Group Policy Administrative Templates.
Client-side configuration options for Duo may be configured via Active Directory Group Policy. The Duo Authentication for Windows Logon Group Policy template lets you configure two types of settings:
The Duo_Authentication_for_Windows_Logon_Group_Policy_Settings.xlsx spreadsheet included in the downloaded zip file describes the Duo Authentication for Windows Logon configurable Group Policy settings in detail. Any setting configured by a GPO is stored as a registry value in HKLM\Software\Policies\Duo Security\DuoCredProv, and overrides the original Duo installation settings (stored in the registry at
To create and apply the Duo Authentication for Windows Logon Group Policy Object (GPO):
Extract the contents of the zip file and copy the two Group Policy template files into your domain's Administrative Templates store.
Expand your forest and navigate down the tree to Group Policy Objects. Right-click the Group Policy Objects folder and click New. Enter a name for the new GPO (such as "Duo Windows Logon") and click OK.
Right-click the new GPO created in step 4 and click Edit. Navigate to Computer Configuration\Policies\Administrative Templates and expand Duo Authentication for Windows Logon.
Double-click a setting to configure it. When you've finished configuring settings, close the policy editor.
Apply the new GPO for Windows Logon to domain member workstations by linking the policy to the desired OU.
For additional information about using GPOs and administrative templates, please see Microsoft's Group Policy documentation collection.
When Duo Authentication for Windows Logon is installed interactively, the default Duo settings registry key HKEY_LOCAL_MACHINE\SOFTWARE\Duo Security\DuoCredProv permissions are restricted by the installer so that unprivileged users may not read the Duo application secret key (SKey) and other application information from the registry.
Configuring Duo Authentication for Windows Logon via Group Policy after installation creates an additional registry key at HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Duo Security\DuoCredProv with the GPO settings.
Duo Authentication for Windows Logon secures both HKEY_LOCAL_MACHINE\SOFTWARE\Duo Security\DuoCredProv and HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Duo Security\DuoCredProv registry keys when Duo's credential provider is invoked.
When creating a GPO with Duo Authentication for Windows settings, you can further restrict permissions on the policy's registry key to ensure that unprivileged users still cannot view the application information after the GPO refreshes. You can add the registry restriction to the same GPO where you configured the Windows Logon client and service settings.
Open the Duo Authentication for Windows Logon GPO you created earlier, or create a new Group Policy object in your domain just to secure the policy registry key.
Navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Registry. Right-click Registry and select Add Key...
In the "Select Registry Key" window, expand MACHINE, click on SOFTWARE and append \Policies\Duo Security\DuoCredProv in the Selected key: box, so the full selected key text reads MACHINE\SOFTWARE\Policies\Duo Security\DuoCredProv. Click OK.
On the "Database Security for MACHINE\SOFTWARE\Policies\Duo Security\DuoCredProv" window, select the ALL APPLICATION PACKAGES object and click the Remove button. Repeat the removal step for the Users object. Click OK when done.
Click OK on the "Add Object" window to propagate inheritable permissions to subkeys.
Close the Group Policy editor to save the change.
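The following script is an added verification step, not part of the Duo documentation or Duo's tooling: run it elevated on a domain member after the GPO has refreshed (for example after `gpupdate /force`) to confirm that neither Users nor ALL APPLICATION PACKAGES can still read either Duo registry key. The principal names are the ones Get-Acl reports on a default English Windows install (an assumption); the key paths are the two keys named above.

```powershell
# Added example (not Duo's own code): audit the two Duo registry keys and report
# any ACE that still lets BUILTIN\Users or ALL APPLICATION PACKAGES read them.
# Run elevated on a domain member after the GPO has applied; exits 1 on a finding.
$ErrorActionPreference = 'Stop'

$keys = @(
    'HKLM:\SOFTWARE\Duo Security\DuoCredProv',           # restricted by the installer
    'HKLM:\SOFTWARE\Policies\Duo Security\DuoCredProv'   # restricted by the GPO steps above
)
# Principals the procedure removes, spelled as Get-Acl reports them (assumed English locale)
$unwanted = @(
    'BUILTIN\Users',
    'APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES'
)
$readBits = [System.Security.AccessControl.RegistryRights]::ReadKey

function Get-DuoKeyFindings {
    param([string[]]$KeyPaths, [string[]]$Principals)
    foreach ($key in $KeyPaths) {
        if (-not (Test-Path -LiteralPath $key)) {
            Write-Warning "$key is absent (Duo not installed, or the GPO has not applied yet)"
            continue
        }
        $acl = Get-Acl -LiteralPath $key
        foreach ($ace in $acl.Access) {
            $id = $ace.IdentityReference.Value
            if ($ace.AccessControlType -eq 'Allow' -and
                ($Principals -contains $id) -and
                (($ace.RegistryRights -band $readBits) -ne 0)) {
                [pscustomobject]@{
                    Key       = $key
                    Principal = $id
                    Rights    = $ace.RegistryRights
                    # An inherited grant comes from the parent key's default ACL
                    # (HKLM\SOFTWARE\Policies gives Users read by default), which is
                    # exactly what the GPO's explicit ACL is meant to override.
                    Inherited = $ace.IsInherited
                }
            }
        }
        # Show which policy value names arrived; names only, never the SKey data itself
        $names = (Get-Item -LiteralPath $key).GetValueNames() -join ', '
        Write-Host "$key values: $names"
    }
}

$findings = @(Get-DuoKeyFindings -KeyPaths $keys -Principals $unwanted)
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    Write-Error 'Unprivileged principals can still read Duo settings' -ErrorAction Continue
    exit 1
}
Write-Host 'OK: no unprivileged read access to the Duo registry keys'
```

A non-zero exit makes the script usable as a compliance check from a scheduled task or a configuration baseline; a finding on the Policies key with Inherited set to True usually means the registry security item was linked but has not yet applied to that host.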
Here's an example of a Duo Authentication for Windows GPO containing both client and service settings and with the registry key permissions secured by the GPO:
Duo Authentication for Windows Logon may be deployed via a Group Policy software installation package. Use the MSI installers included in the zip file you downloaded earlier. We provide both 32-bit and 64-bit MSI files. Do not rename the MSI install files! Changing the names of the MSI files can cause installation or later upgrades to fail.
To avoid overwriting these MSI install files with the installers for a different version we recommend you keep the MSI files for each Duo Windows Logon release in a unique, per-version subdirectory.
Copy the subdirectory containing the DuoWindowsLogon32.msi and DuoWindowsLogon64.msi files to your centralized software deployment share. Remember, do not rename these MSI files.
Create a transform for the installer file by using a table editor tool like Orca to deploy the Duo Windows Logon client with initial configuration.
Open the Duo Windows Logon MSI 32-bit or 64-bit file in the editor, click on the Property table, and add these new rows using your Duo RDP application's information from the Duo Admin Panel:

| Property | Value |
|---|---|
| IKEY | Your Duo integration key |
| SKEY | Your Duo secret key |
| HOST | Your Duo API hostname |
Save the transform as an MST file and copy that transform to your central application deployment share as well.
In the Group Policy Management console, create a new GPO for Duo Authentication for Windows publishing. Navigate to Computer Configuration\Policies\Software Settings\Software installation then right-click and select New > Package.
Select the network accessible DuoWindowsLogon32.msi or DuoWindowsLogon64.msi installer package from your software deployment share and choose Advanced as the deployment method.
Go to the Modifications tab in the properties window. Click the Add button and select the MST transform you created earlier in step 3.
Click OK to finish, and the Duo Authentication for Windows Logon software package is created. When you've finished, close the policy editor.
Apply the new software publishing GPO for Windows Logon to domain member workstations by linking the policy to the desired OU. The target client workstations need a reboot to apply the new GPO settings and install Duo.
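The transform step above can also be produced without Orca. This is an added example, not Duo's tooling and not part of the Duo documentation: it uses the Windows Installer COM automation interface (WindowsInstaller.Installer) to insert the IKEY, SKEY and HOST rows into a copy of the MSI's Property table and then writes the difference out as an MST. The file paths and the IKEY and HOST values are placeholders you must replace; the secret key is prompted for so it is not left in the script.

```powershell
# Added example (not Duo's own tooling): build the IKEY/SKEY/HOST transform with
# the Windows Installer COM API instead of Orca. Runs on any Windows host.
$ErrorActionPreference = 'Stop'

# Placeholders (constructed): replace with your paths and your RDP application's values.
$msiPath = 'C:\DuoDeploy\DuoWindowsLogon64.msi'   # keep the original MSI file name
$mstPath = 'C:\DuoDeploy\AcmeDuoWinLogon.mst'
$props = @{
    IKEY = 'DIXXXXXXXXXXXXXXXXXX'                  # placeholder integration key
    SKEY = Read-Host 'Duo secret key'              # prompted; never hard-code it
    HOST = 'api-xxxxxxxx.duosecurity.com'          # placeholder API hostname
}

# The Installer COM object is late-bound; call its methods through InvokeMember.
function Invoke-Msi($object, $method, $argList) {
    $object.GetType().InvokeMember($method,
        [System.Reflection.BindingFlags]::InvokeMethod, $null, $object, $argList)
}

$installer = New-Object -ComObject WindowsInstaller.Installer

# Edit a temporary copy so the original MSI stays untouched; it is the
# reference database the transform is computed against.
$workCopy = Join-Path $env:TEMP ([IO.Path]::GetFileName($msiPath))
Copy-Item -LiteralPath $msiPath -Destination $workCopy -Force

$reference = Invoke-Msi $installer 'OpenDatabase' @($msiPath, 0)   # 0 = read-only
$target    = Invoke-Msi $installer 'OpenDatabase' @($workCopy, 1)  # 1 = transact

foreach ($name in $props.Keys) {
    $value = $props[$name] -replace "'", "''"      # MSI SQL doubles embedded quotes

    # Update the row if the MSI already defines the property, otherwise insert it.
    $check = Invoke-Msi $target 'OpenView' @("SELECT Property FROM Property WHERE Property='$name'")
    Invoke-Msi $check 'Execute' $null
    $exists = $null -ne (Invoke-Msi $check 'Fetch' $null)
    Invoke-Msi $check 'Close' $null

    $sql = if ($exists) {
        "UPDATE Property SET Value='$value' WHERE Property='$name'"
    } else {
        "INSERT INTO Property (Property, Value) VALUES ('$name', '$value')"
    }
    $view = Invoke-Msi $target 'OpenView' @($sql)
    Invoke-Msi $view 'Execute' $null
    Invoke-Msi $view 'Close' $null
}
Invoke-Msi $target 'Commit' $null

# Diff the edited copy against the original into the MST, then add the summary
# stream Windows Installer requires (ErrorConditions 0, Validation 0 = none).
Invoke-Msi $target 'GenerateTransform' @($reference, $mstPath)
Invoke-Msi $target 'CreateTransformSummaryInfo' @($reference, $mstPath, 0, 0)

Remove-Item -LiteralPath $workCopy -Force
Write-Host "Transform written to $mstPath"
```

Copy the resulting MST next to the MSI on the deployment share and attach it on the Modifications tab as described above. Because the MST carries SKEY in cleartext, limit read access on that share to the computer accounts that will run the installation rather than to all domain users.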
Here's a sample software publishing policy for Duo Authentication for Windows Logon v220.127.116.11 64-bit, showing use of a transform file (AcmeDuoWinLogon.mst).
Learn more about installing software using Group Policy at Microsoft Support.