Please note that this Duo program does not support ARM processors. Further details about Duo Authentication for Windows Login and RDP can be found in Duo’s documentation.
Reach out to EITS Information Security using the Duo Support Request form to get the integration key, secret key, and API hostname. You will receive the keys and hostname through SendFiles.
Download the latest package: Duo Authentication for Windows Logon installer package.
Run the installer with administrative privileges.
Enter the API Hostname and click Next.
Enter your integration key and secret key, then click Next again.
Select your integration options based on the descriptions below:
|
Setting
|
Description
|
|
Bypass Duo authentication when offline (FailOpen)
|
Enable this option to allow user logon without completing two-factor authentication if the Duo Security cloud service is unreachable. If you plan to enable offline access with MFA consider disabling FailOpen.
Windows Logon 4.2.2 and earlier installers enable this setting by default. Windows Logon 4.3.0 installers default to fail closed. The msi installer will preserve the selection made by a previously installed version on upgrade. Upgrades from previous versions using the exe installer will override the previous fail mode selection and default to fail closed.
|
|
Use auto push to authenticate if available
|
Automatically send a Duo Push or phone call authentication request after primary credential validation to the first capable device attached to the user. Checked by default and applies to all users of the target system.
|
|
Only prompt for Duo authentication when logging in via RDP
|
Leave this option unchecked to require Duo two-factor authentication for console and RDP sessions. If enabled, console logons do not require 2FA approval. If you want to enforce protected offline access to laptop logins, be sure you don’t check this box. If you do, laptop console logins won’t require any form of Duo MFA.
|
If you plan to use smart cards on the systems where you install Duo, click to Enable Smart Card Support and select your smart card options:
|
Setting
|
Description
|
|
Protect smart card login with Duo
|
Select this option to require Duo authentication after primary login with username and password or primary authentication with a smart card. Supported for local console logins.
|
|
Enable smart card login without Duo
|
Select this option to permit use of the Windows smart card login provider as an alternative to Duo authentication. Smart card logins won't require 2FA.
|
If you'd like to add Duo 2FA protection to account elevation via Windows User Account Control (UAC), click to Enable UAC Elevation Protection and select your elevation options:
Example of UAC:
|
Setting
|
Description
|
|
Protect User Elevation only
|
Enable Duo two-factor authentication at password-protected UAC prompts only. If you check this box Duo will not prompt for 2FA at local or RDP login or workstation unlock.
|
|
Protect User Elevation while offline
|
Permit offline access authentication for password-protected UAC prompts if offline access is also enabled.
|
|
Allow offline enrollment during User Elevation
|
Allow and prompt for offline access enrollment during UAC password elevation if offline access is also enabled.
|
Click Next and then Install to complete Duo installation.