Duo MFA for Every Windows Login

From Notes_Wiki

Objective

Configure Duo Multi-Factor Authentication (MFA) to prompt users with a Duo Push notification at every Windows login (console or RDP).

Prerequisites

Item Details
OS Windows 10/11 or Windows Server 2016/2019/2022
Admin Rights Local or domain administrator rights on the system
Duo Account Free or paid Duo Admin account (https://admin.duosecurity.com)
Mobile App Duo Mobile installed on the user’s smartphone
Internet Access Required on the PC to contact Duo cloud

Step-by-Step Configuration

Step 1: Sign Up and Create RDP Application in Duo

  1. Go to https://admin.duosecurity.com
  2. Sign in or register for a Duo Admin account
  3. Navigate to Applications → Protect an Application
  4. Search and select: Microsoft RDP
  5. Click Protect this Application
  6. Note down the following:
    1. Integration Key
    2. Secret Key
    3. API Hostname

Step 2: Download & Install Duo Windows Logon Agent

  1. Download installer: https://duo.com/docs/rdp
  2. Run the installer on the target Windows system
  3. During setup, enter the following:
    1. Integration Key
    2. Secret Key
    3. API Hostname
  4. Select the following options:
    1. [✓] Use Duo Authentication for console logon
    2. [✓] Use Duo Authentication for RDP logon
    3. [ ] Only prompt for RDP logins (leave unchecked)
    4. [✓] Choose fail-safe option based on policy
  5. Finish installation and restart the system

Step 3: Add and Enroll User in Duo Admin Portal

  1. Go to Duo Admin Portal → Users
  2. Click Add User and enter the Windows login username
  3. After creating the user:
    1. Assign a phone/device
    2. Send an enrollment link via email or SMS
  4. On the user’s mobile phone:
    1. Open the link
    2. Follow instructions to enroll using Duo Mobile

Step 4: Test Windows Login with MFA

  1. Lock or restart the system
  2. Enter your Windows username and password
  3. You’ll receive a Duo Push notification
  4. Approve the request on your phone to complete login
  • Duo prompt will appear for every Windows login (console or RDP)

Repeat for Additional Users

  • Repeat enrollment for every user (Step 3)
  • Ensure usernames match Windows login names exactly

Optional Configuration Notes

Feature Description
Fail-Safe Mode Choose whether login is allowed if Duo is unreachable
RDP-Only Prompt Leave unchecked to enforce MFA for console and RDP login
Offline Mode Not supported (Duo requires internet access)
Central Management Use Registry or GPO to centrally manage Duo settings

Validation Checklist

Test Scenario Expected Outcome
System restart Duo prompt appears before login completes
Lock screen login Duo prompt appears before unlocking
Incorrect push response Login is denied
No internet (fail-safe OFF) Login is blocked
No internet (fail-safe ON) Login bypasses Duo temporarily

📄 Notes

  • This setup uses Duo Push notifications
  • Works on both domain-joined and workgroup PCs
  • Duo is ideal for organizations preferring cloud-based MFA
Retrieved from "http://www.sbarjatiya.com/notes_wiki/index.php?title=Duo_MFA_for_Every_Windows_Login&oldid=9452"