Difference between revisions of "Duo MFA for Every Windows Login"

From Notes_Wiki
(Created page with "Home > Authentication Methods > Duo MFA for Every Windows Login == πŸ“˜ Objective == Configure '''Duo Multi-Factor Authentication (MFA)''' to prompt users with a '''Duo Push notification''' at '''every Windows login''' (console or RDP). == βœ… Prerequisites == {| class="wikitable" ! Item !! Details |- | OS || Windows 10/11 or Windows Server 2016/2019/2022 |- | Admin Rights || Local or domain administrator rights on the system |- | Duo Account || F...")
Β 
Β 
(4 intermediate revisions by the same user not shown)
Line 1: Line 1:
[[Main_Page|Home]] > [[Authentication Methods]] > [[Duo MFA for Every Windows Login]]
== Objective ==
Β 
== πŸ“˜ Objective ==
Configure '''Duo Multi-Factor Authentication (MFA)''' to prompt users with a '''Duo Push notification''' at '''every Windows login''' (console or RDP).
Configure '''Duo Multi-Factor Authentication (MFA)''' to prompt users with a '''Duo Push notification''' at '''every Windows login''' (console or RDP).


== βœ… Prerequisites ==
== Prerequisites ==
{| class="wikitable"
{| class="wikitable"
! Item !! Details
! Item !! Details
Line 19: Line 17:
|}
|}


== πŸ”§ Step-by-Step Configuration ==
== Step-by-Step Configuration ==


=== πŸ”Ή Step 1: Sign Up and Create RDP Application in Duo ===
=== Step 1: Sign Up and Create RDP Application in Duo ===
# Go to https://admin.duosecurity.com
# Go to https://admin.duosecurity.com
# Sign in or register for a Duo Admin account
# Sign in or register for a Duo Admin account
Line 32: Line 30:
## '''API Hostname'''
## '''API Hostname'''


=== πŸ”Ή Step 2: Download & Install Duo Windows Logon Agent ===
=== Step 2: Download & Install Duo Windows Logon Agent ===
# Download installer: https://duo.com/docs/rdp
# Download installer: https://duo.com/docs/rdp
# Run the installer on the target Windows system
# Run the installer on the target Windows system
Line 46: Line 44:
# Finish installation and '''restart the system'''
# Finish installation and '''restart the system'''


=== πŸ”Ή Step 3: Add and Enroll User in Duo Admin Portal ===
=== Step 3: Add and Enroll User in Duo Admin Portal ===
# Go to Duo Admin Portal β†’ '''Users'''
# Go to Duo Admin Portal β†’ '''Users'''
# Click '''Add User''' and enter the '''Windows login username'''
# Click '''Add User''' and enter the '''Windows login username'''
Line 56: Line 54:
## Follow instructions to enroll using '''Duo Mobile'''
## Follow instructions to enroll using '''Duo Mobile'''


=== πŸ”Ή Step 4: Test Windows Login with MFA ===
=== Step 4: Test Windows Login with MFA ===
# Lock or restart the system
# Lock or restart the system
# Enter your Windows username and password
# Enter your Windows username and password
Line 64: Line 62:
* Duo prompt will appear for '''every Windows login''' (console or RDP)
* Duo prompt will appear for '''every Windows login''' (console or RDP)


== πŸ” Repeat for Additional Users ==
== Repeat for Additional Users ==
* Repeat enrollment for every user (Step 3)
* Repeat enrollment for every user (Step 3)
* Ensure usernames match Windows login names exactly
* Ensure usernames match Windows login names exactly


== βš™οΈ Optional Configuration Notes ==
== Optional Configuration Notes ==
{| class="wikitable"
{| class="wikitable"
! Feature !! Description
! Feature !! Description
Line 81: Line 79:
|}
|}


== βœ… Validation Checklist ==
== Validation Checklist ==
{| class="wikitable"
{| class="wikitable"
! Test Scenario !! Expected Outcome
! Test Scenario !! Expected Outcome
Line 94: Line 92:
|-
|-
| No internet (fail-safe ON) || Login bypasses Duo temporarily
| No internet (fail-safe ON) || Login bypasses Duo temporarily
|}
== πŸ“Œ Summary ==
{| class="wikitable"
! Task !! Status
|-
| Duo Admin setup || βœ… Completed
|-
| Duo Application created || βœ… Completed
|-
| Windows Logon Agent installed || βœ… Completed
|-
| Users enrolled with Duo Mobile || βœ… Completed
|-
| MFA enforced at every login || βœ… Working
|}
|}


Latest revision as of 11:06, 1 September 2025

Objective

Configure Duo Multi-Factor Authentication (MFA) to prompt users with a Duo Push notification at every Windows login (console or RDP).

Prerequisites

Item Details
OS Windows 10/11 or Windows Server 2016/2019/2022
Admin Rights Local or domain administrator rights on the system
Duo Account Free or paid Duo Admin account (https://admin.duosecurity.com)
Mobile App Duo Mobile installed on the user’s smartphone
Internet Access Required on the PC to contact Duo cloud

Step-by-Step Configuration

Step 1: Sign Up and Create RDP Application in Duo

  1. Go to https://admin.duosecurity.com
  2. Sign in or register for a Duo Admin account
  3. Navigate to Applications β†’ Protect an Application
  4. Search and select: Microsoft RDP
  5. Click Protect this Application
  6. Note down the following:
    1. Integration Key
    2. Secret Key
    3. API Hostname

Step 2: Download & Install Duo Windows Logon Agent

  1. Download installer: https://duo.com/docs/rdp
  2. Run the installer on the target Windows system
  3. During setup, enter the following:
    1. Integration Key
    2. Secret Key
    3. API Hostname
  4. Select the following options:
    1. [βœ“] Use Duo Authentication for console logon
    2. [βœ“] Use Duo Authentication for RDP logon
    3. [ ] Only prompt for RDP logins (leave unchecked)
    4. [βœ“] Choose fail-safe option based on policy
  5. Finish installation and restart the system

Step 3: Add and Enroll User in Duo Admin Portal

  1. Go to Duo Admin Portal β†’ Users
  2. Click Add User and enter the Windows login username
  3. After creating the user:
    1. Assign a phone/device
    2. Send an enrollment link via email or SMS
  4. On the user’s mobile phone:
    1. Open the link
    2. Follow instructions to enroll using Duo Mobile

Step 4: Test Windows Login with MFA

  1. Lock or restart the system
  2. Enter your Windows username and password
  3. You’ll receive a Duo Push notification
  4. Approve the request on your phone to complete login
  • Duo prompt will appear for every Windows login (console or RDP)

Repeat for Additional Users

  • Repeat enrollment for every user (Step 3)
  • Ensure usernames match Windows login names exactly

Optional Configuration Notes

Feature Description
Fail-Safe Mode Choose whether login is allowed if Duo is unreachable
RDP-Only Prompt Leave unchecked to enforce MFA for console and RDP login
Offline Mode Not supported (Duo requires internet access)
Central Management Use Registry or GPO to centrally manage Duo settings

Validation Checklist

Test Scenario Expected Outcome
System restart Duo prompt appears before login completes
Lock screen login Duo prompt appears before unlocking
Incorrect push response Login is denied
No internet (fail-safe OFF) Login is blocked
No internet (fail-safe ON) Login bypasses Duo temporarily

πŸ“„ Notes

  • This setup uses Duo Push notifications
  • Works on both domain-joined and workgroup PCs
  • Duo is ideal for organizations preferring cloud-based MFA
Retrieved from "http://www.sbarjatiya.com/notes_wiki/index.php?title=Duo_MFA_for_Every_Windows_Login&oldid=9452"