Duo MFA for Every Windows Login
From Notes_Wiki
Revision as of 07:08, 29 July 2025
Objective
Configure Duo Multi-Factor Authentication (MFA) to prompt users with a Duo Push notification at every Windows login (console or RDP).
Prerequisites

| Item | Details |
|---|---|
| OS | Windows 10/11 or Windows Server 2016/2019/2022 |
| Admin Rights | Local or domain administrator rights on the system |
| Duo Account | Free or paid Duo Admin account (https://admin.duosecurity.com) |
| Mobile App | Duo Mobile installed on the user's smartphone |
| Internet Access | Required on the PC to contact the Duo cloud |
Step-by-Step Configuration

Step 1: Sign Up and Create RDP Application in Duo
- Go to https://admin.duosecurity.com
- Sign in or register for a Duo Admin account
- Navigate to Applications → Protect an Application
- Search and select: Microsoft RDP
- Click Protect this Application
- Note down the following:
  - Integration Key
  - Secret Key
  - API Hostname
Step 2: Download & Install Duo Windows Logon Agent
- Download installer: https://duo.com/docs/rdp
- Run the installer on the target Windows system
- During setup, enter the following:
  - Integration Key
  - Secret Key
  - API Hostname
- Select the following options:
  - [x] Use Duo Authentication for console logon
  - [x] Use Duo Authentication for RDP logon
  - [ ] Only prompt for RDP logins (leave unchecked)
  - [x] Choose fail-safe option based on policy
- Finish installation and restart the system
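For rolling the agent out to more than one machine, the Step 2 checkboxes can be passed to the MSI unattended. The script below is an added example written for this page; it is not from the wiki author or from Duo. The MSI property names it uses (IKEY, SKEY, HOST, AUTOPUSH, FAILOPEN, RDPONLY, with DWORD values in the `#1`/`#0` form) are the ones Duo documents at https://duo.com/docs/rdp at the time of writing and should be checked against the current documentation; every key and path value in it is a placeholder.

```powershell
# Added example (not from the wiki page or from Duo): unattended install of the Duo
# Authentication for Windows Logon MSI, mapping the Step 2 checkboxes to MSI properties.
# Property names are those documented at https://duo.com/docs/rdp at the time of writing
# (assumption: verify before use). All values passed in are placeholders.

param(
    [Parameter(Mandatory)] [string] $MsiPath,         # e.g. C:\Temp\DuoWindowsLogon64.msi (placeholder)
    [Parameter(Mandatory)] [string] $IntegrationKey,  # Integration Key from the Duo Admin Panel
    [Parameter(Mandatory)] [string] $ApiHostname,     # e.g. api-XXXXXXXX.duosecurity.com (placeholder)
    [bool] $FailOpen = $false,                        # fail-safe: page says "based on policy"
    [bool] $RdpOnly  = $false                         # page says leave "Only prompt for RDP logins" unchecked
)

# Prompt for the Secret Key at run time so it is never stored in the script or in shell history.
$secureSkey = Read-Host -AsSecureString -Prompt 'Duo Secret Key'
$skey = [System.Net.NetworkCredential]::new('', $secureSkey).Password

# Duo's MSI expects DWORD properties as "#1" / "#0".
function ConvertTo-MsiDword([bool] $Value) { if ($Value) { '#1' } else { '#0' } }

$props = @(
    "IKEY=`"$IntegrationKey`"",
    "SKEY=`"$skey`"",
    "HOST=`"$ApiHostname`"",
    "AUTOPUSH=`"$(ConvertTo-MsiDword $true)`"",     # send a Duo Push automatically at every login
    "FAILOPEN=`"$(ConvertTo-MsiDword $FailOpen)`"", # 0 = login blocked when Duo is unreachable
    "RDPONLY=`"$(ConvertTo-MsiDword $RdpOnly)`""    # 0 = console AND RDP logons are protected
)

# No verbose MSI log (/l*v) here: a verbose log would record the SKEY property value on disk.
$msiArgs = @('/i', "`"$MsiPath`"") + $props + @('/qn', '/norestart')
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru

switch ($proc.ExitCode) {
    0    { 'Duo Windows Logon agent installed.' }
    3010 { 'Duo Windows Logon agent installed; a restart is required (Step 2: restart the system).' }
    default { throw "msiexec failed with exit code $($proc.ExitCode)" }
}
```

Run it from an elevated PowerShell session. The $FailOpen switch is the script's only policy decision: leaving it at $false keeps the "No internet (fail-safe OFF) → login is blocked" behaviour from the validation checklist, while $true gives the fail-safe ON behaviour.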
Step 3: Add and Enroll User in Duo Admin Portal
- Go to Duo Admin Portal → Users
- Click Add User and enter the Windows login username
- After creating the user:
  - Assign a phone/device
  - Send an enrollment link via email or SMS
- On the user's mobile phone:
  - Open the link
  - Follow the instructions to enroll using Duo Mobile
Step 4: Test Windows Login with MFA
- Lock or restart the system
- Enter your Windows username and password
- You'll receive a Duo Push notification
- Approve the request on your phone to complete login
- The Duo prompt will appear for every Windows login (console or RDP)
Repeat for Additional Users
- Repeat enrollment for every user (Step 3)
- Ensure usernames match Windows login names exactly
Optional Configuration Notes

| Feature | Description |
|---|---|
| Fail-Safe Mode | Choose whether login is allowed if Duo is unreachable |
| RDP-Only Prompt | Leave unchecked to enforce MFA for console and RDP login |
| Offline Mode | Not supported (Duo requires internet access) |
| Central Management | Use the Registry or GPO to centrally manage Duo settings |
Validation Checklist

| Test Scenario | Expected Outcome |
|---|---|
| System restart | Duo prompt appears before login completes |
| Lock screen login | Duo prompt appears before unlocking |
| Incorrect push response | Login is denied |
| No internet (fail-safe OFF) | Login is blocked |
| No internet (fail-safe ON) | Login bypasses Duo temporarily |
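Because the agent's settings live in the Registry (the "Central Management" note above), the checklist can be backed by an audit script that reads them and reports any drift from the intended policy. The following is an added example for this page, not the wiki author's or Duo's code. The registry path `HKLM\SOFTWARE\Duo Security\DuoCredProv` and the value names IKEY, Host, FailOpen, RdpOnly and AutoPush are assumptions taken from Duo's documentation at the time of writing; confirm them on an installed system before relying on the script.

```powershell
# Added example (not from the wiki page or from Duo): audit the installed Duo Windows Logon
# configuration against this page's policy (console + RDP protected, fail-safe per policy,
# Duo cloud reachable). Registry path and value names are assumptions; verify locally.

$DuoRegKey = 'HKLM:\SOFTWARE\Duo Security\DuoCredProv'

function Get-DuoLogonConfig {
    if (-not (Test-Path $DuoRegKey)) {
        throw "Registry key $DuoRegKey not found: is the Duo Windows Logon agent installed?"
    }
    $p = Get-ItemProperty -Path $DuoRegKey
    [pscustomobject]@{
        IntegrationKey = $p.IKEY
        ApiHostname    = $p.Host
        FailOpen       = [bool]$p.FailOpen   # 1 = fail-safe ON: login allowed when Duo is unreachable
        RdpOnly        = [bool]$p.RdpOnly    # 1 = console logons are NOT prompted (page: leave unchecked)
        AutoPush       = [bool]$p.AutoPush   # 1 = Duo Push sent automatically
    }
}

function Test-DuoLogonPolicy {
    param([bool] $ExpectFailOpen = $false)  # set to the fail-safe decision made in Step 2
    $cfg = Get-DuoLogonConfig
    $findings = @()

    if ([string]::IsNullOrWhiteSpace($cfg.IntegrationKey)) { $findings += 'Integration Key is empty' }
    if ($cfg.ApiHostname -notmatch '^api-[0-9a-z]+\.duosecurity\.com$') {
        $findings += "Unexpected API hostname '$($cfg.ApiHostname)'"
    }
    if ($cfg.RdpOnly) { $findings += 'RdpOnly is set: console logins are not covered by MFA' }
    if ($cfg.FailOpen -ne $ExpectFailOpen) {
        $findings += "FailOpen=$($cfg.FailOpen) does not match policy (expected $ExpectFailOpen)"
    }
    if (-not $cfg.AutoPush) { $findings += 'AutoPush is off: no automatic Duo Push at login' }

    # The agent needs HTTPS to the API hostname; if this fails, FailOpen decides the checklist outcome.
    if (-not [string]::IsNullOrWhiteSpace($cfg.ApiHostname)) {
        $net = Test-NetConnection -ComputerName $cfg.ApiHostname -Port 443 -WarningAction SilentlyContinue
        if (-not $net.TcpTestSucceeded) { $findings += "No TCP/443 connectivity to $($cfg.ApiHostname)" }
    }

    [pscustomobject]@{ Config = $cfg; Findings = $findings; Pass = ($findings.Count -eq 0) }
}

$result = Test-DuoLogonPolicy -ExpectFailOpen:$false
$result.Config | Format-List
if ($result.Pass) { 'Duo logon configuration matches the expected policy.' } else { $result.Findings }
```

Run it elevated on each machine (or through your remoting tool of choice) after the Step 4 test; a non-empty Findings list tells you which checklist row is likely to fail and why.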
Summary

| Task | Status |
|---|---|
| Duo Admin setup | Completed |
| Duo Application created | Completed |
| Windows Logon Agent installed | Completed |
| Users enrolled with Duo Mobile | Completed |
| MFA enforced at every login | Working |
Notes
- This setup uses Duo Push notifications
- Works on both domain-joined and workgroup PCs
- Duo is ideal for organizations preferring cloud-based MFA