Duo MFA for Every Windows Login

From Notes_Wiki
Revision as of 07:08, 29 July 2025 by Kumar


📘 Objective

Configure Duo Multi-Factor Authentication (MFA) so that every interactive Windows logon (console and RDP) requires a Duo Push approval in addition to the Windows password.

✅ Prerequisites

Item             Details
OS               Windows 10/11 or Windows Server 2016/2019/2022
Admin Rights     Local or domain administrator rights on the system
Duo Account      Free or paid Duo Admin account (https://admin.duosecurity.com)
Mobile App       Duo Mobile installed on the user's smartphone
Internet Access  Outbound HTTPS (TCP 443) from the PC to the Duo API hostname assigned to your account

🔧 Step-by-Step Configuration

🔹 Step 1: Sign Up and Create the RDP Application in Duo

  1. Go to https://admin.duosecurity.com
  2. Sign in or register for a Duo Admin account
  3. Navigate to Applications → Protect an Application
  4. Search for and select: Microsoft RDP
  5. Click Protect this Application
  6. Note down the following from the application page:
    1. Integration Key
    2. Secret Key
    3. API Hostname
  • The Secret Key is the equivalent of a password for this application. Store it in a password or secrets manager, not in this wiki, a ticket, or a deployment share.

🔹 Step 2: Download & Install the Duo Windows Logon Agent

  1. Download the installer from https://duo.com/docs/rdp (Duo Authentication for Windows Logon and RDP)
  2. Run the installer on the target Windows system
  3. During setup, enter the following:
    1. Integration Key
    2. Secret Key
    3. API Hostname
  4. Set the installer options as follows:
    1. [ ] Bypass Duo authentication when offline (FailOpen) — leave unchecked so the logon fails closed when Duo cannot be reached
    2. [ ] Only prompt for Duo authentication when logging in via RDP — leave unchecked so console logons are protected as well
    3. [✓] Use auto push to authenticate if available — sends the Duo Push automatically after the password is accepted
  5. Finish the installation and restart the system
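For more than one or two machines the interactive installer does not scale, and typing the secret key into a GUI on each host is error-prone. The script below is an added example (not Duo's own script) of an unattended install of the same agent using the MSI public properties Duo documents for silent installs (IKEY, SKEY, HOST, FAILOPEN, RDPONLY, AUTOPUSH), with the same hardened choices as Step 2: fail closed, prompt for console and RDP. It assumes the MSI has already been extracted to the path in `$MsiPath`, that the integration key and API hostname placeholders are replaced with the values from Step 1, and that the secret key is supplied through the `DUO_SKEY` environment variable rather than hardcoded.

```powershell
# Added example: unattended install of Duo Authentication for Windows Logon.
# Not Duo's script. Uses the msiexec properties from Duo's silent-install docs.
# Assumptions: MSI extracted to $MsiPath; key/hostname placeholders replaced;
# secret key passed in $env:DUO_SKEY so it never lands in a script file.
param(
    [string]$MsiPath        = 'C:\Temp\DuoWindowsLogon64.msi',      # assumed path
    [string]$IntegrationKey = 'DIXXXXXXXXXXXXXXXXXX',                # placeholder
    [string]$ApiHostname    = 'api-XXXXXXXX.duosecurity.com',        # placeholder
    [switch]$FailOpen                                                # default: fail closed
)
$ErrorActionPreference = 'Stop'

$SecretKey = $env:DUO_SKEY
if (-not $SecretKey)          { throw 'Set DUO_SKEY in the environment first; do not hardcode it.' }
if (-not (Test-Path $MsiPath)) { throw "MSI not found: $MsiPath" }

# Duo expects boolean MSI properties as "#1" / "#0".
$failOpenValue = if ($FailOpen) { '#1' } else { '#0' }

$msiArgs = @(
    '/i', "`"$MsiPath`"",
    "IKEY=`"$IntegrationKey`"",
    "SKEY=`"$SecretKey`"",
    "HOST=`"$ApiHostname`"",
    "FAILOPEN=`"$failOpenValue`"",   # #0 = block logon when Duo is unreachable
    'RDPONLY="#0"',                  # #0 = prompt on console AND RDP logons
    'AUTOPUSH="#1"',                 # push automatically after the password
    '/qn', '/norestart'
    # No /l*v here on purpose: verbose MSI logs can record property values,
    # which would write the secret key to disk in clear text.
)

$proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
# 0 = success, 3010 = success but a reboot is required
if ($proc.ExitCode -notin 0, 3010) { throw "msiexec failed with exit code $($proc.ExitCode)" }

# Read back what the installer wrote so the result can be audited.
$reg = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Duo Security\DuoCredProv'
[pscustomobject]@{
    Host     = $reg.Host
    IKey     = $reg.IKey
    FailOpen = $reg.FailOpen   # expect 0
    RdpOnly  = $reg.RdpOnly    # expect 0
    AutoPush = $reg.AutoPush   # expect 1
}
if ($proc.ExitCode -eq 3010) { Write-Warning 'Reboot required before the credential provider is active.' }
```

Run it from an elevated PowerShell session after setting `$env:DUO_SKEY` in that session only (for example from a vault lookup), and clear the variable afterwards. The same property values are what a GPO or configuration-management deployment would push; the secret key is stored encrypted by the agent once installed, so the clear-text copy should exist only for the duration of the install.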

🔹 Step 3: Add and Enroll the User in the Duo Admin Portal

  1. Go to Duo Admin Portal → Users
  2. Click Add User and enter the Windows login username
  3. After creating the user:
    1. Assign a phone/device
    2. Send an enrollment link via email or SMS
  4. On the user's mobile phone:
    1. Open the link
    2. Follow the instructions to enroll using Duo Mobile

🔹 Step 4: Test a Windows Login with MFA

  1. Lock or restart the system
  2. Enter your Windows username and password
  3. You will receive a Duo Push notification on the enrolled phone
  4. Approve the request on the phone to complete the login
  • The Duo prompt now appears for every interactive Windows login (console or RDP); test both paths, and test a denied push, before relying on it

πŸ” Repeat for Additional Users

  • Repeat enrollment for every user (Step 3)
  • Ensure usernames match Windows login names exactly

βš™οΈ Optional Configuration Notes

Feature Description
Fail-Safe Mode Choose whether login is allowed if Duo is unreachable
RDP-Only Prompt Leave unchecked to enforce MFA for console and RDP login
Offline Mode Not supported (Duo requires internet access)
Central Management Use Registry or GPO to centrally manage Duo settings

✅ Validation Checklist

Test Scenario                     Expected Outcome
System restart                    Duo prompt appears after the password, before the desktop loads
Lock screen unlock                Duo prompt appears before the session unlocks
RDP connection                    Duo prompt appears after the password is accepted
Push denied or timed out          Logon is denied and Windows returns to the credential prompt
No internet (FailOpen = 0)        Logon is blocked until connectivity to the API hostname returns
No internet (FailOpen = 1)        Logon completes with the password only (Duo is bypassed); this must be a deliberate, documented exception
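The checklist above exercises the logon screen by hand. The script below is an added example (not from Duo's documentation) that checks the same properties from the registry and network side, so the fail-closed and console-plus-RDP settings can be verified on a host, or across many hosts, without logging on. The registry path and value names are those the agent writes; the DLL path is an assumption about the default install location. With `-Enforce` it resets FailOpen and RdpOnly to the hardened values.

```powershell
# Added example: verify (and optionally enforce) the Duo Windows Logon settings
# that the validation checklist depends on. Not Duo's own tooling.
# Assumptions: default install location for DuoCredProv.dll; Windows 8/2012+ for Test-NetConnection.
param([switch]$Enforce)   # -Enforce rewrites FailOpen/RdpOnly to 0

$regPath = 'HKLM:\SOFTWARE\Duo Security\DuoCredProv'
$dllPath = "$env:ProgramFiles\Duo Security\WindowsLogon\DuoCredProv.dll"   # assumed default path

function Test-DuoLogonConfig {
    $r = [ordered]@{}
    $r['AgentInstalled'] = Test-Path $dllPath
    $r['ConfigPresent']  = Test-Path $regPath
    if (-not $r['ConfigPresent']) { return [pscustomobject]$r }

    $cfg = Get-ItemProperty -Path $regPath

    # Fail closed: an attacker who can cut egress to the API hostname must not
    # be able to turn the logon into password-only.
    $r['FailClosed'] = ($cfg.FailOpen -eq 0)

    # RdpOnly=1 would leave console logons (physical, KVM, VM console) unprotected.
    $r['ConsoleAndRdp'] = ($cfg.RdpOnly -eq 0)

    $r['ApiHost'] = $cfg.Host
    # The agent speaks HTTPS to the API hostname; confirm TCP 443 from this box.
    $r['ApiReachable'] = (Test-NetConnection -ComputerName $cfg.Host -Port 443 `
                            -WarningAction SilentlyContinue).TcpTestSucceeded
    [pscustomobject]$r
}

$state = Test-DuoLogonConfig
$state | Format-List

if ($Enforce -and $state.ConfigPresent) {
    Set-ItemProperty -Path $regPath -Name FailOpen -Value 0 -Type DWord
    Set-ItemProperty -Path $regPath -Name RdpOnly  -Value 0 -Type DWord
    Write-Host 'FailOpen and RdpOnly set to 0; re-run the lock/unlock test to confirm.'
}

$failed = @('AgentInstalled','ConfigPresent','FailClosed','ConsoleAndRdp','ApiReachable') |
    Where-Object { -not $state.$_ }
if ($failed) { Write-Warning "Checks failed: $($failed -join ', ')"; exit 1 }
exit 0
```

Run it elevated. A non-zero exit code makes it usable as a compliance check from a scheduled task or a configuration-management run; `ApiReachable` being false on a host with `FailClosed` true is exactly the "No internet (FailOpen = 0)" row of the checklist, and on such a host nobody will be able to log on until connectivity returns, so keep an out-of-band recovery path (for example a break-glass account excluded in the Duo application policy) documented before enabling fail-closed fleet-wide.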

📌 Summary

Task                              Status
Duo Admin setup                   ✅ Completed
Duo Application created           ✅ Completed
Windows Logon Agent installed     ✅ Completed
Users enrolled with Duo Mobile    ✅ Completed
MFA enforced at every login       ✅ Working

📄 Notes

  • This setup uses Duo Push notifications; users should be told to deny any push they did not initiate and report it, since an unexpected push means someone already has their password
  • Works on both domain-joined and workgroup PCs
  • The agent protects interactive logons only (console, RDP, unlock). Network logons such as SMB shares or remote PowerShell are not prompted, so pair it with host firewall rules and least-privilege accounts rather than treating it as MFA for every access path
  • Duo is suited to organizations that prefer cloud-based MFA and can tolerate the dependency on outbound connectivity that fail-closed mode implies