Can't upgrade or reinstall Duo for Windows Logon; "requires local administrative rights"

I’ve got one random machine that can’t upgrade to Duo (Windows Logon) 4.0.7. Our other protected machines all worked fine but this one has some odd issue. As a free-tier user I’m not eligible for support so I’m hoping someone here might have an idea before I have to go re-build the system from scratch.

I tried to upgrade from the installed 4.0.1 to the latest 4.0.7 and received the following error (whether I ran the EXE or MSI):
Duo Authentication for Windows Logon x64 requires local administrative rights to install. Please run this installer from an elevated prompt.

The verbose, debug-enabled MSI logs say the same thing and not much else:

MSI © (44:90) [13:55:27:339]: Doing action: LaunchConditions
Action 13:55:27: LaunchConditions. Evaluating launch conditions
Action start 13:55:27: LaunchConditions.
Duo Authentication for Windows Logon x64 requires local administrative rights to install. Please run this installer from an elevated prompt.
MSI © (44:90) [13:55:28:339]: Product: Duo Authentication for Windows Logon x64 – Duo Authentication for Windows Logon x64 requires local administrative rights to install. Please run this installer from an elevated prompt.
Action ended 13:55:28: LaunchConditions. Return value 3.
MSI © (44:90) [13:55:28:339]: Doing action: SetupCompleteError
[snip]
Property©: MsiTrueAdminUser = 1
Property©: AdminUser = 1

I tried:

  • Running the file (and received the expected UAC dialog)
  • Running the EXE from an elevated command prompt and PowerShell
  • Running the MSI with msiexec from an elevated command prompt (both interactive and silent)
  • Rebooting
  • Using the 4.0.6 installer (same error)
  • Disabling UAC
  • Disabling antivirus
  • Using a different administrative account
  • Using the console instead of RDP
  • Removing 4.0.1 first (and now I have no Duo at all)

Any ideas, or any way to get a hold of support with a free account?

Thanks!
Alan

Sounds crazy, but did you try right click and running as administrator? :slight_smile: (i’m no expert on duo but it does sound like a permissions issue and you didn’t list it thats all)

If not, may be worth checking what permissions are set for the latest update file? :slight_smile: and was it all done with the local machines admin account? Maybe try creating a new admin user for the machine and try it with that?

Just trying to help best I can with somethings I would try :smiley:

Jammy

Hi Jammy.
Thanks for the thoughts. I didn’t try those since the same file worked elsewhere and my other steps should have bypassed any of those. However, for good measure I gave them a shot after your post just to be sure I hadn’t wrongly ignored the obvious.

  • Right-click: didn’t work
  • Permissions: full control (and made sure to “unblock” the file when applicable)
  • Tried with local Administrator account: didn’t work

Whatever is stuck is really stuck.

Alan

Since I really needed this to work, really didn’t want to rebuild the whole VM, and don’t have access to support I thought about it more and had an idea. With some digging I traced this through a few things and found out that the failure was due to security hardening in place on this particular VM. The Server (LanmanServer) service is disabled because this machine should never be running network shares of any sort. Due to this, one of the admin checks ended up failing within the installer.

While the method I used to figure all this out was pretty heavy there ends up being two simple workarounds. If you find yourself with a hardened system you can either:

  1. Check if your Server service is disabled and temporarily enable it during installation.
  2. If you’re positive you’re an admin user you can pass an option to the installer like you’re doing a silent install: duo-win-login-4.0.7.exe /V" ISADMIN=1"
1 Like