Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5663
Views
3
Helpful
3
Replies

Can't upgrade or reinstall Duo for Windows Logon; "requires local administrative rights"

Go to solution
cofi-alan
Level 1
Level 1

‎12-23-2019 02:05 PM

I’ve got one random machine that can’t upgrade to Duo (Windows Logon) 4.0.7. Our other protected machines all worked fine but this one has some odd issue. As a free-tier user I’m not eligible for support so I’m hoping someone here might have an idea before I have to go re-build the system from scratch.

I tried to upgrade from the installed 4.0.1 to the latest 4.0.7 and received the following error (whether I ran the EXE or MSI):
Duo Authentication for Windows Logon x64 requires local administrative rights to install. Please run this installer from an elevated prompt.

The verbose, debug-enabled MSI logs say the same thing and not much else:

MSI © (44:90) [13:55:27:339]: Doing action: LaunchConditions
Action 13:55:27: LaunchConditions. Evaluating launch conditions
Action start 13:55:27: LaunchConditions.
Duo Authentication for Windows Logon x64 requires local administrative rights to install. Please run this installer from an elevated prompt.
MSI © (44:90) [13:55:28:339]: Product: Duo Authentication for Windows Logon x64 – Duo Authentication for Windows Logon x64 requires local administrative rights to install. Please run this installer from an elevated prompt.
Action ended 13:55:28: LaunchConditions. Return value 3.
MSI © (44:90) [13:55:28:339]: Doing action: SetupCompleteError
[snip]
Property©: MsiTrueAdminUser = 1
Property©: AdminUser = 1

I tried:

  • Running the file (and received the expected UAC dialog)
  • Running the EXE from an elevated command prompt and PowerShell
  • Running the MSI with msiexec from an elevated command prompt (both interactive and silent)
  • Rebooting
  • Using the 4.0.6 installer (same error)
  • Disabling UAC
  • Disabling antivirus
  • Using a different administrative account
  • Using the console instead of RDP
  • Removing 4.0.1 first (and now I have no Duo at all)

Any ideas, or any way to get a hold of support with a free account?

Thanks!
Alan

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
cofi-alan
Level 1
Level 1

‎01-24-2020 06:59 PM

Since I really needed this to work, really didn’t want to rebuild the whole VM, and don’t have access to support I thought about it more and had an idea. With some digging I traced this through a few things and found out that the failure was due to security hardening in place on this particular VM. The Server (LanmanServer) service is disabled because this machine should never be running network shares of any sort. Due to this, one of the admin checks ended up failing within the installer.

While the method I used to figure all this out was pretty heavy there ends up being two simple workarounds. If you find yourself with a hardened system you can either:

  1. Check if your Server service is disabled and temporarily enable it during installation.
  2. If you’re positive you’re an admin user you can pass an option to the installer like you’re doing a silent install: duo-win-login-4.0.7.exe /V" ISADMIN=1"

View solution in original post

3 Replies 3

Go to solution
JammyShaw
Level 1
Level 1

‎12-27-2019 07:17 AM

Sounds crazy, but did you try right click and running as administrator? (i’m no expert on duo but it does sound like a permissions issue and you didn’t list it thats all)

If not, may be worth checking what permissions are set for the latest update file? and was it all done with the local machines admin account? Maybe try creating a new admin user for the machine and try it with that?

Just trying to help best I can with somethings I would try

Jammy

0 Helpful

Go to solution
cofi-alan
Level 1
Level 1
In response to JammyShaw

‎12-27-2019 03:42 PM

Hi Jammy.
Thanks for the thoughts. I didn’t try those since the same file worked elsewhere and my other steps should have bypassed any of those. However, for good measure I gave them a shot after your post just to be sure I hadn’t wrongly ignored the obvious.

  • Right-click: didn’t work
  • Permissions: full control (and made sure to “unblock” the file when applicable)
  • Tried with local Administrator account: didn’t work

Whatever is stuck is really stuck.

Alan

0 Helpful

Go to solution
cofi-alan
Level 1
Level 1

‎01-24-2020 06:59 PM

Since I really needed this to work, really didn’t want to rebuild the whole VM, and don’t have access to support I thought about it more and had an idea. With some digging I traced this through a few things and found out that the failure was due to security hardening in place on this particular VM. The Server (LanmanServer) service is disabled because this machine should never be running network shares of any sort. Due to this, one of the admin checks ended up failing within the installer.

While the method I used to figure all this out was pretty heavy there ends up being two simple workarounds. If you find yourself with a hardened system you can either:

  1. Check if your Server service is disabled and temporarily enable it during installation.
  2. If you’re positive you’re an admin user you can pass an option to the installer like you’re doing a silent install: duo-win-login-4.0.7.exe /V" ISADMIN=1"
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents