Configuration with AD.. documentation confusing


I set up a test domain over the weekend to see if duo would work for us, but I can’t get it to work in what I would consider a sensible way.

If I add the RDP/Login to duo, it’s easy enough to set it up for only enrolled accounts to be asked for additional authentication, that’s fine.
however the moment I add a new account it locks that account from logging in. This presents a problem, since you can’t send an enrollment email without adding the user - which prevents them logging in to receive the email.

I need to set duo up so that someone who has been sent an email but not enrolled is allowed to enroll in their own time - enforcement is months away… it needs to be voluntary.

The documentation talks about self enrollment but I’ve been unable to work out how to set that up. Is there a standard URL for that on the server? Writing my own email that says ‘go here to enroll’ is acceptable.


The Windows Logon doesn’t support self-enrollment (hence all the warnings in the documentation about making sure you’ve enrolled your users separately).

You can have your users self-enroll in a few ways:

  1. Use bulk enrollment to end an enrollment email to users. the email contains a link they can use to add their authentication devices (easy).

  2. Deploy Duo’s standalone Device Management Portal so they can enroll themselves by visiting a URL you specify on a web server you’re hosting internally (more difficult).

To make sure that users who haven’t enrolled in Duo yet aren’t challenged for two-factor when logging in to the application you can use Duo policies to create and apply a group policy to your RDP application that sets the New User Policy policy to “allow access” to unenrolled users.

I hope this helps you stage out your Duo deployment! Thanks for trying Duo.


The moment you use bulk enrollment for a user, their account is locked out. This means it is impossible to log in to pick up the email. New User policy appears to be ignored for bulk enrolled users.

If it’s supposed to work as you describe unless I’m missing something it’s currently broken - there needs to be a way to send the email without enrolling the user.

I’ll look at the device management portal although it looks quite involved.