Differentiating Between Remote Desktop Sessions and RemoteApp Sessions with Duo Winlogon

I’m currently trying to protect administrative Remote Desktop, UAC, and console access to our organization’s servers with Duo Winlogon. Most of our servers act as Remote Desktop Session hosts, and in testing I’ve found that Duo prompts for both full Remote Desktop sessions and RemoteApp sessions. Now the obvious solution is to make a bypass policy for the application and an enforce policy for the administrative group, which I have done and which works fine.

However, I’m trying to plan ahead for when we want to protect RemoteApp and Remote Desktop logons for all users. I’m concerned that I won’t be able to differentiate between the two types of traffic in Duo for creating policies that differ between applications. Is it possible to have Winlogon only pick up on full Remote Desktop sessions and ignore RemoteApp sessions?

I don’t believe this is possible today. The Duo credential provider recognizes RDP and Local (as in, “not RDP”) logon types, and wouldn’t distinguish between RDP for full desktop or RDP for just an app.

You can submit this as a feature request by contacting your account exec or customer success manager (if you have one), or by contacting Duo Support.

