Disable Duo for Windows Local Admin?

I am testing deploying to our fleet of Windows devices for our domain admin, server admin and maybe for RDP for regular users.

We do leave the local admin account enabled on all systems and rotate the passwords weekly with LAPS.

I can’t figure out how to exclude this account?

Hi @LipidFault,

Installing Duo Authentication for Windows Logon adds two-factor authentication to all interactive user Windows login attempts, whether via a local console or over RDP: Duo Authentication for Windows Logon and RDP | Duo Security. At this time, there is no way to exclude certain accounts. Please also see Knowledge Base | Duo Security.

Please feel free to submit a feature request asking for this functionality via your Account Executive, Customer Success Manager if applicable, or our Support Team.

Thank you!

Why not make that user in Duo (example: admin) and place them in a Duo group (example: local admins) and set the group to bypass? Add that group to the RDP logon groups. That should allow that user to bypass Duo security. Does that make sense?

Excellent suggestion, @macolinob! Bypassing the local administrator account in the Duo Admin Panel (either via Policy or setting the user to Bypass status) can permit logon without 2FA.

It may be a good idea to set your Fail Mode to open in the event the local administrator needs to log in while the server is offline since Duo’s cloud service needs to be accessible in order to perform the bypass. Enrolling in Offline Access may be a cumbersome process if multiple server admins need to log in with the local admin account at any given (offline) time. The ability to exempt users locally via the Duo for Winlogon client (from the above process) is not available at this time.