Disabling "Only prompt for duo authentication when logging in via rdp" doesn't seem to work?

I’ve installed Duo on multiple computers and disabled the option, “Only prompt for duo authentication when logging in via rdp.” I’ve also confirmed this by checking that is “RdpOnly” is set to 0 (zero) in the registry.

Regardless, I am able to login to the computers from LogMeIn (console) and VMWare UI (console) without any Duo 2FA.

What am I doing wrong?

Thank you!

Perhaps there is another issue, like the Duo Windows client applications is “failing open” because it can’t contact Duo’s cloud service at login. You can enable debug logging for the Duo Windows Logon client and examine the logs to see if it explains what is happening.

Duo 2FA works perfectly when I RDP in, before and after the console attempts. Also, Fail Open is disabled in favor of offline login allowed.

I believe LogMeIn and VMWare UI are logging you into the console session on the machine and that’s why you’re not prompted for Duo 2FA. I’ve seen the same thing when accessing a Hyper-V VM in the console vs RDP. Try disabling the “RDP only” option to see if that helps.

I enabled Debug logging and rebooted (assuming I would need to for the regedit to take effect). Duo properly stopped me during a console login. I’ve since disabled Debug, rebooted, and Duo continues to properly stop me during a console login.

Except for the reboot and the addition/removal of the registry value, nothing has changed. (I also rebooted when Duo was initially allowing me to login to the console without 2FA this morning and the issue persisted after.)

It does not typically require a reboot for any of the Duo registry settings to take effect, but I’m glad it helped resolve your issue.

I guess I’m glad too, however, not knowing why it allowed me to remote in via the console without Duo 2FA in the first place (again, to multiple computers) is rather concerning. Thank you.

Do you have any systems left with the issue where you haven’t already rebooted?

It’s possible that the non-debug level logging that was on when you initially encountered the issue captured some useful information. If that’s so, please use that to open a case with Duo support. This definitely isn’t expected behavior so we’d want to examine whatever artifacts you could provide.

If there are no logs available from before, but you encounter this again with future installs, please enable debugging via regedit without rebooting, reproduce the issue, and contact Duo Support to open a case.

For reference, which version of the Duo software did you install, what were the target Windows versions, and did you install Duo interactively or silently using the MSI?