Duo Authentication for Windows Logon and RDP: Can I REQUIRE offline enrollment?


I was wondering if it is possible to force users to complete offline enrollment when logging into a computer that has the “Duo Authentication for Windows Logon and RDP” client installed?

Or, somehow hide the “Enroll Later” option?

Hi @JuniorSA, great question! Thanks for sharing it here with the community. No, it is not possible to hide the “Enroll Later” option or otherwise force users to complete offline enrollment. Users always have the option to skip enrollment if they want.

Thanks Amy!
My next question is: Can I see what users completed offline enrollment in the admin console?

Hi! So sorry for the delay in getting back to you. I was out sick for a while and am just now seeing your follow-up question. It is not currently possible to view offline enrollment events in the Duo Admin Panel. We do have a feature request for this functionality, which you can add your support to by working with the Duo Support team, or your Account Executive or Customer Success Manager if you are a Duo Care customer.

You can use the Admin API to return a list of offline enrollment events for the past 180 days.

I would really like to be able to choose to OPT out of seeing the offline enrollement page in general! I don’t want to enroll or click enroll later. I’d rather on the previous screen where i was prompted for MFA to be able to select if i want to enroll offline or not. TecMFA does a great job of this when intergrating into OKTA. So i’m use to this feature and not being bothered. I’m trying to switch over I just hate losing features.

@bkerstiens that can be achieved at the local computer level by performing this regedit:
REG ADD “HKEY_LOCAL_MACHINE\SOFTWARE\Duo Security\DuoCredProv” /v “OfflineAvailable” /t REG_DWORD /d 0 /f

But I agree, something in the installation GUI would be nice to disable this.