Duo Authentication for Windows Logon UAC Elevation in Offline mode

DorkSkyBlues · ‎11-03-2020

So I have been testing User Elevation Protection on a Windows desktop for DUO Auth for Windows Logon. It works well on several desktops I have, but testing “Protect User Elevation while offline” I run into a problem. When I start the computer unplugged (and offline) and login with a user account, then try a task that requires a user elevation to admin, I still get prompted to select a Duo authentication method (such as the Duo Prompt). When offline I should not get prompted to authenticate when performing a UAC elevation, correct?

My settings in regedit on the desktop is
Autopush Set to 0
ElevationOfflineEnable (ElevationOfflineLogon) Set to 0
ElevationOfflineEnrollment Set to 0
ElevationProtectionMode set to 2
EnableSmartCards 0 don’t have smart cards
FailOpen Set to 1
OfflineAvailable 1 Allows Offline Authentication
RdpOnly 1 Protect RDP logons only

Or am i not understanding this correctly?

DuoKristina · ‎11-05-2020

Are you still offline when you try the elevated action, or have you reconnected the computer to the network after logging in while offline? The Duo prompt UI gets populated with factor options like Duo Push only after the application on your computer contacts Duo to find out what factors the username passed in has available. So, if you see a prompt that includes Duo Push when you try an elevated action, it sounds like the computer was able to contact Duo at that time.

Also it’s worth pointing out that if you have FailOpen = 1 then that negates any added security for offline logins that the offline 2fa provides. With fail open enabled, then a user who enrolled in offline 2FA gets prompted for offline 2FA when the computer can’t contact Duo, but a user not enrolled in Duo who logs in while the computer is offline doesn’t need to perform any 2FA at all as fail open permits login without online or offline 2FA success.

Duo, not DUO.