Duo for OWA - Remove/Reinstall Duo agent after CU installation


I have a Duo for OWA installation on Exchange 2016, about to be rolled out. But after each CU installation (quarterly release for Microsoft) for Exchange, we have to remove/reinstall the Duo agent. This can be quite cumbersome and error prone with a cluster of multiple CAS servers.

Is there a method to run the Duo for OWA installation agent via script? So I can write something in powershell with the iKey, sKey, API host already baked in, so that the script can be run on all CAS nodes after each CU installation?

Even better yet, any chance if the issue can be fixed entirely by Duo, so that it’s no longer necessary to remove/reinstall Duo agent after Exchange CU installation?



Microsoft’s default CU install behavior used to overwrite the existing web.config file, removing the Duo information added when you installed Duo for OWA.

This was first corrected in Exchange 2016 CU 1 - https://support.microsoft.com/en-us/help/3135688/update-preserves-the-web-config-file-for-outlook-web-app-when-you-appl.

Are you still seeing that the CU installers wipe the Duo config from your web.config file?

https://duo.com/docs/owa-faq#why-did-duo-stop-working-after-i-installed-an-exchange-cumulative-update-(cu)? for reference


Hi Kristina,

We were installing CU 9, and it did make Duo stop working. The Duo agent (1.3.2) also didn’t fail gracefully but failed hard, blocking authentication. The only solution was to uninstall then reinstall. Even just reinstalling first did not work.

It is possible that the issue would happen only during the first CU installation, and will not happen again in subsequent CU installation. We’ll try installing CU 10 and see what happens.

Could you also try replicating the issue in the lab?




Note that if the Microsoft CU installer chooses to overwrite the existing web.config file (removing the additions made by the Duo installer) it is not an issue with the Duo software.

I notice that https://docs.microsoft.com/en-us/Exchange/plan-and-deploy/install-cumulative-updates still warns admins that “Any customized per-server Exchange or Internet Information Server settings you make in Exchange XML application configuration files (for example, web.config files or the EdgeTransport.exe.config file) will be overwritten when you install an Exchange Cumulative Update (CU)”.

So it seems like a best practice is to continue the practice of uninstalling Duo before the CU update and reinstalling after.

If you’d like to continue troubleshooting your issue, please contact Duo Support to open a case. You may also contact Duo Support if you’d like to submit a feature request for updating the Duo OWA installer to support silent/scripted installations or have a “fix” flag to restore the web.config information without requiring a full un/re-install.

If you have Microsoft Support it may be worthwhile to open a case with them, so they can investigate whether some unintended regression made it into the CU releases since CU1, reverting the previous fix for this problem.


Thanks Kristina, I’ll contact my CSM then. I was just hoping that the wisdom of the community have seen the same issue first and was able to resolve it.


Hi Kristina,

I just confirmed that the web.config overwrite is definitely happening again. After installing CU 10, Duo stops working again, and require an uninstall / reinstall of the Duo agent.

The ability to script the Duo agent install (some way to feed the ikey / skey / hostname) params into the installation process from powershell instead of copy and paste through the UI, would smooth out the impact of this issue almost entirely, since we can make the Duo step automatic after all CU install on Exchange.