Duo for RDP (Windows Logon) is a different offering from us than Duo for RD Web and RD Gateway.
The most typical use case for Duo Windows Logon/RDP is to install it on a server that users connect to with RDP or login at the console interactively, or to install on an end-user workstation. Users provide their Windows credentials, and then approve the Duo login request.
If you want to just protect interactive logins to a server or workstation where users are at the console or connect directly with MSTSC application (or similar) on the normal 3389 port, this is all you need.
You could also install Duo for Windows login only on the session host in an RDS deployment. Whether users connected to that host from RD Web, RD Gateway, or a direct RDP connection, they would complete Duo 2FA only at the session host.
It is generally not considered safe to open your system up to direct inbound RDP traffic from the internet. That’s why Microsoft RDS exists (of which RD Web and RD Gateway are components). These technologies let you provide connectivity to your session hosts over HTTPS instead of RDP 3389.
If you have an RDS deployment then you could install Duo for RDW on your RD Web server and Duo for RD Gateway on your RD Gateway server. That way anyone connecting through either of those would perform 2FA at the initial connection point, then get passed through to the session host without any further 2FA requirement at the session host.
Or, you could just choose to install Duo for Windows Logon on your session host, so users would connect via RD Web or RD Gateway but not need to perform 2FA until they actually hit the session host.
Please carefully read through our overview of how Duo fits into a full RDS deployment here.