I’m attempting to set up our domain-joined Windows clients to require Duo MFA whenever the user needs admin rights, i.e., at a UAC prompt. I have modified policy to require the user to enter credentials at the UAC prompt even if they are admins, which does trigger MFA.
My issue is that I always get the error “Access is not allowed because you are not enrolled in duo”. Apparently the logs show that Windows/Duo is sending the user to Duo as “domain\user” instead of “user@domain”. How do I get the “Duo Authentication for Windows Logon” application to send the username in the correct format?