Duo on Windows - 2FA on UAC/Elevated user login

Sorry, new to this community.

Would like to know if Duo on Windows can be set to only protect the UAC/run as administrator function?

We would like to run Duo on user computers, but we don’t need normal user login with 2FA. We just want to ensure that when an administrative credential is entered, this action is protected by 2FA and logged. We would like to do this to ensure the action is done by a legitimate admin person instead of someone stealing the user’s password.

Of course, the same principle may also apply to RDP with administrative accounts, but that’s another topic for after we have tackled the local login challenge.

Hi there!

Yes, Duo for Windows Logon and RDP can be configured to only prompt for 2FA at UAC/run as admin prompts. To configure our Windows Logon integration to behave this way, you can either configure it to only protect UAC logons during installation (check step 6 of “Run the Installer” here: Duo Authentication for Windows Logon and RDP | Duo Security) or edit the registry post-installation: https://help.duo.com/s/article/5807

Note that while there are a number of UAC elevation options, this feature only supports UAC prompts that ask for username and password.

Hope this helps!
