Thank you for your reply. However, as already stated:
“I’m NOT interested in deploying to the session hosts (as already addressed). Deploying solely to the RD Gateway server is favorable…”
I’ve experimented with deploying to session hosts. While this might seem like a preferable solution for some, it would be time consuming for our organization. We have over hundreds of virtual machines in our cloud environment (I know a GPO is an option). By deploying to a RD Gateway, a single deployment will provide the secondary authentication we are looking to achieve.
Once again, “I’m assuming Duo will/is continuing to evolve the technology and will incorporate some level of RAP / CAP functionality down the road.”