So I have deployed Duo RDP for users' workstations. I was under the impression that by default, users would need to re-authenticate every time they log in to their workstation. We deployed this Monday and users have only had to re-authenticate on Monday and haven’t had to since. I found a setting in Global policies to allow users to remember their device which I just now set for 1 day, but not sure if this is the right spot to make the change. I would like users to have to re-authenticate every time they log in to Windows.
Did you get any answer for this?
I have received no response since ticket submittal that I’m aware of.
This is how the Duo for Windows Logon application is intended to work. The “Remembered Devices” policy setting applies to applications where you see Duo’s interactive prompt in a web browser, and doesn’t skip authentication for Duo Windows Logon.
There are a few reasons why users might not be prompted for Duo MFA at login. Is it possible that the user workstations no longer can reach Duo’s service, so they are failing open? Or, do you have your new user policy or authentication policy set in such a way that the users bypass Duo auth? Did you define an authorized networks policy?
I suggest you take a look at the debug logs for the Duo Windows Logon application to see if they shed some light on what is happening.