Hi Techie73, once you check the “Enable offline login and enrollment” box on your RDP/Windows Logon application’s properties page in the Duo Admin Panel and save your settings, all users will be prompted to complete offline enrollment the next time they see the Duo prompt for Windows Logon and their system has access to the internet. You can see the expected behavior in our instructional video here (video should start at 4:25):
Note that you can limit offline access to certain Duo groups by checking the “Limit access by groups” box and adding Duo user groups.
To answer your second question, yes, you can disable failopen for those users. They will not be using conventional “bypass codes,” however, they will be using Security Keys or Duo Mobile-generated passcodes.