Fall Creators Update (Version 1709) of Windows 10 breaks Duo for Windows Logon’s support for Microsoft Accounts


#17

Ok - I updated registry value to 1, rebooted, reinstalled duo software. And the issue still occurs.

If you want to see what it looks like I can share the computer I’m trying to connect to so you can see it first hand via private message?


#18

I’m having the same problem but posted that earlier in this thread but I thought of something else. I’m using a Windows live login for logging into my PC instead of a local account. Not sure if this would make a difference for troubleshooting or others are set up this way or not.


#19

Good thinking, Alan, I am also using a Windows Live account or what I think they call Microsoft Accounts more generically, but not a local account anyway.

I also use a PIN for Windows Hello, but I turned that off as I thought it might be the conflict…


#20

Chiming in as I also have the same issue. Disabling printer forwarding does not work, nor does having dontdisplaylastusername set to 1. I’m also using a Windows Live account for signing in.

Reading about the type of account people in here are using I decided to test a couple of things - here are my findings:

Creating a local user account and using that for RDP actually does bring up the duo prompt. I enrolled this user and got push notifications to my phone. Thus, I can log in with the local user. Trying with my regular Windows Live account resulted in the same failure as previously - no duo prompt. In fact, the login attempt does not even show in the duo portal.

As the next step I logged in to the local user I just created but canceled the login. I’m now past the NLA CredSSP login provider and have an active RDP session with my host. I change accounts from the local user to my Windows Live account and log in with that, which does give me the duo prompt and the push notification. I can now log into the host.

This leads me to believe that it has something to do with NLA and CredSSP so I disable that on my host and create a .rdp file that has:
enablecredsspsupport:i:0

As I don’t have to authenticate before establishing the rdp session I can now just put in my regular Windows Live account credentials and I get the duo prompt and correlating push request to my phone. I am now able to log in again.

I’m pretty sure it has to do with NLA and the CredSSP provider but I can’t do more tests right now. I’ll get back to it later but I hope this helps you guys in troubleshooting and finding the issue.


#21

I am also using a Microsoft account for authentication. @Dooley Have you tried adding a Microsoft account to your test machines?


#22

After replicating the issue internally with Windows Live Accounts, we have a workaround by whitelisting a specific Microsoft credential provider, allowing RDP and DUO to work together as expected.

Use the Registry Editor (regedit.exe) with administrator privileges to create (or update) the following registry values in HKEY_LOCAL_MACHINE\SOFTWARE\Duo Security\DuoCredProv

  • Registry Value: ProvidersWhitelist
  • Type: REG_MULTI_SZ
  • Populate the multi string value data with the following GUID: {1ee7337f-85ac-45e2-a23c-37c753209769}



#24

Patrick. Good deal. That fix works…partially. For me, after I reinstalled Duo, updated the registry and rebooted I was able to authenticate with DUO 2FA working. However, after breaking the connection to the RDP session and trying again - it failed in the same way as before. If I force a restart and log in over DUO RDP 2FA the first time it continues to work but just not to connect to an existing session.


#25

Same problem here unfortunately, the regfix does not solve it for me.


#26

I have the same issue after updating to Windows 10 Fall Creator’s Update. Rebooting the machine would allow me to log in but then any succeeding re-connection to the RDP session would fail even though I’m getting the prompt to approve and have been providing my approval. The screen would just get stuck on the lock screen. Funny thing is icons to disconnect, restart, etc. are available and working. My last recourse if the solution from DUO or MS will take time is to restore from backup prior to fall creators update.


#27

I am having the same issue. I am coming in from the Microsoft RDP client on Android and a client on Windows 7. The local admin account works, but the live linked account does not. I tried using the local representation of the live account but that had the same result. Next I added the providerswhitelist into regedit, installed 3.1.1 and rebooted. That did not help. All resource forwarding is cancelled.

Has anyone had success with a workaround? Looks like disabling CredSSP is the leading contender.


#28

@PatrickKnight Unfortunately this has not worked for me. I have the same problem as @Duo_RDP_User


#29

I can confirm. After Win10 Fall Update 2FA with DUO does not work. RDP hangs on login screen and waits. When DUO is uninstalled RDP works as expected.


#30

Quick update: we are still working on a fix for this issue.

As a workaround without uninstalling, you can set the GUID to F8A0B131-5F68-486C-8040-7E8FC3C85BB6 and remove the one posted above. This does not require a reboot.

The expected behavior after setting this will allow Duo to remain installed, protecting non-Microsoft Accounts, and allow RDP of Microsoft accounts with no second factor.


#31

Thanks for the update. In lieu of disabling 2FA for Microsoft accounts, I have begun rebooting my machine whenever I go to log out of my Microsoft account. This works for me as I don’t keep any programs up when I log out.

This workaround has worked for me thus far. If I forget to reboot I can log in with a local account and reboot from there.


#32

Hi all, thanks for all of your help with reporting this issue and trying out the various workaround solutions we’ve posted here. Our Engineering Team now has a very good understanding of the issue, but unfortunately a full solution is going to require additional development and collaboration with Microsoft.

We have confirmed that the Fall Creators Update (Version 1709) of Windows 10 breaks Duo for Windows Logon’s support for Microsoft Accounts (previously known as Windows Live ID). This is due to new behavior by the Microsoft Account credential provider which requires it to be loaded for accounts to appear.

As @patrickknight posted earlier, a workaround is available that allows Duo to remain installed and protect non-Microsoft Accounts while allowing access to Microsoft Accounts with no second factor.

To do this, use the Registry Editor (regedit.exe) with administrator privileges to create (or update) the following registry values in HKEY_LOCAL_MACHINE\SOFTWARE\Duo Security\DuoCredProv

  • Registry Value: ProvidersWhitelist
  • Type: REG_MULTI_SZ
  • Populate the multi string value data with the following GUID: F8A0B131-5F68-486C-8040-7E8FC3C85BB6

No reboot is required.

We will continue to update this thread as more information becomes available. Thanks again for your help and patience with this issue.
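
A read-only audit of the two workarounds discussed in this thread (added example, not part of any post and not Duo's own code): it lists what is in `ProvidersWhitelist` and reports whether NLA is still required on the host. The GUID annotations restate what the posts above say about each value; the `UserAuthentication` check under the standard Windows RDP-Tcp key, and the function and variable names, are additions made here.

```powershell
# Added example: report on the thread's workarounds. Reads the registry only.
# Run in an elevated PowerShell session on the RDP host.

$duoKey = 'HKLM:\SOFTWARE\Duo Security\DuoCredProv'
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# GUIDs quoted in the thread, with the effect the posts attribute to each.
$knownGuids = @{
    '1EE7337F-85AC-45E2-A23C-37C753209769' = 'Microsoft credential provider whitelisted in post #22'
    'F8A0B131-5F68-486C-8040-7E8FC3C85BB6' = 'posts #30/#32: Microsoft Accounts reach RDP with NO second factor'
}

function Get-DuoWhitelistFindings {
    param([string[]]$Entries)
    foreach ($entry in $Entries) {
        # The thread shows one GUID in {braces}/lowercase and one bare/uppercase.
        $guid = $entry.Trim().Trim('{}').ToUpperInvariant()
        if (-not $guid) { continue }
        $note = if ($knownGuids.ContainsKey($guid)) { $knownGuids[$guid] }
                else { 'not mentioned in the thread: review manually' }
        [pscustomobject]@{ Check = 'ProvidersWhitelist'; Value = $guid; Note = $note }
    }
}

$findings = @()

$duo = Get-ItemProperty -Path $duoKey -Name ProvidersWhitelist -ErrorAction SilentlyContinue
if ($duo) {
    $findings += Get-DuoWhitelistFindings -Entries $duo.ProvidersWhitelist
} else {
    $findings += [pscustomobject]@{ Check = 'ProvidersWhitelist'; Value = '(not set)'
                                    Note  = 'no credential providers whitelisted' }
}

# UserAuthentication: 1 = NLA required, 0 = NLA not required.
# Group Policy can override this; only the local setting is read here.
$rdp = Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue
if ($rdp -and $rdp.UserAuthentication -eq 0) {
    $findings += [pscustomobject]@{ Check = 'NLA'; Value = 'UserAuthentication=0'
                                    Note  = 'NLA not required on this host (host side of the post #20 workaround)' }
}

$findings | Format-Table -AutoSize -Wrap
```

Any host that reports the F8A0B131 entry is one where Microsoft Account RDP logons are not protected by Duo, so it belongs on the list to revisit once a fix is available.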


#33

I’m new to Duo and trying to follow this conversation on Creators Fall. English is not my native language, so what I get from this post is a problem regarding non-local accounts … my problem is with local account.

I reinstalled my Windows Pc (Creators Fall), created a local account and installed Duo.

Now when I try to Remote Desktop from my Mac to the Pc, it asks for credentials even though my Mac Remote Desktop is providing the username and password. After I have entered my credentials, the Duo form is shown - not before.

Uninstalling Duo makes my Mac Remote Desktop work perfectly without asking for credentials … why is it asking for credentials (when Duo is installed) even though the credentials are provided from the Mac? Can I fix this?

This was not a problem before Creators Fall - before Creators Fall, my Mac would start Remote Desktop, I get the Duo form, I accept and I’m in - no credentials.


#34

Hi Dooley,

How’s it going getting Duo working with the Fall Creator’s update? Any ETA?

Cheers


#35

Any progress to report? For now, despite some disadvantages for local accounts, I reverted to a local login to get around this issue and allow Duo to work on 1709. I would very much like to go back to a Microsoft Account though, once this issue is resolved. Thanks!

I do wish the dual factor RDP article was clearer, since it seems to give hope that above is a work-around, but you stated here more clearly

“As @patrickknight posted earlier, a workaround is available that allows Duo to remain installed and protect non-Microsoft Accounts while allowing access to Microsoft Accounts with no second factor.”

FYI, I’m quite happy with Duo for RDP, an awesome capability that I’ve wanted for years. Coupled with creative router config to forward port 443 to 3389 for the IP of my RDP listening Windows 10 1709 PC (since hotels often block 3389), I can now avoid the slow-down of VPNing to my remote network with relative safety. Glad Duo works even when using my phone’s RDP app, when hair-pinning (connecting while on local LAN) or remote (taking advantage of the port-forwarding coupled with ddns.net). Awesome!


#36

I rolled back prior to fall creators edition. For now, that’s the only option to get connected without doing the reboots.


#37

Quick update: we are currently engaged with Microsoft about this issue, and we will supply an ETA once we know more. Thanks!