Fall Creators Update (Version 1709) of Windows 10 breaks Duo for Windows Logon’s support for Microsoft Accounts


#27

I am having the same issue. I am coming in from the Microsoft RDP client in android and a client on Windows 7. The local admin account works, but the live linked account does not. I tried using the local representation of the live account but that had the same result. Next I added the providerswhitelist into regedit, installed 3.1.1 and rebooted. That did not help. All resource forwarding is cancelled.

Has anyone had success with a workaround? Looks like disabling CredSSP is the leading contender.


#28

@PatrickKnight Unfortunately this has not worked for me. I have the same problem as @Duo_RDP_User


#29

I can confirm. After Win10 Fall Update 2FA with DUO does not work. RDP hangs on login screen and waits. When DUO is uninstalled RDP works as expected.


#30

Quick update we are still working on a fix for this issue.

As a workaround without uninstalling you can set the GUID to F8A0B131-5F68-486C-8040-7E8FC3C85BB6
and removing the one posted above. This does not require a reboot.

The expected behavior after setting this will allow Duo to remain installed, protecting non-Microsoft Accounts and allows RDP of Microsoft accounts with no second factor.


#31

Thanks for the update. In lieu of disabling 2FA for microsoft accounts, I have begun rebooting my machine whenever I go to log out of my microsoft account. This works for me as I don’t keep any programs up when I log out.

This workaround has worked for me thus far. If I forget to reboot I can log in with a local account and reboot from there.


#32

HI all, thanks for all of your help with reporting this issue and trying out the various workaround solutions we’ve posted here. Our Engineering Team now has a very good understanding of the issue, but unfortunately a full solution is going to require additional development and collaboration with Microsoft.

We have confirmed that the Fall Creators Update (Version 1709) of Windows 10 breaks Duo for Windows Logon’s support for Microsoft Accounts (previously known as Windows Live ID). This is due to new behavior by the Microsoft Account credential provider which requires it to be loaded for accounts to appear.

As @patrickknight posted earlier, a workaround is available that allows Duo to remain installed and protect non-Microsoft Accounts while allowing access to Microsoft Accounts with no second factor.

To do this, use the Registry Editor (regedit.exe) with administrator privileges to create (or update) the following registry values in HKEY_LOCAL_MACHINE\SOFTWARE\Duo Security\DuoCredProv

  • Registry Value: ProvidersWhitelist
  • Type: REG_MULTI_SZ
  • Populate the multi string value data with the following GUID: F8A0B131-5F68-486C-8040-7E8FC3C85BB6

No reboot is required.

We will continue to update this thread as more information becomes available. Thanks again for your help and patience with this issue.


#33

I’m new to Duo and trying to follow this conversation on Creators Fall. English is not my native language, so what I get from this post, is problem regarding non-local accounts … my problem is with local account.

I reinstalled my Windows Pc (Creators Fall), created a local account and installed Duo.

Now when I try to Remote Desktop from my Mac to the Pc, it asks for credentials even tough my Mac Remote Desktop is providing the username and password. After I have entered my credentials, the Duo form is shown - not before.

Uninstalling Duo makes my Mac Remote Desktop perfectly without asking for credentials … why is it asking for credentials (when Duo is installed) even though the credentials are provided from the Mac? Can I fix this?

This was not a problem before Creators Fall - before Creators Fall, my Mac would start Remote Desktop, I get the Duo form, I accept and I’m in - no credentials.


#34

Hi Dooley,

How’s it going getting Duo working with the Fall Creator’s update? Any eta?

Cheers


#35

Any progress to report? For now, despite some disadvantages for local accounts, I reverted to a local login to get around this issue and allow Duo to work on 1709. I would very much like to go back to a Microsoft Account though, once this issue is resolved. Thanks!

I do wish the dual factor RDP article was clearer, since it seems to give hope that above is a work-around, but you stated here more clearly

“As @patrickknight posted earlier, a workaround is available that allows Duo to remain installed and protect non-Microsoft Accounts while allowing access to Microsoft Accounts with no second factor.”

FYI, I’m quite happy with Duo for RDP, an awesome capability that I’ve wanted for years. Coupled with creative router config to forward port 443 to 3389 for the IP of my RDP listening Windows 10 1709 PC (since hotels often block 3389), I can now avoid the slow-down of VPNing to my remote network with relative safety. Glad Duo even works even when using my phone’s RDP app, when hair-pinning (connecting while on local LAN) or remote (taking advantage of the port-forwarding coupled with ddns.net). Awesome!


#36

I rolled back prior to fall creators edition. For now, that’s the only option to get connected without doing the reboots.


#37

Quick update we are currently engaged with Microsoft about this issue, we will supply an ETA once we know more. Thanks!


#38

Hello - since it’s been almost 3 weeks, are there any updates to this issue? The work around does not appear to work for me as when I connect over RDP I never get any Duo information back, it just sits there and I cannot login. I am able to login locally, but not over RDP.


#39

Am experiencing the same issue as Jeal168. After a reboot, the DUO notification will appear on my phone and I can log in. After I disconnect and try a second time, no DUO notification, only the Windows username/password screen. This is AFTER the registry edit ProvidersWhiteList.

Using a Windows 10 Pro. Version 1709, OS build 16299.192, member of an Active Directory domain.

A fix would greatly be appreciated (and shouldn’t take this long for a company as Duo???)


#40

Hello all,

Just wanted to let you know we are still working through resolving this issue with Microsoft developer support.


#41

This is a complete show stopper as it renders Duo completely unusable for us. All of our users use Microsoft accounts.

I am currently researching alternative products. But in all honesty, I am not pleased with any so far. This is costing us time and money, and potentially future business.

Even without Microsoft cooperation, I would expect at least OTP support in the agent.

Can’t some useful workaround be provided ASAP?

Note: Having our end-users edit the registry, just to disable 2FA and re-enable regular logons is not a useful workaround.


#42

For what it’s worth I would like to second the frustration shared by johnbize. I too am researching alternatives for my company. Being a software jockey myself I completely understand the complexities that Microsoft changes could have introduced causing this to break. However, looking at the top of this blog, this has been going on for 5 months. For a company to provide such non-committal answers after 5 months is simply unacceptable. I would really hope by now to see much more detail or at least some better work on supporting your customers. As many have shared your “work around” does not work in all cases.


Duo Release Notes for March 30, 2018
#43

Hi @cclarsen and @johnbize (and everyone else watching this thread),

We understand that this is a frustrating issue without a complete workaround and apologize for the time it’s taking to get this resolved. We are working with Microsoft on a solution and have further escalated this issue with our contacts there. We will promptly update this thread and our documentation as soon as a full solution is available, but we do not have any additional details to share at this time.


#44

We haven’t heard anything in three weeks.

I believe this is a significant enough bug to warrant frequent updates. Will a fix be in the next (March?) release? Has Duo just decided to abandon Windows account users? It broke last November, right?


#45

Hey @johnbize,

I understand the frustration, unfortunately there isn’t much to update at this time other than we are waiting on additional feedback from Microsoft developers. As soon as there is more info we’ll share it here.

Also we are not abandoning Microsoft/LiveID accounts.


#46

Hi Fellow Duo Users,
I used this product a lot and care about this feature. As a workaround I have reverted back to previous version prior to fall creators update and have paused build updates so that I can use feature without issues.

Hi Duo Support,
Are you open to allowing end users to help troubleshoot and in return probably provide bounties / rewards if the provided resolution does work? This would certainly help fast track the resolution of this particular issue. I’m guessing most of the users responding on this forum are either IT Pros or Developers that can help with proper motivation. It’s just a suggestion.