Fall Creators Update (Version 1709) of Windows 10 breaks Duo for Windows Logon’s support for Microsoft Accounts


#22

After replicating the issue internally with Windows Live Accounts, we have a workaround by whitelisting a specific Microsoft credential provider, allowing RDP and DUO to work together as expected.

Use the Registry Editor (regedit.exe) with administrator privileges to create (or update) the following registry values in

HKEY_LOCAL_MACHINE\SOFTWARE\Duo Security\DuoCredProv

  • Registry Value: ProvidersWhitelist
  • Type: REG_MULTI_SZ
  • Populate the multi string value data with the following GUID: {1ee7337f-85ac-45e2-a23c-37c753209769}



#24

Patrick. Good deal. That fix works…partially. For me, after I reinstalled Duo, updated the registry and rebooted, I was able to authenticate with DUO 2FA working. However, after breaking the connection to the RDP session and trying again - it failed in the same way as before. If I force a restart and log in over DUO RDP 2FA the first time it continues to work but just not to connect to an existing session.


#25

Same problem here unfortunately, the regfix does not solve it for me.


#26

I have the same issue after updating to Windows 10 Fall Creator’s Update. Rebooting the machine would allow me to log in but then any succeeding re-connection to the RDP session would fail even though I’m getting the prompt to approve and have been providing my approval. The screen would just get stuck on the lock screen. Funny thing is icons to disconnect, restart, etc. are available and working. My last recourse, if the solution from DUO or MS will take time, is to restore from a backup prior to the Fall Creators Update.


#27

I am having the same issue. I am coming in from the Microsoft RDP client on Android and a client on Windows 7. The local admin account works, but the live linked account does not. I tried using the local representation of the live account but that had the same result. Next I added the providerswhitelist into regedit, installed 3.1.1 and rebooted. That did not help. All resource forwarding is cancelled.

Has anyone had success with a workaround? Looks like disabling CredSSP is the leading contender.


#28

@PatrickKnight Unfortunately this has not worked for me. I have the same problem as @Duo_RDP_User


#29

I can confirm. After Win10 Fall Update 2FA with DUO does not work. RDP hangs on login screen and waits. When DUO is uninstalled RDP works as expected.


#30

Quick update: we are still working on a fix for this issue.

As a workaround without uninstalling, you can set the GUID to F8A0B131-5F68-486C-8040-7E8FC3C85BB6 and remove the one posted above. This does not require a reboot.

The expected behavior after setting this is that Duo remains installed, protecting non-Microsoft Accounts, and allows RDP of Microsoft accounts with no second factor.


#31

Thanks for the update. In lieu of disabling 2FA for Microsoft accounts, I have begun rebooting my machine whenever I go to log out of my Microsoft account. This works for me as I don’t keep any programs up when I log out.

This workaround has worked for me thus far. If I forget to reboot I can log in with a local account and reboot from there.


#32

Hi all, thanks for all of your help with reporting this issue and trying out the various workaround solutions we’ve posted here. Our Engineering Team now has a very good understanding of the issue, but unfortunately a full solution is going to require additional development and collaboration with Microsoft.

We have confirmed that the Fall Creators Update (Version 1709) of Windows 10 breaks Duo for Windows Logon’s support for Microsoft Accounts (previously known as Windows Live ID). This is due to new behavior by the Microsoft Account credential provider which requires it to be loaded for accounts to appear.

As @patrickknight posted earlier, a workaround is available that allows Duo to remain installed and protect non-Microsoft Accounts while allowing access to Microsoft Accounts with no second factor.

To do this, use the Registry Editor (regedit.exe) with administrator privileges to create (or update) the following registry values in HKEY_LOCAL_MACHINE\SOFTWARE\Duo Security\DuoCredProv

  • Registry Value: ProvidersWhitelist
  • Type: REG_MULTI_SZ
  • Populate the multi string value data with the following GUID: F8A0B131-5F68-486C-8040-7E8FC3C85BB6

No reboot is required.

We will continue to update this thread as more information becomes available. Thanks again for your help and patience with this issue.
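The registry change described in the post above, as an added PowerShell example that is not part of the original post or Duo's own tooling. The key path, value name, type and GUID are copied from the post; the function names are hypothetical. Because the post states that this setting lets Microsoft Accounts log in with no second factor, the script also reports whether a host currently has it applied.

```powershell
# Added example. Run from an elevated PowerShell session to apply the change;
# reading the value for the audit functions does not require elevation.
# Path, value name and GUID are taken verbatim from the post above.
$KeyPath    = 'HKLM:\SOFTWARE\Duo Security\DuoCredProv'
$ValueName  = 'ProvidersWhitelist'
$BypassGuid = 'F8A0B131-5F68-486C-8040-7E8FC3C85BB6'

function Get-DuoProvidersWhitelist {
    # Returns the current REG_MULTI_SZ entries, or nothing if the value is absent.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }
    return @($item.$ValueName)
}

function Test-DuoMicrosoftAccountBypass {
    # True when the GUID from the post is listed (case and surrounding braces ignored).
    $wanted = $BypassGuid.Trim('{}')
    foreach ($entry in Get-DuoProvidersWhitelist) {
        if ($entry.Trim().Trim('{}') -ieq $wanted) { return $true }
    }
    return $false
}

function Set-DuoMicrosoftAccountBypass {
    # Creates the key if needed and overwrites the value so that it holds only
    # the GUID from the post (an earlier post says to remove the previous GUID).
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", "Set to $BypassGuid")) {
        if (-not (Test-Path -Path $KeyPath)) {
            New-Item -Path $KeyPath -Force | Out-Null
        }
        New-ItemProperty -Path $KeyPath -Name $ValueName `
            -PropertyType MultiString -Value @($BypassGuid) -Force | Out-Null
    }
}

# Audit only: report the current state without changing anything.
[pscustomobject]@{
    Computer               = $env:COMPUTERNAME
    WhitelistEntries       = (Get-DuoProvidersWhitelist) -join ', '
    MicrosoftAccountBypass = Test-DuoMicrosoftAccountBypass
}
```

Call `Set-DuoMicrosoftAccountBypass -WhatIf` to preview the write, then without `-WhatIf` to apply it.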


#33

I’m new to Duo and trying to follow this conversation on Creators Fall. English is not my native language, so what I get from this post is a problem regarding non-local accounts … my problem is with a local account.

I reinstalled my Windows Pc (Creators Fall), created a local account and installed Duo.

Now when I try to Remote Desktop from my Mac to the Pc, it asks for credentials even though my Mac Remote Desktop is providing the username and password. After I have entered my credentials, the Duo form is shown - not before.

Uninstalling Duo makes my Mac Remote Desktop work perfectly without asking for credentials … why is it asking for credentials (when Duo is installed) even though the credentials are provided from the Mac? Can I fix this?

This was not a problem before Creators Fall - before Creators Fall, my Mac would start Remote Desktop, I get the Duo form, I accept and I’m in - no credentials.


#34

Hi Dooley,

How’s it going getting Duo working with the Fall Creator’s update? Any eta?

Cheers


#35

Any progress to report? For now, despite some disadvantages for local accounts, I reverted to a local login to get around this issue and allow Duo to work on 1709. I would very much like to go back to a Microsoft Account though, once this issue is resolved. Thanks!

I do wish the dual factor RDP article was clearer, since it seems to give hope that above is a work-around, but you stated here more clearly:

“As @patrickknight posted earlier, a workaround is available that allows Duo to remain installed and protect non-Microsoft Accounts while allowing access to Microsoft Accounts with no second factor.”

FYI, I’m quite happy with Duo for RDP, an awesome capability that I’ve wanted for years. Coupled with creative router config to forward port 443 to 3389 for the IP of my RDP listening Windows 10 1709 PC (since hotels often block 3389), I can now avoid the slow-down of VPNing to my remote network with relative safety. Glad Duo even works when using my phone’s RDP app, when hair-pinning (connecting while on local LAN) or remote (taking advantage of the port-forwarding coupled with ddns.net). Awesome!


#36

I rolled back prior to fall creators edition. For now, that’s the only option to get connected without doing the reboots.


#37

Quick update: we are currently engaged with Microsoft about this issue; we will supply an ETA once we know more. Thanks!


#38

Hello - since it’s been almost 3 weeks, are there any updates to this issue? The work around does not appear to work for me as when I connect over RDP I never get any Duo information back, it just sits there and I cannot login. I am able to login locally, but not over RDP.


#39

Am experiencing the same issue as Jeal168. After a reboot, the DUO notification will appear on my phone and I can log in. After I disconnect and try a second time, no DUO notification, only the Windows username/password screen. This is AFTER the registry edit ProvidersWhiteList.

Using a Windows 10 Pro. Version 1709, OS build 16299.192, member of an Active Directory domain.

A fix would be greatly appreciated (and shouldn’t take this long for a company such as Duo???)


#40

Hello all,

Just wanted to let you know we are still working through resolving this issue with Microsoft developer support.


#41

This is a complete show stopper as it renders Duo completely unusable for us. All of our users use Microsoft accounts.

I am currently researching alternative products. But in all honesty, I am not pleased with any so far. This is costing us time and money, and potentially future business.

Even without Microsoft cooperation, I would expect at least OTP support in the agent.

Can’t some useful workaround be provided ASAP?

Note: Having our end-users edit the registry, just to disable 2FA and re-enable regular logons is not a useful workaround.


#42

For what it’s worth I would like to second the frustration shared by johnbize. I too am researching alternatives for my company. Being a software jockey myself I completely understand the complexities that Microsoft changes could have introduced causing this to break. However, looking at the top of this blog, this has been going on for 5 months. For a company to provide such non-committal answers after 5 months is simply unacceptable. I would really hope by now to see much more detail or at least some better work on supporting your customers. As many have shared your “work around” does not work in all cases.