Fall Creators Update (Version 1709) of Windows 10 breaks Duo for Windows Logon’s support for Microsoft Accounts


#43

Hi @cclarsen and @johnbize (and everyone else watching this thread),

We understand that this is a frustrating issue without a complete workaround and apologize for the time it’s taking to get this resolved. We are working with Microsoft on a solution and have further escalated this issue with our contacts there. We will promptly update this thread and our documentation as soon as a full solution is available, but we do not have any additional details to share at this time.


#44

We haven’t heard anything in three weeks.

I believe this is a significant enough bug to warrant frequent updates. Will a fix be in the next (March?) release? Has Duo just decided to abandon Windows account users? It broke last November, right?


#45

Hey @johnbize,

I understand the frustration, unfortunately there isn’t much to update at this time other than we are waiting on additional feedback from Microsoft developers. As soon as there is more info we’ll share it here.

Also we are not abandoning Microsoft/LiveID accounts.


#46

Hi Fellow Duo Users,
I used this product a lot and care about this feature. As a workaround I have reverted back to previous version prior to fall creators update and have paused build updates so that I can use feature without issues.

Hi Duo Support,
Are you open to allowing end users to help troubleshoot and in return probably provide bounties / rewards if the provided resolution does work? This would certainly help fast track the resolution of this particular issue. I’m guessing most of the users responding on this forum are either IT Pros or Developers that can help with proper motivation. It’s just a suggestion.


#47

@Jeal138

We don’t have a bug bounty program, but we’re always glad to work with customers.


#48

I also would like to express concern over this bug. There seems to have been little progress made, or at least communicated to the community.

While I am sure this is quite a difficult problem to handle, we are talking about something that was introduced in the FALL 2017 update. Microsoft releases major updates yearly or more often now for Windows 10.

Should we expect a major feature to be broken for half a year before a fix is applied? Another major update is six months away. Will this be resolved before the next huge patch comes and potentially causes more problems? Could this not have been tracked down before 1709 hit by finding the problem in one of the RCs and fixed before the cumulative patch set was pushed to consumers?

The other option is to expect us to hold off on installing vital security fixes to our machines? Obviously, your subscribers are more interested in security than the average user, so that is a non-starter.

Please help us understand how the problem is being worked, and when a resolution can be expected.


#49

We absolutely understand the frustration regarding this issue, but there is not a fix or timeline available at this time.

We are still very much working with Microsoft support on a resolution. You can also reach out to Microsoft Support regarding this issue as well. If you do so, please cite issue #117121217311532.


#50

I am interested in what Microsoft has to say, so I asked.

https://answers.microsoft.com/en-us/windows/forum/windows_10-security/duo-security-broken-after-fall-security-update/ba38be39-6dee-433d-a59b-295b80658342


#51

Also commenting that this is impacting my functionality of the program and I’m really surprised that it is taking this long to resolve.


#52

We have confirmation from Microsoft a bug was introduced in v1709 that causes multiple authentication prompts during RDP sessions. In build 1709, the ICredentialProviderFilter is constructed but IF the user already has a logged-in session (locked or unlocked) then Update RemoteCredential is not called. Build 1703 works.

The ETA provided by Microsoft for shipping the hotfix is 2-4 weeks. The SR# for this issue is: 118041318000260 if anyone else wants to track the issue.

On the the LiveID/Microsoft Account issue we are still engaged with Microsoft developers do not have an eta on resolution currently.


#53

Quick update with the upcoming release of Windows 10 - April 2018 it does not include the aforementioned fix as it is slated for RS5. Microsoft is working on internal approvals to back port this as a hotfix to RS3/v1709/Fall Creators and RS4/April 2018, with timing TDB for this summer.


#54

I can confirm that this issue still persists in the Spring/April update. I am on version 1803 OS Build 17134.1 and still see the same behavior.


#55

I haven’t upgraded yet to 1803 but I gave up waiting for the update / patch. I have reverted back to using local account instead of the live id.

Use of local account is not affected by the changes made in build1709.


#56

So this broke in mid October 2017 and it’s now mid June 2018, 8 months later. This represents our only use-case for using Duo and it’s no longer available.

I think it’s probably safe to assume that this is not a priority for Duo.

We must have a 2FA solution for users with Microsoft accounts. What are the alternatives?


#57

Honestly, I’ve given up on Duo fixing this.

I don’t use live accounts on public-facing rdp servers, and I have also never recommended Duo to a client, or upgraded my account to the paid tier.


#58

We continue to engage with Microsoft around this issue. The most up to date information I can provide at this point is, based on the information we have provided to Microsoft they are close to identifying a root cause.

Feel free to contact Microsoft support and reference SR#117121217311532 for additional guidance.

@johnbize Could you reach out to Support to discuss your use case and see if there are other way to protect RDP.


#59

It seems like this issue has been resolved? I have been able to log in using a Microsoft account via rdp successfully multiple times, while only disconnecting the session. I am on Win 10 Pro x64 OS Build 17134.137.

I have another machine with Win 10 Pro x64 OS Build 17134.112 and that one still has the issue.


#60

@Chuck,

This thread’s discussion has addressed two different issues…

The initial issue for which this thread was created, problems logging in using a Microsoft Live account with Duo installed, is still outstanding. We have been working with Microsoft on it since it was first apparent. Any interested parties can contact Microsoft and reference our case SR#117121217311532.

A second issue was raised by some commenters not using Live accounts where they experienced disconnects or multiple prompts when logging in. This was identified as a bug by Microsoft and first fixed in the RS5 update.

It sounds like you were encountering the second issue, which would explain why it is fixed in the later Win 10 build.


#61

I have been experiencing the first issue, as I use a Live account to log into Windows 10. Since last Fall, I have been unable to log in using a Live account and Duo, unless it was the first login after rebooting my computer.

Over the last couple of days I have been to log in and reconnect multiple times, without rebooting my computer.


#62

@Chuck,

Had you implemented the whitelist workaround described here, or is your Live account working for all connects and reconnects without the additional registry entry?