How to invoke Duo challenge in RDP based on local group membership


#1

Hi all, I wanted to configure Duo in RDP so that it will, let's say, challenge members of some local groups (like the local administrators group) and pass through the rest. Could anyone think of a way of implementing it without the use of AD/Duo groups?
Meaning, could there be a policy that would check if the user is a member of "local administrators" on this host and, if so, challenge him, else pass through?


#2

Hi eujeens, based on your requirements, you could consider only enrolling the local administrators in Duo and setting your RDP application policy to allow access without 2FA for all unenrolled users.

We recommend requiring enrollment and using group policy for this for better security, but this solution may help.