How to invoke Duo challenge in RDP based on local group membership


Hi all, I wanted to configure duo in RDP that will, let’s say, challenge members of some local groups (like local administrators group), and will pass through the rest. Anyone could think of way implementing it without use of AD/DUO groups?
Meaning, could there be policy that would check if user is member of “local administrators” on this host and if so challenge him, else pass through?


Hi eujeens, based on your requirements, you could consider only enrolling the local administrators in Duo and setting your RDP application policy to allow access without 2FA for all unenrolled users.

We recommend requiring enrollment and using group policy for this for better security, but this solution may help.


The problem is that most of my users aer enrolled, they have other machines where they are admins. So they will be challenged in this logon though they are not admins here.


You can use Duo applications and group policies to require Duo MFA for a group of Duo users (in a group policy assigned to an application) while bypassing MFA for users not in the Duo group (in an application policy).

Not that I mean a group in Duo populated with Duo users, not a local group on the client that contains users who also exist in Duo.

Here’s an example (only Duo users in the “ServerAdmins” Duo group have to perform 2FA):

Learn more about Duo policies here.


You do inherit some risk when you setup bypass rules for these privileged admins. You can add the “administrator” account to DUO and then attach it to the admins who have the required access to use that account. When RDP sessions are initiated, you can select, at logon, which device you want to authenticate with.