Mass Install DUO to Multiple Computers

Hello,

Is there a way to mass install DUO to multiple computers? I found documentation for silently installing DUO here: Knowledge Base | Duo Security but I was not sure how this worked with the Integration Key and the Secret Key. Has anyone come across this and or found a solution?

Hi @ccarpenter ,

In the command given in that linked article:

duo-win-login-4.0.7.exe /S /V" /qn IKEY="■■■■■■■■■■■■■■■■■■■■XX" SKEY="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" HOST="■■■■■■■■■■■■■■■■■■■■■■■■■■■■" AUTOPUSH="#1" FAILOPEN="#1" SMARTCARD="#1" RDPONLY="#0""

The you would replace the DIXXXXX... value after IKEY= with your integration key and the xxxxx value after SKEY= with your secret key. If you have an endpoint management tool that can run batch commands you can use that (or the msiexec equivalent in that same article) in a job you push to your workstations to install Duo for Windows Logon.

If your workstations are AD domain joined, you could also deploy Duo for Windows Logon via software install GPO.

ETA it occurs to me that you might want to mass-deploy Duo to Windows systems using a unique Duo application for each workstation (therefore a different ikey/skey value needed for each one). There is not a great way to do this, other than some advanced scripting.

1 Like

Hello @DuoKristina,

Thank you for this reply.

We are planning to push out DUO to around 200-300 computers to protect the Windows Login so would there be any issues or drawbacks to using the same Integration Key/Secret Key with so many installs?

Thanks,

The drawback is that if all the computers share the same Duo application (same ikey/skey) you can’t apply unique Duo policies for different workstations that share the same application (you can associate Duo policies with Duo Applications and with groups of Duo users, but not with individual or groups of computers).

Also, when reviewing your Duo authentication logs all the logins will show as coming from that one application, so you’ll need to look at the hostname information included in those authentication events to see which workstation reported the auth event, and there is no way to filter the authentication logs for a particular hostname.

Got it. Thank you for your assistance in answering my questions. You have been a great help!

1 Like