Password Protect RDP Uninstall

Is there currently a feature, or a feature in the works, that will allow admins to set a password requirement to uninstall the Duo RDP installation? I have not had any users attempt to remove it yet, but it would be best to get ahead of the potential risk.

Hi @Frosty81, there is a feature request to require a password to uninstall Duo for Windows Logon and RDP. The Duo Support team can add you to this request if you’d like.

In the meantime, we also strongly advise you to not allow users to have local admin rights when utilizing WinLogon. When using Duo for Windows Logon, you should encrypt the hard drive and not have any local admins. There are too many ways that somebody with hands-on access can abuse rights on that machine.
I hope that helps!

I will reach out to the support team to be added to the request.

I would LOVE to remove local admin rights to the end users’ machines. However, being a dept of 1 who manages 400-500 end user computers, it is not feasible for me to have to micromanage them.

Thank you for your time in advising me on the status of the feature, and have a great day.

Has there been any update to this feature? I’ve already got in touch with support and I received the same “automated” response down to the letter. This is such an important feature to have that I can’t believe this wasn’t incorporated into the application when it was developed. There are a lot of users that are uninstalling this to bypass Duo. I also have hundreds of endpoints and 95% of users need to be admin of the boxes to be able to perform their duties on the applications they use. We need this yesterday!

Hi @time, unfortunately, no, there has not been any update to this feature yet. The reason you received the same response from support as what I’ve said here is because that is all we can share publicly at this time. This idea is still under consideration for the future. I appreciate you sharing your use case and the importance of this feature with us though. I’ll reach out to our internal team and see if there’s any additional information they can add to the conversation here.

Update: We are considering enhancements to Duo for Windows Logon RDP and, by extension, RDWeb and RDGateway with the Device Health Application to help not just security posture, but also combine a known process with several checks and authentication before authorization.

I realize you’re concerned with users uninstalling Duo to get around the requirement for MFA. However, having a password like this would ultimately not be sufficient security in the event a bad actor were to get admin access, which is why our continued recommendation is to not allow users to have admin access.

I hope that helps.

The recommendation to not allow users to have local admin rights is not the best recommendation. Security and business flow must work with each other for it to work. Most of our apps require our users to have local admin rights. Taking away that privilege will take away their productivity, leading to loss of revenue for the organization. We can’t have that. MFA is crucial to protecting and preventing compromised accounts. Yet, DUO is a huge part in an organization’s layered defense that we still don’t understand why this isn’t yet available. Every other security-focused application that I am aware of, Symantec, Malwarebytes, CrowdStrike, etc., offers this capability. I hope your internal team moves this to the top of their priority list.

Thank you for sharing this additional context with us, and I wish I had a better recommendation to share with you at this time. I can appreciate the impact this has on your organization. I will share your feedback with our development team.