Is there currently a feature, or a feature in the works, that will allow admins to set a password requirement to uninstall the Duo RDP installation? I have not had any users attempt to remove it yet, but it would be best to get ahead of the potential risk.

Hi @Frosty81, there is a feature request to require a password to uninstall Duo for Windows Logon and RDP. The Duo Support team can add you to this request if you’d like.

In the meantime, we also strongly advise you to not allow users to have local admin rights when utilizing WinLogon. When using Duo for Windows Logon, you should encrypt the hard drive and not have any local admins. There are too many ways that somebody with hands-on access can abuse rights on that machine.

I will reach out to the support team to be added to the request.

I would LOVE to remove local admin rights to the end users' machines. However, being a dept of 1 who manages 400-500 end user computers, it is not feasible for me to have to micromanage them.

Thank you for your time in advising me on the status of the feature, and have a great day.

Has there been any update to this feature? I’ve already got in touch with support and I received the same “automated” response down to the letter. This is such an important feature to have that I can’t believe this wasn’t incorporated into the application when it was developed. There are a lot of users that are uninstalling this to bypass Duo. I also have hundreds of endpoints and 95% of users need to be admin of the boxes to be able to perform their duties on the applications they use. We need this yesterday!

Hi @time, unfortunately, no, there has not been any update to this feature yet. The reason you received the same response from support as what I’ve said here is because that is all we can share publicly at this time. This idea is still under consideration for the future. I appreciate you sharing your use case and the importance of this feature with us though. I’ll reach out to our internal team and see if there’s any additional information they can add to the conversation here.

Update: We are considering enhancements to Duo for Windows Logon RDP and, by extension, RDWeb and RDGateway with the Device Health Application to help not just security posture, but also combine a known process with several checks and authentication before authorization.

I realize you’re concerned with users uninstalling Duo to get around the requirement for MFA. However, having a password like this would ultimately not be sufficient security in the event a bad actor were to get admin access, which is why our continued recommendation is to not allow users to have admin access.

