I’m testing out Duo right now and I have it working with RDP, but it doesn’t appear to be working when I uses psexec to remote into it. Is there a way to require 2FA for ALL login attempts and not just RDP and local console logins?
You can find which logon types Duo for Windows Logon protects in the FAQ What logon interfaces can Duo protect?. As you observed, this includes interactive logons and elevation requests.
Please contact your Account Executive, Customer Success Manager if applicable, or our Support Team to submit a feature request for protecting additional login interfaces.