Proof that Duo is set to pop up at Windows logon

Hello. I'm currently working on a FedRAMP project that is using Duo for MFA. Can anyone tell me where I can find evidence that Duo is set up to pop up at a server's logon screen? Is there a configuration setting or a registry key that can prove this?

I’d wait for someone who works for Duo to give you an official answer but I think the registry keys in HKLM\SOFTWARE\Duo Security\DuoCredProv\ are proof.

You can show it’s installed and configured via the registry values at HKLM\SOFTWARE\Duo Security\DuoCredProv or HKLM\Software\Policies\Duo Security\DuoCredProv (the second location is where the effective config lives if you used GPO in your org to configure Duo).

For example, if you want to show that it is configured to require Duo MFA at both RDP and local console logons, you could check that the RdpOnly value at those locations is set to 0.

You can see details for all GPO configurable registry settings in the Windows Logon GPO download linked from here.

ETA: I came from an environment that sounds like yours, where we had regular audits of server security settings, including 2FA (not Duo, but another vendor’s solution that had a client installed on the server). For all the various bits of security software I would gather registry and RSoP info for the in-scope servers and prepare a report for the auditors, but they’d spot-check by choosing 20-30 systems and have me actually log in to demonstrate the controls from the report were effective.
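The registry check described in the answer above, as an added PowerShell example that is not part of the original posts and is not Duo's own tooling. It reads only the RdpOnly value from the two keys named above and treats the Policies key as the effective one when it is present; the function name and the output field names are assumptions made for illustration.

```powershell
# Added example. Key paths and the RdpOnly value name come from the answer above;
# Get-DuoLogonEvidence and its output fields are hypothetical names.
function Get-DuoLogonEvidence {
    $keys = [ordered]@{
        Policy = 'HKLM:\SOFTWARE\Policies\Duo Security\DuoCredProv'  # set by GPO
        Local  = 'HKLM:\SOFTWARE\Duo Security\DuoCredProv'           # set at install
    }
    $present = @{}
    $rdpOnly = @{}
    foreach ($source in $keys.Keys) {
        $present[$source] = Test-Path -Path $keys[$source]
        if ($present[$source]) {
            # Only RdpOnly is read, so no other value under the key ends up in the report.
            $props = Get-ItemProperty -Path $keys[$source]
            if ($props.PSObject.Properties.Name -contains 'RdpOnly') {
                $rdpOnly[$source] = [int]$props.RdpOnly
            }
        }
    }
    # Per the answer above, the Policies key holds the effective config when GPO is used.
    $effective = @('Policy', 'Local') |
        Where-Object { $rdpOnly.ContainsKey($_) } |
        Select-Object -First 1

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        CollectedUtc       = (Get-Date).ToUniversalTime().ToString('s')
        PolicyKeyPresent   = $present['Policy']
        LocalKeyPresent    = $present['Local']
        RdpOnlyPolicy      = $rdpOnly['Policy']
        RdpOnlyLocal       = $rdpOnly['Local']
        EffectiveSource    = $effective
        EffectiveRdpOnly   = if ($effective) { $rdpOnly[$effective] } else { $null }
        # True only when RdpOnly was found and is 0 (Duo at both console and RDP logon).
        MfaAtConsoleAndRdp = ($null -ne $effective -and $rdpOnly[$effective] -eq 0)
    }
}

# Local run, written to a CSV that can be attached to the audit report.
Get-DuoLogonEvidence | Export-Csv -Path .\duo-logon-evidence.csv -NoTypeInformation

# For several in-scope servers (requires PowerShell remoting; names are placeholders):
# Invoke-Command -ComputerName 'SERVER01', 'SERVER02' -ScriptBlock ${function:Get-DuoLogonEvidence} |
#     Export-Csv -Path .\duo-logon-evidence.csv -NoTypeInformation
```

A row with no EffectiveSource means neither key carried an RdpOnly value on that server, so the script makes no claim about it and the server needs a manual look.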