After setting up RDP group policy (2FA for Windows Remote Desktop Protocol and Local Logons | Duo Security), the IKEY, SKEY, and HOST values are present in each machine’s local registry, here:
So why do those instructions specify going through the laborious process of creating a transform file for the installer?
In my case, I plan to do manual installation from the command line (https://help.duo.com/s/article/1090?language=en_US), but again, the examples only show command lines with all keys and options specified.
Wouldn’t the simple way to do this be:
- Set up group policy with all keys and options. Wait for it to sync.
- Deploy on each computer without specifying options:
  `msiexec.exe /i DuoWindowsLogon64.msi /qn`
Am I missing something here? Is it more secure to NOT put the keys in group policy and instead only provide them during the installation on each machine?