12-03-2019 10:02 AM
After setting up RDP group policy (2FA for Windows Remote Desktop Protocol and Local Logons | Duo Security), the IKEY, SKEY, and HOST values are present in each machine’s local registry, here:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Duo Security\DuoCredProv
So why do those instructions specify going through the laborious process of creating a transform file for the installer?
In my case, I plan to do manual installation from the command line (https://help.duo.com/s/article/1090?language=en_US), but again, the examples only show command lines with all keys and options specified.
Wouldn’t the simple way to do this be
msiexec.exe /i DuoWindowsLogon64.msi /qn
Am I missing something here? Is it more secure to NOT put the keys in group policy and instead only provide them during the installation on each machine?
Thanks,
Mark Berry
MCB Systems
12-04-2019 08:17 AM
The transform instructions are mentioned only in the context of software deployment via GPO.
If you will not use GPO to actually install the software (i.e. if you are using scripted deploy with msiexec), you can do exactly what you described.
Thanks for using Duo!
12-04-2019 10:55 AM
Thanks Kristina, but I still don’t get it. If I’m deploying with Group Policy, why would I need a transform file with the keys? Why not just use the bare MSI installer? The keys are specified directly in the group policy. It doesn’t make sense to me that I would have to configure the keys in two places.
In other words, steps 3 and 6 of this procedure seem unnecessary and redundant if you put the keys in the main GPO as shown in the screen shot at the end of this procedure.
Regards,
Mark Berry
12-04-2019 12:31 PM
It was required by the installer when the software publishing instructions were published, but it’s possible that subsequent changes to the installer negated the transform requirement. We can check on that and update the instructions if warranted.
If you are concerned about securing the key information when configuring via GPO, ensure that only those who should be able to view that info can (for example, don’t let unprivileged users read the GPO or the RSOP machine scope settings, etc.).
05-15-2021 04:34 AM
Did this ever get resolved? I was wondering about the same issue as the original poster and it doesn’t look like the documentation has changed. Why can’t you just put the ikey, skey and the api hostname in the GPO and use the standard msi install in the group policy?
05-15-2021 01:02 PM
I wound up not doing the actual installation via GPO. I just set up the keys in a GPO and run the regular (un-transformed) installer with a script.
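The approach in the last reply (keys delivered by GPO, bare MSI run from a script), as an added PowerShell example that is not from the thread or from Duo: it confirms the three values named in the first post are present before running the un-transformed installer, and lists non-administrative SIDs that can read the key. The MSI location and the function names are assumptions.

```powershell
# Added example, not Duo's code. Run elevated on the target machine.
$keyPath  = 'HKLM:\SOFTWARE\Policies\Duo Security\DuoCredProv'   # path from the thread
$required = 'IKEY', 'SKEY', 'HOST'                               # value names from the thread
$msi      = Join-Path $PSScriptRoot 'DuoWindowsLogon64.msi'      # assumed: MSI sits beside this script

# Hypothetical helper: returns the names of values that are missing or empty.
function Test-DuoPolicyValues {
    param([string]$Path, [string[]]$Names)
    if (-not (Test-Path -LiteralPath $Path)) { return $Names }
    $props = Get-ItemProperty -LiteralPath $Path
    $Names | Where-Object { [string]::IsNullOrWhiteSpace([string]$props.$_) }
}

# Hypothetical helper: SIDs, other than SYSTEM / Administrators / Creator Owner,
# that hold an Allow entry with the right to read values under the key.
function Get-NonAdminReaders {
    param([string]$Path)
    $trusted = 'S-1-5-18', 'S-1-5-32-544', 'S-1-3-0'
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $query   = [System.Security.AccessControl.RegistryRights]::QueryValues
    (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.RegistryRights -band $query) -and
            $_.IdentityReference.Value -notin $trusted
        } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
}

$missing = @(Test-DuoPolicyValues -Path $keyPath -Names $required)
if ($missing.Count -gt 0) {
    # Report names only; the SKEY value itself is never written to output or logs.
    Write-Error "Policy values not applied yet: $($missing -join ', '). Run gpupdate and retry."
    exit 1
}

$readers = @(Get-NonAdminReaders -Path $keyPath)
if ($readers.Count -gt 0) {
    Write-Warning "SIDs outside SYSTEM/Administrators can read $keyPath : $($readers -join ', ')"
}

# Bare MSI, no transform and no key properties on the command line.
$proc = Start-Process msiexec.exe -ArgumentList '/i', "`"$msi`"", '/qn' -Wait -PassThru
exit $proc.ExitCode
```

The ACL check covers only the local registry copy of the settings; read access to the GPO itself and to RSOP data, which the earlier reply mentions, has to be reviewed separately.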