RDP setup with group policy - why add keys to transform or command line?

mcbsys
Level 1

After setting up RDP group policy (2FA for Windows Remote Desktop Protocol and Local Logons | Duo Security), the IKEY, SKEY, and HOST values are present in each machine’s local registry, here:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Duo Security\DuoCredProv

So why do those instructions specify going through the laborious process of creating a transform file for the installer?

In my case, I plan to do manual installation from the command line (https://help.duo.com/s/article/1090?language=en_US), but again, the examples only show command lines with all keys and options specified.

Wouldn’t the simple way to do this be

  1. Set up group policy with all keys and options. Wait for it to sync.
  2. Deploy on each computer without specifying options:
    msiexec.exe /i DuoWindowsLogon64.msi /qn

Am I missing something here? Is it more secure to NOT put the keys in group policy and instead only provide them during the installation on each machine?

Thanks,

Mark Berry
MCB Systems

5 Replies

DuoKristina
Cisco Employee

The transform instructions are mentioned only in the context of software deployment via GPO.

If you will not use GPO to actually install the software (i.e. if you are using scripted deploy with msiexec), you can do exactly what you described.

Thanks for using Duo!

Duo, not DUO.

Thanks Kristina, but I still don’t get it. If I’m deploying with Group Policy, why would I need a transform file with the keys? Why not just use the bare MSI installer? The keys are specified directly in the group policy. It doesn’t make sense to me that I would have to configure the keys in two places.

In other words, steps 3 and 6 of this procedure seem unnecessary and redundant if you put the keys in the main GPO as shown in the screen shot at the end of this procedure.

Regards,

Mark Berry

It was required by the installer when the software publishing instructions were published, but it’s possible that subsequent changes to the installer negated the transform requirement. We can check on that and update the instructions if warranted.

If you are concerned about securing the key information when configuring via GPO, ensure that only those who should be able to view that info can (such as don’t let unprivileged users read the GPO or the RSOP machine scope settings, etc.).

Duo, not DUO.

jasonhand
Level 1

Did this ever get resolved? I was wondering about the same issue as the original poster and it doesn’t look like the documentation has changed. Why can’t you just put the ikey, skey and the API hostname in the GPO and use the standard MSI install in the group policy?

mcbsys
Level 1

I wound up not doing the actual installation via GPO. I just set up the keys in a GPO and run the regular (un-transformed) installer with a script.
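
The approach described in this thread (keys delivered by group policy, then the bare installer run from a script), as an added PowerShell example that is not part of any post and is not Duo's own code. The registry path, value names and MSI file name are taken from the thread; the function name is hypothetical and the MSI is assumed to be in the current directory.

```powershell
# Added example: pre-flight check before running the un-transformed installer.
# Key path and value names (IKEY, SKEY, HOST) are as given in the thread;
# registry value names are case-insensitive.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Duo Security\DuoCredProv'
$Required  = 'IKEY', 'SKEY', 'HOST'
$MsiPath   = 'DuoWindowsLogon64.msi'   # assumed: MSI sits in the current directory

# Hypothetical helper: returns the names of required values that are absent or empty.
function Get-MissingPolicyValue {
    param([string]$Key, [string[]]$Names)
    if (-not (Test-Path -LiteralPath $Key)) { return $Names }
    $props = Get-ItemProperty -LiteralPath $Key
    $Names | Where-Object { [string]::IsNullOrWhiteSpace($props.$_) }
}

$missing = @(Get-MissingPolicyValue -Key $PolicyKey -Names $Required)
if ($missing.Count -gt 0) {
    # Report only which names are absent; never write the values to output or logs.
    Write-Error "Group policy not applied yet; missing: $($missing -join ', ')"
    exit 1
}

# List who can read the key that holds SKEY, for review alongside access to
# the GPO and RSOP data mentioned in the reply above.
(Get-Acl -LiteralPath $PolicyKey).Access |
    Select-Object IdentityReference, RegistryRights, AccessControlType |
    Format-Table -AutoSize

# Same command line as in the original post: no keys or options passed to msiexec.
$proc = Start-Process -FilePath 'msiexec.exe' `
    -ArgumentList @('/i', "`"$MsiPath`"", '/qn') -Wait -PassThru
exit $proc.ExitCode
```

Run it from an elevated session after the policy has synced; a non-zero exit code means either the policy values were not present or msiexec reported a failure.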
