RDP setup with group policy - why add keys to transform or command line?

After setting up RDP group policy (2FA for Windows Remote Desktop Protocol and Local Logons | Duo Security), the IKEY, SKEY, and HOST values are present in each machine’s local registry, here:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Duo Security\DuoCredProv

So why do those instructions specify going through the laborious process of creating a transform file for the installer?

In my case, I plan to do manual installation from the command line (https://help.duo.com/s/article/1090?language=en_US), but again, the examples only show command lines with all keys and options specified.

Wouldn’t the simple way to do this be

  1. Set up group policy with all keys and options. Wait for it to sync.
  2. Deploy on each computer without specifying options:
    msiexec.exe /i DuoWindowsLogon64.msi /qn

Am I missing something here? Is it more secure to NOT put the keys in group policy and instead only provide them during the installation on each machine?


Mark Berry
MCB Systems

The transform instructions are mentioned only in the context of software deployment via GPO.

If you will not use GPO to actually install the software (i.e. if you are using scripted deploy with msiexec), you can do exactly what you described.

Thanks for using Duo!

Thanks Kristina, but I still don’t get it. If I’m deploying with Group Policy, why would I need a transform file with the keys? Why not just use the bare MSI installer? The keys are specified directly in the group policy. It doesn’t make sense to me that I would have to configure the keys in two places.

In other words, steps 3 and 6 of this procedure seem unnecessary and redundant if you put the keys in the main GPO as shown in the screen shot at the end of this procedure.


Mark Berry

It was required by the installer when the software publishing instructions were published, but it’s possible that subsequent changes to the installer negated the transform requirement. We can check on that and update the instructions if warranted.

If you are concerned about securing the key information when configuring via GPO, ensure that only those who should be able to view that info can (such as don’t let unprivileged users read the GPO or the RSOP machine scope settings, etc.).