Trusted Endpoint for RDP authentication

I’m trying to figure out if the following scenario is possible:

I have 2 session hosts with RDP auth agents installed. I would like for:

  • enrolled users who are on trusted laptops to bypass Duo 2FA and log in with AD creds
  • enrolled users on untrusted laptops/desktops to be challenged with AD creds and Duo 2FA

Articles I’ve read so far seem to cover only online apps/browser-based applications, and even with the Duo certificate installed on a trusted device, the Duo challenge is still prompted.

No, this is not possible today for two reasons:

  • As you observed, the Trusted Endpoints feature supports browser authentication to applications, not local Windows logons.
  • Additionally, the Duo trust certificate is not used to determine whether a user must perform 2FA or not.

Feel free to contact your Duo account executive or customer success manager (if you have one), or Duo support, to submit a feature request for trusted access for Windows logon and/or 2FA bypass for trusted devices.