UAC_PROTECTMODE Option 1 doesn't function as expected

My objective is to ensure the safety of my company by installing Duo on all system images. However, the procurement of licenses for thousands of accounts is unfeasible. Hence, I must rely on licenses for individuals with elevated privileges. I had considered the UAC_PROTECTMODE option 1 as a viable solution. However, its functionality appears limited as it only prompts for Duo authentication when accessing elevated privileges within a non-administrative account. This renders the option redundant if I were to log in with elevated privileges at the primary login, as I would not receive a Duo prompt. Consequently, the option does not serve its intended purpose. In the event that credentials are stolen or compromised, an individual would only need to log into the device with the same credentials, rather than the elevated privileges within the user account. In summary, is there an alternative option that can enforce Duo authentication for all elevated privileges, including those within administrative accounts but not require a prompt at login?

Our suggestion would be to require Duo authentication when the privileged user logs in to Windows. You could do this by applying an application policy to the Microsoft RDP application in Duo that bypasses 2FA, and then applying a group policy to that same RDP application that requires 2FA and targeting a Duo group comprised of your privileged Windows administrator accounts.