Updating existing DUO Install via GPO

//GPO
We have an existing DUO deployment pushed out via GPO. DUO is used for local Windows Logon authentication on Windows 10 domain joined devices.

What is the recommended process for updating these clients?

  • Retire the existing GPO and create a new one? or
  • Can we drop the MSI in a sub-folder and re-point the GPO at the updated MSI installer?

Upon the next boot, will this just upgrade the existing installation?

//Servers
We also have DUO installed on a few RDS servers (manual, non-GPO install).
We have an RMM agent so we can run powershell scripts remotely as SYSTEM.
Can we run the MSI on the command-line to update DUO as-is?

For your servers, which did not receive Duo installed via GPO, you can run the newer installer on those systems using PowerShell to perform an upgrade.

To update the version of Duo installed via a software publishing GPO, you create an upgrade package relationship between the older version and the new one you want to deploy. You can find guidance from Microsoft on how to upgrade GPO-managed applications here: Upgrading Installed Applications: Group Policy | Microsoft Learn.