Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2100
Views
1
Helpful
6
Replies

Where to install Duo for Windows Local Logon/Active Directory

gg21
Level 1
Level 1

‎03-22-2021 03:13 AM

Hi all,
we have Duo installed and working to protect access via Microsoft RD Gateway. Now we want to set up Duo also for Windows local logon for all user local logons in the active directory domain. I am not sure about on which server to install? Does it have to be a domain controller or can it be any member server and then push out via GPO? Can I install the Duo Microsoft RDP application on the same server where currently the Duo app for protecting Microsoft RD Gateway is installed?
thanks!
Georg

Labels:
0 Helpful
6 Replies 6

jamieis
Cisco Employee
Cisco Employee

‎03-22-2021 05:18 AM

Hi @gg2,

If your goal is to require login to every Windows computer on the domain you’ll need to look at using our Duo Authentication for Windows Logon and RDP. This will install a client on every machine that can require 2FA before the user logs on using RDP or a local logon.

We’ve got some docs about how to push this out using Group Policy right here: 2FA for Windows Remote Desktop Protocol and Local Logons | Duo Security

gg21
Level 1
Level 1

‎03-22-2021 08:55 AM

Hi jamie,

yes, thanks. goal is to require login to every Windows computer on the domain with duo. I couldn’t find the information whether the server side application needs to be installed on the domain controller or can it be any member server?
thanks for your guidance.

0 Helpful

DuoKristina
Cisco Employee
Cisco Employee
In response to gg21

‎03-22-2021 12:26 PM

@gg2

Duo does not provide a solution that integrates directly with Active Directory. Duo protects various clients of AD by adding 2FA at the application, and does not directly add 2FA to AD account authentication itself.

Duo, not DUO.
0 Helpful

mpaine1
Level 1
Level 1

‎03-26-2021 07:51 AM

We use this as well. It works really well and protects PCs as well as RDP sessions to servers.

  1. You create a protected application in the duo admin portal

  2. You install the login client on the PC to be protected

  3. During installation you are asked for the ikey skey and api-host of the protected application (admin portal settings)

You can automate the install for pushing out via GPO but you need to create a transform file (which will answer the install questions) which can be used with the MSI in the install bundle.

Also, I recommend creating an RMM script that removed Duo in case a user has not created an offline code and your implementation is set to “fail closed” or you will be locked out of the PC if internet access is lost.

0 Helpful

gg21
Level 1
Level 1

‎03-26-2021 03:31 PM

Thank you, Michael! Can you point me to the RMM script you mentioned please?

0 Helpful

mpaine1
Level 1
Level 1
In response to gg21

‎05-13-2021 07:22 AM

We wrote it inhouse. You need to create a Transform file from the MSI to answer the install questions.

To Install:

@echo off
msiexec /i “\path\to\Duo\Client\Installer\DuoWindowsLogon64.msi” /qn TRANSFORMS="\path\to\Duo\Client\Installer\DuoWindowsLogon64.mst"
echo Install Duo Client [WIN] complete
exit

To Remove:

@echo off
regsvr32 /u “C:\Program Files\Duo Security\WindowsLogon\DuoCredProv.dll”
regsvr32 /u “C:\Program Files\Duo Security\WindowsLogon\DuoCredFilter.dll”
shutdown /r /f
echo Disable Duo [WIN] complete
exit

0 Helpful
Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents