Where to install Duo for Windows Local Logon/Active Directory

Hi all,
we have Duo installed and working to protect access via Microsoft RD Gateway. Now we want to set up Duo also for Windows local logon for all user local logons in the active directory domain. I am not sure about on which server to install? Does it have to be a domain controller or can it be any member server and then push out via GPO? Can I install the Duo Microsoft RDP application on the same server where currently the Duo app for protecting Microsoft RD Gateway is installed?

Hi @gg2,

If your goal is to require login to every Windows computer on the domain you’ll need to look at using our Duo Authentication for Windows Logon and RDP. This will install a client on every machine that can require 2FA before the user logs on using RDP or a local logon.

We’ve got some docs about how to push this out using Group Policy right here: 2FA for Windows Remote Desktop Protocol and Local Logons | Duo Security

1 Like

Hi jamie,

yes, thanks. goal is to require login to every Windows computer on the domain with duo. I couldn’t find the information whether the server side application needs to be installed on the domain controller or can it be any member server?
thanks for your guidance.


Duo does not provide a solution that integrates directly with Active Directory. Duo protects various clients of AD by adding 2FA at the application, and does not directly add 2FA to AD account authentication itself.

We use this as well. It works really well and protects PCs as well as RDP sessions to servers.

  1. You create a protected application in the duo admin portal

  2. You install the login client on the PC to be protected

  3. During installation you are asked for the ikey skey and api-host of the protected application (admin portal settings)

You can automate the install for pushing out via GPO but you need to create a transform file (which will answer the install questions) which can be used with the MSI in the install bundle.

Also, I recommend creating an RMM script that removed Duo in case a user has not created an offline code and your implementation is set to “fail closed” or you will be locked out of the PC if internet access is lost.

Thank you, Michael! Can you point me to the RMM script you mentioned please?

We wrote it inhouse. You need to create a Transform file from the MSI to answer the install questions.

To Install:

@echo off
msiexec /i “\path\to\Duo\Client\Installer\DuoWindowsLogon64.msi” /qn TRANSFORMS="\path\to\Duo\Client\Installer\DuoWindowsLogon64.mst"
echo Install Duo Client [WIN] complete

To Remove:

@echo off
regsvr32 /u “C:\Program Files\Duo Security\WindowsLogon\DuoCredProv.dll”
regsvr32 /u “C:\Program Files\Duo Security\WindowsLogon\DuoCredFilter.dll”
shutdown /r /f
echo Disable Duo [WIN] complete