As per the topic title, I’ve a full updated Windows 2019 server running DUO authentication for RDP connections.
There is a single sign on method for DUO PINs which uses a manually entered TOTP hardware key.
The server appears to be getting compromised, while the DUO authentication logs on duo.com show no sign of an authorised login with the TOTP. When installed, the block shell access box was ticked and no other services are running on the server that should allow access.
How to proceed?