Windows disable DUO for specific user or group

igorcom · ‎07-08-2022

Hi,
Why there is no option on Windows to disable DUO for specific user or group in case if DUO is offline, like it is on Linux? On Linux I can specify some user that are not subject to DUO authentication in any case, on Windows, as far as I know there is no such possibility, and I don’t understand why?

TabBerger · ‎07-08-2022

Hi there @igorcom , welcome to the Community!

I took a look through our Windows documentation and found a setting that may be able to help you restrict access on Windows similar to how you’re able to on Duo Unix. If you check the Only allow offline login from users in certain groups setting in the offline access configuration settings in the “Microsoft RDP” application page in the Duo Admin Panel, you can specify a group or groups of Duo users permitted to use offline access. Users who don’t belong to groups you select here won’t be able to enroll in offline access or login in with MFA when the Windows system is unable to contact Duo. You can learn more about this setting and other setup intructions in our Duo Authentication for Windows Logon and RDP documentation.

Let us know if you have any other questions and have an awesome day!

igorcom · ‎07-09-2022

Sorry if I wasn’t clear. I need on Windows equivalent of “groups” parameter in DUO Linux configuration, something that will allow me to specify users that can bypass DUO offline and online.

TabBerger · ‎07-15-2022

Hi there @igorcom ,

My apologies, I misunderstood your original question! I looked into this further for you and discovered we currently do not have the ability to query groups to determine whether or not to enforce 2FA in our Windows Logon like we do in Duo Unix. I will pass along your feedback to our product team and will add your suggestion to the feature request that has been proposed to add this functionality in the future. Thank you for your suggestion!