Windows Logon - conditional access

Hello community,

I am in the process of feature validation for Duo and, related to Windows Logon, I was wondering if we could enfore 2FA for laptop outside the enterprise network.

In other words, if a laptop is connected to our enterprise network (directly - no VPN), 2FA is bypassed but if the user is outside, 2FA is enforced.


Hi @Antony-Gallez ,

The Duo feature that allows the bypass of 2FA from specific networks is provided by the Authorized Networks policy setting.

Which applications support Remembered Devices and Authorized Networks?

When logging into Windows locally (not through RDP), the IP address reported to Duo is Please see the following KB article that explains why this is: Knowledge Base | Duo Security

Since no actual IP address is reported during a Local Winlogon authentication, there is no way to apply the Authorized Networks policy.

I would recommend you have Duo protecting the applications themselves that users log into (to include VPN) and, if possible, move away from viewing specific networks as “trusted” so as to coincide with more of a Zero Trust architecture.

Thanks for trying Duo!


Thank you for your swift reply.

This requirement comes for the customer: they want to protect Windows Logon only when outside their corporate network. 2FA is also used to secure their other business applications (incl. VPN).

Anyway, for what I understand, it is not supported.

Have a nive day.