Which Of The Following Items Are Not Supported As A Method Of Authentication In Windows 10?
Duo integrates with Microsoft Windows client and server operating systems to add two-factor authentication to Remote Desktop and local logons.
General
Are there any issues installing Duo for Windows Logon on Active Directory domain controllers?
There was an issue seen with Duo Authentication for Windows Logon and RDP version 4.1.0 on Active Directory domain controllers that may trigger user lockouts. Version 4.1.1, released July 13, 2020, first corrected this issue and is suitable for installation on domain controllers, member servers, and workstations. We recommend first updating any domain controllers with 4.1.0 installed to 4.1.1 before attempting to install the latest available version of Duo for Windows Logon.
Does Duo Authentication for Windows Logon support offline multifactor authentication?
Yes, MFA using a Duo Mobile passcode or a supported U2F security key while a Windows system is unable to reach Duo's service is supported in version 4.0 and later. Learn more about offline access.
Which security keys are compatible with offline access with MFA?
Offline access for Windows Logon works with these security keys:
- Yubico brand keys supporting U2F/FIDO2
- Google Titan
- Feitian ePass FIDO
- Thetis FIDO
HyperFIDO tokens are not supported for offline access activation, nor are simple OTP passcode tokens or Duo D-100 hardware tokens.
Is it possible to use the same authentication device for both online and offline Windows Logon?
Yes, you may use either of these authentication devices for both online and offline access with a single device:
- An Android or iOS device with Duo Mobile activated for both online and offline 2FA.
- A hardware token that supports both OTP and U2F (like the YubiKey 5 series).
Learn more.
Does Duo support Windows 11 and Windows Server 2022?
Yes, Duo for Windows Logon version 4.2.0 and later support Windows 11 64-bit clients and Windows Server 2022 full desktop GUI and core installs.
Nano (headless) installs remain unsupported.
Does Duo support Windows 10?
Duo Authentication for Windows Logon versions 1.2 and later support Windows 10.
We strongly recommend that you either uninstall Duo version 1.1.8 and older from your Windows PC or upgrade Duo to version 1.2 or later before upgrading your PC to Windows 10. If you do not update or remove Duo first you may not be able to log in to your computer after the OS upgrade completes.
If you find yourself unable to log in to Windows 10 with Duo installed, you can boot into Safe Mode and uninstall the Duo Credential Provider.
Does Duo support Windows Server 2016 or 2019?
Yes, Server 2016 full desktop GUI and core installs are supported starting with version 2.1.0. Duo for Windows Logon version 4.0.0 adds Server 2019 support.
Nano (headless) installs are not supported.
Does Duo support Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2?
Microsoft ended support for Windows Vista on April 11, 2017, and ended support for Windows 7, 2008, and 2008 R2 on January 14, 2020. Duo no longer supports installation of any Duo applications on these operating systems. We strongly urge you to upgrade to a supported version of Windows.
Can I use Duo with a Microsoft account?
There is a known issue with using Duo authentication and Microsoft/Live accounts after installing the Windows 10 Fall Creators Update (version 1709) released 10/17/17.
As a temporary workaround, you can allow the Windows Live credential provider, which restores the login prompt for Microsoft and Live.com accounts.
With this workaround in place, Microsoft and Live.com account users log in without Duo 2FA! Domain and local accounts still require Duo authentication.
To enable the Windows Live credential provider for Microsoft and Live.com accounts, use the Registry Editor (regedit.exe) with administrator privileges to create (or update) the following registry value:
Location: HKLM\SOFTWARE\Duo Security\DuoCredProv:
| Registry Value | Type | Description |
|---|---|---|
| ProvidersWhitelist | | |
For Windows systems not running the Windows 10 version 1709 update, you can authenticate with Duo Authentication for Windows Logon using a Microsoft connected account on a standalone system if you enable the local group policy setting "Interactive logon: Do not display last user name" and enroll the username of the Microsoft account in Duo.
To edit your local policy (must be a local administrator):
- Run the command gpedit.msc to open the Local Group Policy Editor.
- Navigate to Local Computer Policy → Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options.
- Double-click the Interactive logon: Do not display last user name setting.
- Select Enabled and click OK.
- Close the Local Group Policy Editor window.
You can also enable the setting via the registry. Create a new DWORD value dontdisplaylastusername set to 1 at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
With this setting enabled you receive the "Other user" login dialog, where you can input your Microsoft account credentials.
On a domain-joined workstation this setting may be controlled by your administrator.
To determine the username of the Microsoft account on a Windows 10 computer, open the Windows User Manager (lusrmgr.msc), locate the Microsoft account in the list, and look at the Name field for that user. The Name value of the Microsoft account won't be the full e-mail address that you use to sign in, but instead will be shown as a portion of the local part of the email address (the information before the @ symbol). When you have found the Name value for the Microsoft account, enroll that account in Duo. If you do not enroll the account in Duo with the correct username you may not be able to complete login with the Microsoft account.
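The two steps above, as an added PowerShell example that is not part of the Duo documentation: set the dontdisplaylastusername policy value named in this section, and list the local accounts backed by a Microsoft account so their Name property (the value to enroll in Duo) can be read without opening lusrmgr.msc. It assumes an elevated session on Windows 10 with the Get-LocalUser cmdlet available (PowerShell 5.1 or later).

```powershell
# Added example (not Duo's code). Requires an elevated PowerShell session.

function Enable-OtherUserLogonTile {
    # Same effect as enabling "Interactive logon: Do not display last user name" in gpedit.msc.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name dontdisplaylastusername -Value 1 -Type DWord
    # Return the value actually stored so the caller can verify it.
    (Get-ItemProperty -Path $key).dontdisplaylastusername
}

function Get-MicrosoftAccountDuoUsernames {
    # PrincipalSource is MicrosoftAccount for local accounts linked to a Microsoft/Live.com login.
    # The Name column is the local part of the sign-in e-mail, which is what Duo must have enrolled.
    Get-LocalUser |
        Where-Object { $_.PrincipalSource -eq 'MicrosoftAccount' } |
        Select-Object Name, Enabled, PrincipalSource
}

Enable-OtherUserLogonTile
Get-MicrosoftAccountDuoUsernames | Format-Table -AutoSize
```

On a domain-joined workstation the policy value may be overwritten at the next Group Policy refresh, as the FAQ notes; set it in the GPO in that case.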
What logon interfaces can Duo protect?
Duo Authentication for Windows Logon provides two-factor authentication for RDP and local console logons, and for credentialed UAC elevation prompts (e.g. right-click + "Run as administrator").
Duo's Windows Logon client does not add a secondary authentication prompt to the following logon types:
- Shift + right-click "Run as different user"
- PowerShell "Enter-PsSession" or "Invoke-Command" cmdlets
- Non-interactive logons (i.e. Log on as a Service, Log on as Batch, Scheduled Tasks, drive mappings, etc.)
- Pre-Logon Access Providers (PLAPs) such as Windows Always On VPN
- RDP Restricted Admin Mode
How does Duo Authentication for Windows Logon work with NLA (Network Level Authentication)?
Network Level Authentication (NLA) for Remote Desktop Connection is an optional security feature available in Windows Vista and later. When NLA is enabled, remote connections pre-authenticate to the remote system when the RDP client connects, before a full remote session is displayed. When NLA is disabled, the Windows username and password are entered within the RDP session after connecting.
When Duo Authentication for Windows Logon is installed on a system where NLA is enabled, the RDP client prompts for the Windows username and password in a local system dialog. That information is used to connect to the remote system and is passed through to the Remote Desktop manager. Once the RDP client has completed primary authentication the full Remote Desktop session is displayed, and the Duo Security prompt appears for two-factor authentication.
When Duo Authentication for Windows Logon is installed on a system where NLA is not required, a full Remote Desktop session is displayed when the RDP client connects to the remote system. The Windows username and password are entered in the Remote Desktop window, and after the logon information is accepted the Duo Security prompt appears for two-factor authentication.
There are some security advantages to enabling NLA, but one of the drawbacks is that users with expired passwords are prevented from logging on to the remote system. More information about NLA and RDP can be found at the Microsoft site and on Wikipedia.
Does Duo Authentication for Windows Logon support web proxying?
Duo can use the HTTPS proxy server configured in your system-wide WinHTTP settings. Configure the proxy server(s) used by WinHTTP with the netsh command.
Duo Authentication version 2.0.0.71 and later also support proxying only Duo authentication traffic. Refer to the instructions for configuring a Duo-only proxy.
Does Duo Authentication for Windows Logon work with third-party disk encryption software or other credential providers?
Duo's credential provider cannot be chained with other credential providers present on your system. Disk encryption software that stores the Windows username and password provided before boot may no longer be able to use those credentials to automatically log on to Windows.
Duo Authentication for Windows Logon version 2.1.0 permits use of the Windows smart card login provider as an alternative to Duo, meaning that users may choose to authenticate with either Duo 2FA or a PIV/CAC card. Duo for Windows Logon v3.1.0 adds support for smart card logon with Duo 2FA at the local console.
Does Duo support Windows XP or Windows 2003?
Microsoft ended support for Windows XP on April 8, 2014 and for Windows Server 2003 on July 14, 2015. The last Duo release with XP and 2003 compatibility was version 1.1.8. Duo no longer supports any applications on Windows XP or Server 2003. We strongly urge you to upgrade to a supported version of Windows.
Are there any known issues with Windows 2003 and XP?
Duo's legacy Windows Logon (RDP) integration for Windows 2003 and XP contained the following limitations:
- A reboot is required after installing or uninstalling the Duo Windows Logon integration.
- A password may be changed from the Windows password expiration warning dialog or the password expired prompt without first completing two-factor authentication.
Duo no longer supports any applications on Windows XP or Server 2003. We urge you to upgrade to a supported version of Windows.
Install and Uninstall
Can I silently install Duo Authentication for Windows Logon from a command line or PowerShell?
Yes, you can run the .exe or .msi installers from PowerShell or the Command Prompt. There are no required parameters, but if you do not supply the IKEY, SKEY, and HOST values on the command line, make sure you have a Windows group policy object applying values for those settings, or make them present in the registry by some other method; otherwise the Duo for Windows Logon application will not function.
Enter the following command into PowerShell or a Command Prompt to silently install Duo Security with automatic push on, fail open enabled, smart cards disabled, and protecting both RDP and console logons:
duo-win-login-4.0.2.exe /S /V" /qn IKEY="DIXXXXXXXXXXXXXXXXXXXX" SKEY="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" HOST="api-xxxxxxxx.duosecurity.com" AUTOPUSH="#1" FAILOPEN="#1" SMARTCARD="#0" RDPONLY="#0""
Note that the parameter names passed to the installer (IKEY, SKEY, HOST, etc.) are case-sensitive!
The following table lists all the parameters and options that may be set via the command line installer (as of v4.0.2), noting the default values used if a parameter is not specified in the command.
| Setting | Description | Default |
|---|---|---|
| IKEY | Your Duo RDP application's integration key. | Blank; product will not function |
| SKEY | Your Duo RDP application's secret key. | Blank; product will not function |
| HOST | Your Duo API hostname. | Blank; product will not function |
| AUTOPUSH | 1 to automatically send a push request, or 0 to disable automatic push. | 0 |
| FAILOPEN | 1 to allow access when Duo's service is unreachable, or 0 to block access without Duo MFA. | 1 |
| RDPONLY | 1 to only require Duo for remote logons, or 0 to require Duo for console and RDP logons. | 0 |
| SMARTCARD | 1 to allow smart card login as an alternative to Duo, or 0 to disable the Windows smart card provider. | 0 |
| WRAPSMARTCARD | 1 to require Duo after smart card primary logon at the local console, or 0 to allow smart card logon without Duo approval afterward. | 0 |
| ENABLEOFFLINE | 1 to enable offline access (subject to the configuration in the Admin Panel), or 0 to completely disable offline access on the target system. | 1 |
| USERNAMEFORMAT | The username format sent to Duo. One of: 0 for sAMAccountName (narroway), 1 for the NTLM domain and username (ACME\narroway), or 2 for the userPrincipalName (narroway@acme.corp). | 1 |
| PROXYHOST | The hostname or IP address of an upstream HTTP proxy server for Duo communications. | Not set |
| PROXYPORT | The port for HTTP proxy communications. | Not set |
| LOGFILE_MAXCOUNT | Number of rotated log files to be maintained. | Not set |
| LOGFILE_MAXSIZEMB | Size of each rotated log file to be maintained, in megabytes (MB). | Not set |
| UAC_PROTECTMODE | 0 to respect the existing Duo authentication settings for logon, 1 to disable Duo at logon and only prompt during User Elevation, or 2 to enforce Duo 2FA at both logon and User Elevation. | 0 |
| UAC_OFFLINE | 1 to enable offline access for User Elevation, or 0 to disable offline access for User Elevation. | 1 |
| UAC_OFFLINE_ENROLL | 1 to enable offline access enrollment during User Elevation, or 0 to prevent offline enrollment during User Elevation. | 1 |
When specifying a value for one of the DWORD options (a value of 0, 1, or 2), be sure to prefix it with a pound sign #, e.g. RDPONLY=#1.
This performs the install with the same settings as the previous example from the command line with Windows Installer (msiexec), using the 64-bit MSI installer included in the Duo Authentication for Windows Logon Group Policy MSI installers, template files, and documentation package. View checksums for Duo downloads here.
msiexec.exe /i DuoWindowsLogon64.msi IKEY="Integration Key" SKEY="Secret Key" HOST="API Hostname" AUTOPUSH="#1" FAILOPEN="#1" SMARTCARD="#0" RDPONLY="#0" /qn
The MSI installers and properties can also be used to create a transform file for use with Active Directory Group Policy Software Publishing or other automated software deployment utilities. See the Duo Authentication for Windows Logon Group Policy documentation for more information.
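The msiexec install above wrapped in a PowerShell function, as an added example that is not Duo's own tooling: it builds the property list with the required "#" prefix on the DWORD options, waits for Windows Installer, checks the exit code, and reads back the non-secret settings the FAQ documents under HKLM\SOFTWARE\Duo Security\DuoCredProv. It assumes an elevated session, DuoWindowsLogon64.msi from the Group Policy package, and placeholder keys that you replace with the values from your RDP application. No MSI log is requested on purpose: a verbose msiexec log records the values of public properties, which would put SKEY on disk in clear text.

```powershell
# Added example (not part of the Duo documentation). Requires an elevated PowerShell session.

function Install-DuoWindowsLogon {
    param(
        [Parameter(Mandatory)] [string] $MsiPath,
        [Parameter(Mandatory)] [string] $IntegrationKey,   # IKEY from the Duo Admin Panel
        [Parameter(Mandatory)] [string] $SecretKey,        # SKEY; treat like a password
        [Parameter(Mandatory)] [string] $ApiHostname,      # HOST, e.g. api-xxxxxxxx.duosecurity.com
        [switch] $FailClosed,                              # FAILOPEN="#0"
        [switch] $RdpOnly,                                 # RDPONLY="#1"
        [switch] $NoAutoPush,                              # AUTOPUSH="#0"
        [ValidateSet(0, 1, 2)] [int] $UsernameFormat = 1   # USERNAMEFORMAT: 0 sAM, 1 DOMAIN\user, 2 UPN
    )
    if (-not (Test-Path -LiteralPath $MsiPath)) { throw "MSI not found: $MsiPath" }

    # Property names are case-sensitive and DWORD values need the '#' prefix.
    $props = @(
        "IKEY=`"$IntegrationKey`"",
        "SKEY=`"$SecretKey`"",
        "HOST=`"$ApiHostname`"",
        ('AUTOPUSH="#{0}"'       -f [int](-not $NoAutoPush.IsPresent)),
        ('FAILOPEN="#{0}"'       -f [int](-not $FailClosed.IsPresent)),
        ('RDPONLY="#{0}"'        -f [int]$RdpOnly.IsPresent),
        ('USERNAMEFORMAT="#{0}"' -f $UsernameFormat),
        'SMARTCARD="#0"'
    )
    # Deliberately no /l*v: a verbose MSI log would contain SKEY in clear text.
    $msiArgs = @('/i', "`"$MsiPath`"", '/qn', '/norestart') + $props
    $proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
    switch ($proc.ExitCode) {
        0       { }
        3010    { Write-Warning 'Installed; Windows Installer requests a reboot.' }
        default { throw "msiexec exited with code $($proc.ExitCode)" }
    }

    # Read back the documented, non-secret settings; SKey is never echoed.
    $cfg = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Duo Security\DuoCredProv'
    [pscustomobject]@{
        FailOpen                 = $cfg.FailOpen
        AutoPush                 = $cfg.AutoPush
        RdpOnly                  = $cfg.RdpOnly
        UsernameFormatForService = $cfg.UsernameFormatForService
    }
}

# Usage (placeholder values): fail closed, protect console and RDP, send DOMAIN\user.
Install-DuoWindowsLogon -MsiPath 'C:\Temp\DuoWindowsLogon64.msi' `
    -IntegrationKey 'DIXXXXXXXXXXXXXXXXXXXX' `
    -SecretKey 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' `
    -ApiHostname 'api-xxxxxxxx.duosecurity.com' `
    -FailClosed
```

If the settings are managed by Group Policy, the values in HKLM\SOFTWARE\Policies\Duo Security\DuoCredProv override what this read-back shows, so check that key too on domain-joined hosts.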
Can I silently upgrade Duo Authentication for Windows Logon from a command line?
Enter the following command into a Command Prompt to silently upgrade an existing Duo installation using the MSI of a newer version, preserving the current integration information and installed options (as of v4.0.2):
msiexec.exe /qn /i "DuoWindowsLogon64.msi"
For MSI upgrade installs of releases prior to v4.0.2, and to upgrade from v4.1.0 to 4.1.1 or later, include the options shown in this command:
msiexec.exe /quiet /i "DuoWindowsLogon64.msi" REINSTALL=ALL REINSTALLMODE=vomus IS_MINOR_UPGRADE=1
To silently upgrade using a newer installer executable, enter this command:
duo-win-login-4.1.3.exe /S /V/qn
Can I silently uninstall Duo Authentication for Windows Logon from a command line or PowerShell?
Enter the following command into PowerShell or a Command Prompt to silently uninstall Duo for Windows Logon using the same version of the installer executable that is installed on the system (this example uses the v4.1.3 installer to remove v4.1.3 from the system):
duo-win-login-4.1.3.exe /S /V/qn /X
If you no longer have the installer executable that matches the Duo installation you wish to remove, use msiexec to perform the uninstall. You will first need to determine the correct product code GUID for your installed version:
- Launch the Registry Editor (regedit.exe).
- Navigate down the tree to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall.
- Examine the GUID keys until you locate the key with the DisplayName value of "Duo Authentication for Windows Logon".
- Copy the UninstallString value for the Duo Authentication for Windows Logon product from the registry (for example: MsiExec.exe /X{BD789CFF-3C7A-4533-90F3-A3E5190A9D43}).
- Use the information from the registry to construct your silent msi uninstall command:
MsiExec.exe /qn /x {BD789CFF-3C7A-4533-90F3-A3E5190A9D43}
Can I deploy or configure Duo Authentication for Windows Logon using Group Policy?
Yes. Please refer to the Duo Authentication for Windows Logon Group Policy documentation.
How do I disable or uninstall Duo Authentication for Windows Logon in Safe Mode?
To disable Duo's credential provider on Windows after booting into Safe Mode, run the following from an elevated command prompt:
Versions 1.2.0.14 and earlier
regsvr32 /u "C:\Program Files\Duo Security\DuoCredProv\DuoCredProv.dll"
regsvr32 /u "C:\Program Files\Duo Security\DuoCredProv\DuoCredFilter.dll"
Version 2.0.0 and later
regsvr32 /u "C:\Program Files\Duo Security\WindowsLogon\DuoCredProv.dll"
regsvr32 /u "C:\Program Files\Duo Security\WindowsLogon\DuoCredFilter.dll"
You can also uninstall the Duo Windows Logon integration while still in Safe Mode with a registry change and a service start:
- When booted into Safe Mode, launch the Registry Editor (regedit.exe).
- Drill down to the HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal registry key (if you are booted into regular Safe Mode) or to HKLM\System\CurrentControlSet\Control\SafeBoot\Network (if you are booted into Safe Mode with Networking).
- Right-click the Minimal or Network registry key (as appropriate for your currently booted mode) and click New → Key on the context menu. Name the new key MSIServer.
- From an elevated command prompt, run the command net start msiserver.
- You can now use Programs and Features in the Windows Control Panel to uninstall the Duo application.
For more information about Safe Mode refer to the instructions for your operating system: Windows 10, Windows 8/8.1 and 2012/2012 R2.
Windows 10 users may need the BitLocker recovery key in order to boot the system into Safe Mode. If you don't have it available, use one of Microsoft's recommendations to locate it.
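The product-code lookup from the uninstall entry above and the Safe Mode procedure just described, combined in one added PowerShell example that is not part of the Duo documentation: it finds the Windows Installer product code by DisplayName, enables the Windows Installer service for the current Safe Mode variant if the system is booted that way, and runs the silent msiexec removal. It assumes an elevated session; the check of the WOW6432Node uninstall key and the use of the SAFEBOOT_OPTION environment variable (set to MINIMAL or NETWORK by Windows only in Safe Mode) are my additions, not steps from the FAQ.

```powershell
# Added example (not Duo's code). Requires an elevated PowerShell session.

function Get-DuoProductCode {
    # The FAQ names the 64-bit Uninstall key; WOW6432Node is also checked here (assumption)
    # in case the 32-bit MSI was installed on a 64-bit OS.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root) {
            $p = Get-ItemProperty -Path $key.PSPath
            if ($p.DisplayName -ne 'Duo Authentication for Windows Logon') { continue }
            # Take the GUID from UninstallString (MsiExec.exe /X{...}) rather than the key name.
            if ($p.UninstallString -match '\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}') {
                return [pscustomobject]@{ ProductCode = $Matches[0]; Version = $p.DisplayVersion }
            }
        }
    }
    return $null
}

function Enable-MsiServerInSafeMode {
    # SAFEBOOT_OPTION is only defined when booted into Safe Mode (MINIMAL or NETWORK);
    # it selects the matching SafeBoot subkey the FAQ tells you to edit in regedit.
    $mode = $env:SAFEBOOT_OPTION
    if (-not $mode) { return }   # normal boot: the Windows Installer service is already usable
    $safeBootKey = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode\MSIServer"
    if (-not (Test-Path $safeBootKey)) { New-Item -Path $safeBootKey -Force | Out-Null }
    Start-Service -Name msiserver   # equivalent of "net start msiserver"
}

function Uninstall-DuoWindowsLogon {
    $product = Get-DuoProductCode
    if (-not $product) { throw 'Duo Authentication for Windows Logon is not installed.' }
    Enable-MsiServerInSafeMode
    $msiArgs = @('/x', $product.ProductCode, '/qn', '/norestart')
    $proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
    if ($proc.ExitCode -notin 0, 3010) { throw "msiexec failed with exit code $($proc.ExitCode)" }
    "Removed Duo for Windows Logon $($product.Version) ($($product.ProductCode)); reboot if exit code was 3010."
}

Uninstall-DuoWindowsLogon
```

Because the credential provider is not loaded in Safe Mode, anyone who can boot into it can run this removal; that is the bypass the console-logon entry below addresses with SafeModeBlockNonAdmins.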
Configuration
Where are the Duo for Windows Logon settings stored in the registry?
Duo Authentication for Windows Logon stores the installation settings in the registry at HKLM\Software\Duo Security\DuoCredProv.
If you're managing the Duo client configuration with Windows Group Policy, then any setting configured by a GPO is stored as a registry value in HKLM\Software\Policies\Duo Security\DuoCredProv, and overrides the same setting configured at the default registry location.
Since GPO settings get reapplied periodically at the client system, any permanent change to a setting configured via group policy should be made by editing the GPO to update the setting with the new value, not by updating the client registry.
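The precedence rule above, as an added PowerShell example that is not part of the Duo documentation: for each registry value this FAQ documents it reads both the GPO-managed key and the default key and reports which one is in effect, then warns about the two settings that leave console logons unprotected (fail open, RDP only). The value names are the ones documented on this page; reading an absent FailOpen as "fail open" follows the FAQ's stated default.

```powershell
# Added example (not Duo's code). Read-only; runs in a normal or elevated session.

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Duo Security\DuoCredProv'   # written by the GPO
$DefaultKey = 'HKLM:\SOFTWARE\Duo Security\DuoCredProv'            # written by the installer / regedit

function Get-DuoEffectiveSetting {
    param([Parameter(Mandatory)] [string] $Name)
    $policy = (Get-ItemProperty -Path $PolicyKey  -Name $Name -ErrorAction SilentlyContinue).$Name
    $local  = (Get-ItemProperty -Path $DefaultKey -Name $Name -ErrorAction SilentlyContinue).$Name
    [pscustomobject]@{
        Setting   = $Name
        Policy    = $policy
        Local     = $local
        Effective = if ($null -ne $policy) { $policy } else { $local }
        Source    = if ($null -ne $policy) { 'GPO' } elseif ($null -ne $local) { 'Local' } else { 'Unset' }
    }
}

function Get-DuoConfigReport {
    $names = 'FailOpen', 'AutoPush', 'RdpOnly', 'UsernameFormatForService', 'EnableSmartCards',
             'HttpProxyHost', 'HttpProxyPort', 'Debug', 'LogFileMaxSizeMB', 'LogFileMaxCount'
    $report = foreach ($n in $names) { Get-DuoEffectiveSetting -Name $n }

    # Absent FailOpen means the installation default, which is fail open.
    $failOpen = ($report | Where-Object Setting -eq 'FailOpen').Effective
    if ($null -eq $failOpen -or $failOpen -eq 1) {
        Write-Warning 'Fail open is in effect: logons proceed without Duo when the service is unreachable.'
    }
    if (($report | Where-Object Setting -eq 'RdpOnly').Effective -eq 1) {
        Write-Warning 'RdpOnly=1: local console logons are not protected by Duo.'
    }
    $report
}

Get-DuoConfigReport | Format-Table Setting, Effective, Source, Policy, Local -AutoSize
```

A row whose Source is GPO with a different Local value is the situation the paragraph above warns about: the regedit change is present but ignored, and will be overwritten at the next policy refresh.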
How does offline access in Duo for Windows Logon interact with fail mode?
Enabling offline access on the RDP v4.0 or later application overrides the configured fail mode setting for users who have activated offline access.
Users who have not activated offline access are subject to the fail mode setting, e.g. if set to fail open, a user who did not activate offline access would be able to log in without completing Duo offline authentication. Disable "fail open" if you want to prevent users who did not activate offline access from logging in when the computer is offline.
How can I configure the fail mode?
By default, Duo Authentication for Windows Logon will "fail open" and permit the Windows logon to continue if it is unable to contact the Duo service. You can set the fail mode during installation to "fail closed" by deselecting the "Bypass Duo authentication when offline" box during installation. This will deny all login attempts if there is a problem contacting the Duo service.
To change the fail mode after installation, use the Registry Editor (regedit.exe) with administrator privileges to create or update the following registry value:
Location: HKLM\SOFTWARE\Duo Security\DuoCredProv:
| Registry Value | Type | Description |
|---|---|---|
| FailOpen | DWORD | Set to 1 to permit "fail open" for all users or 0 to restrict to "fail closed" (except for users who have activated offline access in v4.0 or later). Default: Fail open. |
If the Duo settings are managed by Windows Group Policy, those settings override any changes made via regedit. Update the "Duo Service: Fail Open if Unable to Contact Duo" setting in the GPO instead.
When modifying the FailOpen registry value on a Windows 2003 or XP system a reboot is required to make the change effective.
How can I configure automatic push button?
When automated push button is enabled, Duo Authentication for Windows Logon automatically sends a push button notification to the Duo Mobile app or a telephone call to the user'due south default device submitting the Windows username and countersign. This is the installation default. Y'all can choose to disable automatic push by deselecting the "Utilize automated push to authenticate if available" box during installation.
To modify the automatic push beliefs subsequently installation, employ the Registry Editor (regedit.exe) with administrator privileges to create or update the following registry value:
Location: HKLM\SOFTWARE\Duo Security\DuoCredProv:
| Registry Value | Type | Clarification |
|---|---|---|
AutoPush | | Set to 0 to disable automatic button or ane to enable it. |
If the Duo settings are managed by Windows Group Policy, those settings override any changes made via regedit. Update the "Client: Enable Auto Button" setting in the GPO instead.
When automated button is disabled, Duo does not request logon verification until the user submits the name of an authentication gene at the Duo Authentication prompt.
How practice I enable debug logging?
To enable debug logging, use the Registry Editor (regedit.exe) with ambassador privileges to create the following registry value:
Location: HKLM\SOFTWARE\Duo Security\DuoCredProv:
| Registry Value | Type | Clarification |
|---|---|---|
Debug | | Set to 1 to enable debug logging. Default: No debug logging. |
If the Duo settings are managed by Windows Group Policy, those settings override any changes made via regedit. Update the "Enable Debug Logging" setting in the GPO instead to enable debug logging globally, or if you simply need to temporarily enable it to capture an effect update the HKLM\Software\Policies\Duo Security\DuoCredProv\debug registry value as well (this may be reverted at the client'south adjacent GPO refresh).
The log file location is %PROGRAMDATA%\Duo Security\duo.log for version 1.one.8 and later, and %ProgramFiles%\Duo Security\DuoCredProv\duo.log for version 1.1.seven and earlier.
How tin can I configure log file rotation?
By default, Duo Authentication for Windows Logon will not rotate log files.
Version 4.0.6 and later support log file rotation. To configure log file rotation, use the Registry Editor (regedit.exe) with administrator privileges to create the following registry values:
Location: HKLM\SOFTWARE\Duo Security\DuoCredProv:
| Registry Value | Type | Description |
|---|---|---|
| LogFileMaxSizeMB | | Set the maximum size of each log file in megabytes (MB). Minimum value: 1. Maximum value: 4096 (decimal). |
| LogFileMaxCount | | Set the number of rotated log files to be maintained on disk. Minimum value: 1. Maximum value: 100 (decimal). |
Both registry values must be created and set to a value greater than 0 to enable rotation. Backup logs increment starting at duo00.log through duo99.log. A log may be slightly larger than the defined size to ensure an in-progress authentication is not split across log files.
Example setting: LogFileMaxSizeMB set to 1 and LogFileMaxCount set to 1 will result in duo.log coexisting with duo00.log, both with a maximum size of 1 MB.
Can Duo protect local console logins in Windows?
Yes, Duo Authentication for Windows Logon does provide protection for local console logins. However, it can be difficult to prevent an attacker with physical access to a system from compromising it. In particular, there are two significant threats you should take care to address:
- Duo Authentication for Windows Logon can be bypassed by rebooting a Windows system into Safe Mode. To limit the impact of this, you should prevent all but a select group of users from logging in while Windows is running in Safe Mode (for example, via the registry DWORD value HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\SafeModeBlockNonAdmins set to 1).
- By default, the RDP integration will "fail open" if it is unable to contact the Duo service. A user with local console access might be able to disrupt a machine's network connectivity (e.g. by unplugging an ethernet cord), thereby bypassing Duo authentication.
You can set the fail mode during installation to "fail closed" by deselecting the "Bypass Duo authentication when offline" box in the Duo installer, or by setting the registry DWORD value HKLM\Software\Duo Security\DuoCredProv\FailOpen to 0. This will deny all login attempts if there is a problem contacting the Duo service.
To enable Duo authentication for both local console and RDP logins, clear the "Only prompt for Duo authentication when logging in via RDP" box during installation.
To change which logon connections are required to use Duo after installation, use the Registry Editor (regedit.exe) with administrator privileges to create or update the following registry value:
Location: HKLM\SOFTWARE\Duo Security\DuoCredProv:
| Registry Value | Type | Description |
|---|---|---|
| RdpOnly | | Set to 0 to protect both RDP and local console logons or 1 to protect RDP logons only. |
If the Duo settings are managed by Windows Group Policy, those settings override any changes made via regedit. Update the "Client: Limit Two-Factor to RDP Logons Only" setting in the GPO instead.
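The two mitigations above applied together, as an added PowerShell example that is not part of the Duo documentation: restrict Safe Mode logon to administrators, fail closed, and cover the console as well as RDP, then check whether a GPO-managed FailOpen value would silently win over the local change. It assumes an elevated session on a host where Duo is already installed; on a domain-joined host make the same changes in the GPO instead.

```powershell
# Added example (not Duo's code). Requires an elevated PowerShell session.

function Protect-DuoConsoleLogon {
    $policies = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $duo      = 'HKLM:\SOFTWARE\Duo Security\DuoCredProv'
    $duoGpo   = 'HKLM:\SOFTWARE\Policies\Duo Security\DuoCredProv'

    if (-not (Test-Path $duo)) { throw 'Duo Authentication for Windows Logon is not installed on this host.' }

    # 1. Only administrators may log on in Safe Mode, where the Duo credential provider is not loaded.
    if (-not (Test-Path $policies)) { New-Item -Path $policies -Force | Out-Null }
    Set-ItemProperty -Path $policies -Name SafeModeBlockNonAdmins -Value 1 -Type DWord

    # 2. Fail closed when Duo is unreachable (pulling the network cable no longer bypasses 2FA),
    #    and require Duo for console logons, not just RDP.
    Set-ItemProperty -Path $duo -Name FailOpen -Value 0 -Type DWord
    Set-ItemProperty -Path $duo -Name RdpOnly  -Value 0 -Type DWord

    # A GPO-managed value overrides the local one, so surface it instead of losing the change silently.
    $gpoFailOpen = (Get-ItemProperty -Path $duoGpo -Name FailOpen -ErrorAction SilentlyContinue).FailOpen
    if ($gpoFailOpen -eq 1) {
        Write-Warning "Group Policy sets FailOpen=1 under $duoGpo; this host still fails open until the GPO is changed."
    }

    [pscustomobject]@{
        SafeModeBlockNonAdmins = (Get-ItemProperty -Path $policies).SafeModeBlockNonAdmins
        FailOpen               = (Get-ItemProperty -Path $duo).FailOpen
        RdpOnly                = (Get-ItemProperty -Path $duo).RdpOnly
        FailOpenFromGpo        = $gpoFailOpen
    }
}

Protect-DuoConsoleLogon
```

Two caveats from elsewhere on this page still apply: users who have activated offline access are not subject to the fail mode, and an administrator who can boot into Safe Mode can still uninstall the credential provider, so fail closed plus SafeModeBlockNonAdmins narrows the bypass to administrators rather than removing it.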
Can I choose which username attribute gets sent to Duo?
Duo Authentication for Windows Logon defaults to sending the username in NTLM (or msDS-PrincipalName) format, e.g. DOMAIN\username, to Duo's cloud service as the Duo username. However, when you create your RDP application in Duo, the "Username normalization" option defaults to "Simple" normalization, so Duo ignores anything preceding a backslash or following an at sign in the username received in a logon request. This means Duo treats "narroway", "ACME\narroway", and "narroway@acme.local" as the same "narroway" user in Duo. Therefore, with the default username settings applied both at the Windows client and to the RDP application in Duo, only the bare username is matched when looking for an existing user; essentially matching the sAMAccountName.
If the username sent to Duo by our Windows Logon application doesn't match an existing Duo username, the user can't complete Duo authentication. This causes problems when an organization has already enrolled Duo users with a different username format, like userPrincipalName (UPN).
Duo Authentication for Windows Logon version 3.1 and later allows specifying which Windows username attribute is sent to Duo's service when authenticating.
To change which Windows username attribute gets sent to Duo, use the Registry Editor (regedit.exe) with administrator privileges to create or update the following registry value:
Location: HKLM\SOFTWARE\Duo Security\DuoCredProv:
| Registry Value | Type | Description |
|---|---|---|
| UsernameFormatForService | | Set to 0 to send the sAMAccountName as the Duo username (e.g. "narroway"). Set to 1 to send the NTLM domain and username as the Duo username (e.g. "ACME\narroway"); this is the default installation setting. Set to 2 to send the userPrincipalName as the Duo username (e.g. "narroway@acme.local"). |
If the Duo settings are managed by Windows Group Policy, those settings override any changes made via regedit. Update the "Duo Service: Specify format of username sent to Duo service" setting in the GPO instead.
If you want Duo for Windows Logon to send the NTLM or UPN username format to Duo, and your Duo usernames or aliases are also in NTLM or UPN format, be sure to log in to the Duo Admin Panel and change the "Username normalization" option for your RDP integration from "Simple" to "None".
Whichever username format you choose, ensure that a matching username or username alias exists in Duo.
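The matching behaviour described in this section, modelled in an added PowerShell example that is not Duo's code: one function builds the username the client sends for each UsernameFormatForService value, another applies the RDP application's "Simple" or "None" normalization as the text defines it (drop everything before a backslash and after an at sign), and a table shows which combinations find an enrolled user. The domain names and the two enrolled-user lists are constructed sample data, and the UPN suffix is assumed to equal the DNS domain name.

```powershell
# Added example (not Duo's code): a model of the documented username matching, not the product's implementation.

function Format-DuoUsername {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $NetbiosDomain,
        [Parameter(Mandatory)] [string] $DnsDomain,
        [ValidateSet(0, 1, 2)] [int] $UsernameFormatForService = 1
    )
    switch ($UsernameFormatForService) {
        0 { $SamAccountName }                    # sAMAccountName
        1 { "$NetbiosDomain\$SamAccountName" }   # NTLM / msDS-PrincipalName (installation default)
        2 { "$SamAccountName@$DnsDomain" }       # userPrincipalName (assumes UPN suffix = DNS domain)
    }
}

function ConvertTo-NormalizedDuoUsername {
    param(
        [Parameter(Mandatory)] [string] $Username,
        [ValidateSet('Simple', 'None')] [string] $Normalization = 'Simple'
    )
    if ($Normalization -eq 'None') { return $Username }
    # "Simple": ignore anything before a backslash and anything after an at sign.
    $u = $Username
    if ($u.Contains('\')) { $u = $u.Substring($u.LastIndexOf('\') + 1) }
    if ($u.Contains('@')) { $u = $u.Substring(0, $u.IndexOf('@')) }
    $u
}

function Test-DuoUsernameMatch {
    # Does the username the client sends match an enrolled Duo username or alias?
    # (-contains compares case-insensitively, which is what we want for Windows names.)
    param([string] $Sent, [string[]] $Enrolled, [string] $Normalization = 'Simple')
    $Enrolled -contains (ConvertTo-NormalizedDuoUsername -Username $Sent -Normalization $Normalization)
}

# Constructed sample: the same person enrolled by sAMAccountName in one tenant and by UPN in another.
$enrolledAsSam = @('narroway')
$enrolledAsUpn = @('narroway@acme.local')

foreach ($fmt in 0, 1, 2) {
    $sent = Format-DuoUsername -SamAccountName narroway -NetbiosDomain ACME -DnsDomain acme.local -UsernameFormatForService $fmt
    [pscustomobject]@{
        Format          = $fmt
        Sent            = $sent
        'Simple vs sAM' = Test-DuoUsernameMatch $sent $enrolledAsSam 'Simple'
        'None vs sAM'   = Test-DuoUsernameMatch $sent $enrolledAsSam 'None'
        'None vs UPN'   = Test-DuoUsernameMatch $sent $enrolledAsUpn 'None'
    }
}
```

The table it prints is the point of the section: with "Simple" normalization all three client formats match a user enrolled as "narroway", whereas with "None" only the exact format that was enrolled matches, so switching normalization to "None" without also aligning UsernameFormatForService and the enrolled usernames locks users out.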
Can Duo protect Remote Desktop Connection logons only?
It is possible to enable Duo authentication only for RDP sessions (and not local console logins). This can be set during the installation by checking the "Only prompt for Duo authentication when logging in via RDP" box.
To change which logon connections are required to use Duo after installation, use the Registry Editor (regedit.exe) with administrator privileges to create or update the following registry value:
Location: HKLM\SOFTWARE\Duo Security\DuoCredProv:
| Registry Value | Type | Description |
|---|---|---|
| RdpOnly | | Set to 1 to protect RDP logons only or 0 to protect both RDP and local console logons. |
If the Duo settings are managed by Windows Group Policy, those settings override any changes made via regedit. Update the "Client: Limit Two-Factor to RDP Logons Only" setting in the GPO instead.
When modifying the RdpOnly registry value on a Windows 2003 or XP system a reboot may be required to make the change effective.
Is it possible to use a web proxy just for Duo Authentication for Windows Logon traffic?
Yes, Duo Authentication for Windows Logon version 2.0.0.71 and later supports proxying just Duo authentication traffic. This can be set during the installation by checking the "Configure manual proxy for Duo traffic" box and entering your proxy host and port information.
To change the HTTP proxy settings for the Duo application after installation, use the Registry Editor (regedit.exe) with administrator privileges to create or update the following registry values:
Location: HKLM\SOFTWARE\Duo Security\DuoCredProv:
| Registry Value | Type | Description |
|---|---|---|
| HttpProxyHost | | Hostname or IP address of an HTTP proxy. If set, it will be used for communicating with Duo Security's service. The proxy must support the CONNECT method. Default: do not use a proxy. |
| HttpProxyPort | | Port to connect to on the HttpProxyHost proxy. Enter the port number as decimal. Default: 80. |
If the Duo settings are managed by Windows Group Policy, those settings override any changes made via regedit. Update the "Duo Service: HTTP Proxy Hostname" and "Duo Service: HTTP Proxy Port" settings in the GPO instead.
If you do not already have an HTTP proxy deployed on your network you can use the Duo Authentication Proxy application to act as an HTTP proxy for Duo Windows Logon client connections. Install the Authentication Proxy on a server in your network that has direct internet access, add the HTTP proxy settings to the Authentication Proxy configuration, and then update the Duo for Windows Logon proxy settings to point to that Authentication Proxy. See the HTTP Proxy instructions in the Authentication Proxy Reference for more information.
How do I allow smart card login instead of Duo Authentication?
Duo Authentication for Windows Logon v2.1.0 and later permits use of the Windows smart card login provider as an alternative to Duo. When this is enabled, users may choose to log on with either the built-in Windows smart card authentication and a DOD CAC or other PIV card, or with Windows primary username and password credentials followed by Duo two-factor authentication.
You can turn on smart card login during a clean install of Duo for Windows Logon by selecting the "Enable Smart card support" option followed by selecting "Enable smart card login without Duo" in the installer.
To enable smart card support after upgrading to or installing v2.1.0 or later, use the Registry Editor (regedit.exe) with administrator privileges to create or update the following registry value:
Location: HKLM\SOFTWARE\Duo Security\DuoCredProv:
| Registry Value | Type | Description |
|---|---|---|
| EnableSmartCards | | Set to 1 to allow smart card login as an alternative to Duo, or 0 to disable smart cards and only allow Duo authentication. Default: 0. |
If the Duo settings are managed by Windows Group Policy, those settings override any changes made via regedit. Update the "Duo Service: Enable Smart Cards" setting in the GPO instead.
How practice I enable smart menu login plus Duo Authentication?
With Duo Hallmark for Windows Logon v3.1.0 and afterward, you can require Duo two-factor authentication for smart card users logging in at the local console. When this is enabled, user may choose to log on with either the congenital-in Windows smart card authentication and a DOD CAC or other PIV bill of fare, or with Windows chief username and password credentials. Both smart bill of fare and username/password main login is followed by Duo 2-factor authentication.
Y'all can turn on smart card login during a clean install of Duo for Windows Logon by selecting the "Enable Smart card support" option followed past selecting "Enable smart menu login wit Duo" " in the installer.
To enable smart card + Duo support afterward upgrading or installing v3.1.0 or later, utilize the Registry Editor (regedit.exe) with administrator privileges to create (or update) both of the following registry values:
Location: HKLM\SOFTWARE\Duo Security\DuoCredProv:
| Registry Value | Type | Clarification |
|---|---|---|
EnableSmartCards | | Set to 1 to enable the smart carte credential provider. This may already exist washed if you selected the "Enable Smart carte du jour support" choice during installation. |
WrapSmartCards | | Set to 1 to require Duo authentication after logging in with the smart carte credential provider. Default: 0. |
If the Duo settings are managed by Windows Group Policy, those settings override any changes fabricated via regedit. Update the "Duo Service: Wrap Smart Cards" setting in the GPO instead.
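The two smart card questions above describe three possible states of the same pair of values. The following added example (not Duo's code) puts them side by side so the security-relevant difference is explicit: with EnableSmartCards=1 and WrapSmartCards=0, a smart card logon never reaches Duo. The value names and defaults come from the FAQ tables; the mode names are this example's own.

```powershell
# Added example (not Duo's code). Sets and reports the smart card mode using
# the EnableSmartCards / WrapSmartCards values documented in the FAQ.
$DuoKey = 'HKLM:\SOFTWARE\Duo Security\DuoCredProv'

function Set-DuoSmartCardMode {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('DuoOnly', 'SmartCardWithoutDuo', 'SmartCardWithDuo')]
        [string] $Mode
    )
    $values = switch ($Mode) {
        'DuoOnly'             { @{ EnableSmartCards = 0; WrapSmartCards = 0 } }  # password + Duo only
        'SmartCardWithoutDuo' { @{ EnableSmartCards = 1; WrapSmartCards = 0 } }  # v2.1.0+: smart card bypasses Duo
        'SmartCardWithDuo'    { @{ EnableSmartCards = 1; WrapSmartCards = 1 } }  # v3.1.0+: smart card, then Duo
    }
    foreach ($name in $values.Keys) {
        Set-ItemProperty -Path $DuoKey -Name $name -Value $values[$name] -Type DWord
    }
}

function Get-DuoSmartCardMode {
    $p = Get-ItemProperty -Path $DuoKey -ErrorAction Stop
    # Missing values mean the FAQ defaults (0 and 0) apply.
    $enable = if ($null -eq $p.EnableSmartCards) { 0 } else { $p.EnableSmartCards }
    $wrap   = if ($null -eq $p.WrapSmartCards)   { 0 } else { $p.WrapSmartCards }
    $mode = if ($enable -ne 1) { 'DuoOnly' }
            elseif ($wrap -eq 1) { 'SmartCardWithDuo' }
            else { 'SmartCardWithoutDuo' }
    [pscustomobject]@{
        EnableSmartCards  = $enable
        WrapSmartCards    = $wrap
        Mode              = $mode
        SmartCardSkipsDuo = ($mode -eq 'SmartCardWithoutDuo')
    }
}

Set-DuoSmartCardMode -Mode 'SmartCardWithDuo'
Get-DuoSmartCardMode
```

Get-DuoSmartCardMode is the part worth keeping in a baseline check: SmartCardSkipsDuo being true on a host where it was not intended is the finding to look for. Remember that GPO-managed "Duo Service: Enable Smart Cards" and "Duo Service: Wrap Smart Cards" settings override whatever Set-DuoSmartCardMode writes.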
Can I permit use of other credential providers after installing Duo?
Installing Duo disables all other installed logon credential providers. You can enable the Windows smart card login provider in the Duo installer, but other credential providers (what your users may refer to as "logon tiles") are hidden.
Duo Authentication for Windows Logon version 3.1 and later allows re-enabling access to a hidden credential provider via the registry. A common use case for this would be to restore access to a password reset tool from the Windows logon screen.
Be aware that any third-party credential provider you allow may then be accessed without Duo two-factor authentication!
Use the Registry Editor (regedit.exe) with administrator privileges to create (or update) the following registry values:
Location: HKLM\SOFTWARE\Duo Security\DuoCredProv:
| Registry Value | Type | Description |
|---|---|---|
| ProvidersWhitelist | Multi-String | Populate the multi-string value data with the GUIDs of the third-party credential providers to allow. You can find GUIDs for all registered credential providers on a system in |
Example registry value that permits the Microsoft FIM Password Reset client:
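Because every GUID placed in ProvidersWhitelist is a logon path that skips Duo, it is worth enumerating what is registered before allowing anything and rejecting values that are not real providers. The following is an added example, not Duo's code: it reads the standard Windows credential-provider registration key (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers, a Windows location not quoted on this page), shows each provider's GUID, name and DLL, and appends a validated GUID to the multi-string value without duplicating it. The GUID in the usage line is a placeholder.

```powershell
# Added example (not Duo's code). Lists registered credential providers and
# manages the ProvidersWhitelist multi-string value described in the FAQ.
$DuoKey      = 'HKLM:\SOFTWARE\Duo Security\DuoCredProv'
# Standard Windows registration key for credential providers (not from the FAQ page).
$CredProvKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'

function Get-RegisteredCredentialProvider {
    Get-ChildItem -Path $CredProvKey | ForEach-Object {
        $guid = $_.PSChildName
        [pscustomobject]@{
            Guid = $guid
            Name = (Get-ItemProperty -Path $_.PSPath).'(default)'
            # The COM registration tells you which DLL would be loaded at the logon screen.
            Dll  = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$guid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        }
    }
}

function Get-DuoProviderWhitelist {
    $v = (Get-ItemProperty -Path $DuoKey -Name 'ProvidersWhitelist' -ErrorAction SilentlyContinue).ProvidersWhitelist
    return @($v | Where-Object { $_ })
}

function Add-DuoProviderWhitelist {
    param([Parameter(Mandatory)] [string] $Guid)
    # Refuse anything that is not a registered provider GUID so a typo cannot
    # silently allow an unintended logon tile.
    if ($Guid -notmatch '^\{[0-9a-fA-F-]{36}\}$') { throw "Not a GUID in {...} form: $Guid" }
    if (-not (Test-Path "$CredProvKey\$Guid"))   { throw "$Guid is not a registered credential provider." }
    $current = Get-DuoProviderWhitelist
    if ($current -contains $Guid) { return $current }
    $new = @($current + $Guid)
    Set-ItemProperty -Path $DuoKey -Name 'ProvidersWhitelist' -Value $new -Type MultiString
    return $new
}

function Get-DuoBypassingProvider {
    # Cross-references the whitelist with the registration list: every row here
    # is a logon tile reachable without Duo two-factor authentication.
    $allowed = Get-DuoProviderWhitelist
    Get-RegisteredCredentialProvider | Where-Object { $allowed -contains $_.Guid }
}

Get-RegisteredCredentialProvider | Format-Table -AutoSize
# Placeholder GUID; substitute the provider you intend to allow.
# Add-DuoProviderWhitelist -Guid '{00000000-0000-0000-0000-000000000000}'
Get-DuoBypassingProvider
```

Get-DuoBypassingProvider is the audit view: run it across a fleet and anything beyond the provider you deliberately allowed (a password reset tool, say) is a finding.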
How many users can enroll in offline access with MFA per Windows client?
By default, five (5) users may enroll in offline access. To increase or reduce the number of users that may activate offline access on a given Windows client, use the Registry Editor (regedit.exe) with administrator privileges to create or update the following registry value:
Location: HKLM\SOFTWARE\Duo Security\DuoCredProv:
| Registry Value | Type | Description |
|---|---|---|
| OfflineMaxUsers | DWORD | Create this value and set to the number of users you would like to have the ability to enroll in offline access on a given Windows system. Minimum value: 1; Maximum value: 50. If not set the default is 5. |
Once the maximum number of users have activated offline access, the next user receives an error when attempting to enroll in offline access.
How can I remove a user's existing offline activation?
To force offline reactivation for a previously activated user on a given Windows system, use the Registry Editor (regedit.exe) with administrator privileges to delete the entire registry key that includes the username from HKLM\SOFTWARE\Duo Security\DuoCredProv\Offline.
How can I completely prevent offline access with MFA at the Windows client?
You may have Windows systems where no users should log in using offline access, regardless of the application setting in the Duo Admin Panel. To prevent offline authentication for any user on a given Windows client, use the Registry Editor (regedit.exe) with administrator privileges to create or update the following registry value:
Location: HKLM\SOFTWARE\Duo Security\DuoCredProv:
| Registry Value | Type | Description |
|---|---|---|
| OfflineAvailable | DWORD | Create this value and set to 0 to disable offline access for all users. Your fail mode configuration applies to offline logins (either fail open or fail closed). |
How do I enable and configure User Elevation to add Duo authentication to UAC prompts?
Available in version 4.1 and later, User Elevation adds Duo two-factor authentication to password-protected Windows UAC elevation attempts. By default, Duo UAC elevation protection is disabled. When enabled, Duo Authentication for Windows Logon will prompt for MFA on credentialed UAC elevation attempts.
You can enable and configure User Elevation during a clean install of Duo for Windows Logon by selecting the "Enable UAC Elevation Protection" option, followed by selecting your desired User Elevation configuration settings in the installer.
To enable and configure User Elevation after upgrading or installing v4.1.0 or later, use the Registry Editor (regedit.exe) with administrator privileges to create (or update) the following registry values:
Location: HKLM\SOFTWARE\Duo Security\DuoCredProv:
| Registry Value | Type | Description |
|---|---|---|
| ElevationProtectionMode | DWORD | Create this value and set to 0 to disable UAC protection and only prompt for Duo 2FA at login, 1 to enable Duo only for UAC protection (no Duo 2FA at login), or 2 to enable Duo 2FA for both logon and UAC. Default: 0 |
| ElevationOfflineEnable | DWORD | Create this value and set to 0 to disable offline access for UAC elevation, or 1 to enable offline access for UAC elevation. Requires offline access enabled and ElevationProtectionMode set to 1 or 2. Default: 1 |
| ElevationOfflineEnrollment | DWORD | Create this value and set to 0 to permit enrollment in offline access during UAC elevation, or 1 to disable enrollment in offline access during UAC elevation. Requires offline access enabled and ElevationProtectionMode set to 1 or 2. Default: 1 |
How do I enable User Account Control credentialed elevation in Windows?
User Account Control (UAC) protects Windows systems and users from malicious software by prompting for additional approval before running an application with administrator privileges. Duo Authentication for Windows Logon v4.1.0 and later optionally adds two-factor authentication to password-protected UAC prompts. If you've enabled Duo User Elevation but you're only getting asked to approve UAC elevation requests ("Prompt for consent"), and aren't required to enter your Windows password to approve the elevation request, you won't be prompted for Duo when approving the UAC elevation request either.
You can configure User Account Control to require a password to approve elevation requests via registry edit or local/domain Group Policy.
To require password entry for UAC elevation with the Registry Editor, launch regedit.exe with administrator privileges to create (or update) the following registry values:
Location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System:
| Registry Value | Type | Description |
|---|---|---|
| ConsentPromptBehaviorAdmin | DWORD | Create this value and set to 1 to prompt administrators for credentials on the secure desktop (recommended), or 3 to prompt administrators for credentials on the interactive desktop. |
| ConsentPromptBehaviorUser | DWORD | Create this value and set to 1 to prompt standard users for credentials on the secure desktop (recommended), or 3 to prompt standard users for credentials on the interactive desktop. |
To require password entry for UAC elevation with Group Policy, enable the following policy settings with Group Policy Management Console (gpmc.msc) or local Group Policy Editor (gpedit.msc):
Location: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options
| Policy Setting | Description |
|---|---|
| User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Set to Prompt for credentials on the secure desktop or Prompt for credentials. |
| User Account Control: Behavior of the elevation prompt for standard users | Set to Prompt for credentials on the secure desktop or Prompt for credentials. |
Please refer to User Account Control Group Policy and registry key settings for additional information about UAC settings.
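The two User Elevation questions above interact: Duo only prompts on elevations that already require a password. The following added example (not Duo's or Microsoft's code) reads ElevationProtectionMode and the two ConsentPromptBehavior values and reports whether a Duo prompt will actually occur for administrators and for standard users, then offers a setter for the recommended combination. The value names and meanings are the FAQ's; the Windows defaults assumed when a value is absent (5 for ConsentPromptBehaviorAdmin, 3 for ConsentPromptBehaviorUser) are the documented Windows defaults, not from this page.

```powershell
# Added example (not Duo's or Microsoft's code). Audits whether Duo User
# Elevation will prompt, given the Windows UAC prompt behaviour.
$DuoKey    = 'HKLM:\SOFTWARE\Duo Security\DuoCredProv'
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-RegValueOrDefault {
    param([string] $Path, [string] $Name, $Default)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return $item.$Name
}

function Test-DuoUacElevation {
    $mode  = Get-RegValueOrDefault $DuoKey    'ElevationProtectionMode'    0   # FAQ default
    $admin = Get-RegValueOrDefault $PolicyKey 'ConsentPromptBehaviorAdmin' 5   # Windows default (assumed)
    $user  = Get-RegValueOrDefault $PolicyKey 'ConsentPromptBehaviorUser'  3   # Windows default (assumed)

    $duoOnForUac = $mode  -in 1, 2   # FAQ: 1 = UAC only, 2 = logon and UAC
    $adminCreds  = $admin -in 1, 3   # FAQ: 1/3 = prompt for credentials (secure/interactive desktop)
    $userCreds   = $user  -in 1, 3

    $finding = if (-not $duoOnForUac) {
        'ElevationProtectionMode is 0: Duo never prompts on UAC elevation.'
    } elseif (-not $adminCreds) {
        "ConsentPromptBehaviorAdmin=$admin is consent-only: administrators approve elevation without a password, so Duo is skipped for them."
    } else {
        'Credentialed elevation is enforced; Duo prompts on UAC elevation.'
    }

    [pscustomobject]@{
        ElevationProtectionMode    = $mode
        ConsentPromptBehaviorAdmin = $admin
        ConsentPromptBehaviorUser  = $user
        DuoPromptsAdmins           = ($duoOnForUac -and $adminCreds)
        DuoPromptsStandardUsers    = ($duoOnForUac -and $userCreds)
        Finding                    = $finding
    }
}

function Enable-DuoUacElevation {
    # The combination the FAQ recommends: Duo for logon and UAC, credentials on the secure desktop.
    # GPO-managed Duo or UAC settings override these writes, as the FAQ notes.
    Set-ItemProperty -Path $DuoKey    -Name 'ElevationProtectionMode'    -Value 2 -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name 'ConsentPromptBehaviorAdmin' -Value 1 -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name 'ConsentPromptBehaviorUser'  -Value 1 -Type DWord
    Test-DuoUacElevation
}

Test-DuoUacElevation | Format-List
```

The Finding field is the useful output for a compliance check: a host reporting "consent-only" has Duo User Elevation switched on but not effective for administrators, which is exactly the misconfiguration the second question above describes.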
How do I enable remembered devices for Windows Logon?
Duo MFA, Access, and Beyond customers can apply a remembered devices policy to their Microsoft RDP Duo applications with the Remember devices for Windows Logon setting enabled and set to the number of hours or days desired.
Duo Authentication for Windows Logon version 4.2.0 and later will apply this policy setting to online authentications at the local console, offering the "Remember me" option in the prompt.
Earlier versions of Duo Authentication for Windows Logon must be upgraded to v4.2.0 or later to apply this feature.
Can remembered devices be used over RDP (Remote Desktop Protocol) connections?
No, RDP logins will not see the option to remember the device in the Duo for Windows 2FA prompt. Consider applying an authorized networks policy to the Duo Microsoft RDP application to minimize interactive Duo authentication for RDP users.
Do offline sessions work with remembered devices?
No, a trusted device session created with the "Remember me" option during online Duo authentication does not maintain the trusted session for offline access, and an offline access login will not show the option to remember the device.
How are local trusted sessions created by the remembered device option invalidated or revoked?
An existing device trust session ends under any of the following conditions:
- Changes to the operating system session state: When initialized, the Duo credential provider determines if the Windows logon type is a workstation unlock or a new logon session. A new logon session will require Duo multi-factor authentication (MFA), and subsequent workstation unlocks bypass interactive MFA for the duration of the "Remember me" session.
- Change to network location: At each logon authentication attempt Duo snapshots and compares the network state of the user's device to determine whether it differs from the most recent network used to create a local trusted session. If the network state has changed, Duo prompts for interactive MFA.
- Use of offline authentication: If a user logs in to or unlocks the workstation with Duo offline access, Duo prompts for interactive MFA at the next online login.
- User action: If a user clicks the "Cancel" button during login of a local trusted session, Duo prompts for interactive MFA.
- Policy change: If a Duo administrator removes the remembered devices policy from the Duo Microsoft RDP application or edits the policy to disable the "Remember devices for Windows Logon" setting, at the next logon or workstation unlock the local Duo application applies the policy change and prompts for interactive MFA.
- Registry edit: The trusted session created by remembering the device adds a registry key at HKLM\Software\Duo Security\DuoCredProv\Users\<UserSID>. If that registry key for a user is deleted, Duo prompts for interactive MFA.
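Both the offline-activation questions earlier ("How many users can enroll in offline access" and "How can I remove a user's existing offline activation") and the trusted-session revocation described in the last bullet come down to reviewing and deleting per-user subkeys under DuoCredProv. The following added example (not Duo's code) serves both: it lists offline activations against OfflineMaxUsers, lists remembered-device sessions under Users\<SID> with the SID resolved to an account name, revokes either kind of key on request, and pulls the "Remembered Device" entries from duo.log that the logging question below mentions. It relies only on the key paths, value names and log path the FAQ gives.

```powershell
# Added example (not Duo's code). Reviews and revokes per-user offline
# activations and remembered-device trust sessions from the DuoCredProv key.
$DuoKey     = 'HKLM:\SOFTWARE\Duo Security\DuoCredProv'
$OfflineKey = "$DuoKey\Offline"
$UsersKey   = "$DuoKey\Users"
$DuoLog     = Join-Path $env:ProgramData 'Duo Security\duo.log'

function Get-DuoOfflineActivation {
    # Each subkey under ...\Offline includes the enrolled username (per the FAQ).
    $max = (Get-ItemProperty -Path $DuoKey -Name 'OfflineMaxUsers' -ErrorAction SilentlyContinue).OfflineMaxUsers
    if ($null -eq $max) { $max = 5 }                       # FAQ default
    $keys = @(Get-ChildItem -Path $OfflineKey -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Enrolled = @($keys | ForEach-Object PSChildName)
        Count    = $keys.Count
        MaxUsers = $max
        AtLimit  = ($keys.Count -ge $max)                  # next enrollment attempt will fail
    }
}

function Remove-DuoOfflineActivation {
    # Deletes the entire key whose name includes the username; the user must
    # re-activate offline access at their next online login.
    param([Parameter(Mandatory)] [string] $UserName)
    $match = @(Get-ChildItem -Path $OfflineKey -ErrorAction SilentlyContinue |
               Where-Object { $_.PSChildName -like "*$UserName*" })
    foreach ($k in $match) { Remove-Item -Path $k.PSPath -Recurse -Force }
    return $match.Count
}

function Get-DuoTrustedSession {
    # Remembered-device sessions live under Users\<SID>; resolve the SID for review.
    Get-ChildItem -Path $UsersKey -ErrorAction SilentlyContinue | ForEach-Object {
        $sid = $_.PSChildName
        try {
            $account = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
                           [System.Security.Principal.NTAccount]).Value
        } catch { $account = '(unresolved SID)' }
        [pscustomobject]@{ Sid = $sid; Account = $account; Key = $_.PSPath }
    }
}

function Revoke-DuoTrustedSession {
    # Deleting the per-SID key forces interactive MFA at the user's next logon or unlock.
    param([Parameter(Mandatory)] [string] $Sid)
    $path = "$UsersKey\$Sid"
    if (Test-Path $path) { Remove-Item -Path $path -Recurse -Force; return $true }
    return $false
}

function Get-DuoRememberedDeviceLogon {
    # Recent duo.log lines where the logon was satisfied by a remembered device.
    param([int] $Last = 20)
    if (-not (Test-Path $DuoLog)) { return @() }
    Select-String -Path $DuoLog -Pattern 'Remembered Device' |
        Select-Object -Last $Last | ForEach-Object Line
}

Get-DuoOfflineActivation
Get-DuoTrustedSession | Format-Table -AutoSize
Get-DuoRememberedDeviceLogon -Last 5
# Revocation calls, run deliberately:
# Remove-DuoOfflineActivation -UserName 'jdoe'      # placeholder username
# Revoke-DuoTrustedSession   -Sid 'S-1-5-21-...'    # placeholder SID
```

For incident response the two Get-* functions are the ones to script: an unresolved SID under Users\ (an account that no longer exists) or an offline activation for a departed user is something to clean up rather than leave in place.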
What logging is available for device authentication during a trusted session?
Duo records logins authenticated as a local trusted session in the Admin Panel Authentication Log with "Remembered Device" as the second factor. The local Windows Logon client log, found at %PROGRAMDATA%\Duo Security\duo.log, also shows the authentication type for the logon action as a "Remembered Device".
Troubleshooting
Using the Support Tool
If you open a case with Duo Support for an issue involving Duo Authentication for Windows Logon (RDP), your support engineer will need you to submit your registry configuration, recent debug log output demonstrating the issue, and other system configurations. Sensitive data, such as your Duo application's SKEY, should not be sent to support.
We've made collecting troubleshooting information easy with a script that gathers all the necessary files, scrubs them of sensitive data, and creates a zip package ready for you to send to Duo Support. The script is included in version 4.0.6 and later at C:\Program Files\Duo Security\WindowsLogon\Winlogon-Diag.ps1. The support script is also available for download here.
The support tool performs the following actions:
- Runs Invoke-WebRequest to determine if a connection to Duo is available.
- Creates a zip file that contains all of the collected data.
- Captures the following data:
  - Installed version and if it is deployed with GPO configuration.
  - Debug status.
  - Host data to DuoSupport.log:
    - Hostname
    - Username
    - Domain
    - System/Browser proxy settings
    - Operating system version, build and bit
    - Bitlocker status
    - AV product
    - TPM availability
    - Timezone
  - Exports list of all credential providers and filter from registry to credprov.txt in zip file.
  - Copies C:\ProgramData\Duo Security\duo.log to zip file.
  - Exports Duo Registry keys from HKLM\Software\Duo Security\DuoCredProv to DuoSupport.log in zip file (excluding your SKEY).
  - Exports Duo Offline Registry keys from HKLM\Software\Duo Security\DuoCredProv\Offline to DuoSupport.log in zip file.
  - Optional: Export Application and/or Security Event logs to zip file.
- Saves the zip file to the current CMD location or chosen directory as DuoSupport-year-month-date-time.zip.
  - For example: On Windows, the support file would be C:\SupportScript\DuoSupport2019-06-06-04-28-17.zip.
Additional PowerShell command options
| Setting | Description |
|---|---|
| -duodebug | Default is off; $true only enables debug in registry; $false only disables debug in registry. |
| -out | Sets the preferred log path; defaults to Desktop if not set. |
| -eventlogs | Exports application and/or security logs. Options: all, application, security |
| -days | Defines a selected number of days to export from both Duo native logs and event logs. |
| -tls | Exports Client TLS settings from registry. |
Running the Support Tool
Here's an example of how you can use the Support Tool. In this example, debug is enabled, and security event logs from the last 2 days are exported.
1. Open an administrative PowerShell command-line session on the system where Duo is installed.
2. Enable debug:
   PS C:\>.\Winlogon-Diag.ps1 -duodebug $true
3. Reproduce the Duo issue you are experiencing.
4. Run the script to export the logs:
   PS C:\>.\Winlogon-Diag.ps1 -out C:\testing -eventlogs security -days 2
5. Disable debug:
   PS C:\>.\Winlogon-Diag.ps1 -duodebug $false
Why am I unable to log in to Windows after installing Duo?
In order for the Duo service to properly authenticate a Windows user account, the username in Windows must match the username in the Duo account. If you receive the message "The Duo native Windows client does not currently support unknown users" or "The username you have entered is not enrolled with Duo Security" then the account you are using to log into Windows does not match an enrolled Duo user.
- Log in to the Duo Admin Panel and make sure that you've added a user with a username that matches the Windows username.
- You will also need to manually enroll this user's phone number so that the user can receive passcodes or phone calls, which are needed in order to authenticate.
- Once the user's phone number has been added you may optionally install and enroll the Duo Mobile smartphone app, which will enable the "push" functionality for an RDP login.
- Now attempt to log in to Windows again.
If you receive the message "Unknown devices are not permitted by your administrator" then a Duo policy may be restricting your Windows system or 2FA approval device.
Please review your global policy, as well as any policies associated with your "RDP" application in the Duo Admin Panel. Usually, issues occur with application or global policies that restrict allowed authentication methods or restrict operating systems by blocking access from Windows or specific Windows versions.
Users receive the error "Logon failure: the user has not been granted the requested logon type at this computer" when attempting to log in.
This error may be seen in Duo Windows Logon version 1.1.5 or later. Ensure that the users have been delegated the "Allow log on locally" right for console logins, or have been delegated both the "Allow log on locally" and "Allow log on through Remote Desktop Connection" rights in the computer's local or domain-level security policy. Please see the Group Policy Settings Reference for Windows and Windows Server for more information about these user rights assignments.
When logging in via Remote Desktop, my authentication is accepted but the Remote Desktop session is disconnected. How do I fix this?
You can increase the logon timeout if extra time is needed to complete authentication (for example, if users must type in a hardware token passcode). Create a new registry DWORD value HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\LogonTimeout and set it to a decimal value greater than 60. You may need to cycle the TermService service or restart Windows to recognize the change.
To increase the Remote Desktop logon timeout for multiple computers joined to an Active Directory domain with Group Policy, add the HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\LogonTimeout value to a GPO (Group Policy Object) as a registry preference item. Please see "Configure a Registry Item" at the Microsoft TechNet site for more information.
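To check the user rights assignments named above on a given machine without opening the policy editor, the following added example (not Duo's or Microsoft's code) exports the local security database with secedit and parses the two rights by their Windows internal privilege names, SeInteractiveLogonRight (shown as "Allow log on locally") and SeRemoteInteractiveLogonRight (the Remote Desktop logon right); those internal names are standard Windows identifiers, not from this page. It reports direct assignments only and does not expand membership of the groups it lists.

```powershell
# Added example (not Duo's or Microsoft's code). Lists who holds the two
# logon rights the FAQ refers to, from a secedit export of local policy.
function Convert-PolicyEntry {
    # secedit writes SIDs prefixed with '*'; plain names are written as-is.
    param([string] $Entry)
    if ($Entry.StartsWith('*')) {
        try {
            return (New-Object System.Security.Principal.SecurityIdentifier($Entry.Substring(1))).Translate(
                       [System.Security.Principal.NTAccount]).Value
        } catch { return $Entry }     # SID of a deleted or foreign account stays as a SID
    }
    return $Entry
}

function Get-LogonRightAssignment {
    $inf = Join-Path $env:TEMP 'logon-rights-export.inf'
    & secedit.exe /export /cfg $inf /quiet | Out-Null
    try {
        $lines = Get-Content -Path $inf
    } finally {
        Remove-Item -Path $inf -Force -ErrorAction SilentlyContinue
    }
    $rights = @{}
    foreach ($name in 'SeInteractiveLogonRight', 'SeRemoteInteractiveLogonRight') {
        # Lines look like: SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
        $line = $lines | Where-Object { $_ -match "^$name\s*=" } | Select-Object -First 1
        $entries = if ($line) { ($line -split '=', 2)[1] -split ',' } else { @() }
        $rights[$name] = @($entries | ForEach-Object { Convert-PolicyEntry $_.Trim() } | Where-Object { $_ })
    }
    return $rights
}

function Test-LogonRight {
    # Reports whether an account or group name appears directly in each right.
    param([Parameter(Mandatory)] [string] $Account)
    $rights = Get-LogonRightAssignment
    [pscustomobject]@{
        Account            = $Account
        AllowLogOnLocally  = ($rights['SeInteractiveLogonRight']       -contains $Account)
        AllowRemoteDesktop = ($rights['SeRemoteInteractiveLogonRight'] -contains $Account)
        LocalHolders       = ($rights['SeInteractiveLogonRight']       -join ', ')
        RemoteHolders      = ($rights['SeRemoteInteractiveLogonRight'] -join ', ')
    }
}

Test-LogonRight -Account 'BUILTIN\Remote Desktop Users' | Format-List
```

When the user's group is absent from both lists the "requested logon type" error is expected regardless of Duo; when it is present only in the Remote Desktop list, console logons will still fail, which matches the FAQ's requirement that console users hold "Allow log on locally".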
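The single-machine fix above, as an added example (not Duo's or Microsoft's code) that enforces the bounds the FAQ states (a DWORD, decimal, greater than 60) and makes the TermService restart an explicit choice, since restarting it disconnects every active Remote Desktop session. The upper bound of 3600 seconds is this example's own sanity limit, not a Windows or Duo constraint.

```powershell
# Added example (not Duo's or Microsoft's code). Sets and reads the RDP
# LogonTimeout value described in the FAQ.
$RdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RdpLogonTimeout {
    $v = (Get-ItemProperty -Path $RdpKey -Name 'LogonTimeout' -ErrorAction SilentlyContinue).LogonTimeout
    if ($null -eq $v) { return 'not set (Windows default applies)' }
    return $v
}

function Set-RdpLogonTimeout {
    param(
        # FAQ: must be greater than 60; 3600 is this example's upper sanity limit.
        [Parameter(Mandatory)] [ValidateRange(61, 3600)] [int] $Seconds,
        [switch] $RestartTermService
    )
    Set-ItemProperty -Path $RdpKey -Name 'LogonTimeout' -Value $Seconds -Type DWord
    if ($RestartTermService) {
        Write-Warning 'Restarting TermService disconnects all active Remote Desktop sessions.'
        Restart-Service -Name TermService -Force
    } else {
        Write-Host 'Value written; cycle TermService or reboot for it to take effect.'
    }
    return Get-RdpLogonTimeout
}

Get-RdpLogonTimeout
Set-RdpLogonTimeout -Seconds 120
```

For domain-wide rollout use the Group Policy registry preference item the FAQ describes rather than running this on each host; the read-back function is still handy for confirming the preference applied.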
Additional Troubleshooting
Need more help? Try searching our Windows Logon Knowledge Base articles or Community discussions. For further help, contact Support.
Source: https://duo.com/docs/rdp-faq