
Duo Authentication for Windows Logon and RDP

Why is 2FA needed for Windows logon?

Cyber-attacks and intrusion attempts are now routine. Most businesses rely on computers for their work, so keeping those computers and their data safe is critical. You can add Duo Security to the computer logon as a second authentication factor. With this in place, even if your computer login credentials are compromised, your data stays protected because the attacker still has to get past one more security layer: your Duo 2FA.

 

What is Duo Authentication for Windows Logon?

Duo Authentication for Windows Logon adds Duo two-factor authentication to Windows desktop and server logins, both at the local console and incoming Remote Desktop (RDP) connections. Starting with version 4.1.0, you can optionally require two-factor authentication for credentialed User Access Control (UAC) elevation requests (e.g. Right-click + “Run as administrator”), depending on your organization’s Windows UAC configuration.

 

How to install and activate the Duo Authentication

1. Make sure your workstation matches the system requirements shown below

System Requirements

Duo Authentication for Windows Logon supports both client and server operating systems.

Clients:

  • Windows 8.1
  • Windows 10 (as of v1.1.8)

Servers (GUI and core installs):

  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016 (as of v2.1.0)
  • Windows Server 2019 (as of v4.0.0)

Ensure your system’s time is correct before installing Duo.

2. If you already have a Duo product, proceed to step 3. If not, follow the instructions here.

3. Click here to download the Duo Authentication for Windows Logon installer package.

If your workstation belongs to your company domain, it will request elevated permission for downloading. Please contact your IT department.

4. Sign in to the Duo Security admin portal, then go to Applications -> Protect an Application -> Search for RDP -> Click Protect for Microsoft RDP.

5. Go to Applications -> Microsoft RDP.

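The API Hostname, Integration Key and Secret Key shown on this page will be used when we configure the Duo Authentication for Windows Logon installer. Treat the Secret Key like a password and do not share it.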

 

6. Run the Duo Authentication for Windows Logon installer package downloaded in step 3.

 

a. Click on Next.

b. Copy the API Hostname shown in step 5 and paste it in, then click Next.

c. Copy the Integration Key and Secret Key shown in step 5 and paste them in, then click Next.

d. Keep the settings as default and click Next.

e. Keep the settings as default and click Next.

f. Keep the settings as default and click Next.
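
Before running the installer in step 6, the prerequisites from steps 1 and 5 (supported OS, correct system time, a working API hostname) can be checked from PowerShell. This is an added example, not part of the original article or Duo's own tooling; the placeholder hostname and the 60-second skew threshold are assumptions, and the check calls the unauthenticated /auth/v2/ping endpoint of Duo's Auth API.

```powershell
# Added example: pre-install checks. $ApiHost and $MaxSkewSeconds are assumptions.
param(
    [string]$ApiHost = 'api-XXXXXXXX.duosecurity.com',  # placeholder: API hostname from step 5
    [int]$MaxSkewSeconds = 60                            # assumed tolerance, not a Duo-published limit
)

# Operating systems listed under "System Requirements" on this page.
# "Windows Server 2012" also matches "Windows Server 2012 R2".
$supported = 'Windows 8.1', 'Windows 10', 'Windows Server 2012',
             'Windows Server 2016', 'Windows Server 2019'

# 1. OS check: the caption looks like "Microsoft Windows Server 2019 Standard".
$caption = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
$osOk = [bool]($supported | Where-Object { $caption -like "*$_*" })

# 2. Reachability and clock check in one unauthenticated request.
#    No integration key or secret key is needed, so none is stored in this script.
#    Older Windows PowerShell versions may not negotiate TLS 1.2 by default.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$reachable = $false
$skew = $null
try {
    $ping = Invoke-RestMethod -Uri "https://$ApiHost/auth/v2/ping" -TimeoutSec 10
    $reachable = ($ping.stat -eq 'OK')
    # The response carries the server time as Unix seconds; compare with the local clock.
    $epoch = [DateTime]::SpecifyKind([DateTime]'1970-01-01', [DateTimeKind]::Utc)
    $localUnix = [math]::Floor(([DateTime]::UtcNow - $epoch).TotalSeconds)
    $skew = [math]::Abs($localUnix - [long]$ping.response.time)
} catch {
    Write-Warning "Could not reach https://$ApiHost : $($_.Exception.Message)"
}

# Summary: every *Ok / *Reachable field should be True before installing.
[pscustomobject]@{
    OperatingSystem = $caption
    OsSupported     = $osOk
    ApiReachable    = $reachable
    ClockSkewSec    = $skew
    ClockOk         = ($null -ne $skew -and $skew -le $MaxSkewSeconds)
} | Format-List
```

With the placeholder hostname left unchanged, the request fails and ApiReachable and ClockOk report False.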

 

What is a Password-Protected UAC Prompt?

When a user tries to perform a task that only system administrators are allowed to do, Windows requires an administrative account credential for security purposes. If you want to enable Duo two-factor authentication for password-protected UAC (User Access Control) prompts, click on Enable UAC Elevation Protection.

 

Verify the Duo 2FA for Windows Logon and RDP

1. Sign out from Windows and try signing in. You will get this prompt when signing in.

2. You will get a login request on your phone. Click on Approve.

 

You are now good to go!

 

Troubleshooting

Why do I not get notifications on the Duo Mobile app when signing in?

Make sure you have installed the Duo Mobile app on your phone first. You can simply go to the App Store or Google Play Store, search for Duo Mobile, and install the app. If you have already installed it but still don't get the notification, check the 2FA device on the Duo Security admin portal.

Go to 2FA devices -> Your device -> Device Info

This problem is most often caused by Duo Mobile not having been activated from Device Info. Try signing in again after activating Duo Mobile. If it still doesn't work, please visit here for more information.

 

Why can’t I sign in and get this error message?

If you are not able to sign in and get the error message shown below, you probably didn't add an alias for your username on the Duo Security admin portal.

Go to Users -> Your name -> Username Aliases, then add your computer login username there.

 

 
