This article explains how to set up Duo Security on a laptop. It covers both local logins and RDP sessions; however, remember that this affects all logins to the laptop or device, so every user must be active in Duo before you skip ahead to the install.
Duo Account
First you need a Duo account. If you are testing, Duo offers a free account that allows 10 users to log in; pricing is per user, and obviously the free account gives you the basics and no "frills".
This guide will not walk through creating an account, that is simple, but it will cover certain aspects of the account settings.
Duo Admin Login
First you need to navigate to the Duo website, which is here - then you need the Admin Login in the upper right corner...
Then you need to choose your MFA method. This should be Duo Push, which is a notification to a phone once it is unlocked and authenticated; if you have not set this up yet you will get Text and Call, in which case you will need to enter the code in the Passcode box.
Then you need the e-mail address of the user who will be using the device. Enter it and then choose Add user...
You will then end up here, notice the warning about enrollment....
So let's scroll down to the e-mail section, enter the e-mail and then ensure the Status is "Active".
Scroll down a little more and hit the save button as below:
Then scroll back up to the top and choose "Send Enrollment Email".
This will start the enrollment as below:
You require mobile phone enrollment for this user. If you are playing around with mobile devices (mainly Apple) choose Touch ID - this is not covered in this guide.
Then you will need the mobile phone number as below:
Then you get some options, nice. Here you need to choose between a call and a text; I have done this as a text but this is up to you, all you need to do is choose one, as isn't the issue choice all the time?
Once you enter this code you will move on to the last section, where you need to choose the option below, to use Duo Push.
Duo : Check Enrollment Completed ✔️
Then go back to the Admin panel, choose Users and click the Users link as shown below, right before Add User; this will take you back to the user list....
Once this is displayed, scroll down until you see this section: your enrollment should show as healthy and your phone should be listed below. If so, all done.
So you need to Add a Group as below:
Then give it a name. Here we will use the name of the application to keep this simple, but you may need to follow your corporate requirements or standards. Then give a description if required and click "Add group" as below:
Now you need to add the application, in this case the Windows RDP application, so for this you need Protect an Application as below:
Then in the protect application search type Windows and notice that you get Microsoft RDP; this is the one you require for this guide.....
Choose the protect option on the right as below:
This will then open the RDP integration. Here we can see the Integration Key, Secret Key and API Hostname - you will need these later in the next section, however you will need to scroll down until you see
Once you find the setting you will need to enter a valid name and choose Simple username normalisation as below. This changes the application name from "Microsoft RDP" to whatever you enter here...
Once saved we need to set the Group Policy, which you can do from this panel, so let's get that sorted as we go!
You want a new policy here.
You can do this from one screen: give the policy a name, then click new policy and choose Require Enforcement as you can see below, then click Create Policy.
Be sure to read through these instructions before you download and install Duo for Windows Logon.
Logins at the local console and/or incoming Remote Desktop (RDP) connections
Credentialed User Access Control (UAC) elevation requests (e.g. Right-click + "Run as administrator")
What if I use Bit locker?
Ensure you have your BitLocker recovery key available in the event you need to boot into safe mode to uninstall Duo.
This application communicates with Duo's service on SSL TCP port 443 using TLS v1.2
Install the Agent
https://dl.duosecurity.com/duo-win-login-latest.exe
Once you have the executable you will need to run it as an administrator
Then you will get the welcome screen click next...
Then you need the API hostname and, if required, you have the option of a proxy server.
Warning: If you are using a proxy server to connect to Duo, it needs native internet access, because at this stage you will not be logged into the laptop. So if you have an SSO redirect for authentication you will need to NOT use this, and instead have a method of connecting with a user token, user cookie or user interaction!!!
If you ignore the warning above, don't worry Duo will tell you that you have not followed those instructions like this:
When you get it right, you will get the next screen, where you will need the Integration Key and Secret Key. Don't worry, I have just typed "random" keys on my keyboard for the details below; they are not my actual details at all, but if you wish to copy them you can - sure......
This proves the data shown here is fake, as you cannot continue the setup because it is invalid....
Now you get some options. I choose to disable FailOpen, which means that if there is no internet there is no login; for me that is fine because I always have internet, but you may need to tick this box. Then you have the option to only protect RDP connections; I want all logins intercepted, so this is unticked.....
Next you need the UAC elevation protection options. Here I want it enabled, and I do not want "Protect user Elevation Only" as I want all elevations intercepted; again, this comes down to company requirements....
Then the last screen is to install, click Install to begin....
Once installed you will need to restart, then you will be protected by Duo and 2FA.
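After the restart it is worth confirming that the installer actually applied the choices made above (fail closed, all logins rather than RDP only, UAC elevation protected) and that the laptop can still reach the API hostname on TCP 443 with TLS 1.2 without a logged-in user. The following PowerShell check is an added example, not Duo's own tooling; the registry path `HKLM:\SOFTWARE\Duo Security\DuoCredProv` and the value names `Host`, `FailOpen`, `RdpOnly` and `UAC_ProtectMode` (with 1 assumed to mean "protect all elevations") are assumptions to verify against your installed version.

```powershell
# Post-install check for Duo for Windows Logon. Run as administrator after the reboot.
# ASSUMPTION: the agent keeps its settings under this key with these value names.
$DuoKey = 'HKLM:\SOFTWARE\Duo Security\DuoCredProv'

# The settings this guide chose: fail closed, intercept all logins, protect all elevations.
$Expected = @{
    FailOpen        = 0   # 0 = no internet means no login (FailOpen unticked)
    RdpOnly         = 0   # 0 = local console logins are intercepted as well as RDP
    UAC_ProtectMode = 1   # ASSUMPTION: 1 = all elevations, not "user elevation only"
}

function Test-DuoConfig {
    if (-not (Test-Path $DuoKey)) {
        Write-Warning "Duo registry key not found at $DuoKey - is the agent installed?"
        return $false
    }
    $cfg = Get-ItemProperty -Path $DuoKey
    $ok = $true
    foreach ($name in $Expected.Keys) {
        $actual = $cfg.$name
        if ($actual -ne $Expected[$name]) {
            Write-Warning ("{0}: expected {1}, found {2}" -f $name, $Expected[$name], $actual)
            $ok = $false
        } else {
            Write-Host ("{0} = {1} (ok)" -f $name, $actual)
        }
    }
    return $ok
}

function Test-DuoConnectivity {
    param([string]$ApiHost)
    # The agent talks to Duo on TCP 443 with TLS 1.2 from the logon screen, before any
    # user session exists, so a proxy that needs SSO or interactive sign-in breaks logins.
    if (-not (Test-NetConnection -ComputerName $ApiHost -Port 443 -InformationLevel Quiet)) {
        Write-Warning "No TCP 443 path to $ApiHost"; return $false
    }
    try {
        $client = [System.Net.Sockets.TcpClient]::new($ApiHost, 443)
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream())
        $ssl.AuthenticateAsClient($ApiHost, $null, [System.Security.Authentication.SslProtocols]::Tls12, $true)
        Write-Host ("TLS handshake ok with {0}: {1}" -f $ApiHost, $ssl.SslProtocol)
        return $true
    } catch {
        Write-Warning "TLS 1.2 handshake to $ApiHost failed: $_"; return $false
    } finally {
        if ($ssl) { $ssl.Dispose() }; if ($client) { $client.Dispose() }
    }
}

$apiHost = (Get-ItemProperty -Path $DuoKey -ErrorAction SilentlyContinue).Host
if ($apiHost) { Test-DuoConfig; Test-DuoConnectivity -ApiHost $apiHost } else { Test-DuoConfig }
```

If `Test-DuoConfig` reports `FailOpen` as 1 on a device you intended to fail closed, re-run the installer rather than editing the registry by hand, so the change is recorded the same way as the original install.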