⛔️ Devices + MFA with Duo

This article explains how to set up Duo Security on a laptop. This will cover both local logins and RDP sessions; however, remember that this will affect all logins to the laptop or device, so all users must be active in Duo before you continue and jump straight to the install.

Duo Account

First you need a Duo account. If you are testing, they have a free account that allows 10 users to log in; the payment for this is on the users. Obviously, with the free account you get the basics and no "frills".

This guide will not cover creating an account, that is simple; however, it will cover certain aspects of the account settings.

Duo Admin Login

First you need to navigate to the Duo website which is here - then you need the Admin Login in the upper right corner...

You then need to log in with your e-mail and password.

Then you need to choose your MFA method. This should be Duo Push, which is a notification to a phone when unlocked and authenticated. If you have not set this up yet you will get Text and Call; for this you will need to enter the code in the Passcode box.

Add a user to Duo

Next you need to add a user, for that from the menu choose Users then Add User as below:

Then you need the e-mail of the user who will be using the device, enter it and then choose Add user...

You will then end up here, notice the warning about enrollment....

So let's scroll down to the e-mail section, enter the e-mail and then ensure the Status is "Active"

Scroll down a little more and hit the save button as below:

Then scroll back up to the top and choose "Send Enrollment Email"

Duo : Confirm Account

Once you get the confirmation notification that the e-mail is sent, check that mailbox and you will get an enrollment e-mail with a link in it. Click this link to start enrollment....

This will start the enrollment as below:

You require mobile phone enrollment for this user. If you are playing around with mobile devices (mainly Apple) choose Touch ID - this is not covered in this guide.

Then you will need the mobile phone number as below:

Then you get some options, nice. Here you need to choose between a call and a text. I have done this as a text but this is up to you, all you need to do is choose one, as isn't the issue choice all the time?

Once you enter this code you will move on to the last section, where you need to choose the option below, to use Duo Push

You will then get some confetti, yayyy, let's move on.......

Duo : Check Enrollment Completed ✔️ 

Then go back to the Admin panel, then choose Users and click Users as shown below, right before Add User; this will take you back to the user list....

Then find the user you just created and click on the username you entered earlier...

Once this is displayed, scroll down until you see this section and you should see your enrollment is healthy and your phone is listed below; if so, all done.

Create the Group

Now you have the account set up and verified. You will need to create a group which will then be assigned to the user we created earlier. Remember, Duo is about identity for access.

So you need to Add a Group as below:

Then give it a name. Here we will use the name of the application to keep this simple; however, you may need to use your corporate requirements or standards. Then give a description if required, then click "Add group" as below:

This will then confirm that the group has been created as you can see below:

Now you need to scroll down until you see the users section, when you find it click the option to add users to the group as below: 

Then find the user you created earlier; clicking in the field will show all the users. Once selected, click the Add button on the right as below:

Then confirm the user is indeed added as below....

Add the Application

Now you need to add the application, or in this case the Windows RDP application, so for this you need Protect an Application as below:

Then in Protect an Application type Windows and notice that you get the Microsoft RDP; this is the one you require for this guide.....

Choose the protect option on the right as below:

This will then enter the RDP integration, here we can see the Integration Key, Secret Key and API Hostname - you will need the options later in the next section, however you will need to scroll down until you see

Once you find the setting you will need to enter a valid name and choose Simple username normalisation as below, this will change the application name from "Microsoft RDP" to what you enter here...

Once saved we need to set the Group Policy, which you can do from this panel, so let's get that sorted as we go!

Group Policy Creation

This is where you need to create the group policy for Duo, do not worry it's very simple, so after you click the "Add a policy"

You want a new policy here

Then you can do this from one screen: give the policy a name, then click new policy and choose Require Enforcement as you can see below, then click create Policy

This will return you to the "new" panel as below. Select the policy you just created and the group from earlier as below, then click Apply Policy

Then in the application panel you will see the application with the group policy applied to it as you can see below:

Add Application to Device

Now you need to add the software to the actual device. To complete this you need to use the reference here - note the tag here, this is important...

Be sure to read through these instructions before you download and install Duo for Windows Logon.

What this applies to on the device!

Local or domain account logins
Logins at the local console and/or incoming Remote Desktop (RDP) connections
Credentialed User Access Control (UAC) elevation requests (e.g. Right-click + "Run as administrator") 

Caveats to note and what is not supported

Shift + right-click "Run as different user"
PowerShell "Enter-PsSession" or "Invoke-Command" cmdlets
Non-interactive logons (i.e. Log on as a Service, Log on as Batch, Scheduled Tasks, drive mappings)
Pre-Logon Access Providers (PLAPs) such as Windows Always On VPN

What if I use BitLocker?

Ensure you have your BitLocker recovery key available in the event you need to boot into safe mode to uninstall Duo.

How does the Agent talk to Duo?

This application communicates with Duo's service on SSL TCP port 443 using TLS v1.2
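
A pre-install check for the requirement above, as an added example that is not part of the original guide or Duo's own tooling: it attempts a direct (no proxy) TLS 1.2 handshake on TCP 443 and reports the certificate issuer, so a blocked port or an inspecting proxy shows up before logins depend on it. The function name Test-DuoTls12 and the api-XXXXXXXX.duosecurity.com hostname are placeholders; substitute the API Hostname from your own application page.

```powershell
# Added example: confirm this machine can reach the Duo API host on TCP 443
# and complete a TLS 1.2 handshake before the agent is installed.
param(
    [string]$ApiHost   = 'api-XXXXXXXX.duosecurity.com',  # placeholder, not a real host
    [int]   $Port      = 443,
    [int]   $TimeoutMs = 5000
)

function Test-DuoTls12 {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs)

    $result = [ordered]@{
        Host = $HostName; TcpOpen = $false; Tls12 = $false
        CertSubject = $null; CertIssuer = $null; Error = $null
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Direct TCP connect with a timeout, so a silently dropped packet does not hang.
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { throw 'TCP connect timed out' }
        $client.EndConnect($async)
        $result.TcpOpen = $true

        # Offer TLS 1.2 only; default chain validation plus revocation checking apply.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $true)
        $result.Tls12 = ($ssl.SslProtocol -eq [System.Security.Authentication.SslProtocols]::Tls12)

        # An unexpected issuer here (e.g. a corporate inspection CA) means the
        # traffic is being intercepted on the way to Duo.
        $result.CertSubject = $ssl.RemoteCertificate.Subject
        $result.CertIssuer  = $ssl.RemoteCertificate.Issuer
        $ssl.Dispose()
    }
    catch   { $result.Error = $_.Exception.Message }  # includes certificate validation failures
    finally { $client.Close() }

    [pscustomobject]$result
}

Test-DuoTls12 -HostName $ApiHost -Port $Port -TimeoutMs $TimeoutMs | Format-List
```

If TcpOpen or Tls12 comes back False and you intend to disable FailOpen during the install, fix the network path first, since with FailOpen off a device that cannot reach Duo cannot log in.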

Install the Agent

If you are happy with the above, which I am for this guide, then you can download the agent, in this case from the link below:


Once you have the executable you will need to run it as an administrator 

Then you will get the welcome screen click next...

Then you need the API hostname, and if required you have the option for a proxy server.

Warning: If you are using a proxy server to connect to Duo, it needs to have native internet access because at this stage you will not be logged into the laptop, so if you have an SSO redirect for authentication you will need to NOT use this and have a method of connecting without a user token, user cookie or user interaction!!!

If you ignore the warning above, don't worry Duo will tell you that you have not followed those instructions like this:

When you get it right, you will get the next screen, where you will need the Integration Key and Secret key. Don't worry, I have just typed "random" keys on my keyboard for the details below, they are not my actual details at all, but if you wish to copy them you can - sure......

This proves the data you have here is fake, as you cannot continue the setup as it's invalid....

Now you get some options. I choose to disable FailOpen - which means if there is no internet there is no login, but for me I always have internet; for you, you may need to tick this box. Then you have the option to only protect RDP connections; I want all logins intercepted so this is unticked.....

If you use smart-cards, enable it here. I do not, so it's disabled for me:

Next you need the UAC activation protection options, here I want it enabled, and I do not want "Protect user Elevation Only" as I want all elevations intercepted, again company requirements here....

Then the last screen is to install, click Install to begin....

Once installed you will need to restart, then you will be protected by Duo and 2FA.
