Duo integrates with Microsoft Windows client and server operating systems to add two-factor authentication to Remote Desktop and local logins.
- Installing Duo’s Windows Logon protection adds two-factor authentication to all Windows login attempts, whether via a local console or over RDP, unless you select the “Only prompt for Duo authentication when logging in via RDP” option in the installer. If two-factor is enabled for both RDP and console logons, it may be bypassed by restarting Windows into Safe Mode (e.g. in case of a configuration error). If you wish to protect local console logins with Duo, please see the FAQ for some guidance on securing your Windows installation appropriately.
- Duo’s protection for Windows Logon doesn’t support inline self-service enrollment. We recommend using bulk enrollment to send your users unique self-enrollment links via email. Read the enrollment documentation to learn more.
- Additional configuration may be required to log in using a Microsoft attached account. See Can I Use Duo with a Microsoft Account? for more information.
This integration communicates with Duo’s service on TCP port . Also, we do not recommend locking down your firewall to individual IP addresses, since these may change over time to maintain our service’s high availability.
This installer may also need to send an outgoing request on port 80 for root certificate validation.
Check your server versions before starting. This integration supports Windows Vista to Windows 10 clients and Windows server operating systems from 2008 to 2012 R2.
- Sign up for a Duo account.
- Log in to the Duo Admin Panel and create a new Microsoft RDP application to get an integration key, secret key, and API hostname. (See Getting Started for help.)
- Download the Duo RDP Installer Package:
Enroll a User
Run the Installer
Run the installer with administrative privileges to run it. Accept the license agreement and enter your integration key, secret key, and API hostname when prompted:
Test Your Setup
To test your setup, attempt to log in to your newly-configured system as the user you enrolled in the previous step.
When auto-push is enabled (the default option), a popup will appear notifying you that a login request has been pushed to your phone.
If auto-push is disabled or if you click the Cancel button on the auto-push dialog, a popup will appear asking for a Duo passcode (either generated with Duo Mobile, sent via SMS, or generated with a hardware token).
Alternatively, type “push” into the “Duo Passcode” box to use Duo Push.
Here’s a full list of what you can type into the “Duo Passcode” box:
|A passcode||Log in using a passcode, either generated with Duo Mobile, sent via SMS (include the first letter), generated by your hardware token, or provided by an administrator.|
Perform Duo Push authentication
You can use Duo Push if you’ve installed Duo Mobile on your device and enrolled your account.
|“phone”||Perform phone callback authentication|
|“sms”||Send a new batch of SMS passcodes. Your authentication attempt will be denied. You can then authenticate with one of the newly-delivered passcodes.|
You can also specify a number after the factor name if you have more than one device enrolled. So you can enter phone2 or push2 if you have two phones enrolled.
Remember: if you find that the Credential Provider has locked you out of your Windows system (e.g. due to a configuration error), you can reboot into Safe Mode to bypass it.
- RDP connection initiated
- Primary authentication
- Duo RDP credential provider connection established to Duo Security over TCP port 443
- Secondary authentication via Duo Security’s service
- Duo RDP credential provider receives authentication response
- RDP session logged in