Log on as a Service, Log on as Batch, Scheduled Tasks, drive mappings, etc.)

Pre-Logon Access Providers (PLAPs) such as Windows Always On VPN.

Please review all these compatibility and installation notes before proceeding.

Installing Duo Authentication for Windows Logon adds two-factor authentication to all interactive user Windows login attempts, whether via a local console or over RDP, unless you select the "Only prompt for Duo authentication when logging in via RDP" option in the installer. If two-factor is enabled for both RDP and console logons, it may be bypassed by restarting Windows into Safe Mode (e.g.
If you wish to protect local console logons with Duo, please see the FAQ for some guidance on securing your Windows installation appropriately.

Additional configuration may be required to log in using a Microsoft attached account. See Can I Use Duo with a Microsoft Account? for more information.

Windows users must have passwords to log in to the computer. Users with blank passwords may not log in after Duo Authentication installation.

It's a good idea to have your BitLocker recovery key available in the event you need to boot into safe mode to uninstall Duo.

This application doesn't support Surface Pro X or other devices with ARM processors. Installing Duo for Windows Logon on these devices may block logins, requiring uninstallation from Safe Mode.

Review these Duo Knowledge Base articles for additional security recommendations:
How can I prevent an attacker with compromised administrative credentials from disabling Duo for Windows Logon and bypassing MFA?
Guide to Duo Authentication for Windows Logon and RDP Integration Security
Can Duo protect local console logins in Windows?

Duo application features like failmode, offline access, and UAC protection may be configured during installation or post-installation via Regedit or Group Policy.

This application communicates with Duo's service on SSL TCP port 443.

Firewall configurations that restrict outbound access to Duo's service with rules using destination IP addresses or IP address ranges aren't recommended, since these may change over time to maintain our service's high availability. If your organization requires IP-based rules, please review Duo Knowledge Base article 1337.

Effective June 30, 2023, Duo no longer supports TLS 1.0 or 1.1 connections or insecure TLS/SSL cipher suites. See Duo Knowledge Base article 7546 for additional guidance.

TLS Requirements

Effective June 30, 2023, Duo no longer supports TLS 1.0 or 1.1 connections or insecure TLS/SSL cipher suites. The current version of Duo for Windows Authentication supports TLS 1.2 when installed on a version of Windows that also supports and uses TLS 1.2 or higher. See the article Guide to TLS support for Duo applications and TLS 1.0 and 1.1 end of support for more information.

Ensure your system's time is correct before installing Duo.

System Requirements

Windows Versions

Duo Authentication for Windows Logon supports both client and server operating systems.

System Processor

Duo Authentication for Windows Logon does not support devices with ARM processors, like the Surface Pro X.

Duo Factor Support

Duo for Windows Logon supports these factor types for online two-factor authentication:

Hardware Token OTP passcodes (including Yubikey OTP).

U2F security key support is limited to Offline Access only.

Enroll Users Before Installation

Duo Authentication for Windows Logon doesn't support inline self-service enrollment for new Duo users. Unenrolled users, that is, users that do not yet exist in Duo with an attached 2FA device, must be created manually by an administrator, imported by an administrator or self-enrolled through another application which supports Duo’s self-service enrollment (see Test Your Setup) before those users can log in with Duo for Windows Logon. The Duo username (or username alias) should match the Windows username.
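
A read-only pre-installation check covering several of the notes above (ARM processor, TLS 1.2, local accounts without passwords, outbound TCP 443). This is an added example, not part of Duo's documentation or tooling. The function name and the `api-XXXXXXXX.duosecurity.com` hostname are placeholders, and the password check reports accounts that are permitted to have an empty password, not accounts confirmed to have one.

```powershell
# Added example (not Duo's code): pre-install checks for Duo for Windows Logon.
# Test-DuoLogonPrereq is a hypothetical name; $ApiHost is a placeholder that
# must be replaced with the API hostname of your own Duo application.
function Test-DuoLogonPrereq {
    param([string]$ApiHost = 'api-XXXXXXXX.duosecurity.com')

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Check, $Ok, $Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Pass = [bool]$Ok; Detail = $Detail })
    }

    # 1. ARM processors are unsupported.
    #    Win32_Processor.Architecture: 5 = ARM, 12 = ARM64.
    $arch = (Get-CimInstance Win32_Processor | Select-Object -First 1).Architecture
    Add-Finding 'Processor' ($arch -notin 5, 12) "Win32_Processor.Architecture = $arch"

    # 2. TLS 1.2 must not be switched off for the SCHANNEL client.
    #    A missing key means no override is set and the OS default applies.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
    $tls = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $off = ($tls.Enabled -eq 0) -or ($tls.DisabledByDefault -eq 1)
    $detail = if ($tls) { "Enabled=$($tls.Enabled) DisabledByDefault=$($tls.DisabledByDefault)" }
              else { 'no registry override, OS default applies' }
    Add-Finding 'TLS 1.2 client' (-not $off) $detail

    # 3. Enabled local accounts that are allowed to have no password.
    #    These users may be unable to log in once Duo is installed.
    $noPw = @(Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordRequired })
    Add-Finding 'Local passwords' ($noPw.Count -eq 0) ("Password not required for: " + ($noPw.Name -join ', '))

    # 4. Outbound TCP 443 to the Duo service.
    $net = Test-NetConnection -ComputerName $ApiHost -Port 443 -WarningAction SilentlyContinue
    Add-Finding 'Outbound 443' $net.TcpTestSucceeded "${ApiHost}:443"

    $findings
}

Test-DuoLogonPrereq | Format-Table -AutoSize
```

Any row with `Pass` set to `False` should be resolved before running the installer, since a blocked login may require uninstalling Duo from Safe Mode.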