Duo | Windows Login

Enroll Users Before Installation

The Duo username (or username alias) should match the Windows username. When you create your new RDP application in Duo the username normalization setting defaults to "Simple", which means that the if the application sends the usernames "jsmith," "DOMAIN\jsmith," and "jsmith@domain.com" to Duo at login these would all resolve to a single "jsmith" Duo user.

Download Link

https://dl.duosecurity.com/duo-win-login-latest.exe
This is to be downloaded onto the computer you wish to connect to remotely.
e.g. Desktop in the office you want to remote into from home.

Run the Installer

(Guidance for silent installation via PS or Command line arguments)

1. Run the Duo Authentication for Windows Logon installer with administrative privileges.
   
2. When prompted, enter your API Hostname from the Microsoft RDP application's details page in the Duo Admin Panel and click Next. The installer verifies that your Windows system has connectivity to the Duo service before proceeding.
   
   When pasting use CTL+C or CMD+C
   
   
   
   
3. Enter your integration key and secret key from the Microsoft RDP application in the Duo Admin Panel and click Next again.
   
   
   
   
   
4. Leave defaults
   
   
   
   
5. Leave all options empty
   
   
   
   
6. Leave all options empty
   Our security agent has this covered
   
   
   
7. Click Next and then Install to complete Duo installation.
   

Network Diagram

1. RDP connection, console logon, or UAC elevation initiated
2. Primary authentication of Windows credentials (domain or local user)
3. Duo Windows Logon credential provider connection established to Duo Security over TCP port 443
4. Secondary authentication via Duo Security’s service
5. Duo Windows Logon credential provider receives authentication response
6. RDP or console session logged in

Reference: https://duo.com/docs/rdp