https://community.cisco.com/t5/deployment-strategy/disable-duo-for-windows-local-admin/m-p/4879465#M73 <DIV class="duo-migrated-content"><P>Excellent suggestion, <A class="mention" href="https://community.duo.com/u/macolinob">@macolinob</A> ! Bypassing the local administrator account in the Duo Admin Panel (either via <A href="https://duo.com/docs/policy#authentication-policy" rel="noopener nofollow ugc">Policy</A> or setting the user to <A href="https://duo.com/docs/administration-users#changing-user-status" rel="noopener nofollow ugc">Bypass status</A>) can permit logon without 2FA.</P> <P>It may be a good idea to set your <A href="https://duo.com/docs/rdp-faq#how-can-i-configure-the-fail-mode?" rel="noopener nofollow ugc">Fail Mode</A> to <EM>open</EM> in the event the local administrator needs to log in while the server is offline since Duo’s cloud service needs to be accessible in order to perform the bypass. Enrolling in <A href="https://duo.com/docs/rdp#offline-access" rel="noopener nofollow ugc">Offline Access</A> may be a cumbersome process if multiple server admins need to log in with the local admin account at any given (offline) time. The ability to exempt users locally via the Duo for Winlogon client (from the above process) is not available at this time.</P></DIV> Mon, 29 Nov 2021 18:42:56 GMT DuoPablo 2021-11-29T18:42:56Z https://community.cisco.com/t5/deployment-strategy/disable-duo-for-windows-local-admin/m-p/4879462#M70 <DIV class="duo-migrated-content"><P>I am testing deploying to our fleet of Windows devices for our domain admin, server admin and maybe for RDP for regular users.</P> <P>We do leave the local admin account enabled on all systems and rotate the passwords weekly with LAPS.</P> <P>I can’t figure out how to exclude this account?</P></DIV> Sat, 20 Nov 2021 18:32:10 GMT https://community.cisco.com/t5/deployment-strategy/disable-duo-for-windows-local-admin/m-p/4879462#M70 LipidFault 2021-11-20T18:32:10Z https://community.cisco.com/t5/deployment-strategy/disable-duo-for-windows-local-admin/m-p/4879463#M71 <DIV class="duo-migrated-content"><P>Hi <A class="mention" href="https://community.duo.com/u/lipidfault">@LipidFault</A> ,</P> <P>Installing Duo Authentication for Windows Logon adds two-factor authentication to <STRONG>all</STRONG> interactive user Windows login attempts, whether via a local console or over RDP: <A href="https://duo.com/docs/rdp#important-notes" class="inline-onebox" rel="noopener nofollow ugc">Duo Authentication for Windows Logon and RDP | Duo Security</A>. At this time, there is no way to exclude certain accounts. Please also see <A href="https://help.duo.com/s/article/1088?language=en_US" class="inline-onebox" rel="noopener nofollow ugc">Knowledge Base | Duo Security</A>.</P> <P>Please feel free to submit a feature request asking for this functionality via your Account Executive, Customer Success Manager if applicable, or our Support Team.</P> <P>Thank you!</P></DIV> Mon, 22 Nov 2021 21:12:22 GMT https://community.cisco.com/t5/deployment-strategy/disable-duo-for-windows-local-admin/m-p/4879463#M71 DuoPablo 2021-11-22T21:12:22Z https://community.cisco.com/t5/deployment-strategy/disable-duo-for-windows-local-admin/m-p/4879464#M72 <DIV class="duo-migrated-content"><P>Why not make that user in Duo (example admin) and place them in a Duo group (example local admins) and set the group to bypass. Add that group to the RDP logon groups. That should allow that user to bypass Duo security. Does that make sense?</P></DIV> Wed, 24 Nov 2021 12:48:26 GMT https://community.cisco.com/t5/deployment-strategy/disable-duo-for-windows-local-admin/m-p/4879464#M72 macolinob 2021-11-24T12:48:26Z https://community.cisco.com/t5/deployment-strategy/disable-duo-for-windows-local-admin/m-p/4879465#M73 <DIV class="duo-migrated-content"><P>Excellent suggestion, <A class="mention" href="https://community.duo.com/u/macolinob">@macolinob</A> ! Bypassing the local administrator account in the Duo Admin Panel (either via <A href="https://duo.com/docs/policy#authentication-policy" rel="noopener nofollow ugc">Policy</A> or setting the user to <A href="https://duo.com/docs/administration-users#changing-user-status" rel="noopener nofollow ugc">Bypass status</A>) can permit logon without 2FA.</P> <P>It may be a good idea to set your <A href="https://duo.com/docs/rdp-faq#how-can-i-configure-the-fail-mode?" rel="noopener nofollow ugc">Fail Mode</A> to <EM>open</EM> in the event the local administrator needs to log in while the server is offline since Duo’s cloud service needs to be accessible in order to perform the bypass. Enrolling in <A href="https://duo.com/docs/rdp#offline-access" rel="noopener nofollow ugc">Offline Access</A> may be a cumbersome process if multiple server admins need to log in with the local admin account at any given (offline) time. The ability to exempt users locally via the Duo for Winlogon client (from the above process) is not available at this time.</P></DIV> Mon, 29 Nov 2021 18:42:56 GMT https://community.cisco.com/t5/deployment-strategy/disable-duo-for-windows-local-admin/m-p/4879465#M73 DuoPablo 2021-11-29T18:42:56Z