<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: New User Enrollment with bypass codes in Managing Users</title>
    <link>https://community.cisco.com/t5/managing-users/new-user-enrollment-with-bypass-codes/m-p/5367509#M1540</link>
    <description>&lt;P&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1854823"&gt;@doGlooPA&lt;/a&gt;&amp;nbsp;Please read through&amp;nbsp;&lt;A href="https://help.duo.com/s/article/4518?language=en_US" target="_blank" rel="noopener"&gt;https://help.duo.com/s/article/4518?language=en_US&lt;/A&gt;&lt;BR /&gt;&lt;BR /&gt;"Note: Bypass codes are intended for temporary access. A user with only a bypass code configured and no other 2FA device is not considered to be enrolled with Duo. This user falls into the unenrolled category."&lt;/P&gt;
&lt;P&gt;Duo for Windows Logon is a client implementation of our AuthAPI. The post to the /preauth endpoint with the username is receiving an "enroll" response (ETA you can see this in the Duo Windows Logon log output in C:\ProgramData\DuoSecurity). That is why the user receives the message they do. This is distinct behavior from the web-based Duo Universal Prompt (Duo Web SDK) seen when accessing apps in a browser.&lt;/P&gt;
&lt;P&gt;If the users had any other factor attached then they would be considered "enrolled" and would be able to use the bypass code to log in.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;There is a really clunky but achievable way to do this: attach a dummy hardware token to the new user, and then they can log in to Windows with the bypass code. However, since attaching the dummy hardtoken makes the user "enrolled", emailed enrollment links won't work (they'll get an error saying they're already enrolled). At this point though, they would need to enter self-service device management in Duo Central or inline during auth to a non-SSO web application (using the bypass code to get in, so they would be blocked here if it's a one-time use bypass code). The really clunky part is that while they can add and remove almost any authentication method from the self-service device portal, they can't add or remove a hardware token. So, that dummy token would hang around attached to the user until you (or an Admin API process) removes it.&lt;/P&gt;
&lt;P&gt;Ideally you would have collected a user's mobile phone number as part of their onboarding process and put it in AD so that the sync to Duo can add the phone with that number to the new user. That way they could use it to log into Windows and anything else they might need after that.&lt;/P&gt;
&lt;P&gt;ETA there is an existing feature request to treat users with a bypass code as enrolled that would address this, as the AuthAPI would no longer return an "enroll" response for a user with only a bypass code. You may contact your Duo/Cisco account or customer success team (or Duo Support if you have neither) to upvote this or provide additional context.&lt;/P&gt;</description>
    <pubDate>Wed, 04 Feb 2026 15:53:33 GMT</pubDate>
    <dc:creator>DuoKristina</dc:creator>
    <dc:date>2026-02-04T15:53:33Z</dc:date>
    <item>
      <title>New User Enrollment with bypass codes</title>
      <link>https://community.cisco.com/t5/managing-users/new-user-enrollment-with-bypass-codes/m-p/5367188#M1525</link>
      <description>&lt;P&gt;In our environment we use Active Directory to import users into Duo. We use the login MFA application to provide MFA to our Windows devices. When new employees start, our plan was to create a one-time bypass code for their account so they can get into Windows and get to their email where their enrollment codes should be so they can enroll their phone in Duo.&amp;nbsp;&lt;BR /&gt;We just started this process but pretty sure it worked a few times previously. Currently though, it is not working. When a new user enters their password they are given a prompt in Windows to "Enroll an authentication device to proceed." They are not given an option to use the bypass code to bypass MFA. I am guessing that a bypass code is not considered a device so with no device set up, it stops there. I swear this worked a few times in testing but maybe there were other circumstances involved with the accounts.&amp;nbsp;&lt;BR /&gt;Any thoughts or ideas on how to get new users enrolled in our environment? My only other thought is to try to get a phone added to their accounts beforehand but that is difficult with new hires.&amp;nbsp;&lt;BR /&gt;Thanks!&lt;/P&gt;</description>
      <pubDate>Tue, 03 Feb 2026 18:11:44 GMT</pubDate>
      <guid>https://community.cisco.com/t5/managing-users/new-user-enrollment-with-bypass-codes/m-p/5367188#M1525</guid>
      <dc:creator>doGlooPA</dc:creator>
      <dc:date>2026-02-03T18:11:44Z</dc:date>
    </item>
    <item>
      <title>Re: New User Enrollment with bypass codes</title>
      <link>https://community.cisco.com/t5/managing-users/new-user-enrollment-with-bypass-codes/m-p/5367201#M1526</link>
      <description>&lt;P&gt;Is there any chance this enrollment is for offline use?&lt;/P&gt;</description>
      <pubDate>Tue, 03 Feb 2026 19:06:44 GMT</pubDate>
      <guid>https://community.cisco.com/t5/managing-users/new-user-enrollment-with-bypass-codes/m-p/5367201#M1526</guid>
      <dc:creator>Philip D'Ath</dc:creator>
      <dc:date>2026-02-03T19:06:44Z</dc:date>
    </item>
    <item>
      <title>Re: New User Enrollment with bypass codes</title>
      <link>https://community.cisco.com/t5/managing-users/new-user-enrollment-with-bypass-codes/m-p/5367209#M1527</link>
      <description>&lt;P&gt;No. Online enrollment. They would be prompted to create an offline token after using MFA the first time as we do allow offline logins.&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 03 Feb 2026 19:12:12 GMT</pubDate>
      <guid>https://community.cisco.com/t5/managing-users/new-user-enrollment-with-bypass-codes/m-p/5367209#M1527</guid>
      <dc:creator>doGlooPA</dc:creator>
      <dc:date>2026-02-03T19:12:12Z</dc:date>
    </item>
    <item>
      <title>Re: New User Enrollment with bypass codes</title>
      <link>https://community.cisco.com/t5/managing-users/new-user-enrollment-with-bypass-codes/m-p/5367212#M1528</link>
      <description>&lt;P&gt;This is all they get when logging on the first time.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DuoEnrollment.jpg" style="width: 756px;"&gt;&lt;img src="https://community.cisco.com/t5/image/serverpage/image-id/258970iBFB7CC955EA18A0E/image-size/large?v=v2&amp;amp;px=999" role="button" title="DuoEnrollment.jpg" alt="DuoEnrollment.jpg" /&gt;&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 03 Feb 2026 19:22:16 GMT</pubDate>
      <guid>https://community.cisco.com/t5/managing-users/new-user-enrollment-with-bypass-codes/m-p/5367212#M1528</guid>
      <dc:creator>doGlooPA</dc:creator>
      <dc:date>2026-02-03T19:22:16Z</dc:date>
    </item>
    <item>
      <title>Re: New User Enrollment with bypass codes</title>
      <link>https://community.cisco.com/t5/managing-users/new-user-enrollment-with-bypass-codes/m-p/5367215#M1529</link>
      <description>&lt;P&gt;Have you got bypass codes enabled under allowed authentication methods?&lt;/P&gt;
&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="PhilipDAth_0-1770146644224.png" style="width: 400px;"&gt;&lt;img src="https://community.cisco.com/t5/image/serverpage/image-id/258971iC17F0D626ECB5498/image-size/medium?v=v2&amp;amp;px=400" role="button" title="PhilipDAth_0-1770146644224.png" alt="PhilipDAth_0-1770146644224.png" /&gt;&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 03 Feb 2026 19:25:17 GMT</pubDate>
      <guid>https://community.cisco.com/t5/managing-users/new-user-enrollment-with-bypass-codes/m-p/5367215#M1529</guid>
      <dc:creator>Philip D'Ath</dc:creator>
      <dc:date>2026-02-03T19:25:17Z</dc:date>
    </item>
    <item>
      <title>Re: New User Enrollment with bypass codes</title>
      <link>https://community.cisco.com/t5/managing-users/new-user-enrollment-with-bypass-codes/m-p/5367216#M1530</link>
      <description>&lt;P&gt;Have you considered using the option ("Activate") to TXT the user the enrollment procedure to get their mobile enrolled?&lt;/P&gt;</description>
      <pubDate>Tue, 03 Feb 2026 19:30:19 GMT</pubDate>
      <guid>https://community.cisco.com/t5/managing-users/new-user-enrollment-with-bypass-codes/m-p/5367216#M1530</guid>
      <dc:creator>Philip D'Ath</dc:creator>
      <dc:date>2026-02-03T19:30:19Z</dc:date>
    </item>
    <item>
      <title>Re: New User Enrollment with bypass codes</title>
      <link>https://community.cisco.com/t5/managing-users/new-user-enrollment-with-bypass-codes/m-p/5367218#M1531</link>
      <description>&lt;P&gt;Yes, Duo Push, Mobile passcode, Hardware tokens and bypass code.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DuoBypass.jpg" style="width: 598px;"&gt;&lt;img src="https://community.cisco.com/t5/image/serverpage/image-id/258972iA467A7CC824298E0/image-size/large?v=v2&amp;amp;px=999" role="button" title="DuoBypass.jpg" alt="DuoBypass.jpg" /&gt;&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 03 Feb 2026 19:31:49 GMT</pubDate>
      <guid>https://community.cisco.com/t5/managing-users/new-user-enrollment-with-bypass-codes/m-p/5367218#M1531</guid>
      <dc:creator>doGlooPA</dc:creator>
      <dc:date>2026-02-03T19:31:49Z</dc:date>
    </item>
    <item>
      <title>Re: New User Enrollment with bypass codes</title>
      <link>https://community.cisco.com/t5/managing-users/new-user-enrollment-with-bypass-codes/m-p/5367220#M1532</link>
      <description>&lt;P&gt;Bypass codes do work fine for those who are already enrolled. Just not for someone who is brand new.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 03 Feb 2026 19:32:55 GMT</pubDate>
      <guid>https://community.cisco.com/t5/managing-users/new-user-enrollment-with-bypass-codes/m-p/5367220#M1532</guid>
      <dc:creator>doGlooPA</dc:creator>
      <dc:date>2026-02-03T19:32:55Z</dc:date>
    </item>
    <item>
      <title>Re: New User Enrollment with bypass codes</title>
      <link>https://community.cisco.com/t5/managing-users/new-user-enrollment-with-bypass-codes/m-p/5367222#M1533</link>
      <description>&lt;P&gt;I am not sure what that option is you are referring to. We generally do not import mobile phone data into Duo for new users so if we were to do that, I could manually set up their phones and text them enrollment. Just trying to automate so I don't need to do that for every new user.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 03 Feb 2026 19:38:29 GMT</pubDate>
      <guid>https://community.cisco.com/t5/managing-users/new-user-enrollment-with-bypass-codes/m-p/5367222#M1533</guid>
      <dc:creator>doGlooPA</dc:creator>
      <dc:date>2026-02-03T19:38:29Z</dc:date>
    </item>
    <item>
      <title>Re: New User Enrollment with bypass codes</title>
      <link>https://community.cisco.com/t5/managing-users/new-user-enrollment-with-bypass-codes/m-p/5367224#M1534</link>
      <description>&lt;P&gt;Following&lt;/P&gt;</description>
      <pubDate>Tue, 03 Feb 2026 19:44:20 GMT</pubDate>
      <guid>https://community.cisco.com/t5/managing-users/new-user-enrollment-with-bypass-codes/m-p/5367224#M1534</guid>
      <dc:creator>chickpeafilae</dc:creator>
      <dc:date>2026-02-03T19:44:20Z</dc:date>
    </item>
    <item>
      <title>Re: New User Enrollment with bypass codes</title>
      <link>https://community.cisco.com/t5/managing-users/new-user-enrollment-with-bypass-codes/m-p/5367227#M1535</link>
      <description>&lt;P&gt;You won't be able to complete the enrollment process for Duo Mobile via the Windows Login process.&lt;/P&gt;
&lt;P&gt;What about generating a QR enrollment code, printing that out, and giving that to new users to scan in Duo Mobile prior to their first login?&lt;BR /&gt;What about TXTing the user the enrollment URL, to complete activation of their phone prior to logging in?&lt;/P&gt;
&lt;P&gt;You are going to need to do something to complete the activation of their MFA device prior to them logging in.&lt;/P&gt;</description>
      <pubDate>Tue, 03 Feb 2026 19:48:31 GMT</pubDate>
      <guid>https://community.cisco.com/t5/managing-users/new-user-enrollment-with-bypass-codes/m-p/5367227#M1535</guid>
      <dc:creator>Philip D'Ath</dc:creator>
      <dc:date>2026-02-03T19:48:31Z</dc:date>
    </item>
    <item>
      <title>Re: New User Enrollment with bypass codes</title>
      <link>https://community.cisco.com/t5/managing-users/new-user-enrollment-with-bypass-codes/m-p/5367229#M1536</link>
      <description>&lt;P&gt;What about having them web browse to your Duo Central portal on their mobile device, and try to complete enrollment via that process?&lt;/P&gt;</description>
      <pubDate>Tue, 03 Feb 2026 19:51:07 GMT</pubDate>
      <guid>https://community.cisco.com/t5/managing-users/new-user-enrollment-with-bypass-codes/m-p/5367229#M1536</guid>
      <dc:creator>Philip D'Ath</dc:creator>
      <dc:date>2026-02-03T19:51:07Z</dc:date>
    </item>
    <item>
      <title>Re: New User Enrollment with bypass codes</title>
      <link>https://community.cisco.com/t5/managing-users/new-user-enrollment-with-bypass-codes/m-p/5367232#M1537</link>
      <description>&lt;P&gt;That was kind of what I was afraid of. That gets pretty hard for large business to manage. It makes the most sense to allow a bypass code to actually work as a bypass code. We will have to look into the other options. Printing or sending a QR Code is a great idea. I will try that. Thanks!&lt;/P&gt;</description>
      <pubDate>Tue, 03 Feb 2026 20:00:48 GMT</pubDate>
      <guid>https://community.cisco.com/t5/managing-users/new-user-enrollment-with-bypass-codes/m-p/5367232#M1537</guid>
      <dc:creator>doGlooPA</dc:creator>
      <dc:date>2026-02-03T20:00:48Z</dc:date>
    </item>
    <item>
      <title>Re: New User Enrollment with bypass codes</title>
      <link>https://community.cisco.com/t5/managing-users/new-user-enrollment-with-bypass-codes/m-p/5367234#M1538</link>
      <description>&lt;P&gt;These are personal phones mostly and I am pretty sure we limit Duo Central access to trusted endpoints only.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 03 Feb 2026 20:03:07 GMT</pubDate>
      <guid>https://community.cisco.com/t5/managing-users/new-user-enrollment-with-bypass-codes/m-p/5367234#M1538</guid>
      <dc:creator>doGlooPA</dc:creator>
      <dc:date>2026-02-03T20:03:07Z</dc:date>
    </item>
    <item>
      <title>Re: New User Enrollment with bypass codes</title>
      <link>https://community.cisco.com/t5/managing-users/new-user-enrollment-with-bypass-codes/m-p/5367509#M1540</link>
      <description>&lt;P&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1854823"&gt;@doGlooPA&lt;/a&gt;&amp;nbsp;Please read through&amp;nbsp;&lt;A href="https://help.duo.com/s/article/4518?language=en_US" target="_blank" rel="noopener"&gt;https://help.duo.com/s/article/4518?language=en_US&lt;/A&gt;&lt;BR /&gt;&lt;BR /&gt;"Note: Bypass codes are intended for temporary access. A user with only a bypass code configured and no other 2FA device is not considered to be enrolled with Duo. This user falls into the unenrolled category."&lt;/P&gt;
&lt;P&gt;Duo for Windows Logon is a client implementation of our AuthAPI. The post to the /preauth endpoint with the username is receiving an "enroll" response (ETA you can see this in the Duo Windows Logon log output in C:\ProgramData\DuoSecurity). That is why the user receives the message they do. This is distinct behavior from the web-based Duo Universal Prompt (Duo Web SDK) seen when accessing apps in a browser.&lt;/P&gt;
&lt;P&gt;If the users had any other factor attached then they would be considered "enrolled" and would be able to use the bypass code to log in.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;There is a really clunky but achievable way to do this: attach a dummy hardware token to the new user, and then they can log in to Windows with the bypass code. However, since attaching the dummy hardtoken makes the user "enrolled", emailed enrollment links won't work (they'll get an error saying they're already enrolled). At this point though, they would need to enter self-service device management in Duo Central or inline during auth to a non-SSO web application (using the bypass code to get in, so they would be blocked here if it's a one-time use bypass code). The really clunky part is that while they can add and remove almost any authentication method from the self-service device portal, they can't add or remove a hardware token. So, that dummy token would hang around attached to the user until you (or an Admin API process) removes it.&lt;/P&gt;
&lt;P&gt;Ideally you would have collected a user's mobile phone number as part of their onboarding process and put it in AD so that the sync to Duo can add the phone with that number to the new user. That way they could use it to log into Windows and anything else they might need after that.&lt;/P&gt;
&lt;P&gt;ETA there is an existing feature request to treat users with a bypass code as enrolled that would address this, as the AuthAPI would no longer return an "enroll" response for a user with only a bypass code. You may contact your Duo/Cisco account or customer success team (or Duo Support if you have neither) to upvote this or provide additional context.&lt;/P&gt;</description>
      <pubDate>Wed, 04 Feb 2026 15:53:33 GMT</pubDate>
      <guid>https://community.cisco.com/t5/managing-users/new-user-enrollment-with-bypass-codes/m-p/5367509#M1540</guid>
      <dc:creator>DuoKristina</dc:creator>
      <dc:date>2026-02-04T15:53:33Z</dc:date>
    </item>
    <item>
      <title>Re: New User Enrollment with bypass codes</title>
      <link>https://community.cisco.com/t5/managing-users/new-user-enrollment-with-bypass-codes/m-p/5367521#M1541</link>
      <description>&lt;P&gt;Thanks Kristina. I will reach out and upvote that. It seems the bypass code method would work best if allowed. Allowing new users to enroll using their devices means we need to allow mobile browsers. We specifically blocked those to prevent people from using their personal phones to connect to our Duo Central site and launch SAML apps on their phones. My guess is we will now need to create a new policy surrounding SAML apps for extra security.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 04 Feb 2026 16:07:26 GMT</pubDate>
      <guid>https://community.cisco.com/t5/managing-users/new-user-enrollment-with-bypass-codes/m-p/5367521#M1541</guid>
      <dc:creator>doGlooPA</dc:creator>
      <dc:date>2026-02-04T16:07:26Z</dc:date>
    </item>
    <item>
      <title>Re: New User Enrollment with bypass codes</title>
      <link>https://community.cisco.com/t5/managing-users/new-user-enrollment-with-bypass-codes/m-p/5367643#M1542</link>
      <description>&lt;P&gt;&amp;gt;&amp;nbsp;&lt;SPAN&gt;&amp;nbsp;Allowing new users to enroll using their devices means we need to allow mobile browsers&lt;BR /&gt;&lt;BR /&gt;&lt;/SPAN&gt;You don't have to do this to get what you want I think.&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;Have phone # in AD.&lt;/LI&gt;
&lt;LI&gt;Import new user with phone from sync. Don't send an enrollment email.&lt;/LI&gt;
&lt;LI&gt;Create bypass code for new user and communicate it to them somehow (with their AD creds?). You give them maybe 24 hours to reuse the code. You tell the user to use the bypass code to log in if you have not allowed SMS or phone call authentication methods.&lt;/LI&gt;
&lt;LI&gt;User logs in to Windows that day with AD creds and bypass code.&lt;/LI&gt;
&lt;LI&gt;Also that day user launches browser on that Windows system, which I have assumed is trusted, to log into Duo Central and get to self-service management. They use either the bypass code (or use SMS/phone if you allow it) to get into device management.&lt;/LI&gt;
&lt;LI&gt;User activates their phone for push or enrolls whatever other methods you allow (passkeys?).&lt;/LI&gt;
&lt;LI&gt;The bypass code expires but user doesn't need it anymore because they have one or more usable auth methods.&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;There are multiple possible permutations of this that wouldn't require you letting them use the phones themselves to access Duo Central or any SAML apps.&lt;/P&gt;</description>
      <pubDate>Wed, 04 Feb 2026 20:39:33 GMT</pubDate>
      <guid>https://community.cisco.com/t5/managing-users/new-user-enrollment-with-bypass-codes/m-p/5367643#M1542</guid>
      <dc:creator>DuoKristina</dc:creator>
      <dc:date>2026-02-04T20:39:33Z</dc:date>
    </item>
    <item>
      <title>Re: New User Enrollment with bypass codes</title>
      <link>https://community.cisco.com/t5/managing-users/new-user-enrollment-with-bypass-codes/m-p/5367645#M1543</link>
      <description>&lt;P&gt;That is what we have tried but we have the Duo Logon MFA app already installed on all PCs so you need to have MFA to get past that. Or a bypass code, but for new users, a bypass code with no device enrolled is not allowed. So we are back to changing bypass codes to allow that. Which I did upvote with support. For now though, we will have to give new employees an enrollment code and link to the enrollment page and they will need to enroll via their cell phone before being able to log on to any PCs. Not convenient but it works.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 04 Feb 2026 20:43:57 GMT</pubDate>
      <guid>https://community.cisco.com/t5/managing-users/new-user-enrollment-with-bypass-codes/m-p/5367645#M1543</guid>
      <dc:creator>doGlooPA</dc:creator>
      <dc:date>2026-02-04T20:43:57Z</dc:date>
    </item>
    <item>
      <title>Re: New User Enrollment with bypass codes</title>
      <link>https://community.cisco.com/t5/managing-users/new-user-enrollment-with-bypass-codes/m-p/5367656#M1544</link>
      <description>&lt;P&gt;We did just create a new application level policy that blocks mobile devices for all the apps we don't want them to access in Duo Central with their phones. It was easier than I thought and seems to work well.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 04 Feb 2026 21:13:15 GMT</pubDate>
      <guid>https://community.cisco.com/t5/managing-users/new-user-enrollment-with-bypass-codes/m-p/5367656#M1544</guid>
      <dc:creator>doGlooPA</dc:creator>
      <dc:date>2026-02-04T21:13:15Z</dc:date>
    </item>
  </channel>
</rss>

