11-20-2021 10:32 AM
I am testing deploying to our fleet of Windows devices for our domain admin, server admin and maybe for RDP for regular users.
We do leave the local admin account enabled on all systems and rotate the passwords weekly with LAPS.
I can’t figure out how to exclude this account?
11-22-2021 01:12 PM
Hi @LipidFault,
Installing Duo Authentication for Windows Logon adds two-factor authentication to all interactive user Windows login attempts, whether via a local console or over RDP: Duo Authentication for Windows Logon and RDP | Duo Security. At this time, there is no way to exclude certain accounts. Please also see Knowledge Base | Duo Security.
Please feel free to submit a feature request asking for this functionality via your Account Executive, Customer Success Manager if applicable, or our Support Team.
Thank you!
11-24-2021 04:48 AM
Why not make that user in Duo (example: admin), place them in a Duo group (example: local admins), and set the group to bypass? Add that group to the RDP logon groups. That should allow that user to bypass Duo security. Does that make sense?
11-29-2021 10:42 AM
Excellent suggestion, @macolinob! Bypassing the local administrator account in the Duo Admin Panel (either via Policy or setting the user to Bypass status) can permit logon without 2FA.
It may be a good idea to set your Fail Mode to open in the event the local administrator needs to log in while the server is offline since Duo’s cloud service needs to be accessible in order to perform the bypass. Enrolling in Offline Access may be a cumbersome process if multiple server admins need to log in with the local admin account at any given (offline) time. The ability to exempt users locally via the Duo for Winlogon client (from the above process) is not available at this time.