RDP setup with group policy - why add keys to transform or command line?

12-03-2019 10:02 AM
After setting up RDP group policy (2FA for Windows Remote Desktop Protocol and Local Logons | Duo Security), the IKEY, SKEY, and HOST values are present in each machine’s local registry, here:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Duo Security\DuoCredProv
So why do those instructions specify going through the laborious process of creating a transform file for the installer?
In my case, I plan to do manual installation from the command line (https://help.duo.com/s/article/1090?language=en_US), but again, the examples only show command lines with all keys and options specified.
Wouldn’t the simple way to do this be
- Set up group policy with all keys and options. Wait for it to sync.
- Deploy on each computer without specifying options:
msiexec.exe /i DuoWindowsLogon64.msi /qn
Am I missing something here? Is it more secure to NOT put the keys in group policy and instead only provide them during the installation on each machine?
Thanks,
Mark Berry
MCB Systems
Labels: Managing Devices - General

12-04-2019 08:17 AM
The transform instructions are mentioned only in the context of software deployment via GPO.
If you will not use GPO to actually install the software (i.e. if you are using scripted deploy with msiexec), you can do exactly what you described.
Thanks for using Duo!

12-04-2019 10:55 AM
Thanks Kristina, but I still don’t get it. If I’m deploying with Group Policy, why would I need a transform file with the keys? Why not just use the bare MSI installer? The keys are specified directly in the group policy. It doesn’t make sense to me that I would have to configure the keys in two places.
In other words, steps 3 and 6 of this procedure seem unnecessary and redundant if you put the keys in the main GPO as shown in the screen shot at the end of this procedure.
Regards,
Mark Berry

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-04-2019 12:31 PM
It was required by the installer when the software publishing instructions were published, but it’s possible that subsequent changes to the installer negated the transform requirement. We can check on that and update the instructions if warranted.
If you are concerned about securing the key information when configuring via GPO, ensure that only those who should be able to view that info can (for example, don’t let unprivileged users read the GPO or the RSOP machine scope settings, etc.).
05-15-2021 04:34 AM
Did this ever get resolved? I was wondering about the same issue as the original poster and it doesn’t look like the documentation has changed. Why can’t you just put the ikey, skey and the api hostname in the GPO and use the standard msi install in the group policy?

05-15-2021 01:02 PM
I wound up not doing the actual installation via GPO. I just set up the keys in a GPO and run the regular (un-transformed) installer with a script.
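
The scripted approach described in this thread (keys delivered by GPO, bare installer run by a script), combined with the earlier advice about who can read the key material, as an added example that is not part of any post or of Duo's documentation. It assumes the value names IKEY, SKEY and HOST as written in the first post, English principal names, and an MSI in the current directory.

```powershell
# Added example: pre-install check for GPO-delivered Duo settings, then a bare install.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Duo Security\DuoCredProv'   # path from the thread
$Required  = 'IKEY', 'SKEY', 'HOST'      # assumption: value names as written in the thread
$Msi       = '.\DuoWindowsLogon64.msi'   # assumption: installer sits in the current directory
# Assumption: principals treated as "unprivileged" for the ACL check (English names).
$Broad     = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
             'NT AUTHORITY\INTERACTIVE'

function Get-MissingDuoValue {
    param([string]$Key, [string[]]$Names)
    if (-not (Test-Path -LiteralPath $Key)) { return $Names }   # policy not applied yet
    $props = Get-ItemProperty -LiteralPath $Key
    # Return only the names that are absent or empty; never echo the values themselves.
    $Names | Where-Object { [string]::IsNullOrWhiteSpace([string]$props.$_) }
}

function Get-BroadReader {
    param([string]$Key, [string[]]$Principals)
    $read = [int][System.Security.AccessControl.RegistryRights]::QueryValues
    # Allow ACEs that let a broad principal read values (and therefore the SKEY).
    (Get-Acl -LiteralPath $Key).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]$_.RegistryRights -band $read) -and
        ($Principals -contains $_.IdentityReference.Value)
    }
}

$missing = @(Get-MissingDuoValue -Key $PolicyKey -Names $Required)
if ($missing.Count -gt 0) {
    Write-Error "Duo policy not applied yet (missing: $($missing -join ', ')). Run gpupdate and retry."
    exit 1
}

foreach ($ace in Get-BroadReader -Key $PolicyKey -Principals $Broad) {
    Write-Warning "$($ace.IdentityReference) can read $PolicyKey ($($ace.RegistryRights))"
}

# Bare installer, as in the thread: no keys on the command line and no transform.
$p = Start-Process msiexec.exe -ArgumentList '/i', "`"$Msi`"", '/qn' -Wait -PassThru
exit $p.ExitCode
```

The warnings list which broad groups can read the policy key on that machine, which is the local counterpart of restricting read access to the GPO and RSOP data.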
