New User Enrollment with bypass codes

doGlooPA (Level 2)

In our environment we use Active Directory to import users into Duo. We use the login MFA application to provide MFA to our Windows devices. When new employees start, our plan was to create a one-time bypass code for their account so they can get into Windows and get to their email, where their enrollment codes should be, so they can enroll their phone in Duo.
We just started this process, but we're pretty sure it worked a few times previously. Currently, though, it is not working. When a new user enters their password they are given a prompt in Windows to "Enroll an authentication device to proceed." They are not given an option to use the bypass code to bypass MFA. I am guessing that a bypass code is not considered a device, so with no device set up, it stops there. I swear this worked a few times in testing, but maybe there were other circumstances involved with the accounts.
Any thoughts or ideas on how to get new users enrolled in our environment? My only other thought is to try to get a phone added to their accounts beforehand, but that is difficult with new hires.
Thanks!


18 Replies

Philip D'Ath (Meraki Community All-Star)

Is there any chance this enrollment is for offline use?

No. Online enrollment. They would be prompted to create an offline token after using MFA the first time as we do allow offline logins. 

doGlooPA (Level 2)

This is all they get when logging on the first time. 

[Image: DuoEnrollment.jpg]

Philip D'Ath (Meraki Community All-Star)

Have you considered using the option ("Activate") to TXT the user the enrollment procedure to get their mobile enrolled?

I am not sure what that option is you are referring to. We generally do not import mobile phone data into Duo for new users, so if we were to do that, I could manually set up their phones and text them enrollment. Just trying to automate so I don't need to do that for every new user.

Philip D'Ath (Meraki Community All-Star)

What about having them web browse to your Duo Central portal on their mobile device, and try to complete enrollment via that process?

These are personal phones mostly, and I am pretty sure we limit Duo Central access to trusted endpoints only.

Philip D'Ath (Meraki Community All-Star)

Have you got bypass codes enabled under allowed authentication methods?

[Image: PhilipDAth_0-1770146644224.png]

doGlooPA (Level 2)

Yes: Duo Push, Mobile passcode, Hardware tokens and Bypass code.

[Image: DuoBypass.jpg]

doGlooPA (Level 2)

Bypass codes do work fine for those who are already enrolled. Just not for someone who is brand new. 

chickpeafilae (Community Member)

Following

Philip D'Ath (Meraki Community All-Star)

You won't be able to complete the enrollment process for Duo Mobile via the Windows Login process.

What about generating a QR enrollment code, printing that out, and giving that to new users to scan in Duo Mobile prior to their first login?
What about TXTing the user the enrollment URL, to complete activation of their phone prior to logging in?

You are going to need to do something to complete the activation of their MFA device prior to them logging in.

That was kind of what I was afraid of. That gets pretty hard for a large business to manage. It makes the most sense to allow a bypass code to actually work as a bypass code. We will have to look into the other options. Printing or sending a QR code is a great idea. I will try that. Thanks!

DuoKristina (Cisco Employee)

@doGlooPA Please read through https://help.duo.com/s/article/4518?language=en_US

"Note: Bypass codes are intended for temporary access. A user with only a bypass code configured and no other 2FA device is not considered to be enrolled with Duo. This user falls into the unenrolled category."

Duo for Windows Logon is a client implementation of our AuthAPI. The post to the /preauth endpoint with the username is receiving an "enroll" response (ETA you can see this in the Duo Windows Logon log output in C:\ProgramData\DuoSecurity). That is why the user receives the message they do. This is distinct behavior from the web-based Duo Universal Prompt (Duo Web SDK) seen when accessing apps in a browser.

If the users had any other factor attached then they would be considered "enrolled" and would be able to use the bypass code to log in. 

There is a really clunky but achievable way to do this: attach a dummy hardware token to the new user, and then they can log in to Windows with the bypass code. However, attaching the dummy hardtoken makes the user "enrolled", so emailed enrollment links won't work (they'll get an error saying they're already enrolled). At this point, though, they would need to enter self-service device management in Duo Central or inline during auth to a non-SSO web application (using the bypass code to get in, so they would be blocked here if it's a one-time use bypass code). The really clunky part is that while they can add and remove almost any authentication method from the self-service device portal, they can't add or remove a hardware token. So, that dummy token would hang around attached to the user until you (or an Admin API process) remove it.

Ideally you would have collected a user's mobile phone number as part of their onboarding process and put it in AD, so that the sync to Duo can add the phone with that number to the new user. That way they could use it to log into Windows and anything else they might need after that.

ETA there is an existing feature request to treat users with a bypass code as enrolled that would address this, as the AuthAPI would no longer return an "enroll" response for a user with only a bypass code. You may contact your Duo/Cisco account or customer success team (or Duo Support if you have neither) to upvote this or provide additional context.

Duo, not DUO.
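The following is an added example, not code from this thread, from Duo, or from any commenter. It models the rule DuoKristina quotes (a user whose only factor is a bypass code is unenrolled, so an Auth API client such as Duo for Windows Logon gets an "enroll" result from /preauth) as a pre-check an IT team can run over user records before handing a new hire a one-time bypass code, and it also lists the cleanup step for the dummy-token workaround she describes. The record shape (`status`, `phones`, `tokens`, `webauthncredentials`, `user_id`, `token_id`), the /preauth result values and the token dissociation path are assumptions about the Duo Admin and Auth APIs that should be checked against current Duo documentation; all sample values are constructed.

```python
"""Onboarding pre-check modelled on the Duo behaviour described in this thread.

Added example; not code from the thread, from Duo, or from any commenter.
It encodes the quoted rule ("a user with only a bypass code configured and
no other 2FA device is not considered to be enrolled") so you can tell,
before issuing a one-time bypass code, whether Duo for Windows Logon will
accept it or answer with "Enroll an authentication device to proceed".

Assumptions (not confirmed by the thread): user records imitate the shape of
Duo Admin API user objects, Auth API /preauth results are one of "auth",
"enroll", "allow", "deny", and a token is dissociated from a user with
DELETE /admin/v1/users/{user_id}/tokens/{token_id}.
"""
from __future__ import annotations

# Constructed sample records; every value below is made up for the example.
SAMPLE_USERS = [
    {"user_id": "DU0000000000000000A1", "username": "new.hire", "status": "active",
     "phones": [], "tokens": [], "webauthncredentials": []},
    {"user_id": "DU0000000000000000A2", "username": "veteran", "status": "active",
     "phones": [{"number": "+15555550100", "type": "mobile"}], "tokens": [],
     "webauthncredentials": []},
    {"user_id": "DU0000000000000000A3", "username": "placeholder.user", "status": "active",
     "phones": [], "webauthncredentials": [],
     "tokens": [{"token_id": "DH000000000000000001", "serial": "DUMMY-0001", "type": "h6"}]},
    {"user_id": "DU0000000000000000A4", "username": "locked.user", "status": "locked out",
     "phones": [{"number": "+15555550101", "type": "mobile"}], "tokens": [],
     "webauthncredentials": []},
]

DEVICE_FIELDS = ("phones", "tokens", "webauthncredentials")


def has_second_factor(user: dict) -> bool:
    """True when at least one real 2FA device is attached. Bypass codes are
    deliberately not counted: per the quoted help article they do not make
    a user enrolled."""
    return any(user.get(field) for field in DEVICE_FIELDS)


def expected_preauth_result(user: dict) -> str:
    """Model the /preauth result the Windows Logon client would receive.

    Status handling is an assumption about Duo's user statuses: a "bypass"
    status user is allowed through without 2FA, disabled and locked-out
    users are denied, and an active user with no device gets "enroll",
    which is the prompt described in the thread."""
    status = user.get("status", "active")
    if status == "bypass":
        return "allow"
    if status in ("disabled", "locked out"):
        return "deny"
    return "auth" if has_second_factor(user) else "enroll"


def bypass_code_handoff_ok(user: dict) -> tuple[bool, str]:
    """Decide whether a one-time bypass code will get this user into Windows,
    and say what to fix if it will not."""
    result = expected_preauth_result(user)
    if result == "auth":
        return True, "enrolled: the bypass code will be offered as a factor"
    if result == "enroll":
        return False, ("unenrolled: Windows Logon will show the enrollment prompt; "
                       "attach a phone (e.g. sync the mobile number from AD) or "
                       "a placeholder token before issuing the code")
    if result == "allow":
        return True, "user status is bypass: no second factor is requested at all"
    return False, f"user status '{user.get('status')}' is denied before any factor"


def dummy_token_cleanup(user: dict, serial_prefix: str = "DUMMY-") -> list[str]:
    """Return the Admin API calls that dissociate placeholder hardware tokens
    from the user, since the self-service portal cannot remove them (per the
    thread). The path format is an assumption to verify against Duo docs."""
    return [f"DELETE /admin/v1/users/{user['user_id']}/tokens/{tok['token_id']}"
            for tok in user.get("tokens", [])
            if tok.get("serial", "").startswith(serial_prefix)]


def onboarding_report(users: list[dict]) -> dict[str, str]:
    """Username -> modelled /preauth result, for reviewing a batch of new
    hires before any bypass codes go out."""
    return {u["username"]: expected_preauth_result(u) for u in users}


if __name__ == "__main__":
    for user in SAMPLE_USERS:
        ok, why = bypass_code_handoff_ok(user)
        print(f"{user['username']:18} {'OK     ' if ok else 'BLOCKED'} {why}")
        for action in dummy_token_cleanup(user):
            print(f"{'':18} cleanup later: {action}")
```

Running the block prints one line per sample user; the unenrolled "new.hire" record comes back BLOCKED with the enrollment-prompt explanation, while the placeholder-token user is OK for the bypass code but is flagged with the dissociation call that an Admin API process would have to make later.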