12-21-2022 08:11 AM
Does Duo support user “run-as” and RSAT commands in AD with elevated rights? If so, are there instructions on how to set this up?
I am looking to support Active Directory Administrators with MFA for when they use administrative tools with their Server Admin account or run commands using run as and their AD admin accounts.
01-04-2023 11:39 AM
This FAQ item may answer your question:
What logon interfaces can Duo protect?
Duo Authentication for Windows Logon provides two-factor authentication for RDP and local console logons, and credentialed UAC elevation prompts (e.g. Right-click + “Run as administrator”).
Duo’s Windows Logon client does not add a secondary authentication prompt to the following logon types:
- Shift + right-click “Run as different user”
- PowerShell “Enter-PsSession” or “Invoke-Command” cmdlets
- Non-interactive logons (i.e. Log on as a Service, Log on as Batch, Scheduled Tasks, drive mappings, etc.)
- Pre-Logon Access Providers (PLAPs) such as Windows Always On VPN
- RDP Restricted Admin Mode
Enabling UAC elevation protection is a checkbox in the Duo installer, described in step 6 here:
01-24-2024 05:39 AM
Thanks for this information, it's exactly what we were looking for.
I have a question: We want to configure this on a large number of PCs. Can the installation be configured to select specific check boxes shown above without touching each PC? Something like a config file, with the options pre-specified that would be selected during the installation. Thanks in advance.
02-01-2024 01:16 AM
Yes, you can do it with GPO. Here's the guide from Duo with the resources needed to do it.
https://duo.com/docs/winlogon-gpo