Scripting DUO with PowerShell

Oldtrekky
Level 1

I have a PS script that downloads the installer from "https://dl.duosecurity.com/duo-win-login-latest.exe" and sets 
$installerPath = "$env:TEMP\duo-win-login-latest.exe"

I have tried the following 3 different ways but each always gives a return code of 0, but the program has not actually run. (I test for the existence of the DUO Security registry entry here: "HKLM:\SOFTWARE\Duo Security\DuoCredProv")

$run_version=1
$duo_normal_setup_args = "/QUIET /RDP_ONLY=yes /IKEY=$ikey /SKEY=$skey /HOST=$apiHost"
switch ($run_version) {
    1 {
        Write-Host "Normal processing v1"
        $duoprocess=Start-Process -FilePath $installerPath -Wait -PassThru -ArgumentList `
            "/QUIET", `
            "/RDP_ONLY=yes", `
            "/IKEY=$ikey", `
            "/SKEY=$skey", `
            "/HOST=$apiHost"
        $instcode=$($duoprocess.ExitCode)
    }
    2 {
        # 2nd way
        Write-Host "Normal processing v2"
        $duoprocess= Start-Process -FilePath $installerPath -ArgumentList $duo_normal_setup_args -Wait -Passthru
    }
    3 {
        # 3rd way
        Write-Host "Normal processing v3"
        & $installerPath /ArgumentList $duo_normal_setup_args /Wait /Passthru *> "$env:TEMP\duo_install_log.txt"
    }
}

I suspect I am not passing the arguments correctly (single string or multiple strings). I have validated all the variables and they have the correct values. I have run the installer manually and it worked for one user but I need to re-do it several more times for other users. I would appreciate any suggestions or corrections.

4 Replies

DuoKristina
Cisco Employee

Did you compare your options and syntax to the PowerShell example in https://help.duo.com/s/article/1090 ? You might want to read through that closely.

Duo, not DUO.

Since my previous post, I discovered that I should not have the / symbols before the arguments (except for /S /qn and /V). So they now look like this (with the "xx"s replaced with actual values):

/S /V" /qf RDP_ONLY="#1" FAILOPEN="#1" IKEY="DICxxxxx" SKEY="xxxxxx" HOST="xxxxxxx" FAILOPEN="#1""

And yes, I have compared every argument. They work perfectly when executed from the command line, but when run in a PowerShell script, the installer just displays the MSIEXEC parameter rules in a window, then exits with NO return code (yes, it is actually empty, not 0). Checked with this:

$instcode=$($duoprocess.ExitCode)
if ($instcode -eq 0 -or $instcode -eq "") {
    Write-Output "retcode 0 or empty"
    exit 1
}

There is no MSI log. I suspect it has something to do with PS parameter passing and the DUO requirement of /V" with "quoted" strings inside.

Oldtrekky
Level 1

I looked at the DUO docs and saw a comment that there is no longer an installer .MSI file. Just the .EXE files. Has anyone gotten the .EXE installer to work from inside a PS script? 

MSIs exist here: https://duo.com/docs/checksums#unified-x86-x64-installer, along with the group policy stuff you'd need.

I suspect if you run the exe with the command line you'll have better luck...or use the MSI, and control it with GPO (which is what we do for workstations)

Here's my command line that I push to servers. Note the list of quoted things is wrapped in quotes.

%PATHTOFIXES%duo-win-login-latest.exe /S /V" /qn IKEY="##ikey##" SKEY="##skey##" HOST="api-xxxxxxx.duosecurity.com" AUTOPUSH="#1" FAILOPEN="#1" SMARTCARD="#0" RDPONLY="#0""
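
One way to hand the installer the same command line as the reply above from PowerShell, as an added example that is not part of the thread or Duo's documentation. The function names and sample values are hypothetical; SHA-256 as the checksum algorithm and an elevated session are assumptions.

```powershell
# Added example; not from the thread or from Duo. Function names are hypothetical.
function Get-DuoArgLine {
    param([Parameter(Mandatory)] [System.Collections.IDictionary] $Properties)
    # Render NAME="value" pairs, then wrap the whole list in /V"..." as in the reply above.
    $pairs = foreach ($e in $Properties.GetEnumerator()) { '{0}="{1}"' -f $e.Key, $e.Value }
    '/S /V" /qn {0}"' -f ($pairs -join ' ')
}

function Install-DuoLogon {
    param(
        [Parameter(Mandatory)] [string] $InstallerPath,
        [Parameter(Mandatory)] [string] $ExpectedSha256,  # value published at https://duo.com/docs/checksums (SHA-256 assumed)
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Properties
    )
    # Refuse to run a download whose hash does not match the published value.
    $actual = (Get-FileHash -Path $InstallerPath -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) { throw "Hash mismatch for $InstallerPath" }

    # One string, not an array: Start-Process passes it to the installer unchanged,
    # so the nested quotes arrive exactly as they would from cmd.exe.
    $argLine = Get-DuoArgLine -Properties $Properties
    $p = Start-Process -FilePath $InstallerPath -ArgumentList $argLine -Wait -PassThru
    if ($p.ExitCode -ne 0) { throw "Installer exited with code $($p.ExitCode)" }

    # An exit code of 0 was not enough in the thread, so also check the registry key.
    if (-not (Test-Path 'HKLM:\SOFTWARE\Duo Security\DuoCredProv')) {
        throw 'Installer returned 0 but the DuoCredProv key is missing'
    }
}

# Constructed sample values; property names copied from the reply above.
$props = [ordered]@{
    IKEY      = 'DIXXXXXXXXXXXXXXXXXX'
    SKEY      = 'placeholder-secret'
    HOST      = 'api-xxxxxxx.duosecurity.com'
    AUTOPUSH  = '#1'
    FAILOPEN  = '#1'
    SMARTCARD = '#0'
    RDPONLY   = '#0'
}
Get-DuoArgLine -Properties $props   # inspect the exact string before installing
# Install-DuoLogon -InstallerPath "$env:TEMP\duo-win-login-latest.exe" -ExpectedSha256 '<published hash>' -Properties $props
```

The SKEY travels on the installer's command line, so any host that records process-creation command lines will store it in those logs.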
