I’m currently trying to protect administrative Remote Desktop, UAC, and console access to our organization’s servers with Duo Winlogon. Most of our servers act as Remote Desktop Session hosts, and in testing I’ve found that Duo prompts for both full Remote Desktop sessions and RemoteApp sessions. Now the obvious solution is to make a bypass policy for the application and an enforce policy for the administrative group, which I have done and which works fine.
However, I’m trying to plan ahead for when we want to protect RemoteApp and Remote Desktop logons for all users. I’m concerned that I won’t be able to differentiate between the two types of traffic in Duo for creating policies that differ between applications. Is it possible to have Winlogon only pick up on full Remote Desktop sessions and ignore RemoteApp sessions?