Fall Creators Update (Version 1709) of Windows 10 breaks Duo for Windows Logon’s support for Microsoft Accounts

Nebb
Level 1

Ever since Windows 10 decided to upgrade to the latest Fall Update, whenever I RDP into my computer the Duo Login Prompt does not load and it does not send the push notification. Thus I am unable to log in remotely. I have uninstalled and reinstalled with the latest version of Duo with no success.

Any ideas?

79 Replies

Duo_RDP_User
Level 1

OK - I updated the registry value to 1, rebooted, reinstalled the Duo software. And the issue still occurs.

If you want to see what it looks like I can share the computer I’m trying to connect to so you can see it first hand via private message?

alanerickson
Level 1

I’m having the same problem and posted that earlier in this thread, but I thought of something else. I’m using a Windows Live login for logging into my PC instead of a local account. Not sure if this would make a difference for troubleshooting, or whether others are set up this way or not.

Duo_RDP_User
Level 1

Good thinking, Alan. I am also using a Windows Live account, or what I think they call Microsoft Accounts more generically, but not a local account anyway.

I also use a PIN for Windows Hello, but I turned that off as I thought it might be the conflict…

Albinotruck
Level 1

Chiming in as I also have the same issue. Disabling printer forwarding does not work, nor does having dontdisplaylastusername set to 1. I’m also using a Windows Live account for signing in.

Reading about the type of account people in here are using, I decided to test a couple of things - here are my findings:

Creating a local user account and using that for RDP actually does bring up the Duo prompt. I enrolled this user and got push notifications to my phone. Thus, I can log in with the local user. Trying with my regular Windows Live account resulted in the same failure as previously - no Duo prompt. In fact, the login attempt does not even show in the Duo portal.

As the next step I logged in to the local user I just created but canceled the login. I’m now past the NLA CredSSP login provider and have an active RDP session with my host. I change accounts from the local user to my Windows Live account and log in with that, which does give me the Duo prompt and the push notification. I can now log into the host.

This leads me to believe that it has something to do with NLA and CredSSP, so I disable that on my host and create a .rdp file that has:
enablecredsspsupport:i:0

As I don’t have to authenticate before establishing the RDP session, I can now just put in my regular Windows Live account credentials and I get the Duo prompt and correlating push request to my phone. I am now able to log in again.

I’m pretty sure it has to do with NLA and the CredSSP provider but I can’t do more tests right now. I’ll get back to it later but I hope this helps you guys in troubleshooting and finding the issue.

Nebb
Level 1

I am also using a Microsoft account for authentication. @Dooley Have you tried adding a Microsoft account to your test machines?

PatrickKnight
Level 1

After replicating the issue internally with Windows Live Accounts, we have a workaround by whitelisting a specific Microsoft credential provider, allowing RDP and DUO to work together as expected.

Use the Registry Editor (regedit.exe) with administrator privileges to create (or update) the following registry values in

HKEY_LOCAL_MACHINE\SOFTWARE\Duo Security\DuoCredProv

  • Registry Value: ProvidersWhitelist
  • Type: REG_MULTI_SZ
  • Populate the multi string value data with the following GUID: {1ee7337f-85ac-45e2-a23c-37c753209769}

Duo_RDP_User
Level 1

Patrick. Good deal. That fix works…partially. For me, after I reinstalled Duo, updated the registry and rebooted, I was able to authenticate with DUO 2FA working. However, after breaking the connection to the RDP session and trying again, it failed in the same way as before. If I force a restart and log in over DUO RDP 2FA the first time it continues to work, but just not to connect to an existing session.

eelcoakker
Level 1

Same problem here unfortunately, the regfix does not solve it for me.

Jeal168
Level 1

I have the same issue after updating to Windows 10 Fall Creator’s Update. Rebooting the machine would allow me to log in, but then any succeeding re-connection to the RDP session would fail even though I’m getting the prompt to approve and have been providing my approval. The screen would just get stuck on the lock screen. Funny thing is, icons to disconnect, restart, etc. are available and working. My last recourse, if the solution from DUO or MS will take time, is to restore from a backup prior to the Fall Creators Update.

Chuck5
Level 1

I am having the same issue. I am coming in from the Microsoft RDP client on Android and a client on Windows 7. The local admin account works, but the Live-linked account does not. I tried using the local representation of the Live account but that had the same result. Next I added the providerswhitelist into regedit, installed 3.1.1 and rebooted. That did not help. All resource forwarding is cancelled.

Has anyone had success with a workaround? Looks like disabling CredSSP is the leading contender.

Nebb
Level 1

@PatrickKnight Unfortunately this has not worked for me. I have the same problem as @Duo_RDP_User

I can confirm. After Win10 Fall Update 2FA with DUO does not work. RDP hangs on login screen and waits. When DUO is uninstalled RDP works as expected.

PatrickKnight
Level 1

Quick update: we are still working on a fix for this issue.

As a workaround without uninstalling, you can set the GUID to F8A0B131-5F68-486C-8040-7E8FC3C85BB6
and remove the one posted above. This does not require a reboot.

The expected behavior after setting this is that Duo remains installed, protecting non-Microsoft Accounts, and allows RDP of Microsoft accounts with no second factor.

Chuck5
Level 1

Thanks for the update. In lieu of disabling 2FA for Microsoft accounts, I have begun rebooting my machine whenever I go to log out of my Microsoft account. This works for me as I don’t keep any programs up when I log out.

This workaround has worked for me thus far. If I forget to reboot I can log in with a local account and reboot from there.

Dooley
Level 3

Hi all, thanks for all of your help with reporting this issue and trying out the various workaround solutions we’ve posted here. Our Engineering Team now has a very good understanding of the issue, but unfortunately a full solution is going to require additional development and collaboration with Microsoft.

We have confirmed that the Fall Creators Update (Version 1709) of Windows 10 breaks Duo for Windows Logon’s support for Microsoft Accounts (previously known as Windows Live ID). This is due to new behavior by the Microsoft Account credential provider which requires it to be loaded for accounts to appear.

As @patrickknight posted earlier, a workaround is available that allows Duo to remain installed and protect non-Microsoft Accounts while allowing access to Microsoft Accounts with no second factor.

To do this, use the Registry Editor (regedit.exe) with administrator privileges to create (or update) the following registry values in HKEY_LOCAL_MACHINE\SOFTWARE\Duo Security\DuoCredProv

  • Registry Value: ProvidersWhitelist
  • Type: REG_MULTI_SZ
  • Populate the multi string value data with the following GUID: F8A0B131-5F68-486C-8040-7E8FC3C85BB6

No reboot is required.

We will continue to update this thread as more information becomes available. Thanks again for your help and patience with this issue.
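
An added example, not from Duo or any poster in this thread: a PowerShell audit an administrator could run to see whether either workaround from the thread is still in place on a host. The DuoCredProv key, the ProvidersWhitelist value and both GUIDs come from the posts above; the function name Get-DuoWhitelistFinding is hypothetical, and the RDP-Tcp UserAuthentication value is the standard Windows setting for requiring NLA, which the thread itself does not name.

```powershell
# Added example (not Duo's code). Key path, value name and GUIDs are from the thread;
# the note attached to each GUID paraphrases what the Duo staff posts say about it.
$DuoKey = 'HKLM:\SOFTWARE\Duo Security\DuoCredProv'
$KnownProviders = @{
    '1ee7337f-85ac-45e2-a23c-37c753209769' = 'First workaround: whitelisted Microsoft credential provider'
    'f8a0b131-5f68-486c-8040-7e8fc3c85bb6' = 'Second workaround: Microsoft Accounts log on with NO second factor'
}

function Get-DuoWhitelistFinding {
    # Hypothetical helper: classify each REG_MULTI_SZ entry against the thread's GUIDs.
    param([string[]]$Entries)
    foreach ($entry in $Entries) {
        # The thread shows one GUID with braces and one without, so normalise both forms.
        $guid = ($entry -replace '[{}\s]', '').ToLowerInvariant()
        if (-not $guid) { continue }
        $note = $KnownProviders[$guid]
        if (-not $note) { $note = 'Not mentioned in the thread; review manually' }
        [pscustomobject]@{ Guid = $guid; Note = $note }
    }
}

# 1. Read the live whitelist (REG_MULTI_SZ is returned as a string array).
$whitelist = (Get-ItemProperty -Path $DuoKey -Name ProvidersWhitelist `
                  -ErrorAction SilentlyContinue).ProvidersWhitelist
if ($whitelist) {
    Get-DuoWhitelistFinding -Entries $whitelist | Format-Table -AutoSize
} else {
    'ProvidersWhitelist is not set under DuoCredProv.'
}

# 2. Check whether NLA is still required for RDP on this host (1 = required).
#    Assumption: no Group Policy override; policy-managed hosts store this elsewhere.
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication `
            -ErrorAction SilentlyContinue).UserAuthentication
if ($nla -eq 1) { 'NLA is required for RDP.' }
else { 'NLA is NOT required for RDP (the CredSSP workaround may still be active).' }

# 3. Constructed sample input, so the classifier can be exercised on any machine.
Get-DuoWhitelistFinding -Entries @(
    '{1ee7337f-85ac-45e2-a23c-37c753209769}',
    'F8A0B131-5F68-486C-8040-7E8FC3C85BB6'
) | Format-Table -AutoSize
```

Run it from an elevated prompt on the RDP host once a fixed Duo release is installed, so that leftover whitelist entries or a disabled NLA setting are found and reverted.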
