Windows Logon Excessive 2FA Challenges

mattford · ‎04-03-2024

Just recently, our Windows Logon duo integration has been challenging users for 2FA every time they log in, even if it's just unlocking a session they just locked. We've changed no policies in DUO or GPO. Thinking it was maybe a software version thing (we were on a 4.2.x) I upgraded everyone's duo windows logon app to the latest 4.3.x and the problem continues to spread.

I engaged support but they're just linking me to articles about verified push (which we do not use) and I'm just frustrated since it's SaaS and it's doing unintended behavior that we didn't cause (it has worked fine for months). Has anyone else run across the issue with the Windows Logon being challenged excessively?

Pulkit Mittal · ‎04-04-2024

Not seen this issue, but I suggest using How do I enable remembered devices for Windows Logon? (duo.com) so that users are not prompted repeatedly every time they see lock screen.

Set it to 1 day if you like or 8 hours,

If you find this useful, please mark it helpful and accept the solution.

mattford · ‎04-05-2024

We have that enabled and set to 1 day, users are checking the box. It's just not being honored

DuoKristina · ‎04-08-2024

If you enable debug logging the output should show a reason for not honoring an established trust session. Instructions for that and more explanation of the reasons why a session gets invalidated found here: https://help.duo.com/s/article/7237

Duo, not DUO.

DuoKristina · ‎04-08-2024

Actually, we're prepping the 4.3.1 release now which includes a fix for trusted session invalidation. Look for it later this week https://duo.com/docs/rdp-notes.

Duo, not DUO.

DuoKristina · ‎04-16-2024

We released 4.3.1 on April 9. Note though there is an issue with the installer where if you upgrade from 4.3.0 to 4.3.1 directly then both versions are present in Add/Remove Programs. You can safely just uninstall 4.3.0 from Add/Remove Programs, and it leaves 4.3.1 intact.

Duo, not DUO.