Duo for Windows Logon: Auto Remove Oldest Cached Offline User?

Dan Smith COB
Level 1

Here's our situation:

  • We've set the local configuration to permit up to 50 cached offline users (the max):
    HKLM\SOFTWARE\Duo Security\DuoCredPro\OfflineMaxUsers to 50
  • We have several laptops running Duo for Windows Logon which spend about 50% of their time within a state of connectivity and the other 50% of time in areas without connectivity.
  • We have 70-80 employees who rotate through the use of these laptops.
  • Due to the nature of the work they perform, we cannot disable Duo's offline access feature on these devices.
  • We're hitting the 50 user maximum and have had to manually clear the local registry of each device periodically.

Feature Request: We need a way to automatically "bump-off" the oldest cached registration in order to make way for the next user who may need to use the laptop.

Thanks for any help, tips or hacks that y'all have come across to alleviate this problem!

Accepted Solution

DuoKristina
Cisco Employee

Offline access in Duo Authentication for Windows Logon was developed as a way to provide continued access for the primary user of a given Windows client who is temporarily offline. Your use case of 50% offline wasn't the intended use, which is why (as you have observed) it doesn't scale well.

ETA: Here's our blog post announcing the feature, which mentions the "occasionally offline" use case. https://duo.com/blog/announcing-offline-multi-factor-authentication-for-windows

To submit this feature request for Duo, please contact your Duo Care team or Cisco Duo account exec. If you do not have these contacts, you may contact Duo Support to submit the feature request.

While the registry key and values created by the Duo application for offline access don't explicitly state the creation date, Windows itself does maintain a LastWriteTime for registry keys. You may be able to script removal of the keys with the oldest LastWriteTime values using PowerShell.

https://learn-powershell.net/2014/12/18/retrieving-a-registry-key-lastwritetime-using-powershell/

Duo, not DUO.

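A script along the lines Kristina describes, added here as an example and not Duo's or the poster's code: it reads each subkey's LastWriteTime through RegQueryInfoKey (the technique in the linked post, which .NET's RegistryKey class does not expose directly) and deletes the oldest entries beyond a retention count. The subkey that actually holds the per-user offline entries is a placeholder you must fill in, and the retention count of 45 is an assumed value chosen to leave headroom under OfflineMaxUsers = 50.

```powershell
# Added example (not Duo's or the poster's code): prune the oldest Duo offline-user
# registry entries by key LastWriteTime. RegQueryInfoKey is called via P/Invoke because
# .NET's RegistryKey class does not expose a key's last write time.
param(
    # ASSUMPTION/PLACEHOLDER: replace with the subkey that holds the per-user offline entries
    [string]$ParentKey = 'SOFTWARE\Duo Security\DuoCredPro\<OfflineUsersSubkey>',
    [int]$Keep = 45,      # assumed retention: leaves headroom under OfflineMaxUsers = 50
    [switch]$DryRun       # report what would be removed without deleting anything
)

$sig = @'
[DllImport("advapi32.dll", CharSet = CharSet.Auto)]
public static extern int RegQueryInfoKey(
    Microsoft.Win32.SafeHandles.SafeRegistryHandle hKey,
    System.Text.StringBuilder lpClass, ref uint lpcbClass, IntPtr lpReserved,
    out uint lpcSubKeys, out uint lpcbMaxSubKeyLen, out uint lpcbMaxClassLen,
    out uint lpcValues, out uint lpcbMaxValueNameLen, out uint lpcbMaxValueLen,
    out uint lpcbSecurityDescriptor, out long lpftLastWriteTime);
'@
Add-Type -MemberDefinition $sig -Name RegApi -Namespace DuoOffline

function Get-RegKeyLastWriteTime([Microsoft.Win32.RegistryKey]$Key) {
    $cls = New-Object System.Text.StringBuilder 256
    [uint32]$cb = 256; [uint32]$unused = 0; [long]$ft = 0
    $rc = [DuoOffline.RegApi]::RegQueryInfoKey($Key.Handle, $cls, [ref]$cb, [IntPtr]::Zero,
        [ref]$unused, [ref]$unused, [ref]$unused, [ref]$unused,
        [ref]$unused, [ref]$unused, [ref]$unused, [ref]$ft)
    if ($rc -ne 0) { throw "RegQueryInfoKey failed for $($Key.Name) (error $rc)" }
    [DateTime]::FromFileTime($ft)   # FILETIME -> local DateTime
}

$parent = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($ParentKey, $true)
if (-not $parent) { throw "HKLM\$ParentKey not found; set -ParentKey to the real offline-user key" }

# Collect every per-user subkey together with its last write time
$entries = foreach ($name in $parent.GetSubKeyNames()) {
    $sub = $parent.OpenSubKey($name)
    [pscustomobject]@{ Name = $name; LastWrite = Get-RegKeyLastWriteTime $sub }
    $sub.Close()
}

# Newest first; everything past the $Keep most recent entries is removed
$entries | Sort-Object LastWrite -Descending | Select-Object -Skip $Keep | ForEach-Object {
    Write-Output "Removing offline entry '$($_.Name)' (last written $($_.LastWrite))"
    if (-not $DryRun) { $parent.DeleteSubKeyTree($_.Name) }
}
$parent.Close()
```

Run it elevated with -DryRun first to confirm the placeholder path resolves to the per-user keys and that the ordering matches the users you expect to age out, then schedule it without -DryRun.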

3 Replies

Dan Smith COB
Level 1

Thank you, I just sent in a support ticket for this feature request.

I was looking at the registry key and the values Duo documents for each user... You're right, there's no value that would store a timestamp for the user's offline registration. I'll look at the last write time for each key and see if we can pursue that angle while we wait to hear from the developers.

Thank you for the quick response! -Dan

Dan Smith COB
Level 1

Received word that this is already a known feature request and that they've added our organization as an interested party. If anyone else has this concern, I'd encourage you to also enter a support ticket asking to be added to the list. Thanks everyone!
