skip to main content
Caltech
Information Management Systems and Services
IMSS  /  Services  /  Information Security  /  Duo Multi-factor Authentication  /  Deploying Duo  /  Deploying Duo on Windows

Deploying Duo on Windows

If you are the administrator of a Caltech-owned system and would like to implement Duo multi-factor authentication to protect Windows (local logins, RDP connections, and/or credentialed UAC requests), IMSS can help.

Getting started

  • Local usernames on your system should match access.caltech usernames. This is necessary for a smooth setup and low maintenance deployment. Please discuss this with Information Security if you have any questions or concerns.
  • When you are ready to begin, email security@caltech.edu with the following information:
    • Duo integration type (e.g. Windows, Linux):
    • Number of systems you plan on deploying Duo on:
    • Descriptive name of the system or group of systems:
    • List other contacts responsible for these systems:
    • Confirm whether the usernames on these systems match each person's access.caltech username:
  • Information Security will respond with a secure link using Caltech 1Password containing a set of Duo API keys. If you have not yet used Caltech 1Password, you will first receive an invitation to sign up for an account.

Installing Duo

At this point, you should have already received a set of Duo API keys from Information Security including: API Hostname, Integration Key, and Secret Key

  1. Download the Duo for RDP installer. Run the installer with administrative privileges.
  2. When prompted, enter your API Hostname as provided by Information Security, and click Next. The installer will check for connectivity at this point. If the check fails, ensure that the Windows firewall and any applicable hardware firewall is allowing traffic to Duo.
  3. Enter your integration key and secret key as provided by Information Security, and click Next again.
  4. Consider the integration options on this page.
    1. Bypass Duo authentication when offline: FailClosed (unchecked) is more secure, but could potentially result in loss of RDP access in the event of a connectivity issue. However, in the unlikely event of an extended outage, an admin with console access could reconfigure Duo.
    2. Use auto push to authenticate if available: if the majority of the users will be using the smartphone app push authentication method, this option is adds convenience. If more users will be using a hardware token, you should disable auto push.
    3. Only prompt for Duo authentication when logging in via RDP: will allow local users to continue logging in using username and password only, without requiring Duo. Depending on your preference and the workstation's physical location, this may be an appropriate choice.
  5. Click next through the remaining screens to complete the process. If you selected "Only prompt for Duo authentication when logging in via RDP", you should be prompted for Duo next time you log in via RDP. Otherwise, you should be prompted for Duo for any log in to the system.

More information