Cisco Duo Desktop - Advanced Configuration
Looking to configure Cisco Duo Desktop settings like the IKEY, Shared Secret, API Hostname, etc.?
Because this is an Auto Download package, you will be unable to modify the Parameters, so you have the following options:
OPTION 1 - Convert the package to a Standard Download
- This will allow you to modify the Parameters, but the installer will no longer auto update. Probably not what you want.
OPTION 2 - Use the Duo Group Policy Objects
- You can use the Duo Group Policy Objects to set the IKEY, Secret Key, API Hostname and other settings. You can download the GPOs from here: https://duo.com/docs/winlogon-gpo. This way, you aren't relying entirely on the installer to set those Registry keys correctly. The GPO sets them, so they are already present and used when the app gets installed. This is the recommended approach if you have Group Policy configured in your environment.
OPTION 3 - Use Post Deployment Steps to add the appropriate keys to the Registry
- This provides the same functionality as using the GPOs. Instead of using Group Policy to configure the appropriate Registry keys, you use a PowerShell or a Command step to add them.
PowerShell
Use a PowerShell step to add each entry as necessary. For example:
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Duo Security\DuoCredProv" -Name "AutoPush" -PropertyType DWORD -Value 0 -Force
- This will add the registry value under HKLM\Software\Policies\Duo Security\DuoCredProv.
- Repeat as necessary for each key. You don't need to create additional steps for each Registry key unless you want to. They can be added as additional lines in the same PowerShell Step.
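The following is an added example, not code from the original article or from Cisco Duo, of a single PowerShell step that writes several of the policy values at once and reads them back to confirm the step succeeded. The Host, IKey and SKey strings are placeholders you replace with the values from your own Duo Admin Panel, and the choice of DWORD values (for instance FailOpen set to 0, the fail-closed posture) is this example's assumption rather than the installer default the article describes.

```powershell
# Added example (not from the original article): configure several Cisco Duo
# Desktop policy values in one PowerShell step, then verify them.
$DuoPolicyPath = 'HKLM:\SOFTWARE\Policies\Duo Security\DuoCredProv'

# Values to write. Types follow the Cisco Duo Desktop registry key table;
# Host/IKey/SKey below are placeholders, not real credentials.
$DuoSettings = @(
    @{ Name = 'Host';     Type = 'String'; Value = 'api-xxxxxxxx.duosecurity.com' }  # placeholder
    @{ Name = 'IKey';     Type = 'String'; Value = 'DIXXXXXXXXXXXXXXXXXX' }           # placeholder
    @{ Name = 'SKey';     Type = 'String'; Value = 'REPLACE_WITH_SECRET_KEY' }        # placeholder
    @{ Name = 'AutoPush'; Type = 'DWord';  Value = 1 }   # push as soon as the prompt appears
    @{ Name = 'FailOpen'; Type = 'DWord';  Value = 0 }   # assumption: deny logon if Duo is unreachable
    @{ Name = 'RdpOnly';  Type = 'DWord';  Value = 0 }   # protect local and remote logons
    @{ Name = 'Debug';    Type = 'DWord';  Value = 0 }   # no diagnostic log on production hosts
)

# New-ItemProperty fails if the key itself does not exist yet, and nothing
# creates the Policies\Duo Security\DuoCredProv key before the installer or a
# GPO touches it, so create it first. -Force is harmless if it already exists.
if (-not (Test-Path -Path $DuoPolicyPath)) {
    New-Item -Path $DuoPolicyPath -Force | Out-Null
}

foreach ($s in $DuoSettings) {
    # -Force overwrites an existing value, which makes the step safe to re-run.
    New-ItemProperty -Path $DuoPolicyPath -Name $s.Name -PropertyType $s.Type `
        -Value $s.Value -Force | Out-Null
}

# Read the key back and fail the step if any value differs from what was requested.
$written = Get-ItemProperty -Path $DuoPolicyPath
foreach ($s in $DuoSettings) {
    $actual = $written.($s.Name)
    if ("$actual" -ne "$($s.Value)") {
        Write-Error "Registry value $($s.Name) is '$actual', expected '$($s.Value)'"
        exit 1
    }
}
Write-Output "Duo Desktop policy values configured under $DuoPolicyPath"
```

The read-back loop is what turns the step into a check rather than a fire-and-forget write: a non-zero exit marks the deployment step as failed in the console instead of leaving a machine that silently installed with the installer defaults. Treat the SKey line the same way you would any other secret in a deployment script; store the step with restricted access and avoid echoing the value in logs.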
Command
- For each Registry key, create your entry. For example:

reg add "HKLM\SOFTWARE\Policies\Duo Security\DuoCredProv" /v AutoPush /t REG_DWORD /d 0 /f
- This will add the registry value under HKLM\Software\Policies\Duo Security\DuoCredProv.
- Repeat as necessary for each key. You don't need to create additional steps for each Registry key unless you want to. They can be added as additional lines in the same Command Step.
Cisco Duo Desktop Registry Keys
The table below lists the Cisco Duo Desktop Registry Keys available as of version 4.3.0.
| Policy Name | Category | Registry Location | Type | Values | Description |
|---|---|---|---|---|---|
| Client: Enable Auto Push | Client Settings | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Duo Security\DuoCredProv\AutoPush | REG_DWORD | 0 or not set = No Duo requests are sent until the user initiates secondary authentication. 1 = A Duo authentication request is automatically sent to a user's device after primary authentication. (Installer Default) | When enabled, Duo Authentication for Windows Logon sends a Duo authentication request to the user's primary device as soon as the window is displayed instead of waiting for the user to click Login. The user must have at least one push-capable device for AutoPush to work. Default: Enabled |
| Client: Enable Debug Logging | Client Settings | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Duo Security\DuoCredProv\Debug | REG_DWORD | 0 or not set = No debug logging. (Default) 1 = Debug logging is enabled. | Enables diagnostic logging, describing all interaction with the Duo cloud service. The file is named "Duo.log" and is saved to the Duo Security subdirectory of the machine's Application Data directory, typically c:\ProgramData. There is no support for rollover or size capping. No sensitive data is written to the log. Default: Disabled. |
| Client: Limit Two-Factor to RDP Logons Only | Client Settings | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Duo Security\DuoCredProv\RdpOnly | REG_DWORD | 0 or not set = Protect local and remote logons. (Default) 1 = Protect remote logons only. | If enabled, uses Duo two-factor authentication only for Remote Desktop logons. Otherwise, it is used for both local and remote logons. Default: Disabled. |
| Client: Offline Access Available | Client Settings | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Duo Security\DuoCredProv\OfflineAvailable | REG_DWORD | 0 = Disable Offline Access 1 = Enable Offline Access | If enabled, Duo Authentication for Windows Logon allows Offline Access. If disabled, users cannot log on using Offline Access. Default: Enabled |
| Client: Enable Max Offline Users | Client Settings | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Duo Security\DuoCredProv\OfflineMaxUsers | REG_DWORD | Minimum value = 1 Maximum value = 50 | Sets the maximum number of users for whom Duo Authentication for Windows Logon allows Offline Access. Default: 5 |
| Client: Passwordless Offline Access Available | Client Settings | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Duo Security\DuoCredProv\PwlOfflineAvailable | REG_DWORD | 0 = Disable Passwordless Offline Access 1 = Enable Passwordless Offline Access | If enabled, Duo Authentication for Windows Logon allows Passwordless Offline Access. If disabled, users cannot log on using Passwordless Offline Access. Default: Enabled |
| Client: Specifies the Protection Level for User Elevation | Client Settings | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Duo Security\DuoCredProv\ElevationProtectionMode | REG_DWORD | 0 = Respect existing Duo authentication control around logon. 1 = Disable Duo at logon and only prompt during UAC User Elevation. 2 = Enforce Duo at logon and UAC elevation. | Specifies the Protection Mode for a system. The UAC credential prompt must be enabled. Default: 0 |
| Client: Enable Offline Access for User Elevation | Client Settings | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Duo Security\DuoCredProv\ElevationOfflineEnable | REG_DWORD | 0 = Disable Offline Access for User Elevation 1 = Enable Offline Access for User Elevation | If enabled, allows Offline Access during User Elevation. Default: Enabled |
| Client: Enable Offline Enrollment during User Elevation | Client Settings | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Duo Security\DuoCredProv\ElevationOfflineEnrollment | REG_DWORD | 0 = Disable Offline Enrollment during User Elevation 1 = Enable Offline Enrollment during User Elevation | If enabled, allows Offline Access enrollment during User Elevation attempts. This must be used in conjunction with "ElevationOfflineLogon". Default: Enabled |
| | Client Settings | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Duo Security\DuoCredProv\InactivityTimeoutSeconds | REG_DWORD | 0 or not set = Disable Inactivity Timeout | If set to a value greater than 0, the client closes when the idle time reaches the configured number of seconds. Default: 0 |
| | Client Settings | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Duo Security\DuoCredProv\ParseUsernameAndDomain | REG_DWORD | 0 or not set = Send username from logon token 1 = Parse username and domain from login string | If enabled, parses the username and domain from the username login string instead of the logon token. Enable this setting when devices joined to Entra ID send an incorrect username value to Duo. Default: Disabled |
| Duo Service: Certificate Pinning Available | Duo Service Settings | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Duo Security\DuoCredProv\EnableCertPinning | REG_DWORD | 0 or not set = Certificate pinning is disabled 1 = Certificate pinning is enabled | If enabled, Duo Authentication for Windows Logon uses certificate pinning for all Duo service calls. If disabled, certificate pinning is disabled. Default: Disabled |
| Duo Service: Fail Open if Unable to Contact Duo | Duo Service Settings | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Duo Security\DuoCredProv\FailOpen | REG_DWORD | 0 or not set = Logon denied when the Duo service cannot be contacted. 1 = Logon permitted when the Duo service cannot be contacted. (Installer Default) | If enabled, permits device access if the Duo service cannot be contacted or any communication error occurs. If disabled, users cannot log on to Windows unless they have Internet access at the logon screen and can contact the Duo service. Default: Enabled |
| Duo Service: Enable Smart Cards | Duo Service Settings | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Duo Security\DuoCredProv\EnableSmartCards | REG_DWORD | 0 or not set = Duo disables all other credential providers. 1 = The Windows smart card credential provider is enabled. | If enabled, permits use of the Windows smart card credential provider for user logon as an alternative to Duo authentication. If disabled, only Duo authentication is allowed. Default: Disabled |
| Duo Service: Wrap Smart Cards | Duo Service Settings | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Duo Security\DuoCredProv\WrapSmartCards | REG_DWORD | 0 or not set = Duo authentication and smart card authentication are mutually exclusive. 1 = Duo authentication and smart card authentication are chained. | If enabled, the Windows smart card provider is followed by Duo authentication. If disabled, smart card authentication and Duo authentication are mutually exclusive. Requires Duo Service: Enable Smart Cards to be enabled. Default: Disabled |
| Duo Service: Specify format of username sent to Duo service | Duo Service Settings | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Duo Security\DuoCredProv\UsernameFormatForService | REG_DWORD | 0 or not set = sAMAccountName 1 = NTLM domain and username 2 = userPrincipalName | Specifies the username format to be sent to Duo. Configuration values are: 0 = Send the sAMAccountName only, removing any domain specifier (e.g. "narroway"); 1 = Send the NTLM domain and username (e.g. "ACME\narroway"); 2 = Send the userPrincipalName (e.g. "narroway@acme.local"). Default: sAMAccountName |
| Duo Service: Duo API Hostname | Duo Service Settings | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Duo Security\DuoCredProv\Host | REG_SZ | String. Example: api-xxxxxxxx.duosecurity.com | The DNS name of the Duo API host as shown on the application's properties page in the Duo Admin Panel. Required. |
| Duo Service: Duo Integration Key | Duo Service Settings | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Duo Security\DuoCredProv\IKey | REG_SZ | String. Example: DIX0XXXXXXX0XXXX0XXX | The Duo integration key (ikey) as shown on the application's properties page in the Duo Admin Panel. Required. |
| Duo Service: Duo Secret Key | Duo Service Settings | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Duo Security\DuoCredProv\SKey | REG_SZ | String. Example: X00XXx0xxx00XXxXX0XxXxxxXXXxXxxXXX000xX0 | The Duo secret key (skey) as shown on the application's properties page in the Duo Admin Panel. Required. |
| Duo Service: HTTP Proxy Hostname | Duo Service Settings | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Duo Security\DuoCredProv\HttpProxyHost | REG_SZ | Not set = Do not use an HTTP proxy host (default) | If specified, all Duo web requests are sent via this HTTP proxy. This does not affect web browsing or any other application. Default: Disabled |
| Duo Service: HTTP Proxy Port | Duo Service Settings | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Duo Security\DuoCredProv\HttpProxyPort | REG_DWORD | Not set = 80 (default) | If HTTP Proxy Hostname is specified, the port used to connect to the HTTP proxy. Default: Port 80. |
| Duo Service: Log File Max Count | Duo Service Settings | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Duo Security\DuoCredProv\LogFileMaxCount | REG_DWORD | Minimum value = 1 Maximum value = 100 | If enabled, sets the maximum number of backup logs to be maintained. This must be used in conjunction with LogFileMaxSizeMB. |
| Duo Service: Log File Max Size MB | Duo Service Settings | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Duo Security\DuoCredProv\LogFileMaxSizeMB | REG_DWORD | Minimum value = 1 Maximum value = 4096 | If enabled, sets the maximum size in Megabytes (MB) of Duo.log. This must be used in conjunction with LogFileMaxSizeMB. |
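As an added example, not part of the original article and not Cisco Duo code, the script below reads the policy key on a machine and reports the settings from the table above that weaken the two-factor posture when left at the installer default (FailOpen, RdpOnly, EnableSmartCards without WrapSmartCards, EnableCertPinning) or that an administrator would want to confirm (Debug, HttpProxyHost). The "not set" defaults are taken from the table; the key path, the helper function name and which settings count as findings are this example's own assumptions. The secret key is checked for presence only and is never printed.

```powershell
# Added example (not from the original article): audit the Cisco Duo Desktop
# policy values present on this machine against the registry key table.
$DuoPolicyPath = 'HKLM:\SOFTWARE\Policies\Duo Security\DuoCredProv'

if (-not (Test-Path -Path $DuoPolicyPath)) {
    Write-Output "No Duo Desktop policy key at $DuoPolicyPath; neither the installer nor a GPO has written settings."
    return
}
$p = Get-ItemProperty -Path $DuoPolicyPath

# Helper (this script's own): the configured DWORD, or the table's "not set" default.
function Get-DuoDword([string]$Name, [int]$Default) {
    if ($null -ne $p.$Name) { [int]$p.$Name } else { $Default }
}

$findings = @()

# Required service settings: report presence only; never echo SKey.
foreach ($required in 'Host', 'IKey', 'SKey') {
    if ([string]::IsNullOrEmpty($p.$required)) {
        $findings += "Required value $required is missing; the credential provider cannot reach Duo."
    }
}

# FailOpen defaults to 1 via the installer: logon succeeds when Duo is unreachable.
if ((Get-DuoDword 'FailOpen' 1) -eq 1) {
    $findings += "FailOpen=1: logon is permitted when the Duo service cannot be contacted."
}
# RdpOnly=1 leaves console logons without a second factor.
if ((Get-DuoDword 'RdpOnly' 0) -eq 1) {
    $findings += "RdpOnly=1: local logons are not protected by Duo."
}
# Smart cards enabled but not wrapped means smart card logon bypasses Duo.
if ((Get-DuoDword 'EnableSmartCards' 0) -eq 1 -and (Get-DuoDword 'WrapSmartCards' 0) -eq 0) {
    $findings += "EnableSmartCards=1 without WrapSmartCards=1: smart card logon is an alternative to Duo, not chained with it."
}
if ((Get-DuoDword 'EnableCertPinning' 0) -eq 0) {
    $findings += "EnableCertPinning=0: certificate pinning for Duo service calls is disabled."
}
if ((Get-DuoDword 'Debug' 0) -eq 1) {
    $findings += "Debug=1: diagnostic logging to Duo.log under ProgramData is enabled."
}
if (-not [string]::IsNullOrEmpty($p.HttpProxyHost)) {
    $findings += "HttpProxyHost=$($p.HttpProxyHost): all Duo requests go through this proxy; confirm it is the intended one."
}

if ($findings.Count -eq 0) {
    Write-Output "No findings: required values are present and none of the checked settings weaken the posture."
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run this as a Command or PowerShell step in inventory or reporting mode rather than as part of the install itself; its purpose is to show, per machine, whether the installer defaults or a GPO actually produced the configuration you intended, which is the question the three options at the top of this article are trying to answer.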
David Jordan