How to Enable MFA on Windows Logon with DUO
HTML-код
- Опубликовано: 24 июл 2024
- I talk on my channel about enabling multi-factor authentication for cloud services such as Microsoft 365. But have you ever considered MFA for logging onto your computer? Can you even do this? Yes, you can by using a product called DUO.
I will show you how in today's video.
00:00 Introduction
00:40 What is MFA?
02:35 How to Configure DUO for Windows Logon
03:53 Enroll with DUO Security
05:30 Protect an application in DUO
07:04 Install DUO software on a Windows computer
#microsoft365 #twofactorauthentication #duo
--------
So who am I and what do I do?
I am an IT expert with over 20 years of industry experience across a multitude of different areas. I am the Founder & Managing Director of Integral IT. Our mission is to deliver IT services that bring real value to each and every one of our customers, no matter how big or small.
If you need IT support, we can help. We can help you wherever you are in the world; you just need an internet connection.
Contact Us Today ► hello@integral-it.co.uk
www.integral-it.co.uk/
-- Make Sure To Follow Me On My Socials Below --
► INSTAGRAM: / jonathanedwardsit
► FACEBOOK: / jonathanedwardsit
If you have any video ideas, or if you'd like me to make a video on anything specific make sure to let me know in the comments below!
It's too easy man, thank you so much for this very important video
Well done demonstration!
Wow
Excellent video, thank you!
Thanks Jonathan. Great tutorial.
Thanks for the video. Very useful. Oddly, I find you more understandable with playback speed set to 1.25.
Well made video, thanks!
Thanks for the video. It is beneficial
I’ve been binging all your videos while improving my environment. Thank you 💯.
Can you make a video like this for install on Mac?
Maybe one day….
Thanks Jonathan. Straight forward and useful.
I’ve got a question regarding the device setup. It looked like when you logged in at the end there was a drop down arrow to have the authentication sent to a different other than the iOS device you setup in the video. Would this be possible to set up with additional devices? Say you have an iPhone and an iPad and wanted to authenticate with either or (say your phone is charging in another room and you’re too lazy so you use your iPad next to you?) That would be convenient for what I am looking for in an Authenticator program.
Thank you very much, I was freaking out trying to figure out the non-enrolled error, turned out to be the a mismatch between the username I was using in Duo vs the one used to login to the domain-joined pc vs the username stored in the pc as you pointed out.
This was really helpful to get my first Duo 2FA set up, but I'm struggling to set up my other computers. Is it possible to link multiple computers to a single Duo user?
Great video Jonathan. I was looking forward to implementing this for our company. We use complex passwords for our MS365 accounts so users use a PIN or fingerprint for Windows login (Windows Hello). For me, being able to login with just a PIN isn't ideal which is why DUO sounded a great option. However I've just realised that DUO doesn't currently support Windows Hello at this time which is a big disappointment 😥
Yes, it is!
@@bearded365guy With you being a DUO partner have you heard whether it's something they are maybe looking at in the future? I'm guessing there's some technical issues behind the scenes seen as though Microsoft don't even offer this! ☺
🔥
How would we be able to mix duo and non duo users on a single box?
Hi Jonathan,
I'm struggling right now to get Duo implemented on some Microsoft Surface Pro X tablets for customers as showing Non-compatibility with the Arm 64 -bit processor. Was trying to work around this through M365 portal. So far still working on a solution to meet compliance regulations. If you have any recommendations please let us know.
do you know how I can add the Windows Hello feature to duo security?
Stupid question. Does DUO accomplish this irregardless of the Microsoft License associated with the account? Kiosk, Plan 1, E3, P1/P2, etc. Since it has to be installeded locally to accomplish the MFA. Second question, is there a "tamper proof" setting to prevent the user from removing Duo from the PC?
Yes, you can have MFA with any Microsoft license, so DUO will work. We recommend that users don’t have local admin access to their computers so they can’t go in and uninstall anything.
Can DUO be setup so only specific user account in AD are forced to use DUO when signing on to any computer on the domain?
Did you ever find an answer to this? I’m in need of seeing something up at work and settled on this but I’m lost.
For cyber security insurance reasons, I setup and installed the DUO Windows login for specific computers used by people with privileged AD accounts. Unfortunately it's required for anyone that signs into that computer, Not just specific accounts. But I also now have DUO for all remote access, so everyone now has DUO anyway. From what I could tell, DUO windows login is machine and not account based.@@codyappell24
Duo is great for remoting, but a pain in the ass if you just want to use you PC locally, hence why we disabled it for a local login at the office years ago.
Hi Jonathan, It's a great video and thank you for that, i have configured Duo as per your suggestion and it is working for login, but i need to enable MFA for web access and share folder access also, could you please guide me how to do.
Thanks in advance.
do you still use a password policy, in which you still have the users change their password every 30,60 or 90 days?
No we don’t. Here in the UK the advice is for users not to change their passwords. Choose a strong random password with MFA is the way to go.
@@bearded365guy Another question, if the computer goes to sleep, you still have to use the 2fa, correct, or no?
@@scottfortune1132 if the computer locks, then yes.
Sorry for being obtuse. I'm looking for something to replace Windows AD on prem. I just want anyone who has an active acount to be able to log into any of our comuters and people without accounts or disabled accounts not to be able to log in. SO it wouldn't matter if Mary wants to log in on Joe's old PC - as long as she was active (like it works with Active Directory) she could log into that computer. I'd also like to be able to decide which users have local admin rights on their PC remotely. Can duo do this? I'd like to get all servers off prem.
If you have no log on servers, there would be no centralized logon. What you are describing is Active Directories sole purpose, centralized user and device management. Duo doesn't manage accounts on your devices and why he emphasized the username you register MUST be correct. As far as I have seen there isn't a solid replacement for Active Directory. Every solution I was told to check out had at least one downfall/incompatibility, but you would need some type of directory service to manage the devices and users. Duo is only a middleman or added layer to authentication. If you do find a good AD solution tho, I'd be interested in hearing about it for some smaller clients I support.
Good day, Can I use hardware tokens for this process instead of mobile phone? We cannot force staff to use their personal phones for MFA without requests for compensation possibly. If it is possible, can you direct me to instructions/guide
Yes, a Yubikey.
@@bearded365guy I have the Duo Tokens, will that work?
@@librarygirldigitalworld I didn’t know DUO did their own tokens?
@@bearded365guy I am still learning. Which is why I love watching your channel. But yes, we purchased the Duo Hardware Token (DUO-TOKEN) by Cisco
Does it support AD on premise and local user without domain?
If AD is on premise, there should be a domain?
@@bearded365guy perhaps local admin?
Have you experienced Samsung not able to read and run QR code for offline access? The menu list won't appear...
No I haven’t experienced that.
Is it possible to use this as passwordless instead of password?
Yes it is with Windows Hello
guide.duo.com/passwordless
Epic beard.
When I tried setting this up this this caused my login screen to be a blank blurry page with no options
I’ve not seen that before!
Same, I ended up having to reset my PC. Not sure what I did wrong, would have really liked to set up properly but hopefully Microsoft will implement 2fa in the future
This just happened to me, anything learned?
It might have had something to do with using Microsoft account vs a local account, I ended up going with a local account and just using a yubikey
This happened even for me , any fixes ?
If you unplug the network cable or turn off wifi it lets your right in. Dont understand why its that east to bypass. Why even use it? Also safe mode appears to bypass it as well.
It shouldn’t work like that…..
@@bearded365guy I agree it shouldn't but it does. It actually states it works that way in their documentation. Have you tested any other 2FA apps for windows logins? I am trying to find one that is simple enough for end users but also is actually secure. Any ideas would be greatly appreciated. Thanks
Thank you for the tutorial. It is very strange that Microsoft doesn't just make this feature available within itself. They clearly have it in place for everything else, except for this? ... Microsoft lol.
Yes, it would be useful.
@@bearded365guy I spoke to soon. I followed the tutorial, I got the blurred screen of death and nearly got locked out of my computer, and I feared that I made a career ending mistake. I fixed it. No worries. Not your fault. But I highly suggest you should put a HUGE warning that when performing this set up, if a user is connected to a Microsoft Live ID, DUO will not work.
Agree I got the same problem took me hours to figure out what I did wrong and get back into my work station @@HyperionBadger
this works on windows 10?
Yes
@@bearded365guy much appreciated
I did this and now my password screen is blurred and i cannot log in to my laptop
Oh no. Not sure where it went wrong there?
@@bearded365guy it was due to my rdp account was from a live id and apparently duo blurs out the login screen if you set up the microsoft rdp protection for an account that is registered with a live id. It only works on a local account. So to really use this servi d for me, i would need to clone my account to a local account and then delete everything important from the main account and set up rdp protection for the local account. The fact that most people register thier accounts with a live id, im suprised that this is not a common precaution for all installs. Would have been a time saver if it was stated by the company in an obviously visible way like most warnings in life.
Same here, did you find a solution ?
Same plz help
Scam I got loged out