Thank you very much, I was freaking out trying to figure out the non-enrolled error, turned out to be the a mismatch between the username I was using in Duo vs the one used to login to the domain-joined pc vs the username stored in the pc as you pointed out.
Your video helped me get this working on my Windows 10 laptop flawlessly and it still works great each time I login. I recently purchased a Windows 11 laptop and tried to get this working on it and failed 4 times - each time I had to reset my laptop. I have now given up. After I go through all the steps, I lock my laptop to log back in using DUO push and login window just disappear - no username, no password on the screen, just the windows wallpaper. Any idea what I could be doing wrong?
@@bearded365guy I sort of figured it out. DUO does not work when we are using Microsoft accounts to log into our Laptops. I will have to switch it over to a local account. The drawback is that I won't have access to some Microsoft features and such on my laptop and my credential will be stored locally on my laptop only.
Hi Jonathan, It's a great video and thank you for that, i have configured Duo as per your suggestion and it is working for login, but i need to enable MFA for web access and share folder access also, could you please guide me how to do. Thanks in advance.
Thank you for the video. Question: what if I don't enable the "bypass duo authentication when office" will it force me to connect to the internet before logging in?
Good day, Can I use hardware tokens for this process instead of mobile phone? We cannot force staff to use their personal phones for MFA without requests for compensation possibly. If it is possible, can you direct me to instructions/guide
Duo is great for remoting, but a pain in the ass if you just want to use you PC locally, hence why we disabled it for a local login at the office years ago.
I’ve got a question regarding the device setup. It looked like when you logged in at the end there was a drop down arrow to have the authentication sent to a different other than the iOS device you setup in the video. Would this be possible to set up with additional devices? Say you have an iPhone and an iPad and wanted to authenticate with either or (say your phone is charging in another room and you’re too lazy so you use your iPad next to you?) That would be convenient for what I am looking for in an Authenticator program.
Hello Jonathan, Thank you so much for the videos. it helps a lot. just one Question: in my Org, we use M365, active directory to login into windows systems. including the password, if i need to have MFA enabled. do we have to look into 3rd party like Duo. Is there any way that this can be done through Active directory or MS intra ID?
Same, I ended up having to reset my PC. Not sure what I did wrong, would have really liked to set up properly but hopefully Microsoft will implement 2fa in the future
Hi Jonathan, I'm struggling right now to get Duo implemented on some Microsoft Surface Pro X tablets for customers as showing Non-compatibility with the Arm 64 -bit processor. Was trying to work around this through M365 portal. So far still working on a solution to meet compliance regulations. If you have any recommendations please let us know.
Thank you for the tutorial. It is very strange that Microsoft doesn't just make this feature available within itself. They clearly have it in place for everything else, except for this? ... Microsoft lol.
@@bearded365guy I spoke to soon. I followed the tutorial, I got the blurred screen of death and nearly got locked out of my computer, and I feared that I made a career ending mistake. I fixed it. No worries. Not your fault. But I highly suggest you should put a HUGE warning that when performing this set up, if a user is connected to a Microsoft Live ID, DUO will not work.
Great video Jonathan. I was looking forward to implementing this for our company. We use complex passwords for our MS365 accounts so users use a PIN or fingerprint for Windows login (Windows Hello). For me, being able to login with just a PIN isn't ideal which is why DUO sounded a great option. However I've just realised that DUO doesn't currently support Windows Hello at this time which is a big disappointment 😥
@@bearded365guy With you being a DUO partner have you heard whether it's something they are maybe looking at in the future? I'm guessing there's some technical issues behind the scenes seen as though Microsoft don't even offer this! ☺
This was really helpful to get my first Duo 2FA set up, but I'm struggling to set up my other computers. Is it possible to link multiple computers to a single Duo user?
@@bearded365guy it was due to my rdp account was from a live id and apparently duo blurs out the login screen if you set up the microsoft rdp protection for an account that is registered with a live id. It only works on a local account. So to really use this servi d for me, i would need to clone my account to a local account and then delete everything important from the main account and set up rdp protection for the local account. The fact that most people register thier accounts with a live id, im suprised that this is not a common precaution for all installs. Would have been a time saver if it was stated by the company in an obviously visible way like most warnings in life.
Sorry for being obtuse. I'm looking for something to replace Windows AD on prem. I just want anyone who has an active acount to be able to log into any of our comuters and people without accounts or disabled accounts not to be able to log in. SO it wouldn't matter if Mary wants to log in on Joe's old PC - as long as she was active (like it works with Active Directory) she could log into that computer. I'd also like to be able to decide which users have local admin rights on their PC remotely. Can duo do this? I'd like to get all servers off prem.
If you have no log on servers, there would be no centralized logon. What you are describing is Active Directories sole purpose, centralized user and device management. Duo doesn't manage accounts on your devices and why he emphasized the username you register MUST be correct. As far as I have seen there isn't a solid replacement for Active Directory. Every solution I was told to check out had at least one downfall/incompatibility, but you would need some type of directory service to manage the devices and users. Duo is only a middleman or added layer to authentication. If you do find a good AD solution tho, I'd be interested in hearing about it for some smaller clients I support.
Stupid question. Does DUO accomplish this irregardless of the Microsoft License associated with the account? Kiosk, Plan 1, E3, P1/P2, etc. Since it has to be installeded locally to accomplish the MFA. Second question, is there a "tamper proof" setting to prevent the user from removing Duo from the PC?
Yes, you can have MFA with any Microsoft license, so DUO will work. We recommend that users don’t have local admin access to their computers so they can’t go in and uninstall anything.
If you unplug the network cable or turn off wifi it lets your right in. Dont understand why its that east to bypass. Why even use it? Also safe mode appears to bypass it as well.
@@bearded365guy I agree it shouldn't but it does. It actually states it works that way in their documentation. Have you tested any other 2FA apps for windows logins? I am trying to find one that is simple enough for end users but also is actually secure. Any ideas would be greatly appreciated. Thanks
For cyber security insurance reasons, I setup and installed the DUO Windows login for specific computers used by people with privileged AD accounts. Unfortunately it's required for anyone that signs into that computer, Not just specific accounts. But I also now have DUO for all remote access, so everyone now has DUO anyway. From what I could tell, DUO windows login is machine and not account based.@@codyappell24
It's too easy man, thank you so much for this very important video
Thanks for the video. Very useful. Oddly, I find you more understandable with playback speed set to 1.25.
Thank you very much, I was freaking out trying to figure out the non-enrolled error, turned out to be the a mismatch between the username I was using in Duo vs the one used to login to the domain-joined pc vs the username stored in the pc as you pointed out.
Thanks Jonathan. Great tutorial.
Your video helped me get this working on my Windows 10 laptop flawlessly and it still works great each time I login. I recently purchased a Windows 11 laptop and tried to get this working on it and failed 4 times - each time I had to reset my laptop. I have now given up. After I go through all the steps, I lock my laptop to log back in using DUO push and login window just disappear - no username, no password on the screen, just the windows wallpaper. Any idea what I could be doing wrong?
Not sure why, I haven’t tested this on a Win11 laptop.
@@bearded365guy I sort of figured it out. DUO does not work when we are using Microsoft accounts to log into our Laptops. I will have to switch it over to a local account. The drawback is that I won't have access to some Microsoft features and such on my laptop and my credential will be stored locally on my laptop only.
Well made video, thanks!
Thanks Jonathan. Straight forward and useful.
do you know how I can add the Windows Hello feature to duo security?
Does it support AD on premise and local user without domain?
If AD is on premise, there should be a domain?
@@bearded365guy perhaps local admin?
Hi Jonathan, It's a great video and thank you for that, i have configured Duo as per your suggestion and it is working for login, but i need to enable MFA for web access and share folder access also, could you please guide me how to do.
Thanks in advance.
this works on windows 10?
Yes
@@bearded365guy much appreciated
Does it work with headless core servers? I mean i have a plenty of Hyper-V Server 2019, and i want to make it more secure.
Thank you for the video.
Question: what if I don't enable the "bypass duo authentication when office" will it force me to connect to the internet before logging in?
Good day, Can I use hardware tokens for this process instead of mobile phone? We cannot force staff to use their personal phones for MFA without requests for compensation possibly. If it is possible, can you direct me to instructions/guide
Yes, a Yubikey.
@@bearded365guy I have the Duo Tokens, will that work?
@@librarygirldigitalworld I didn’t know DUO did their own tokens?
@@bearded365guy I am still learning. Which is why I love watching your channel. But yes, we purchased the Duo Hardware Token (DUO-TOKEN) by Cisco
Duo is great for remoting, but a pain in the ass if you just want to use you PC locally, hence why we disabled it for a local login at the office years ago.
Thank You , You have explained it very well
I’ve got a question regarding the device setup. It looked like when you logged in at the end there was a drop down arrow to have the authentication sent to a different other than the iOS device you setup in the video. Would this be possible to set up with additional devices? Say you have an iPhone and an iPad and wanted to authenticate with either or (say your phone is charging in another room and you’re too lazy so you use your iPad next to you?) That would be convenient for what I am looking for in an Authenticator program.
Hello Jonathan,
Thank you so much for the videos. it helps a lot. just one Question: in my Org, we use M365, active directory to login into windows systems. including the password, if i need to have MFA enabled. do we have to look into 3rd party like Duo. Is there any way that this can be done through Active directory or MS intra ID?
@@harvey7241 Check out my video on Windows Hello for Business. There is a feature called Multi-Factor unlock.
When I tried setting this up this this caused my login screen to be a blank blurry page with no options
I’ve not seen that before!
Same, I ended up having to reset my PC. Not sure what I did wrong, would have really liked to set up properly but hopefully Microsoft will implement 2fa in the future
This just happened to me, anything learned?
It might have had something to do with using Microsoft account vs a local account, I ended up going with a local account and just using a yubikey
This happened even for me , any fixes ?
How to do.with Microsoft auth
Wow
Excellent video, thank you!
I’ve been binging all your videos while improving my environment. Thank you 💯.
Can you make a video like this for install on Mac?
Maybe one day….
Hi Jonathan,
I'm struggling right now to get Duo implemented on some Microsoft Surface Pro X tablets for customers as showing Non-compatibility with the Arm 64 -bit processor. Was trying to work around this through M365 portal. So far still working on a solution to meet compliance regulations. If you have any recommendations please let us know.
Thank you for the tutorial. It is very strange that Microsoft doesn't just make this feature available within itself. They clearly have it in place for everything else, except for this? ... Microsoft lol.
Yes, it would be useful.
@@bearded365guy I spoke to soon. I followed the tutorial, I got the blurred screen of death and nearly got locked out of my computer, and I feared that I made a career ending mistake. I fixed it. No worries. Not your fault. But I highly suggest you should put a HUGE warning that when performing this set up, if a user is connected to a Microsoft Live ID, DUO will not work.
Agree I got the same problem took me hours to figure out what I did wrong and get back into my work station @@HyperionBadger
How can I purchase one and only one instance of DUO?
@@marklharmon Direct from DUO.
@@bearded365guy Thanks. So far, I've seen no response at all from their sales department. I'll keep trying.
Well done demonstration!
Epic beard.
Great video Jonathan. I was looking forward to implementing this for our company. We use complex passwords for our MS365 accounts so users use a PIN or fingerprint for Windows login (Windows Hello). For me, being able to login with just a PIN isn't ideal which is why DUO sounded a great option. However I've just realised that DUO doesn't currently support Windows Hello at this time which is a big disappointment 😥
Yes, it is!
@@bearded365guy With you being a DUO partner have you heard whether it's something they are maybe looking at in the future? I'm guessing there's some technical issues behind the scenes seen as though Microsoft don't even offer this! ☺
This was really helpful to get my first Duo 2FA set up, but I'm struggling to set up my other computers. Is it possible to link multiple computers to a single Duo user?
do you still use a password policy, in which you still have the users change their password every 30,60 or 90 days?
No we don’t. Here in the UK the advice is for users not to change their passwords. Choose a strong random password with MFA is the way to go.
@@bearded365guy Another question, if the computer goes to sleep, you still have to use the 2fa, correct, or no?
@@scottfortune1132 if the computer locks, then yes.
Thanks for the video. It is beneficial
I did this and now my password screen is blurred and i cannot log in to my laptop
Oh no. Not sure where it went wrong there?
@@bearded365guy it was due to my rdp account was from a live id and apparently duo blurs out the login screen if you set up the microsoft rdp protection for an account that is registered with a live id. It only works on a local account. So to really use this servi d for me, i would need to clone my account to a local account and then delete everything important from the main account and set up rdp protection for the local account. The fact that most people register thier accounts with a live id, im suprised that this is not a common precaution for all installs. Would have been a time saver if it was stated by the company in an obviously visible way like most warnings in life.
Same here, did you find a solution ?
Same plz help
How would we be able to mix duo and non duo users on a single box?
Sorry for being obtuse. I'm looking for something to replace Windows AD on prem. I just want anyone who has an active acount to be able to log into any of our comuters and people without accounts or disabled accounts not to be able to log in. SO it wouldn't matter if Mary wants to log in on Joe's old PC - as long as she was active (like it works with Active Directory) she could log into that computer. I'd also like to be able to decide which users have local admin rights on their PC remotely. Can duo do this? I'd like to get all servers off prem.
If you have no log on servers, there would be no centralized logon. What you are describing is Active Directories sole purpose, centralized user and device management. Duo doesn't manage accounts on your devices and why he emphasized the username you register MUST be correct. As far as I have seen there isn't a solid replacement for Active Directory. Every solution I was told to check out had at least one downfall/incompatibility, but you would need some type of directory service to manage the devices and users. Duo is only a middleman or added layer to authentication. If you do find a good AD solution tho, I'd be interested in hearing about it for some smaller clients I support.
Stupid question. Does DUO accomplish this irregardless of the Microsoft License associated with the account? Kiosk, Plan 1, E3, P1/P2, etc. Since it has to be installeded locally to accomplish the MFA. Second question, is there a "tamper proof" setting to prevent the user from removing Duo from the PC?
Yes, you can have MFA with any Microsoft license, so DUO will work. We recommend that users don’t have local admin access to their computers so they can’t go in and uninstall anything.
Have you experienced Samsung not able to read and run QR code for offline access? The menu list won't appear...
No I haven’t experienced that.
If you unplug the network cable or turn off wifi it lets your right in. Dont understand why its that east to bypass. Why even use it? Also safe mode appears to bypass it as well.
It shouldn’t work like that…..
@@bearded365guy I agree it shouldn't but it does. It actually states it works that way in their documentation. Have you tested any other 2FA apps for windows logins? I am trying to find one that is simple enough for end users but also is actually secure. Any ideas would be greatly appreciated. Thanks
Is it possible to use this as passwordless instead of password?
Yes it is with Windows Hello
guide.duo.com/passwordless
🔥
Can DUO be setup so only specific user account in AD are forced to use DUO when signing on to any computer on the domain?
Did you ever find an answer to this? I’m in need of seeing something up at work and settled on this but I’m lost.
For cyber security insurance reasons, I setup and installed the DUO Windows login for specific computers used by people with privileged AD accounts. Unfortunately it's required for anyone that signs into that computer, Not just specific accounts. But I also now have DUO for all remote access, so everyone now has DUO anyway. From what I could tell, DUO windows login is machine and not account based.@@codyappell24
Scam I got loged out