DUO with Elevations
AutoElevate and DUO can be used together to provide multi-factor authentication (MFA) and approval for elevation requests on Windows systems. Here are instructions for using these tools together to ensure secure access to elevated privileges without conflict:
- When installing AutoElevate, DUO is not required for elevations. With AutoElevate, the request is MFA approved from the AE admin portal side, as MFA is required to log in.
- If installing AutoElevate with DUO, it's recommended that you reinstall DUO with UAC level 0. This ensures that DUO does not interfere with User Account Control (UAC) or elevation requests.
- DUO offers three UAC levels:
  - UAC level 0: This level is recommended for use with AutoElevate. It's Windows login only and does not affect UAC or elevation.
  - UAC level 1: This level is elevation-only and does not require MFA processing on Windows login. It's not recommended for use with AutoElevate, as it can cause conflicts with the elevation approval process.
  - UAC level 2: This level requires MFA processing on Windows login and UAC prompts. It's not recommended for use with AutoElevate, as it can cause conflicts with the elevation approval process.
- When installing AutoElevate with DUO and using DUO with UAC level 0, there are no admin users to elevate except the AE local ~0000AEAdmin user. This is an "over-the-shoulder" account that is not an admin at rest, so it cannot be used to elevate privileges outside of the AutoElevate process.
- Additionally, you will not need to exclude the AE local ~0000AEAdmin user from the DUO policy, as DUO doesn't interfere with UAC or elevations in this configuration. Since you're not logging in interactively as the AE admin user, you have a more streamlined and secure process for elevating privileges.
DUO with Admin Login
To prevent DUO from blocking the Admin Login credential provider (which is needed for Admin Login to function), you will need to add its GUID to the DUO "ProvidersWhitelist".
The following command will add the GUID of the Admin Login credential provider to the DUO whitelist:
reg add "HKLM\SOFTWARE\Duo Security\DuoCredProv" /v ProvidersWhitelist /t REG_MULTI_SZ /d "{00006D50-0000-0000-B090-00006B0B0000}" /f
The GUID of the Admin Login credential provider is: 00006D50-0000-0000-B090-00006B0B0000
For more detailed information and assistance, you can refer to this support article from DUO: https://help.duo.com/s/article/4041?language=en_US
*Note: Admin rights are required to run this registry command.
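One caveat with the reg add command above: /d with /f writes the whole REG_MULTI_SZ value, so any provider GUIDs already in ProvidersWhitelist are replaced. The following PowerShell script is an added example (not from this article, AutoElevate, or Duo) that appends the Admin Login GUID only if it is missing, preserves existing entries, and reads the value back for verification; the UACProtectMode check at the end assumes the value name used in Duo's registry documentation and should be confirmed against your installed version.

```powershell
# Added example: idempotently whitelist the Admin Login credential provider
# in Duo's ProvidersWhitelist without clobbering existing entries.
# Run from an elevated PowerShell session (admin rights required).

$DuoKey         = 'HKLM:\SOFTWARE\Duo Security\DuoCredProv'
$ValueName      = 'ProvidersWhitelist'
$AdminLoginGuid = '{00006D50-0000-0000-B090-00006B0B0000}'   # GUID from the article

if (-not (Test-Path $DuoKey)) {
    throw "Duo credential provider key not found at $DuoKey; is Duo for Windows Logon installed?"
}

# Read the current whitelist. A missing value returns $null instead of an error.
$existing = (Get-ItemProperty -Path $DuoKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
$current  = @($existing | Where-Object { $null -ne $_ -and $_ -ne '' })

# -contains is case-insensitive, so GUIDs differing only in case still match.
if ($current -contains $AdminLoginGuid) {
    Write-Host "Admin Login provider already whitelisted; nothing to do."
} else {
    $updated = $current + $AdminLoginGuid
    if ($null -eq $existing) {
        # Value does not exist yet: create it as REG_MULTI_SZ.
        New-ItemProperty -Path $DuoKey -Name $ValueName -PropertyType MultiString -Value $updated | Out-Null
    } else {
        # Value exists: rewrite it with the appended GUID, keeping the type explicit.
        Set-ItemProperty -Path $DuoKey -Name $ValueName -Type MultiString -Value $updated
    }
    Write-Host "Added $AdminLoginGuid to $ValueName."
}

# Read back and display the resulting whitelist so the change can be verified.
$result = (Get-ItemProperty -Path $DuoKey -Name $ValueName).$ValueName
Write-Host "Current $ValueName entries:"
$result | ForEach-Object { Write-Host "  $_" }

# Optional check: the article recommends Duo UAC level 0 alongside AutoElevate.
# 'UACProtectMode' is the value name from Duo's registry documentation
# (assumption, not stated in this article); confirm it for your Duo version.
$uac = (Get-ItemProperty -Path $DuoKey -Name 'UACProtectMode' -ErrorAction SilentlyContinue).UACProtectMode
if ($null -ne $uac -and $uac -ne 0) {
    Write-Warning "Duo UACProtectMode is $uac; the article recommends level 0 with AutoElevate."
}
```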