Automating the installation of the Cisco DUO RDP client.
If you are getting your clients compliant with GLBA (Gramm-Leach-Bliley Act), NIST, CIS or other insurance requirements, you may need to add 2FA to the endpoints. One of the tools to tackle this requirement is Cisco's DUO. You can use DUO to add 2FA to RDP login, console login, and privilege escalation, or any mix of those options. In this video we build out the PowerShell automation to deploy DUO on your Windows endpoints and configure it per your requirements using your RMM.
The code used in the video is below. Feel free to copy and use the code as needed for your environment.
URLs used in the video
duosecurity.com – Log into your DUO account
https://duo.com/docs/rdp – Document for configuring DUO to protect RDP
https://help.duo.com/s/article/1090 – DUO RDP Silent Install help document
Code used in the video
# Validate Input
If ($env:DUOIKEY -cnotmatch '^[A-Z0-9]{20}$') {
    Write-Error 'DUOIKEY site variable not set or incorrect character set, can not proceed' -ErrorAction Stop
}
If ($env:DUOSKEY -notmatch '^[A-Z0-9]{40}$') {
    Write-Error 'DUOSKEY site variable not set or incorrect character set, can not proceed' -ErrorAction Stop
}
# Dots are escaped so the pattern only accepts a real api-xxxxxxxx.duosecurity.com hostname
If ($env:DUOHOST -cnotmatch '^api-[a-z0-9]{8}\.duosecurity\.com$') {
    Write-Error 'DUOHOST site variable not set or incorrect character set, can not proceed' -ErrorAction Stop
}
# Download installer (to the temp folder, since the RMM's working directory is not predictable)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$installer = Join-Path $env:TEMP 'duo-win-login-latest.exe'
Invoke-WebRequest -Uri "https://dl.duosecurity.com/duo-win-login-latest.exe" -OutFile $installer -UseBasicParsing
# Install it (silent; everything inside /V"..." is passed through to msiexec)
$installString = "/S /V`" /qn IKEY=`"$env:DUOIKEY`" SKEY=`"$env:DUOSKEY`" HOST=`"$env:DUOHOST`" $env:DUOSETTINGS`""
# -Wait so the registry changes below are applied after the installer has finished, not while it is still running
$proc = Start-Process -FilePath $installer -ArgumentList $installString -Wait -PassThru
If ($proc.ExitCode -ne 0) {
    Write-Error "DUO installer exited with code $($proc.ExitCode), can not proceed" -ErrorAction Stop
}
# Additional Configuration
# Make DUO send UPN as username
$UPNRegPath = "HKLM:\SOFTWARE\Duo Security\DuoCredProv"
$UPNValue = 2
IF (!(Test-Path $UPNRegPath)) {
    New-Item -Path $UPNRegPath -Force | Out-Null
}
New-ItemProperty -Path $UPNRegPath -Name "UsernameFormatForService" -Value $UPNValue -PropertyType DWORD -Force | Out-Null
# Set UAC to prompt every time *BUT ONLY IF UAC_PROTECTMODE is a 1 or 2
if ($env:DUOSETTINGS -match 'UAC_PROTECTMODE="#[12]"') {
    $UACPromptRegPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
    $UACValue = 1
    IF (!(Test-Path $UACPromptRegPath)) {
        New-Item -Path $UACPromptRegPath -Force | Out-Null
    }
    New-ItemProperty -Path $UACPromptRegPath -Name "ConsentPromptBehaviorAdmin" -Value $UACValue -PropertyType DWORD -Force | Out-Null
    New-ItemProperty -Path $UACPromptRegPath -Name "ConsentPromptBehaviorUser" -Value $UACValue -PropertyType DWORD -Force | Out-Null
}
Make it better
A couple of ideas on how to improve this code.
- Validate the input for $env:DUOSettings
- Only set the DuoCredProv\UsernameFormatForService registry settings if the machine is Azure joined (use an IF statement)
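Both improvements worked through as an added example (not code from the video): a validator that only lets allow-listed NAME="#digit" tokens into $env:DUOSETTINGS, and an Azure AD join check that gates the UsernameFormatForService write. The property allow list is an assumption drawn from Duo's silent-install document and should be compared against the installer version you deploy; Test-AzureAdJoined relies on the "AzureAdJoined : YES" line that dsregcmd /status prints on a joined device.

```powershell
# Assumption: property names listed in Duo's silent-install document (https://help.duo.com/s/article/1090).
# Compare against the installer version you deploy before trusting this list.
$AllowedDuoProperties = @(
    'AUTOPUSH', 'FAILOPEN', 'RDPONLY', 'SMARTCARD', 'ENABLEOFFLINE',
    'UAC_PROTECTMODE', 'UAC_OFFLINE', 'UAC_OFFLINE_ENROLL'
)

function Test-DuoSettings {
    # Validates a DUOSETTINGS string such as 'AUTOPUSH="#1" FAILOPEN="#0" UAC_PROTECTMODE="#2"'.
    # Returns $true only when every whitespace-separated token is NAME="#digit" with NAME on the
    # allow list, so a mistyped or tampered site variable never reaches the msiexec command line.
    param([string]$Settings)
    if ([string]::IsNullOrWhiteSpace($Settings)) { return $true }   # no extra settings is valid
    foreach ($token in ($Settings.Trim() -split '\s+')) {
        if ($token -cnotmatch '^([A-Z_]+)="#(\d)"$') {
            Write-Warning "Malformed DUOSETTINGS token: $token"
            return $false
        }
        if ($AllowedDuoProperties -cnotcontains $Matches[1]) {
            Write-Warning "Unknown DUOSETTINGS property: $($Matches[1])"
            return $false
        }
    }
    return $true
}

function Test-AzureAdJoined {
    # dsregcmd /status prints 'AzureAdJoined : YES' on an Azure AD (Entra ID) joined device.
    $status = & dsregcmd.exe /status 2>$null
    return [bool]($status -match '^\s*AzureAdJoined\s*:\s*YES\s*$')
}

# Use in the deployment script: validate before building $installString ...
if (-not (Test-DuoSettings $env:DUOSETTINGS)) {
    Write-Error 'DUOSETTINGS site variable failed validation, can not proceed' -ErrorAction Stop
}
# ... and only force the UPN username format where the device is actually Azure joined.
if (Test-AzureAdJoined) {
    $UPNRegPath = "HKLM:\SOFTWARE\Duo Security\DuoCredProv"
    if (!(Test-Path $UPNRegPath)) { New-Item -Path $UPNRegPath -Force | Out-Null }
    New-ItemProperty -Path $UPNRegPath -Name "UsernameFormatForService" -Value 2 -PropertyType DWORD -Force | Out-Null
}
```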