Upgrading Duo Authentication for Windows Logon
Duo Authentication for Windows Logon and RDP is a great tool that I like to use to add MFA to Windows systems, specifically servers, as it could help prevent lateral movement in the network.
When you only have a few systems running Duo Authentication for Windows Logon and RDP, upgrading it is short and painless. When you have many systems, it can be a bit of a painful process, as the only method seems to be to do it manually.
Naturally, to solve this I wrote a PowerShell script to do the work.
PowerShell Script
The PowerShell script will check if Duo Authentication for Windows Logon is installed. If no Duo Authentication for Windows Logon install is found it will just exit.
If the script detects that your Duo Authentication for Windows Logon version is older than 4.1.0 the script will exit. Versions older than 4.1.0 may need manual steps to upgrade. You can read more about what you need to do in this Duo help article.
If the script detects that the installed version of Duo Authentication for Windows Logon is less than 4.2.2 (the current version of Duo Authentication for Windows Logon at the time of writing) it will consider Duo Authentication for Windows Logon as old. (If you edit the variable $newduo you can change which version it checks for.)
The script also checks if C:\temp exists, and if it doesn't, it will create it.
The script will download a zip file from Duo that contains the MSI installer.
The script will then run the MSI install which will upgrade the installed version of Duo Authentication for Windows Logon. If the upgrade requires a reboot it won’t reboot the system.
I’ve posted the PowerShell script on my GitHub. https://github.com/thedxt/Duo
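The flow described above, written out as an added example (not the author's script from GitHub), with an Authenticode check on the MSI before it runs. `$newduo`, `C:\temp` and `DuoWindowsLogon64.msi` come from the post; `$minduo`, `$zipUrl` (a placeholder), the registry display-name filter and the 'Duo Security' signer match are assumptions.

```powershell
# Added example, not the author's script. $zipUrl is a placeholder; the display-name
# filter and the 'Duo Security' signer match are assumptions to verify locally.
$newduo = [version]'4.2.2'    # target version (from the post)
$minduo = [version]'4.1.0'    # older installs may need manual steps (from the post)
$temp   = 'C:\temp'
$zipUrl = 'https://example.invalid/duo-winlogon.zip'   # placeholder for the Duo download link

# Find the installed product in the uninstall registry keys.
$duo = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Duo Authentication for Windows Logon*' } |
    Select-Object -First 1
if (-not $duo) { Write-Output 'Duo is not installed; nothing to do.'; exit 0 }

$installed = [version]$duo.DisplayVersion
if ($installed -lt $minduo) { Write-Output "Duo $installed is older than $minduo; upgrade manually."; exit 1 }
if ($installed -ge $newduo) { Write-Output "Duo $installed is already current."; exit 0 }

# Create the working folder if needed, then download and unpack the zip.
if (-not (Test-Path $temp)) { New-Item -ItemType Directory -Path $temp | Out-Null }
$zip = Join-Path $temp 'duo.zip'
$dir = Join-Path $temp 'duo'
Invoke-WebRequest -Uri $zipUrl -OutFile $zip -UseBasicParsing
Expand-Archive -Path $zip -DestinationPath $dir -Force

$msi = Get-ChildItem -Path $dir -Recurse -Filter 'DuoWindowsLogon64.msi' | Select-Object -First 1
if (-not $msi) { Write-Output 'MSI not found in the archive.'; exit 1 }

# Refuse to install unless the MSI carries a valid signature from the expected signer.
$sig = Get-AuthenticodeSignature -FilePath $msi.FullName
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Duo Security') {
    Write-Output "Signature check failed ($($sig.Status)); not installing."
    exit 1
}

# Silent upgrade; /norestart leaves any required reboot to the administrator.
$p = Start-Process msiexec.exe -ArgumentList "/i `"$($msi.FullName)`" /qn /norestart" -Wait -PassThru
if ($p.ExitCode -eq 3010) { Write-Output 'Upgrade installed; a reboot is required to finish.' }
exit $p.ExitCode
```

An msiexec exit code of 3010 means the install succeeded but a reboot is pending, so a deployment tool should treat it as success and schedule the restart separately.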
Extra Info
You can upgrade Duo Authentication for Windows Logon with the EXE method, but there doesn't appear to be a no-reboot flag. In my testing, upgrading Duo Authentication for Windows Logon sometimes needed a reboot.
You can find the links for the most recent MSI or EXE from Duo here.
4 responses to “Upgrading Duo Authentication for Windows Logon”
Works great! Is there a way to add in integration key, secret key and API host to this script if it's a new install and needs to be added to the correct Duo account?
Yay!
For new Duo installs I use another script; I want to clean it up a bit, then I'll post it. But the basics of it are that you make a transform file for the Duo install. Then when you run the install you reference your transform file. It would look something like this:
msiexec /i "$Env:SystemDrive\$temp\DuoWindowsLogon64.msi" /qn TRANSFORMS="duo.mst"
Here’s the Duo documentation about creating the transform file. https://duo.com/docs/winlogon-gpo#deploying-duo-authentication-for-windows-logon-to-clients-using-active-directory
I'm still waiting on a nice Duo install script 🙂
Sorry about that, and thank you for the reminder. It is still on my list of things to do lol.