Upgrading Duo Authentication for Windows Logon

Upgrading Duo Authentication for Windows Logon
Upgrading Duo Authentication for Windows Logon

Duo Authentication for Windows Logon and RDP is great tool that I like to use to add MFA to Windows systems specifically servers, as it could help prevent lateral movement in the network.

When you only have a few systems running Duo Authentication for Windows Logon and RDP upgrading it is short and painless. When you have many systems it can be a bit of a painful process as the only method seems to be to do it manually.

Naturally to solve this I wrote a PowerShell script to do the work.

PowerShell Script

The PowerShell script will check if Duo Authentication for Windows Logon is installed. If no Duo Authentication for Windows Logon install is found it will just exit.

If the script detects that your Duo Authentication for Windows Logon version is older than 4.1.0 the script will exit. Versions older than 4.1.0 may need manual steps to upgrade. You can read more about what you need to do in this Duo help article.

If the script detects that the installed version of Duo Authentication for Windows Logon is less than 4.2.2 (the current version of Duo Authentication for Windows Logon at the time of writing) it will consider Duo Authentication for Windows Logon as old. (If you edit the variable $newduo you can change which version it checks for)

The script also checks if C:\temp exist and if it doesn’t it will create it.

The script will download a zip file from Duo that contains the MSI installer.

The script will then run the MSI install which will upgrade the installed version of Duo Authentication for Windows Logon. If the upgrade requires a reboot it won’t reboot the system.

I’ve posted the PowerShell script on my GitHub. https://github.com/thedxt/Duo

Extra Info

You can upgrade Duo Authentication for Windows Logon with the EXE method but there doesn’t appear to be a no reboot flag. In my testing sometimes when upgrading Duo Authentication for Windows Logon it needed a reboot.

You can find the links for the most recent MSI or EXE from Duo here.

4 responses to “Upgrading Duo Authentication for Windows Logon

joe

Works great! Is there a way to add in integration key, secret key and api host to this script if its a new install and needs to be added to the correct Duo account?

Daniel Keer

Yay!

For new Duo installs I use another script, I want to clean it up a bit then I’ll post it. But the basics of it are that you make a transform file for the Duo install. Then when you run the install you reference your transform file. It would look something like this

msiexec /i “$Env:SystemDrive\$temp\DuoWindowsLogon64.msi” /qn TRANSFORMS=”duo.mst”

Here’s the Duo documentation about creating the transform file. https://duo.com/docs/winlogon-gpo#deploying-duo-authentication-for-windows-logon-to-clients-using-active-directory

Håkan

Im still waiting on a nice Duo install script 🙂

Daniel Keer

Sorry about that and thank you for the reminder it is still on my list of things to do lol.

Leave a comment

Your email address will not be published. Required fields are marked *