Duo Authentication for Windows Logon and RDP is a great tool that I like to use to add MFA to Windows systems, specifically servers, as it could help prevent lateral movement in the network.
When you only have a few systems running Duo Authentication for Windows Logon and RDP, upgrading it is short and painless. When you have many systems, it can be a bit of a painful process, as the only method seems to be to do it manually.
Naturally, to solve this, I wrote a PowerShell script to do the work.
PowerShell Script
The PowerShell script will check if Duo Authentication for Windows Logon is installed. If no Duo Authentication for Windows Logon install is found it will just exit.
If the script detects that your Duo Authentication for Windows Logon version is older than 4.1.0 the script will exit. Versions older than 4.1.0 may need manual steps to upgrade. You can read more about what you need to do in this Duo help article.
If the script detects that the installed version of Duo Authentication for Windows Logon is less than 4.2.2 (the current version of Duo Authentication for Windows Logon at the time of writing), it will consider Duo Authentication for Windows Logon as old. (If you edit the variable $newduo, you can change which version it checks for.)
The script also checks if C:\temp exists, and if it doesn’t, it will create it.
The script will download a zip file from Duo that contains the MSI installer.
The script will then run the MSI install which will upgrade the installed version of Duo Authentication for Windows Logon. If the upgrade requires a reboot it won’t reboot the system.
I’ve posted the PowerShell script on my GitHub. https://github.com/thedxt/Duo
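The flow described above, written out as an added example (it is not the script from the GitHub repository). The download URL is a placeholder, and the registry lookup by DisplayName, the "64" MSI file name filter and the Authenticode signature check are assumptions that do not come from the post.

```powershell
# Added example, not the script from the author's GitHub repository.
param(
    [string]$ZipUrl  = 'https://example.invalid/duo-winlogon-msi.zip', # placeholder: use the link Duo publishes
    [version]$NewDuo = '4.2.2',   # version to upgrade to ($newduo in the post)
    [version]$MinDuo = '4.1.0',   # older installs may need manual steps
    [string]$WorkDir = 'C:\temp'
)

# Decide what to do from the installed version. [version] compares numerically,
# so 4.10.0 sorts after 4.2.2 (a plain string comparison gets this wrong).
function Get-DuoUpgradeAction([string]$Installed, [version]$Min, [version]$Target) {
    if (-not $Installed)                 { return 'NotInstalled' }
    if ([version]$Installed -lt $Min)    { return 'ManualUpgrade' }
    if ([version]$Installed -lt $Target) { return 'Upgrade' }
    return 'Current'
}

# Assumption: the install is found by its DisplayName under the Uninstall keys.
$keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$duo = Get-ItemProperty $keys -ErrorAction SilentlyContinue |
       Where-Object { $_.DisplayName -like 'Duo Authentication for Windows Logon*' } |
       Select-Object -First 1

$action = Get-DuoUpgradeAction $duo.DisplayVersion $MinDuo $NewDuo
if ($action -ne 'Upgrade') { Write-Output "Nothing to do: $action"; return }

if (-not (Test-Path $WorkDir)) { New-Item -ItemType Directory -Path $WorkDir | Out-Null }
$zip = Join-Path $WorkDir 'duo.zip'
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri $ZipUrl -OutFile $zip -UseBasicParsing
Expand-Archive -Path $zip -DestinationPath (Join-Path $WorkDir 'duo') -Force

# Assumption: the 64-bit MSI has "64" in its file name; adjust the filter as needed.
$msi = Get-ChildItem (Join-Path $WorkDir 'duo') -Recurse -Filter '*64*.msi' | Select-Object -First 1
if (-not $msi) { throw 'No MSI found in the downloaded archive.' }

# Refuse to install a package whose Authenticode signature does not validate.
$sig = Get-AuthenticodeSignature -FilePath $msi.FullName
if ($sig.Status -ne 'Valid') { throw "MSI signature is $($sig.Status); not installing." }

# /norestart suppresses the reboot; msiexec then reports 3010 if one is still needed.
$p = Start-Process msiexec.exe -Wait -PassThru -ArgumentList "/i `"$($msi.FullName)`" /qn /norestart"
switch ($p.ExitCode) {
    0       { Write-Output 'Upgrade completed.' }
    3010    { Write-Output 'Upgrade completed; reboot required to finish.' }
    default { throw "msiexec failed with exit code $($p.ExitCode)." }
}
```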
Extra Info
You can upgrade Duo Authentication for Windows Logon with the EXE method but there doesn’t appear to be a no reboot flag. In my testing sometimes when upgrading Duo Authentication for Windows Logon it needed a reboot.
You can find the links for the most recent MSI or EXE from Duo here.