Background
When you install the Duo Authentication for Windows Logon application to allow MFA access to system resources, an option can be enabled for End User Elevation on the UAC prompt. This function interferes with the CyberQP End User Elevation product.
This article gives detailed instructions for disabling Duo End User Elevation while Duo continues to run on the same machine.
Note: This article is based on, and was tested against, Duo's KB article describing which registry entries control the function.
Prerequisites
- Privileged access to the affected system (e.g. Administrator access, or an RMM agent running as System or Administrator)
Manual Method
PowerShell Script Method
Duo Group Policy Method
Manual Method
- Log in with a privileged account.
- Click the Start Menu > type "Run" > type "Regedit".
- In the registry address bar, replace the current path with:
  HKEY_LOCAL_MACHINE\SOFTWARE\Duo Security\DuoCredProv
  (you can copy and paste this into the "Path bar" in Regedit)
- In the right-hand pane, where the key/value pairs are listed, find the ElevationProtectionMode entry.
- Double-click to edit the entry.
- Change the value to 0.
- Click OK to save.
- Depending on the OS and configuration, a reboot of the system may be required for the registry value change to be read.
PowerShell Script Method
Run this PowerShell script on the system to force the registry value to 0.
The script checks whether the ElevationProtectionMode entry exists. If it does, the script sets it to 0; if it does not, the script creates it. However, if the "Duo Security" registry key does NOT exist, the script makes no change and displays a message saying that it skipped the process. This should make it safe to run via an RMM or other scripted process against any machine, even if you are not certain that the Duo Credential Provider was ever installed.
# Define the registry path and value
$rootPath = "HKLM:\SOFTWARE\Duo Security\DuoCredProv"
$entryName = "ElevationProtectionMode"
$entryValue = 0

# Check if the root registry path exists
if (Test-Path $rootPath) {
    # Check if the specific entry exists
    if (Get-ItemProperty -Path $rootPath -Name $entryName -ErrorAction SilentlyContinue) {
        # Modify the existing entry
        Set-ItemProperty -Path $rootPath -Name $entryName -Value $entryValue
        Write-Output "The registry entry has been modified."
    } else {
        # Create the entry if it does not exist
        New-ItemProperty -Path $rootPath -Name $entryName -PropertyType DWORD -Value $entryValue
        Write-Output "The registry entry has been created."
    }
} else {
    # Display a message if the root registry path does not exist
    Write-Output "The Duo Security registry entry does not exist."
}
You may have to restart the system for the updated registry entry to be read.
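To confirm the result after running the script (or after the Group Policy change described below), the following read-only check reports the state of the entry on the local machine. It is an added example, not part of the original article or Duo's KB; the function name Get-DuoElevationState and the state labels are hypothetical, and the path and entry name are the ones used in this article.

```powershell
# Added example: read-only check, it never writes to the registry.
# Get-DuoElevationState and its State labels are hypothetical names.
function Get-DuoElevationState {
    [CmdletBinding()]
    param(
        [string]$Path = 'HKLM:\SOFTWARE\Duo Security\DuoCredProv',
        [string]$Name = 'ElevationProtectionMode'
    )
    $result = [ordered]@{
        ComputerName = $env:COMPUTERNAME
        Path         = $Path
        Value        = $null
        Kind         = $null
        State        = $null
    }

    if (-not (Test-Path -LiteralPath $Path)) {
        # Same condition under which the article's script skips the machine
        $result.State = 'DuoKeyMissing'
    }
    else {
        $key = Get-Item -LiteralPath $Path
        if ($key.GetValueNames() -notcontains $Name) {
            $result.State = 'EntryMissing'
        }
        else {
            $result.Value = $key.GetValue($Name)
            $result.Kind  = $key.GetValueKind($Name)
            if ($result.Kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
                # An entry stored with another type (e.g. a string "0") is reported separately
                $result.State = 'WrongType'
            }
            elseif ($result.Value -eq 0) {
                $result.State = 'Applied'
            }
            else {
                $result.State = 'NotApplied'
            }
        }
    }
    [pscustomobject]$result
}

# Non-zero exit code lets an RMM job flag machines that still need the change
$state = Get-DuoElevationState
$state
if ($state.State -in 'NotApplied', 'WrongType', 'EntryMissing') { exit 1 }
```

When testing in an interactive console, call the function on its own and leave out the final `exit` line, which would close the session.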
Duo Group Policy Method
This method is based on the KB supplied by Duo for Group Policy deployment and configuration.
- Log on to any Domain Controller that can read the ADMX and ADML files supplied by Duo.
- Open the Group Policy Management Console
- Find the Deployment GPO that you currently have configured for Duo deployments.
- Edit the GPO
- Expand Computer Configuration -> Policies -> Administrative Templates -> Duo Authentication for Windows Logon
- Find the GPO entry "Client: Specifies the Protection Mode for User Elevation" and double-click it to edit the value.
- Change the value to "Enabled" and select the "Respect existing Duo authentication control around logon" value from the drop-down.
- Click OK.
- Perform any operation that forces the changed GPO policy value to be read by the client machines the GPO affects (e.g. running gpupdate /force on the system).
- Spot-check a random selection of systems to verify that the registry entry values have changed (see above).