Rdp client download windows 10

You'll need this information to complete your setup. See Protecting Applications for more information about protecting applications in Duo and additional application options. Download the Duo Authentication for Windows Logon installer package.

View checksums for Duo downloads here. If you'd like to enable offline access with Duo MFA you can do that now in the "Offline Access Settings" section of the Duo application page, or return to the Admin Panel later to configure offline access after first verifying logon success with two-factor authentication.

Treat your secret key like a password The security of your Duo application is tied to the security of your secret key skey. Secure it as you would any sensitive credential. Don't share it with unauthorized individuals or email it to anyone under any circumstances!

Version 4. When users check this box and complete Duo authentication, they aren't prompted for Duo secondary authentication when they unlock the workstation after that initial authentication until the configured trusted session time expires. If the user changes networks, authenticates with offline access while the workstation is disconnected, logs out of Windows, reboots the workstation, or clicks the "Cancel" button during workstation unlock, Duo for Windows Logon invalidates the current trusted session and the next Windows logon or unlock attempt will require Duo authentication again.

Create a new custom policy or update an existing policy for remembered devices which enables the Remember devices for Windows Logon option, and enter the number of hours or days you want a trusted Windows logon session to last. Click Save Policy when done. If you made the change in your global policy then the setting applies to all your Microsoft RDP Duo applications, unless any of them have a policy assigned with conflicting remembered Windows Logon device settings.

The policy setting takes immediate effect — there is no need to reinstall the Duo Authentication for Windows Logon application after updating the remembered device policy as long as clients have already installed v4. Systems with older versions of Duo for Windows Logon must upgrade to 4. With this policy setting applied, users who log on to the local Windows console see an additional option on the Duo for Windows Logon prompt for remembering the device.

Administrators may revoke the Windows local trusted Duo session by unassigning a remembered devices policy for Windows Logon from a Microsoft RDP application, editing the policy attached to a Microsoft RDP application to disable the Windows Logon remembered devices setting, or by deleting the registry entry for the user session from the Windows client.

To test Duo on your Windows system with a group of pilot users, we suggest setting your application's New User Policy to "Allow Access" while testing. The pilot users that you've enrolled in Duo with an associated 2FA device get prompted to complete Duo authentication, while all other users will be transparently let through. With these two policy settings in place users who have and who have not enrolled in Duo log in to the Windows system as usual without experiencing Duo.

This will prompt all enrolled users to perform Duo 2FA after they type in their usernames and passwords, and prevent users who have not enrolled in Duo from logging in without 2FA. If you chose to enable offline access on your application, then enrolled users who bypass 2FA due to the effective Authentication Policy would still be prompted to complete offline enrollment.

To avoid confusion, we recommend leaving offline access off until you require users to complete Duo 2FA while online. If you receive an "Installation stopped" error from the Duo installer please refer to Duo KB article for remediation steps. The installer verifies that your Windows system has connectivity to the Duo service before proceeding. If you need to use an outbound HTTP proxy in order to contact Duo Security's service, enable the Configure manual proxy for Duo traffic option and specify the proxy server's hostname or IP address and port here.

If you plan to use smart cards on the systems where you install Duo, click to Enable Smart Card Support and select your smart card options:. These options only support the Windows native smart card provider. Available in version 3. If you need to change any of your chosen options after installation, you can do so by updating the registry.

The Duo authentication prompt appears after you successfully submit your Windows credentials. With automatic push enabled the default installation option , the prompt indicates that Duo pushed an approval request to your phone. With automatic push disabled, or if you click the Cancel button on the Duo authentication prompt after a 2FA request was sent, you can select a different device from the drop-down at the top if you've enrolled more than one or select any available factor to verify your identity to Duo:.

If you applied a policy to your Microsoft RDP application that enables remembered devices for Windows Logon, then during Duo authentication at the local system's console you'll see the Remember me for If you check this box when authenticating you won't need to perform Duo second-factor authentication again for the duration specified on the prompt the next time you unlock the workstation to continue the logged-in Windows session.

Duo will prompt you to complete two-factor authentication at the next Windows logon or unlock after the remembered device session ends, and at that time you can choose to begin a new trusted logon session. The application you were trying to launch runs after you approve the Duo two-factor request. If you chose to remember the device at the Windows desktop login, then you won't need to approve Duo authentication for UAC either until the trusted Duo session ends.

Remember: if you find that Duo Authentication for Windows Logon has locked you out of your Windows system e. Duo Authentication for Windows Logon v4. Check the box next to Enable offline login and enrollment to turn on offline access. Check the Only allow offline login from users in certain groups to specify a group or groups of Duo users permitted to use offline access. Users who are not members of the groups you select here won't be able to enroll in offline access or login in with MFA when the Windows system is unable to contact Duo, and instead are subject to your fail mode configuration let in without MFA if you enabled fail open, or prevented from logging in if you disabled fail open.

After you configure this option, when a user logs into a Windows system while it's online and can reach Duo and it has been greater than hours since the last online authentication, Duo for Windows Login will update the offline policies for all users on the system, including deprovisioning them for offline access if they are no longer members of the offline groups selected for offline login in the Duo Admin Panel.

If you also configured permitted groups on your RDP application, users need to be members of both the permitted and the offline login groups to use offline access.

Choose from the two options for expiring offline access in the Prevent offline login after setting:. Enter the maximum number of offline logins allowed to users. With this option, there is no expiration date for offline access. Users may log on to the Duo-protected Windows workstation while offline the number of times you specify here. They'll need to reconnect their offline computer to the internet upon reaching this limit.

Enter the maximum number of days offline, up to With this option, there is no limit to the number of times a user logs in while offline during the allowed period.

Users need to reconnect their offline computer to the internet upon reaching the end of the period you define here. If the user does not perform online Duo authentication before the maximum number of days specified here is reached, they can no longer log in offline , and so must connect to Duo's service in order to log in at all. Both offline authentication methods are allowed unless you uncheck one in the Offline authentication methods setting.

You may not uncheck both options. Any authentication method enabled for offline access is always permitted, overriding any other policy setting restricting authentication methods for the RDP application. No information about logins using offline access is reported in Duo Admin Panel authentication reports while the Windows system is offline.

At the next online authentication, login events that occurred while the system was offline are sent to Duo's service. These events show up in the Authentication Log with other user access results, and show the offline authentication method used.

By default, five 5 users may enroll in offline access. To increase or reduce the number of users that may activate offline access on a given Windows client, use the Registry Editor regedit. Once the maximum number of users have activated offline access, the next user receives an error when attempting to enroll in offline access.

To force offline reactivation for a previously activated user on a given Windows system, use the Registry Editor regedit. You may have Windows systems where no users should log in using offline access, regardless of the application setting in the Duo Admin Panel. To prevent offline authentication for any user on a given Windows client, use the Registry Editor regedit. You can also reactivate offline access from the online Duo prompt.

Note that only one authentication device — a single phone with Duo Mobile or a single security key — may be activated for offline login. Activating a second device via the reactivation process deactivates the first.

You can upgrade your Duo installation over the existing version; there's no need to uninstall first. The installer maintains your existing application information and configuration options.

Download the most recent Duo Authentication for Windows Logon installer package. Run the installer with administrator privileges and follow the on-screen prompts to complete the upgrade installation. If you're upgrading to a version that includes new installer options, the configuration screen for those options won't be shown during an upgrade install. You'll need to configure those new options via Regedit or GPO update. Troubleshooting Need some help? Here's a list of the latest versions of the client apps and where you can download them:.

Before you start using the client of your choice, there are a few things you'll need to do first. Just as you would with a local computer, you'll need to configure your remote computer before you start accessing it with the client. If you have any other questions that this article didn't answer, check out the Remote Desktop client FAQ. Skip to main content. This browser is no longer supported. Download Microsoft Edge More info.

Contents Exit focus mode. Is this page helpful? Please rate your experience Yes No. Any additional feedback? Submit and view feedback for This product This page.

View all page feedback.