Install-DuoAuthForWinLogon
Overview
This script automates the installation and upgrade of Duo Authentication for Windows Logon. It downloads the latest installer directly from Duo, verifies its cryptographic signature via SHA‑256 hash, and performs a silent installation with the supplied integration key, secret key, and API hostname. All optional configuration parameters are passed through to the installer only when explicitly provided, allowing you to tailor the deployment without altering the installer’s own defaults. Temporary files are cleaned up automatically after validation.
Requirements
- PowerShell 5.1 or later
- Administrative privileges (runs as SYSTEM or elevated user)
- Active internet connection (to download the installer and retrieve the authentic hash)
- Duo RDP application credentials: integration key (
IKEY), secret key (SKEY), and API hostname (DUOHOST)
Process
-
Environment preparation
- TLS 1.2 (or 1.3, when available) is enforced for all web requests.
- The
Strappermodule is installed or updated to provide structured logging.
-
Argument assembly
- Mandatory parameters
IKEY,SKEY, andDUOHOSTare always included. - Optional parameters (e.g.,
AUTOPUSH,FAILOPEN, proxy settings) are appended only when explicitly passed to the script, preserving the installer’s defaults for everything else.
- Mandatory parameters
-
Working directory
- A folder is created under
%ProgramData%\_Automation\App\Duo_Authentication_for_Windows_Logonto stage the installer.
- A folder is created under
-
Version comparison
- The script queries the installed version from the registry and determines the latest available version by inspecting the download URL’s
Content-Dispositionheader. - If the installed version is up‑to‑date, the script exits gracefully without re‑installation.
- The script queries the installed version from the registry and determines the latest available version by inspecting the download URL’s
-
Download and hash verification
- The installer is downloaded from
https://dl.duosecurity.com/duo-win-login-latest.exe. - The SHA‑256 hash of the downloaded file is compared against the authentic checksum published at
https://duo.com/docs/checksums#duo-windows-logon. The script will abort if the hash does not match.
- The installer is downloaded from
-
Installation
- Any pending MSI operations are terminated to avoid conflicts.
- The installer is launched silently with the assembled arguments.
-
Post‑installation validation
- The script re‑checks the registry to confirm the installed version matches the expected latest version.
-
Cleanup
- The working directory and all staged files are removed.
Payload Usage
Minimal installation with mandatory parameters only:
.\Install-DuoAuthForWinLogon.ps1 -IKEY "DIABCDEFGHIJKLMNOP" -SKEY "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6" -DUOHOST "api-XXXXXXXX.duosecurity.com"
Disable automatic push, enable fail‑open, and require Duo for RDP only:
.\Install-DuoAuthForWinLogon.ps1 -IKEY "DIABCDEFGHIJKLMNOP" -SKEY "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6" -DUOHOST "api-XXXXXXXX.duosecurity.com" -AUTOPUSH 0 -FAILOPEN 1 -RDPONLY 1
Configure an upstream HTTP proxy:
.\Install-DuoAuthForWinLogon.ps1 -IKEY "DIABCDEFGHIJKLMNOP" -SKEY "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6" -DUOHOST "api-XXXXXXXX.duosecurity.com" -PROXYHOST "proxy.corp.local" -PROXYPORT 8080
Enforce Duo at logon and UAC elevation, with offline access enabled for elevation prompts:
.\Install-DuoAuthForWinLogon.ps1 -IKEY "DIABCDEFGHIJKLMNOP" -SKEY "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6" -DUOHOST "api-XXXXXXXX.duosecurity.com" -UAC_PROTECTMODE 2 -UAC_OFFLINE 1
Use custom log file rotation settings:
.\Install-DuoAuthForWinLogon.ps1 -IKEY "DIABCDEFGHIJKLMNOP" -SKEY "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6" -DUOHOST "api-XXXXXXXX.duosecurity.com" -LOGFILE_MAXCOUNT 10 -LOGFILE_MAXSIZEMB 50
Parameters
| Parameter | Required | Default | Type | Description |
|---|---|---|---|---|
IKEY | True | (none) | String | Duo RDP application integration key. |
SKEY | True | (none) | String | Duo RDP application secret key. |
DUOHOST | True | (none) | String | Duo API hostname (e.g. api-XXXXXXXX.duosecurity.com). |
AUTOPUSH | False | 1 | Int (0/1) | Automatically send a push request (1) or disable automatic push (0). |
FAILOPEN | False | 0 | Int (0/1) | Allow access if Duo is unreachable (1) or block without MFA (0). |
RDPONLY | False | 0 | Int (0/1) | Require Duo only for remote logons (1) or for console and RDP (0). |
SMARTCARD | False | 0 | Int (0/1) | Enable smart card login as an alternative to Duo (1) or disable it (0). |
WRAPSMARTCARD | False | 0 | Int (0/1) | After smart card primary logon, require Duo (1) or allow without Duo (0). |
ENABLEOFFLINE | False | 1 | Int (0/1) | Enable offline access (1) or disable it completely (0). |
USERNAMEFORMAT | False | 1 | Int (0‑2) | Username format: 0=sAMAccountName, 1=NTLM domain\username, 2=userPrincipalName. |
PROXYHOST | False | (not set) | String | Hostname or IP of an upstream HTTP proxy for Duo communications. |
PROXYPORT | False | (not set) | Int | Port number for the HTTP proxy. |
LOGFILE_MAXCOUNT | False | (not set) | Int | Number of rotated log files to retain. |
LOGFILE_MAXSIZEMB | False | (not set) | Int | Maximum size (MB) of a rotated log file. |
UAC_PROTECTMODE | False | 0 | Int (0‑2) | UAC behavior: 0=respect existing Duo logon control, 1=disable Duo at logon (only UAC elevation), 2=enforce Duo at both logon and UAC elevation. |
UAC_OFFLINE | False | 1 | Int (0/1) | Enable offline access for UAC elevation (1) or disable it (0). |
UAC_OFFLINE_ENROLL | False | 1 | Int (0/1) | Allow offline enrollment during UAC elevation (1) or prevent it (0). |
ENABLECERTPINNING | False | 1 | Int (0/1) | Enable certificate pinning (1) or disable it (0). |
Notes
- The script must be run from an elevated PowerShell console (Administrator).
- Internet connectivity is required to download the installer and retrieve the authentic SHA‑256 hash. If a proxy is needed for the script’s own downloads, ensure the system proxy is configured or pass the
-Proxyparameter toInvoke-WebRequestif you modify the script. (CurrentlyPROXYHOSTandPROXYPORTare forwarded only to the Duo installer.) - The integrity of the downloaded installer is always verified against the official Duo checksum. If the check fails, the script throws a terminating error.
- If the latest version is already installed, no installation is performed and the script exits with a success message.
- Only parameters that you explicitly supply are appended to the installer command line. For all other settings, the Duo installer uses its own documented defaults.
- Logging is handled by the Strapper module. The log files are written directly to the folder from which the script is executed (e.g.,
.\Install-DuoAuthForWinLogon-log.txtand.\Install-DuoAuthForWinLogon-error.txt). - The working directory
%ProgramData%\_Automation\App\Duo_Authentication_for_Windows_Logonis removed entirely after a successful (or failed) run.
Output
-
Logs (created in the same directory as the script):
.\Install-DuoAuthForWinLogon-log.txt.\Install-DuoAuthForWinLogon-error.txt
-
Installed product: Appears as “Duo Authentication for Windows Logon” in Programs and Features.
-
Temporary files: All files under
%ProgramData%\_Automation\App\Duo_Authentication_for_Windows_Logonare deleted at the end of the script.
References
- Duo Windows Logon latest installer
- Duo Windows Logon checksum verification
- Duo Authentication for Windows Logon documentation (knowledge base article)
Changelog
2026-07-08
- Renamed HOST parameter to DUOHOST to avoid conflict with the native PowerShell variable $HOST
2026-07-01
- Initial version of the document