Duo Authentication for Windows Logon Uninstallation
Summary
This internal monitor identifies computers that are no longer in scope for Duo Authentication for Windows Logon and queues them for automatic cleanup. It runs against all online Windows machines and checks the effective DUO_Auth_Deployment setting (Computer → Location → Client fallback). When the resolved value is Disable, it then verifies whether any remnants remain:
- The Duo Authentication for Windows Logon application is still installed (present in the Software tab).
- The Duo Authentication for Windows Logon Version Check remote monitor still exists.
If either is present, the monitor returns Uninstall. The attached alert template △ Custom - Execute Script - Duo Authentication for Windows Logon Uninstallation immediately launches the Duo Authentication for Windows Logon Uninstallation script. That script removes the application and deletes the remote monitor without opening tickets.
Important: Computers where DUO_Auth_Deployment is not set (left empty at all levels) are not detected. Only an explicit
Disableselection triggers uninstallation.
This monitor replaces the deprecated ProVal - Production - Uninstall DUO internal monitor.
EDFs and Detection Logic
EDFs Used
The monitor relies solely on the DUO_Auth_Deployment Extra Data Fields. All are in the Duo_Auth section.
| Name | Level | Type | Options | Section | Description |
|---|---|---|---|---|---|
| DUO_Auth_Deployment | Client | Dropdown | Workstations · Servers · Both · Disable | Duo_Auth | Default deployment scope for all computers under this client. |
| DUO_Auth_Deployment | Location | Dropdown | Workstations · Servers · Both · Disable | Duo_Auth | Overrides the client setting for a specific location. |
| DUO_Auth_Deployment | Computer | Dropdown | Workstations · Servers · Both · Disable | Duo_Auth | Overrides all higher levels for a specific computer. |
How the Decision is Made
- Resolve the effective deployment – the monitor uses
COALESCE(NULLIF(…), …)to walk the Computer → Location → Client chain, picking the first non‑empty value. - Only act on explicit
Disable– if the resolved value is exactly'Disable', the machine is a candidate for cleanup. If all levels are empty (NULL), the computer is ignored. - Check for remnants – for each candidate, the monitor checks:
- Is Duo Authentication for Windows Logon still listed in the
softwaretable? - Does the Duo Authentication for Windows Logon Version Check remote monitor exist in the
agentstable?
- Is Duo Authentication for Windows Logon still listed in the
- Return action – if either the application or the remote monitor exists, the computer is returned with
TestValue = 'Uninstall'. If both are gone, the computer is already clean and is not returned.
Example Scenarios
| Effective Deployment | App Installed? | Remote Monitor Present? | Action | Reason |
|---|---|---|---|---|
Disable | Yes | Yes | Uninstall | Both remnants exist; full cleanup needed. |
Disable | Yes | No | Uninstall | Application still present even though monitor was already removed. |
Disable | No | Yes | Uninstall | Only the monitor remains; script will remove it. |
Disable | No | No | None (skipped) | Machine is already clean – nothing to do. |
| Not set (NULL) | Yes | Yes | None (skipped) | Deployment was never configured; no uninstall should be performed. |
Workstations / Servers / Both | Any | Any | None (skipped) | Deployment is still enabled; uninstall logic does not apply. |
Dependencies
- Script: Duo Authentication for Windows Logon Uninstallation
- Remote Monitor: Duo Authentication for Windows Logon Version Check
- Solution: Duo Authentication for Windows Logon Deployment
Target
Global
Alert Template
△ Custom - Execute Script - Duo Authentication for Windows Logon Uninstallation
Changelog
2026-07-07
- Initial version of the document.
- Replaces the deprecated ProVal - Production - Uninstall DUO internal monitor.
- Only triggers when deployment is explicitly
Disableand remnants exist.