Specops Client and Duo Authentication for Windows Login
*This works as of DUO version 4.3.1
The Specops Client provides enhancements to the Windows logon experience by wrapping the built-in Windows credential provider (GINA). This includes allowing users to reset their passwords from the login screen, as well as enhancing the feedback users receive when changing their password via CTRL+ALT+DEL.
The Specops Client also supports wrapping third party credential providers, as long as that credential provider supports being wrapped. Certain credential providers, such as Duo Security’s Authentication for Windows Logon, require additional configuration in order to allow the Specops Client to wrap them.
We begin by setting a registry key in the Duo client order to allow wrapping by the Specops Client. On a machine with the Duo client installed, create or update the following registry key:
Key path: HKEY_LOCAL_MACHINE\SOFTWARE\Duo Security\DuoCredProv
Value name: ProvidersWhitelist
Value type: REG_MULTI_SZ
Value data: enter (or add) the following two GUIDs on separate lines — these are the GUIDs that identify the Specops Client:
{00002ba3-bcc4-4c7d-aec7-363f164fd178}
{4834dbc7-4a06-424d-a67f-20ddebcf08e1}
Next, use the Specops Client ADMX Template to specify that we should wrap the Duo credential provider. Under Specops Client/Windows logon screen and set GUID of credential provider to wrap to the GUID of the Duo client, including the curly brackets: {44E2ED41-48C7-4712-A3C3-250C5E6D5D84}.
Note the Specops Client, ADMX templates, and instructions for installing both can be found on our support site.
Once the group policy has been applied to the affected computers, both Duo login functionality and Specops Authentication functionality for password change and password reset should work seamlessly together. For uReset customers, this means you can continue to use the Reset Password link at the logon screen just as you would on workstations without the Duo client.
For Dynamic Feedback at Password Change (available to both uReset and Password Policy customers with Specops Client version 7.15 or later) the dynamic feedback will be displayed. Duo will prompt for MFA after the password change is submitted as it would normally.
If the above does not work, try upgrading the ADMX templates:
From time to time when Specops releases a new client is important to ensure you are using the latest ADMX templates to ensure any settings changed within them are compatible with the version of the Specops Client that is installed. These are also backwards compatible.
You can find them on the download page on the Password Policy support page:
https://specopssoft.com/support/en/password-policy/download.htm
Once the templates are downloaded and extracted locally, we recommend that you copy them to the ADMX Central Store on your AD’s SYSVOL share. This will make them available from any admins Group Policy Management Console. You would copy the files to the following locations:
Specops.Client.admx would be copied to \\[domain]\SYSVOL\[domain]\Policies\PolicyDefinitions
Specops.Client.adml would be copied to \\[domain]\SYSVOL\[domain]\Policies\PolicyDefinitions\en-US