Duo Authentication for Windows Logon

by Duo Security Inc.v5.3.0.2497

Last updated Jun 8, 2026

Add two-factor authentication to Remote Desktop and local logons and credentialed UAC elevation prompts.

Install with winget

$ winget install --id DuoSecurity.Duo2FAAuthenticationforWindows --exact --version 5.3.0.2497

Run in Command Prompt, PowerShell, or Windows Terminal. Prompts for any agreements.

Silent install command for Duo Authentication for Windows Logon

Duo Authentication for Windows Logon uses EXE. The silent install switches are /quiet /norestart.

One-line silent install (x64)

duo-win-login-5.3.0.exe /quiet /norestart

See the full silent install reference for Duo Authentication for Windows Logon →

Built by Pckgr

For Intune admins

Stop chasing app updates. Pckgr patches them for you.

Automated application patching for Microsoft Intune. Pckgr keeps a curated library of 1,000+ apps continuously up-to-date in your tenant via Microsoft Graph - no manual repackaging, no chasing vendor sites.

Start free 30-day trial

No credit card required.

About

Duo Authentication for Windows Logon adds Duo two-factor authentication to these Windows and Windows Server logon scenarios:

- Local or domain account logins

- Logins at the local console and/or incoming Remote Desktop (RDP) connections

- Credentialed User Access Control (UAC) elevation requests (e.g. Right-click + "Run as administrator") in v4.1.0 and later

Duo's Windows Logon client does not add a secondary authentication prompt to the following logon types:

- Shift + right-click "Run as different user"

- PowerShell "Enter-PSSession" or "Invoke-Command" cmdlets

- Non-interactive logons (i.e. Log on as a Service, Log on as Batch, Scheduled Tasks, drive mappings, etc.)

- Pre-Logon Access Providers (PLAPs) such as Windows Always On VPN

- RDP Restricted Admin Mode

Installers · v5.3.0.2497

Architecture	Type	Scope	Download
x86	EXE	-	Direct
x64	EXE	-	Direct
arm64	EXE	-	Direct

Copy a command tailored to that specific architecture, type, and scope - useful when winget would otherwise pick a different default.

Security

4 known CVEs via NVD

medium6.2Patched in wingetCVE-2024-20301affects before 4.3.0Mar 6, 2024
A vulnerability in Cisco Duo Authentication for Windows Logon and RDP could allow an authenticated, physical attacker to bypass secondary authentication and access an affected Windows device. This vulnerability is due to a failure to invalidate locally created trusted sessio...
Vendor advisory
medium4.4Patched in wingetCVE-2024-20292affects before 4.3.0Mar 6, 2024
A vulnerability in the logging component of Cisco Duo Authentication for Windows Logon and RDP could allow an authenticated, local attacker to view sensitive information in clear text on an affected system. This vulnerability is due to improper storage of an unencrypted regi...
Vendor advisory
medium6.3Patched in wingetCVE-2023-20123affects before 4.2.2Apr 5, 2023
A vulnerability in the offline access mode of Cisco Duo Two-Factor Authentication for macOS and Duo Authentication for Windows Logon and RDP could allow an unauthenticated, physical attacker to replay valid user session credentials and gain unauthorized access to an affected mac...
Vendor advisory
medium6.6Patched in wingetCVE-2020-3427affects before 4.1.2Oct 14, 2020
The Windows Logon installer prior to 4.1.2 did not properly validate file installation paths. This allows an attacker with local user privileges to coerce the installer to write to arbitrary privileged directories. If successful, an attacker can manipulate files used by Windows...
Vendor advisory

Source: NVD, updated just now. Patch status is best-effort: NVD's fix version is compared against the latest version in winget, but the two version formats don't always align. Confirm with the vendor advisory before treating any specific build as safe.

See a CVE that affects your fleet? Push the patched version to Intune in one click with Pckgr.

Frequently asked questions

How do I install Duo Authentication for Windows Logon on Windows?

Open Windows Terminal, PowerShell, or Command Prompt and run: winget install --id DuoSecurity.Duo2FAAuthenticationforWindows --exact --version 5.3.0.2497. winget downloads the installer from Duo Security Inc. and runs it. Requires Windows 10 (1809+) or Windows 11.

How do I install Duo Authentication for Windows Logon silently for unattended deployment?

Add --silent and accept the agreements upfront: winget install --id DuoSecurity.Duo2FAAuthenticationforWindows --exact 5.3.0.2497 --silent --accept-package-agreements --accept-source-agreements. This is the variant Intune, Configuration Manager, and other deployment tools should use.

What are the silent install switches for Duo Authentication for Windows Logon?

Duo Authentication for Windows Logon uses EXE. Run the downloaded installer with: duo-win-login-5.3.0.exe /quiet /norestart. The silent switches are /quiet /norestart.

How do I uninstall Duo Authentication for Windows Logon via winget?

Run: winget uninstall --id DuoSecurity.Duo2FAAuthenticationforWindows --exact. Add --silent for unattended uninstalls. winget will use the registered uninstaller from Duo Authentication for Windows Logon's Apps & Features entry.

Is Duo Authentication for Windows Logon free?

Duo Authentication for Windows Logon is distributed under Proprietary. Refer to the publisher (https://duo.com/docs/rdp) for the full license terms - Wingetly itself does not charge for installation.

Does Duo Authentication for Windows Logon work on Windows 10?

Yes, as long as your Windows 10 build supports winget (1809 or newer). winget ships with App Installer on Windows 10/11 and pulls Duo Authentication for Windows Logon directly from the publisher.

How do I keep Duo Authentication for Windows Logon up to date?

Run winget upgrade --id DuoSecurity.Duo2FAAuthenticationforWindows --exact, or winget upgrade --all to update everything winget tracks. We index 3 versions of Duo Authentication for Windows Logon from microsoft/winget-pkgs.

Recent versions

5.3.0.2497latest
5.2.1.2007
4.2.0.1263