Duo Security - Install with Idemeum agent
— Nik Pot
JIT admin access
When the Duo Security agent is installed on a Windows workstation, it disables all credential providers except the native Windows password credential provider. However, the idemeum credential provider can be enabled via the registry.
- Navigate to the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Duo Security\DuoCredProv
- Create a new Multi-String Value, name it ProvidersWhitelist, and assign the following value: {417C7858-EE65-42AD-9F11-5BA27FB1FF64}
- Once this registry key is set, idemeum credential provider will be enabled, and you will be able to use JIT admin access along with DUO user 2FA.
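The same registry change can be scripted for deployment to many workstations. The PowerShell below is an added example, not an idemeum or Duo script; it assumes an elevated session, and the function name Add-DuoWhitelistedProvider is hypothetical. It keeps any entries already present in ProvidersWhitelist instead of overwriting them, and it is safe to run more than once.

```powershell
# Added example: idempotently add the idemeum credential provider GUID
# to Duo's ProvidersWhitelist. Run from an elevated PowerShell session.
$KeyPath   = 'HKLM:\SOFTWARE\Duo Security\DuoCredProv'   # key from this page
$ValueName = 'ProvidersWhitelist'                        # value name from this page
$Guid      = '{417C7858-EE65-42AD-9F11-5BA27FB1FF64}'    # GUID from this page

function Add-DuoWhitelistedProvider {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $ProviderGuid
    )

    # The key is expected to exist already; if it is missing, stop rather
    # than creating it (assumption: Duo is not installed on this machine).
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Registry key not found: $Path"
    }

    # Read the current list, if any, so existing entries are preserved.
    $item    = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    $current = @()
    if ($null -ne $item) {
        $current = @($item.$Name | Where-Object { $_ })   # drop empty strings
    }

    # -contains compares strings case-insensitively, so GUID casing is ignored.
    if ($current -contains $ProviderGuid) {
        return [string[]]$current
    }

    # -Force overwrites an existing value and guarantees the REG_MULTI_SZ type,
    # even if the value was previously created with the wrong type.
    $updated = [string[]](@($current) + $ProviderGuid)
    New-ItemProperty -LiteralPath $Path -Name $Name -PropertyType MultiString `
        -Value $updated -Force | Out-Null

    # Read back what is actually stored so the caller can log or verify it.
    return [string[]](Get-ItemProperty -LiteralPath $Path -Name $Name).$Name
}

$result = Add-DuoWhitelistedProvider -Path $KeyPath -Name $ValueName -ProviderGuid $Guid
Write-Output "ProvidersWhitelist now contains:"
$result | ForEach-Object { Write-Output "  $_" }
```

The printed list shows every credential provider currently allowed alongside Duo, which is worth reviewing on each machine since each entry is an additional sign-in path.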
LAPS accounts
Idemeum creates LAPS local admin and domain admin accounts on Windows workstations. In order to use LAPS accounts you need to make sure they are not using DUO 2FA. To make sure 2FA is bypassed for LAPS accounts:
- Navigate to Duo dashboard
- Create the user with the same account that is configured in idemeum for LAPS
- Enable bypass for this account
If you have any questions, drop us a note in Discord chat.