Notified: April 22, 2019 Updated: June 18, 2019
The Windows login and lock screens are secured by credential providers, which collect credentials and perform other authentication-related activities such as multi-factor authentication (MFA). Some are provided by Microsoft; the most common is the password provider, which usually collects the password as part of login. Third-party providers such as Duo work similarly to the Microsoft providers but add an MFA step to the login.

With changes introduced in v1803 of Windows 10 and in Server 2019, Microsoft has decided to use the credentials cached on the client machine to both re-authenticate the connection and unlock the previously locked desktop when a Remote Desktop Protocol (RDP) session is reconnected. In doing so, Microsoft has prevented credential providers from prompting when a machine is unlocked in this context. By forcing the use of cached credentials, Microsoft has broken functionality that credential providers rely on to add resilience to this workflow.

To be clear, this is not a vulnerability or defect in Duo's service. It is a defect in how Microsoft has decided to unlock reconnected RDP sessions that hold cached, valid authentication credentials without prompting the user. We are unaware of any effective workaround provided by Microsoft for this unexpected change, but we will continue to evaluate options for providing an integration equivalent to the one previously achieved. We hope that Microsoft will provide a configuration option that lets customers who want the previous behavior restore it.
We are not aware of further vendor information regarding this vulnerability.