How to configure registry settings to bypass Windows login agent authentication

Objective   

This article explains how to configure the ADSelfService Plus Windows login agent (GINA/Credential Provider) to allow user logins even when the ADSelfService Plus server is unreachable. This is achieved by updating a specific bypass registry key either manually or via a Group Policy Object (GPO). This ensures users aren't locked out of their machines if the ADSelfService Plus server is down, preventing productivity loss.

Prerequisites   

  • Administrative privileges on the target machine
  • Administrator access to the Group Policy Management Console (GPMC)

Steps to follow 

Manual method: Update settings on a single machine

  1. Press Windows + R to open the Run dialog box.
  2. Type regedit and press Enter.
  3. If prompted by User Account Control, click Yes to allow the Registry Editor to make changes.
  4. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ZOHO CORP\ADSelfService Plus Client Software.
  5. Locate the key named Bypass.
  6. Modify the value of Bypass to true.
  7. Click OK.

Using a GPO: Update settings on multiple machines 

Step 1: Create a new GPO
  1. Log in to the domain controller with administrative credentials.
  2. Press Windows + R to open the Run dialog box.
  3. Type gpmc.msc and press Enter to open the GPMC.
  4. On the left pane, navigate to Group Policy Objects.
  5. Right-click Group Policy Objects and select New.
  6. In the New GPO dialog box, enter a name for the GPO (e.g., ADSSP_LoginAgent_Bypass_Enable).
  7. Click OK.
 
Step 2: Edit the newly created GPO  
  1. Right-click the GPO you just created.
  2. Select Edit. This will open the Group Policy Management Editor.
  3. In the Group Policy Management Editor, navigate to Computer Configuration > Preferences > Windows Settings > Registry.
 
Step 3: Add the registry entry to enable the login bypass  
  1. Right-click Registry on the left pane.
  2. Navigate to New > Registry Item.
  3. In the New Registry Properties window, configure the following:
    • Action: Update
    • Hive: HKEY_LOCAL_MACHINE
    • Key Path: SOFTWARE\WOW6432Node\ZOHO Corp\ADSelfService Plus Client Software
    • Value name: Bypass
    • Value type: REG_SZ
    • Value data: true
    • Base: String (default option)
  4. Click Apply, then OK.
 
Step 4: Link the GPO  
  1. Close the editor.
  2. Link the GPO to the relevant OU or domain.
  3. Apply the GPO to the target machines by running the following:
gpupdate /force

Validation and confirmation 

  • Once the GPO is deployed, confirm that the settings above have been applied by running gpresult /r.
  • Reboot or log out of a test client machine. Disconnect the machine from the network to simulate server unavailability. When attempting to log in, the MFA prompt should not block the login, and the user should be allowed to log in using cached credentials.
  • You may also check the registry on the client by navigating to HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\ZOHO Corp\ADSelfService Plus Client Software. Ensure the Bypass key exists and is set to true.
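As an added example (not ManageEngine's own code), the following PowerShell applies the manual method on a single machine and audits the Bypass value across a list of machines, so you can see where the fail-safe is enabled. It assumes the registry path and value exactly as stated above, an elevated session for the set operation, and that the Remote Registry service is reachable on any remote hosts queried.

```powershell
# Added example, not part of the ADSelfService Plus product or documentation.
# Path and value name taken from the article; registry paths are case-insensitive.
$BypassKey = 'SOFTWARE\WOW6432Node\ZOHO Corp\ADSelfService Plus Client Software'

function Get-AdsspBypassStatus {
    # Reports whether the login agent bypass is enabled on each machine.
    param([string[]]$ComputerName = $env:COMPUTERNAME)
    foreach ($c in $ComputerName) {
        try {
            # Opens HKLM locally or remotely (remote needs the Remote Registry service).
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $c)
            $key  = $hklm.OpenSubKey($BypassKey)
            $val  = if ($key) { $key.GetValue('Bypass') } else { $null }
            [pscustomobject]@{
                Computer = $c
                KeyFound = [bool]$key
                Bypass   = $val
                # The agent reads the REG_SZ value "true"; anything else counts as off.
                Enabled  = ($val -is [string] -and $val.Trim().ToLower() -eq 'true')
                Error    = $null
            }
        } catch {
            [pscustomobject]@{ Computer = $c; KeyFound = $false; Bypass = $null
                               Enabled = $false; Error = $_.Exception.Message }
        }
    }
}

function Set-AdsspBypass {
    # Equivalent of the manual regedit steps above, for the local machine only.
    param([ValidateSet('true', 'false')][string]$Value = 'true')
    $path = "HKLM:\$BypassKey"
    if (-not (Test-Path $path)) {
        throw "Agent key not found; is the ADSelfService Plus login agent installed?"
    }
    Set-ItemProperty -Path $path -Name 'Bypass' -Value $Value -Type String
    Get-AdsspBypassStatus
}

# Usage: audit a few machines (hypothetical names) and list where bypass is on.
# Get-AdsspBypassStatus -ComputerName 'PC01', 'PC02' | Where-Object Enabled | Format-Table
```

Running the audit on a schedule and alerting on newly enabled machines is one way to implement the monitoring suggested in the Tips below.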

Tips

  • This setting is a fail-safe mechanism and should be carefully deployed in environments with intermittent connectivity.
  • Be cautious when configuring this setting in privileged environments to avoid account hacking scenarios.
  • Consider combining this GPO with monitoring and alerts to identify when fallbacks are being triggered.

How to reach support

If the issue persists, contact our support team here
