How to configure URL trust and deploy certificate revocation settings via GPO for the NT AUTHORITY\SYSTEM account

Objective

This article outlines the process of using Group Policy Objects (GPOs) to:
  • Trust the ADSelfService Plus portal URL for the NT AUTHORITY\SYSTEM account. The Windows login agent runs as SYSTEM, so it reads the Internet Settings stored under that account's hive (HKEY_USERS\S-1-5-18) rather than the signed-in user's; without the trust entry there, users are unable to perform password reset, account unlock, or MFA via the login agent directly from the login screen.
  • Disable certificate revocation checks to prevent delays in launching the Windows login agent, especially in restricted or offline environments where the CA's CRL or OCSP endpoints cannot be reached and each check has to time out.

Note that disabling revocation checks means a revoked server or publisher certificate is still accepted by processes running as SYSTEM on those machines. Scope the GPO to the computers that actually run the login agent, and prefer allowing outbound access to the CA's CRL/OCSP endpoints where that is possible.

Prerequisite

  • Administrative privileges in Active Directory (AD) sufficient to create and link a GPO.
  • The ADSelfService Plus portal URL (scheme and host name) as configured for the login agent.

Steps to follow

Step 1: Create a new GPO
  1. Log in to a domain controller (or a workstation with the Group Policy Management feature of RSAT installed) with administrative credentials.
  2. Press Win+R to open the Run dialog box.
  3. Type gpmc.msc and press Enter to open the Group Policy Management Console.
  4. In the left pane, navigate to Group Policy Objects.
  5. Right-click Group Policy Objects and select New.
  6. In the New GPO dialog box, enter a name for the GPO (e.g., ADSSP_Trust_Settings).
  7. Click OK.
 
Step 2: Edit the newly created GPO  
  1. Right-click the newly created GPO and select Edit.
  2. In the Group Policy Management Editor, navigate to Computer Configuration > Preferences > Windows Settings > Registry.
 
Step 3: Configure registry settings
Because the Hive field already selects HKEY_USERS, the Key Path in each registry item is entered relative to the hive, starting with the SYSTEM account's SID, S-1-5-18.

a. Trust the ADSelfService Plus URL
  1. Right-click Registry > New > Registry Item.
  2. Configure the following settings in the New Registry Properties window:
    • Action: Create
    • Hive: HKEY_USERS
    • Key Path: S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.com\password
Note: The ZoneMap stores a site as Domains\<domain>\<host label>. Replace example.com\password with the domain and host name of your actual ADSelfService Plus portal URL (e.g., if your URL is https://adselfservice.yourdomain.com, use yourdomain.com\adselfservice).
    • Value Name: https
    • Value Type: REG_DWORD
    • Value Data: 2 (this value represents the Trusted Sites zone)
    • Base: Hexadecimal
  3. Click Apply, then OK.
 
b. Disable the server certificate revocation check
  1. Right-click Registry in the left pane, then select New > Registry Item.
  2. In the New Registry Properties window, configure the General tab settings as follows:
    • Action: Create
    • Hive: HKEY_USERS
    • Key Path: S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    • Value Name: CertificateRevocation
    • Value Type: REG_DWORD
    • Value Data: 0 (this value disables the revocation check; the default, 1, enables it)
    • Base: Hexadecimal
  3. Click Apply, then OK.
 
c. Disable the publisher's certificate revocation check
  1. Right-click Registry in the left pane, then select New > Registry Item.
  2. In the New Registry Properties window, configure the General tab settings as follows:
    • Action: Update
    • Hive: HKEY_USERS
    • Key Path: S-1-5-18\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
    • Value Name: State
    • Value Type: REG_DWORD
    • Value Data: 00023E00 (that is, 0x23E00; the default value 0x23C00 keeps the publisher revocation check enabled)
    • Base: Hexadecimal
  3. Click Apply, then OK.
 
Step 4: Deploy the GPO
  • Link the GPO to the OU (or domain) that contains the computer objects of the machines running the Windows login agent. The registry items live under Computer Configuration, so the link must cover the computers, not the users.
  • Ensure target systems have the policy applied after the next refresh cycle, or force it on a client with the following command:
gpupdate /force

Validation and confirmation

  • On a client machine, open an elevated Command Prompt and run gpresult /r /scope:computer to verify that the GPO is listed under the applied computer policies.
  • Open Registry Editor (as an administrator) on the target machine, navigate to HKEY_USERS\S-1-5-18, and confirm the following entries exist:
    • Trusted site registry key for ADSelfService Plus under ...\Internet Settings\ZoneMap\Domains, with the https value set to 2
    • CertificateRevocation = 0 under ...\Internet Settings
    • State = 0x00023E00 under ...\WinTrust\Trust Providers\Software Publishing
  • Lock the workstation or sign out to reach the Windows login screen and confirm that the login agent now launches without the earlier delay.
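The following PowerShell script is an added example and is not code from ManageEngine or from this article. It writes the same three values from Step 3 directly into the SYSTEM hive of a single pilot machine (useful for confirming the settings fix the login-agent delay before rolling them out by GPO) and then performs the checks from the Validation section. It assumes an elevated PowerShell session, that the portal host has the form <label>.<domain>.<tld> (the last two labels are treated as the domain; adjust for suffixes such as co.uk), and the function names Set-AdsspSystemTrust and Test-AdsspSystemTrust are the example's own.

```powershell
# Added example (not ManageEngine's code): apply and verify, on one pilot machine,
# the SYSTEM-hive registry values that the GPO in Steps 3a-3c deploys.
# Run from an elevated PowerShell prompt; HKEY_USERS\S-1-5-18 is the profile hive
# of NT AUTHORITY\SYSTEM and is only readable/writable by administrators.

$SystemHive         = 'Registry::HKEY_USERS\S-1-5-18'
$InternetSettings   = "$SystemHive\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
$SoftwarePublishing = "$SystemHive\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing"
$TrustedSitesZone   = 2        # ZoneMap zone id for "Trusted sites"
$StateRevocationOff = 0x23E00  # default is 0x23C00; this value turns the publisher revocation check off

function Get-ZoneMapKey {
    # Builds the ZoneMap key WinINet uses for a host: Domains\<domain>\<host label(s) in front of it>.
    # Assumption: the last two labels are the registrable domain.
    param([Parameter(Mandatory)][string]$PortalUrl)
    $uri    = [Uri]$PortalUrl
    $labels = $uri.Host.Split('.')
    $root   = "$InternetSettings\ZoneMap\Domains"
    if ($labels.Count -le 2) {
        # bare domain or single-label intranet host: value sits directly under Domains\<host>
        return "$root\$($uri.Host)"
    }
    $domain = ($labels[-2..-1]) -join '.'
    $sub    = ($labels[0..($labels.Count - 3)]) -join '.'
    return "$root\$domain\$sub"
}

function Set-AdsspSystemTrust {
    param([Parameter(Mandatory)][string]$PortalUrl)
    $uri     = [Uri]$PortalUrl
    $zoneKey = Get-ZoneMapKey -PortalUrl $PortalUrl

    # Step 3a: map the portal's scheme + host to the Trusted Sites zone for SYSTEM
    New-Item -Path $zoneKey -Force | Out-Null
    New-ItemProperty -Path $zoneKey -Name $uri.Scheme -PropertyType DWord -Value $TrustedSitesZone -Force | Out-Null

    # Step 3b: server certificate revocation check off (1 = on, the default)
    New-Item -Path $InternetSettings -Force | Out-Null
    New-ItemProperty -Path $InternetSettings -Name 'CertificateRevocation' -PropertyType DWord -Value 0 -Force | Out-Null

    # Step 3c: publisher certificate revocation check off
    New-Item -Path $SoftwarePublishing -Force | Out-Null
    New-ItemProperty -Path $SoftwarePublishing -Name 'State' -PropertyType DWord -Value $StateRevocationOff -Force | Out-Null
}

function Test-AdsspSystemTrust {
    # Mirrors the "Validation and confirmation" checks; every flag must be True.
    param([Parameter(Mandatory)][string]$PortalUrl)
    $uri     = [Uri]$PortalUrl
    $zoneKey = Get-ZoneMapKey -PortalUrl $PortalUrl
    $zone  = (Get-ItemProperty -Path $zoneKey -Name $uri.Scheme -ErrorAction SilentlyContinue).($uri.Scheme)
    $rev   = (Get-ItemProperty -Path $InternetSettings -Name CertificateRevocation -ErrorAction SilentlyContinue).CertificateRevocation
    $state = (Get-ItemProperty -Path $SoftwarePublishing -Name State -ErrorAction SilentlyContinue).State

    [pscustomobject]@{
        ZoneMapKey             = $zoneKey
        TrustedSites           = ($zone  -eq $TrustedSitesZone)
        ServerRevocationOff    = ($rev   -eq 0)
        PublisherRevocationOff = ($state -eq $StateRevocationOff)
        StateHex               = if ($null -ne $state) { '0x{0:X}' -f $state } else { '<missing>' }
    }
}

# Usage on the pilot machine (portal URL is a placeholder):
Set-AdsspSystemTrust  -PortalUrl 'https://adselfservice.yourdomain.com'
Test-AdsspSystemTrust -PortalUrl 'https://adselfservice.yourdomain.com' | Format-List
```

Test-AdsspSystemTrust is also useful on its own after the GPO has applied: run it on a client to confirm that Group Policy Preferences wrote the values to the SYSTEM hive, and use the ZoneMapKey it prints to double-check that the Domains\<domain>\<host> split matches what was typed into the GPO's Key Path field.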

How to reach support

If the issue persists, contact our support team.