How to wrap Duo Windows Logon client with the ADSelfService Plus login agent
Objective
This article provides instructions on configuring the Duo Windows Logon client and ADSelfService Plus login agent to coexist on Windows systems. This ensures the ADSelfService Plus login agent appears on the Windows login and lock screen, even when the Duo Windows Logon client is installed.
Why is this important?
By default, the Duo Windows Logon client may take precedence, hiding the ADSelfService Plus login agent. This configuration allows both providers to operate seamlessly without conflicts.
Prerequisites
Supported OS versions: Windows 10, 11, Server 2016, Server 2019, Server 2022
Administrator privileges on the target Windows machine
Access to the Windows Registry Editor (regedit.exe)
Steps to follow
For manual deployment on individual machines
Step 1: Configure the Duo Windows Logon client
Open the Registry Editor (regedit.exe) by clicking the Windows icon in the bottom-left corner. In the search bar, type Registry Editor and press Enter. You can also find the Registry Editor by navigating to Control Panel > All Control Panel Items > Windows Tools > Registry Editor.
Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Duo Security\DuoCredProv.
In the right pane, right-click and select New > Multi-String Value.
Name the new value ProvidersWhiteList.
Double click ProvidersWhiteList and enter the following value: {B80B099C-62EA-43CD-9540-3DD26AF3B2B0}.
Click OK.
Close the Registry Editor.
Step 2: Configure the ADSelfService Plus login agent
Open Registry Editor (regedit.exe).
Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ZOHO CORP\ADSelfService Plus Client Software.
In the right pane, right-click and select New > String Value.
Name the new value WrappingProvider.
Double-click WrappingProvider and enter the following value: {44E2ED41-48C7-4712-A3C3-250C5E6D5D84}
Click OK.
Close the Registry Editor.
For bulk deployment via Group Policy Object (GPO)
Open Group Policy Management Console (GPMC) (gpmc.msc).
Right-click the desired OU and select Create a GPO in this domain, and Link it here...
Name the GPO Wrap Duo with ADSelfService Plus and click OK.
Step 2: Configure Duo Security Registry settings
Edit the newly created GPO.
Navigate to Computer Configuration > Preferences > Windows Settings > Registry.
Right-click and select New > Registry Item.
Configure the settings as follows:
Action: Create
Hive: HKEY_LOCAL_MACHINE
Key Path: SOFTWARE\Duo Security\DuoCredProv
Value Name: ProvidersWhiteList
Value Type: Multi-String Value (REG_MULTI_SZ)
Value Data: {B80B099C-62EA-43cd-9540-3DD26AF3B2B0}
Click OK to save.
Step 3: Configure ADSelfService Plus Registry settings
Right-click again in the Registry section and select New > Registry Item.
Configure the settings as follows:
Action: Create
Hive: HKEY_LOCAL_MACHINE
Key Path: SOFTWARE\Wow6432Node\ZOHO CORP\ADSelfService Plus Client Software
Value Name: WrappingProvider
Value Type: String Value (REG_SZ)
Value Data: {44E2ED41-48C7-4712-A3C3-250C5E6D5D84}
Click OK to save.
Step 4: Apply the GPO
Close the Group Policy Editor.
Run the following command on the domain controller to apply the policy immediately:
gpupdate /force Restart the target machines for changes to take effect.
Validation and confirmation
- Verify that the ADSelfService Plus login agent is visible alongside the Duo Security Windows Logon client on the Windows login and lock screens.
- Test ADSelfService Plus functionality by performing a password reset or account unlock.
Troubleshooting tips
If the ADSelfService Plus login agent does not appear, re-check the registry entries for typos or missing values.
If the Duo Security prompts override ADSelfService Plus, confirm that ProvidersWhiteList is correctly set in Duo Security’s registry settings.
Ensure the GPO is applied correctly by running gpresult/r on the target machine.
Best practices
Always backup the registry before making modifications.
Use group policy or automated scripts to deploy registry changes on multiple machines.
Test changes on a non-production system before rolling out to all users.
How to reach support
If the issue persists, contact our support team here.New to ADSelfService Plus?
Related Articles
How to reset forgotten Windows passwords from the login screen using ADSelfService Plus
Empowering users with a Windows password reset tool According to recent research, organizations are spending close to one million dollars annually on resolving password-related tickets. This isn’t that surprising, as the Microsoft-approved methods to ...Whitelisting the DUO credential provider for proper functioning of the ADSelfService Plus' self-service password reset feature
If you are using Duo Security's credential provider for MFA during machine logins, and want to use ADSelfService Plus' self-service password reset and account unlock feature from login screens, merely configuring the self-service password feature and ...Sequential ADSelfService Plus Windows agent login installation process
This article highlights the process sequence for the ADSelfService Plus Windows login agent installation via the admin portal and the prerequisites to be addressed to successfully complete each step. Additionally, we're also discussing some common ...Updating the ADSelfService Plus Login Agent in Windows
The ADSelfService Plus login agent can be installed on machines running Windows manually, through the ADSelfService Plus admin portal, via GPOs, SCCM, and tools like Endpoint Central. You can update the Windows login agent to its latest version in ...Forgot your Mac password? Reset it from the login screen with ADSelfService Plus
f users can't remember their macOS login password, they won't be able to log in to their Active Directory (AD) account either, which negatively affects their productivity. To reset Mac passwords, users can use any of the methods supported by ...