This article provides instructions on configuring the Entrust MFA Credential Provider and ADSelfService Plus login agent to coexist on Windows systems. This ensures the ADSelfService Plus login agent appears on the Windows login and lock screen, even when the Entrust MFA Credential Provider is installed.
Why is this important?
By default, the Entrust MFA Credential Provider may take precedence, hiding the ADSelfService Plus login agent. This configuration allows both providers to operate seamlessly without conflicts.
Supported OS versions: Windows 10, Windows 11, Server 2016, Server 2019, Server 2022
Administrator privileges on the target Windows machine.
Access to the Windows Registry Editor (regedit.exe).
Open the Registry Editor (regedit.exe) by clicking the Windows icon in the bottom-left corner. Search for Registry Editor in the search bar, then press Enter. You can also find the Registry Editor by navigating to Control Panel > All Control Panel Items > Windows Tools > Registry Editor.
Navigate to HKEY_LOCAL_MACHINE > SOFTWARE > Entrust > WIGL > AllowCPs.
Right-click in the right pane, and select New > String Value.
Name the new value as ADSelfService Plus.
Double-click ADSelfService Plus and enter the following value: {B80B099C-62EA-43CD-9540-3DD26AF3B2B0}
Click OK.
Close the Registry Editor.
Step 2: Configure ADSelfService Plus login agent
Open Registry Editor (regedit.exe).
Navigate to HKEY_LOCAL_MACHINE > SOFTWARE > Wow6432Node > ZOHO Corp > ADSelfService Plus Client Software.
Right-click in the right pane and select New > String Value.
Name the new value as WrappingProvider.
Double-click WrappingProvider and enter the following value: {126DA98F-1690-49c1-91A0-D704D7EEAEBB}
Click OK.
Close the Registry Editor.
Step 1: Create a new GPO
Open Group Policy Management Console (GPMC) (gpmc.msc).
Right-click the desired OU and select Create a GPO in this domain, and Link it here...
Name the GPO Wrap Entrust MFA with ADSelfService Plus and click OK.
Step 2: Configure Entrust MFA registry settings
Edit the newly created GPO.
Navigate to Computer Configuration > Preferences > Windows Settings > Registry.
Right-click and select New > Registry Item.
Configure the settings as follows:
Action: Create
Hive: HKEY_LOCAL_MACHINE
Key Path: SOFTWARE\Entrust\WIGL\AllowCPs
Value Name: ADSelfService Plus
Value Type: String Value
Value Data: {B80B099C-62EA-43cd-9540-3DD26AF3B2B0}
Click OK to save.
Step 3: Configure ADSelfService Plus Registry Settings
Right-click again in the Registry section and select New > Registry Item.
Configure the settings as follows:
Action: Create
Hive: HKEY_LOCAL_MACHINE
Key Path: SOFTWARE\Wow6432Node\ZOHO CORP\ADSelfService Plus Client Software
Value Name: WrappingProvider
Value Type: String Value (REG_SZ)
Value Data: {126DA98F-1690-49c1-91A0-D704D7EEAEBB}
Click OK to save.
Step 4: Apply the GPO
Close the Group Policy Editor.
Run the following command on the domain controller to apply the policy immediately:
gpupdate /force
Restart the target machines for changes to take effect.
Verify that the ADSelfService Plus Credential Provider is visible alongside the Entrust MFA Credential Provider on the Windows login and lock screens.
Test ADSelfService Plus functionality by performing a password reset or account unlock.
If the ADSelfService Plus login agent does not appear, re-check the registry entries for typos or missing values.
If the Entrust MFA prompts override ADSelfService Plus, confirm that ProvidersWhiteList is correctly set in Entrust MFA’s registry settings.
Ensure the GPO is applied correctly by running gpresult /r on the target machine.
Always back up the registry before making modifications.
Use Group Policy or automated scripts to deploy registry changes on multiple machines.
Test changes on a non-production system before rolling out to all users.
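The registry re-check from the troubleshooting steps, and the scripted deployment suggested above, can be combined in one PowerShell script. This is an added example, not code from ManageEngine or Entrust; the key paths, value names and GUIDs are taken from this article, and the -Fix switch is a hypothetical name chosen for the example.

```powershell
# Added example: audits (and with -Fix, repairs) the two registry values described in this article.
# Run from an elevated 64-bit PowerShell session; a 32-bit session is redirected to Wow6432Node.
param([switch]$Fix)   # hypothetical switch: write a missing or mismatched value

# Key paths, value names and GUIDs are copied from the steps in this article.
$expected = @(
    @{ Path  = 'HKLM:\SOFTWARE\Entrust\WIGL\AllowCPs'
       Name  = 'ADSelfService Plus'
       Value = '{B80B099C-62EA-43CD-9540-3DD26AF3B2B0}' },
    @{ Path  = 'HKLM:\SOFTWARE\Wow6432Node\ZOHO Corp\ADSelfService Plus Client Software'
       Name  = 'WrappingProvider'
       Value = '{126DA98F-1690-49c1-91A0-D704D7EEAEBB}' }
)

$results = foreach ($e in $expected) {
    $actual = $null
    $status = 'KeyMissing'      # a missing key usually means the product is not installed
    if (Test-Path -LiteralPath $e.Path) {
        $item = Get-ItemProperty -LiteralPath $e.Path -Name $e.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            $status = 'ValueMissing'
        } else {
            $actual = [string]$item.($e.Name)
            # The article writes the first GUID in both upper and lower case, so case is
            # ignored here; stray spaces or missing braces are still reported as a mismatch.
            if ($actual -ieq $e.Value) { $status = 'OK' } else { $status = 'Mismatch' }
        }
        # Only write into keys that already exist; never create a vendor key from scratch.
        if ($Fix -and $status -ne 'OK') {
            New-ItemProperty -LiteralPath $e.Path -Name $e.Name -Value $e.Value `
                -PropertyType String -Force | Out-Null
            $status = "Fixed (was $status)"
        }
    }
    [pscustomobject]@{ Status = $status; Name = $e.Name; Actual = $actual; Path = $e.Path }
}

$results | Format-Table -AutoSize -Wrap
# A non-zero exit code lets a deployment tool flag machines that still need attention.
if ($results | Where-Object { $_.Status -notmatch '^(OK|Fixed)' }) { exit 1 }
```

Run it without -Fix first to see the current state of each machine; a restart is still required after any value is written.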