
Duo for Windows Breaks SSPR at Login Screen

nacho3
Level 1

We’ve been testing Duo for Windows Logon (RDP) for a while now. When it is installed on a Windows Device (Win10 or Win11), the ability to perform a self-service password reset directly from the logon screen is broken.

Microsoft states that “Some third party credential providers are known to cause problems with this feature”. I’m guessing that Duo is one of these which can cause trouble.

Self-service password reset for Windows devices - Azure Active Directory | Microsoft Docs

Might it be possible to update the Duo client for Windows to allow SSPR from the logon screen?

Thank you!


DuoKristina
Cisco Employee

You can configure Duo for Windows Logon so it can coexist with other credential providers (to allow access to the MS SSPR provider after installing Duo).

Learn more about this here: Can I permit use of other credential providers after installing Duo?

Duo, not DUO.

glenharrison8
Level 1

I’m not sure that link is helpful, as it explains to enter the credential provider (obtained through the registry) into a whitelist. The Azure SSPR doesn’t work that way, unless I’m mistaken? If so, what is the key to enter please? Thanks.

glenharrison8
Level 1

@nacho did you ever figure out a way to make this work?

@glenharrison8 Unfortunately, no. I’m not aware of a GUID which accurately represents the SSPR component of Azure.

We’ve tried {86D2F0AC-2171-46CF-9998-4E33B3D7FD4F} (which is referenced in Microsoft’s troubleshooting documentation) but that doesn’t work either:

We’re currently telling our users to find an on-premises desktop computer without Duo installed in order to work around this issue. Not ideal.
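Before adding a GUID to an allow list, it helps to confirm that the GUID is actually registered as a credential provider on the affected machine. The following is an added example, not part of the original posts and not Duo's or Microsoft's code; it assumes the standard Windows registry locations for credential providers and credential provider filters, and the function name `Get-CredProvEntry` is hypothetical.

```powershell
# Added example: inventory credential providers and filters on this machine,
# then check whether the GUID quoted in the post above is registered.
$base   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication'
$target = '{86D2F0AC-2171-46CF-9998-4E33B3D7FD4F}'   # GUID taken from the thread

function Get-CredProvEntry {
    param([string]$SubKey)   # 'Credential Providers' or 'Credential Provider Filters'
    $path = Join-Path $base $SubKey
    if (-not (Test-Path $path)) { return }
    Get-ChildItem -Path $path | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Kind     = $SubKey
            Guid     = $_.PSChildName
            Name     = $props.'(default)'       # friendly name, if the vendor set one
            Disabled = [bool]($props.Disabled)  # a non-zero Disabled value turns the entry off
        }
    }
}

# Filters matter here: a registered filter can hide other providers' tiles
# on the logon screen, so list them alongside the providers.
$entries = @(Get-CredProvEntry 'Credential Providers') +
           @(Get-CredProvEntry 'Credential Provider Filters')

$entries | Sort-Object Kind, Name | Format-Table -AutoSize

$hit = $entries | Where-Object { $_.Guid -ieq $target }
if ($hit) {
    $hit | ForEach-Object {
        Write-Output ("{0} is registered under '{1}' as '{2}' (Disabled={3})" -f `
            $_.Guid, $_.Kind, $_.Name, $_.Disabled)
    }
} else {
    Write-Output "$target is not registered as a provider or filter on this machine."
}
```

Run it from an elevated PowerShell session on a machine where the reset link is missing and on one where it works, then compare the two listings.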

unertlt
Level 1

I have reached out to Microsoft as well hoping they could provide anything to assist as well. They have not yet found anything to assist with this. It would be very helpful to have this tool working with Duo.

nacho3
Level 1

Hello,

Does anyone at Duo have an update on this issue? This is a showstopper for our users as they’re dependent on the ability to reset passwords via Azure SSPR on Windows logon screen.

Any information would be greatly appreciated!

Howdy, this question is a bit stale. Are there any updates on this?

barkerman
Level 1

Has there been any activity on this front? I’m attempting to implement SSPR and find that it only works on PCs where I have uninstalled Duo. Which is a dealbreaker for us.

nacho3
Level 1

Hello,

Can anyone at Duo please give us an update on the status of this issue? Most of our users are now working remote with company-issued laptops. None are able to use Azure’s SSPR functionality via the Windows 10/11 login screen when the Duo client for Windows is installed. We’ve contacted Microsoft and they’re referring us back to Duo for assistance with this.

Please help?

Thank you!

We do have a feature request for Duo Windows Logon and Azure SSPR interoperability marked for future consideration, but not active development.

If you have not already done so, please contact your Account Executive, Customer Success Manager if applicable, or our Support Team to ensure that you have been added as a supporter to that feature request with your use case information captured.

Duo, not DUO.

Hello Kristina, thank you for the reply.

I did open a ticket w/Duo support (case 01302858), but they’re saying something different from what you just described. Duo Support is saying that this is a problem from Microsoft that Duo can’t address, and Microsoft says that this is a problem that Duo must address. Can you help to provide clarity on this subject? We now have a ton of users who are no longer able to use Azure SSPR when the Duo client for Windows is installed.

Thank you! -Dan

Hmm, there are two use cases around Azure SSPR and Duo and I wonder if they got conflated by Support…

One use case is where users of the Duo custom control for Azure Conditional Access would like to require that control before accessing the Azure SSPR online flow in a similar way to how you can require Azure MFA before accessing the Azure SSPR online flow. Microsoft doesn’t have a way to assign custom controls to that Azure SSPR flow, which is why we would encourage those interested in that functionality to contact Microsoft. Allow use of custom controls/conditional access with self service password reset

The other use case is for customers who have the Azure SSPR credential provider installed on a workstation and find it’s mutually exclusive with the Duo Authentication credential provider (what this community topic is about). We do have a feature request on our side for this, and the support engineer should have been able to add your org to it.

Duo, not DUO.

Thank you for this clarification. I’ve updated our support case with Duo with this information. Hopefully this can be prioritized as this is having a big impact on our organization.

nacho3
Level 1

Update: Duo verified that this is a problem and has a feature request in place to address this. They asked for other organizations to submit tickets of interest in order to elevate this problem for a fix in a future update to the client.
