Background
When you install Duo, other logon credential providers are disabled and hidden (your end users may know these as the "logon tiles" on their Windows sign-in screen).
This hiding feature also hides the "Technician Sign-In" tile used for our Passwordless MFA for technicians solution.
This article will go in-depth with instructions to bring back the "Technician Sign-In" tile so that you may use the Passwordless MFA for technicians solution while Duo is still running on the same machine.
Note: This article was based on and tested with Duo's KB article "Can I enable other credential providers after installing Duo Authentication for Windows Logon?"
Prerequisites
- Privileged access to the affected system (e.g., Administrator access, or an RMM agent running as System or Administrator)
Manual Method
- Log in with a privileged account.
- Click the Start Menu > type "Run" > type "Regedit".
- In the registry address bar, replace the current path with:
  HKEY_LOCAL_MACHINE\SOFTWARE\Duo Security\DuoCredProv
  (you can copy and paste this into the "Path bar" in Regedit)
- In the right-hand panel, where the key/value pairs are listed, right-click free space and choose New > Multi-String Value.
- Enter the following information:
  Name: ProvidersWhitelist
- Press Enter on your keyboard, then click "ProvidersWhitelist" to edit the registry entry.
- In the "Value data:" section, populate the multi-string value data with the GUID of CyberQP's credential provider:
  {67D6B25B-3419-4C60-A4B5-A7CE535AD300}
PowerShell Script Method
Run this PowerShell script on the system:
# Define the paths
$Path1 = "HKLM:\SOFTWARE\Duo Security"
$Path2 = "$Path1\DuoCredProv"
# Define the name of the Multi-String Value
$Name = "ProvidersWhitelist"
# Define the data for the Multi-String Value
$NewValue = "{67D6B25B-3419-4C60-A4B5-A7CE535AD300}"
# Check if the first path exists
if (Test-Path $Path1) {
    # Check if the second path exists
    if (Test-Path $Path2) {
        # Check if the ProvidersWhitelist exists
        if ((Get-ItemProperty -Path $Path2).PSObject.Properties.Name -contains $Name) {
            # Get the current value as an array (a single entry is returned as a plain string)
            $CurrentValue = @(Get-ItemProperty -Path $Path2 -Name $Name | Select-Object -ExpandProperty $Name)
            if ($CurrentValue -contains $NewValue) {
                # The GUID is already listed: leave the value unchanged so re-running adds no duplicate
                Write-Host "The GUID is already present in ProvidersWhitelist. No changes were made." -ForegroundColor Green -BackgroundColor Blue
            } else {
                # Append new value as a new element
                [string[]]$Value = $CurrentValue + $NewValue
                # Set the new value
                Set-ItemProperty -Path $Path2 -Name $Name -Value $Value -Type MultiString -Force
                Write-Host "Registry key modified successfully." -ForegroundColor Green -BackgroundColor Blue
            }
        } else {
            # Create the ProvidersWhitelist with the new value
            New-ItemProperty -Path $Path2 -Name $Name -Value $NewValue -PropertyType MultiString -Force | Out-Null
            Write-Host "The ProvidersWhitelist was not present but has been created." -ForegroundColor Green -BackgroundColor Blue
            Write-Host "Registry key added successfully." -ForegroundColor Green -BackgroundColor Blue
        }
    } else {
        # Create the second path
        New-Item -Path $Path2 -Force | Out-Null
        # Create the ProvidersWhitelist with the new value
        New-ItemProperty -Path $Path2 -Name $Name -Value $NewValue -PropertyType MultiString -Force | Out-Null
        Write-Host "The Duo Credential Provider Registry key was not present but has been created." -ForegroundColor Green -BackgroundColor Blue
        Write-Host "Registry key added successfully." -ForegroundColor Green -BackgroundColor Blue
    }
} else {
    Write-Host "The Duo Security Registry key is not present. The remainder of the steps in the script were skipped." -ForegroundColor Red -BackgroundColor Blue
    return
}
Save your changes and restart the system. The "Technician Sign-in" tile should now appear.
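To confirm exactly which providers the whitelist allows, the read-only audit below (an added example, not CyberQP's or Duo's own code) lists each ProvidersWhitelist entry, flags malformed or duplicated GUIDs, and resolves each GUID to the provider name and DLL registered with Windows. The helper names Get-RegDefault and Get-WhitelistReport are hypothetical, and the Credential Providers and CLSID paths are the standard Windows registry locations, assumed here rather than taken from this article.

```powershell
# Added example: read-only audit of Duo's ProvidersWhitelist; it changes nothing.
$DuoKey = 'HKLM:\SOFTWARE\Duo Security\DuoCredProv'
$Name   = 'ProvidersWhitelist'
# Assumption: standard Windows locations for registered credential providers and COM classes.
$CpRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$ClsRoot = 'HKLM:\SOFTWARE\Classes\CLSID'

function Get-RegDefault {
    # Hypothetical helper: return a key's (default) value, or $null if the key is absent.
    param([string]$KeyPath)
    if (-not (Test-Path -LiteralPath $KeyPath)) { return $null }
    (Get-ItemProperty -LiteralPath $KeyPath).'(default)'
}

function Get-WhitelistReport {
    # Hypothetical helper: emit one report row per entry of the multi-string value.
    param([string[]]$Entries)
    $seen = @{}   # hashtable keys compare case-insensitively
    foreach ($entry in $Entries) {
        $raw    = "$entry".Trim()
        $parsed = [guid]::Empty
        $valid  = [guid]::TryParse($raw, [ref]$parsed)
        # Normalise valid GUIDs to the braced, upper-case form used in the registry
        $id = if ($valid) { $parsed.ToString('B').ToUpper() } else { $raw }
        [pscustomobject]@{
            Entry      = $id
            ValidGuid  = $valid
            Duplicate  = $seen.ContainsKey($id)   # true for the 2nd and later copies
            Registered = $valid -and (Test-Path -LiteralPath "$CpRoot\$id")
            Provider   = if ($valid) { Get-RegDefault "$CpRoot\$id" }
            Dll        = if ($valid) { Get-RegDefault "$ClsRoot\$id\InprocServer32" }
        }
        $seen[$id] = $true
    }
}

$props = Get-ItemProperty -LiteralPath $DuoKey -ErrorAction SilentlyContinue
if ($null -eq $props -or $props.PSObject.Properties.Name -notcontains $Name) {
    Write-Host "No $Name value found under $DuoKey."
} else {
    Get-WhitelistReport -Entries @($props.$Name) | Format-Table -AutoSize
}
```

An entry that is not a valid GUID, is not registered as a credential provider, or points at an unexpected DLL is worth investigating before leaving it in the whitelist.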
Comments
1 comment
Can the PowerShell script check to see if the value is already in the array and not add it if it is already in there? I ran the script against one device to make sure it worked, and then against all my devices in an organization which reapplied to the test device. The result was the same value in the array twice.