Self-service client installation guide

Adaxes self-service client provides secure access to the self-password reset system and enables users to reset their own Active Directory or Entra ID passwords from the Windows/macOS login and unlock screens without any intervention of administrative staff. If certain users haven't enrolled for password self-service, the self-service client can periodically remind them to do so in the system notification area.

This guide provides the information you need to install, configure, and troubleshoot the Adaxes self-service client.

How it works

Adaxes self-service client allows users to reset their passwords without logging in to the operating system by clicking on a special link on the login screen. When a user clicks the link, they get anonymous access to the Adaxes password self-service site opened in Microsoft Edge or Safari.

The web browser session used to access the service is restricted, preventing insecure actions. The most noticeable restrictions applied to this session include:

  • Inability to follow links to other sites from the self-password reset page

  • Limited context menus on Windows

  • Disabled context menus on macOS

  • Disabled shortcuts

  • Disabled Open in New Window option

Offline / out of office password self-service

Self-service password reset can be performed on a computer that is not connected to a domain controller or has no network access at all.

When the Out of Office password reset and/or Offline password reset options are enabled, Adaxes self-service client updates the local credentials cache on the user's computer so the user can log in immediately after resetting their password. Since updating the cache is a security-sensitive operation, it can only be performed after making sure that the password has been updated in Active Directory or Entra ID. This is done by using a request-response authentication model.

When Adaxes self-service client initiates a password reset, it generates a Request Key that is passed to the Adaxes service. After the user resets their password using self-service password reset, the Adaxes service creates a Response Key that contains the hash of the password. That key can be decrypted only on the computer where the corresponding Request Key was created. The self-service client decrypts the Response Key and compares the password hash contained there with the hash of the password provided to the client. If both hashes are identical, the client updates the domain credentials cache on the user's computer.

To ensure that the process is secure, the Adaxes service generates a key pair (2048-bit RSA) and publishes the public key in Active Directory. The self-service client generates a 1024-bit secret key, encrypts it using the Adaxes public key, and publishes the encrypted key in Active Directory. The key can be decrypted back only with the help of the Adaxes private key, which is known exclusively to the Adaxes service.

The Response Key generated on the server side is encrypted using the computer's secret key (HMAC SHA-512). Since the secret key is known to the Adaxes service and self-service client only, the Response Key can be decrypted back only on the user's computer, and only if it was encrypted by the Adaxes service. Thus, by checking the password hash contained in the key, the client verifies that the password has already been updated in Active Directory via the Adaxes service.
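A minimal model of the request-response check described above, added here as an illustration and not Adaxes code. The message layout, the PBKDF2 password hash and all names are assumptions; the response is authenticated with HMAC-SHA-512 rather than encrypted, and the RSA exchange that delivers the secret key is omitted.

```python
import hashlib
import hmac
import secrets

SECRET_BYTES = 128       # 1024-bit per-computer secret key, the size the page states
PBKDF2_ROUNDS = 50_000   # assumption: the page does not say how the password is hashed


def password_hash(password: str, request_key: bytes) -> bytes:
    """Assumed hash: PBKDF2-HMAC-SHA512 salted with the Request Key (64 bytes)."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                               request_key, PBKDF2_ROUNDS)


def make_response_key(secret: bytes, request_key: bytes, new_password: str) -> bytes:
    """Service side: build the response only after the directory update succeeded."""
    pw_hash = password_hash(new_password, request_key)
    tag = hmac.new(secret, request_key + pw_hash, hashlib.sha512).digest()
    return pw_hash + tag  # 64-byte hash followed by 64-byte tag


class Client:
    """Client side: holds the secret and the set of outstanding Request Keys."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._pending = set()
        self.cached_hash = None  # stands in for the local credentials cache

    def new_request(self) -> bytes:
        request_key = secrets.token_bytes(32)
        self._pending.add(request_key)
        return request_key

    def complete_reset(self, request_key: bytes, response_key: bytes,
                       typed_password: str) -> bool:
        if request_key not in self._pending or len(response_key) != 128:
            return False
        pw_hash, tag = response_key[:64], response_key[64:]
        expected = hmac.new(self._secret, request_key + pw_hash,
                            hashlib.sha512).digest()
        # Constant-time comparisons: first the origin of the response, then the
        # password the user typed on this computer.
        if not hmac.compare_digest(tag, expected):
            return False
        if not hmac.compare_digest(pw_hash, password_hash(typed_password, request_key)):
            return False
        self._pending.discard(request_key)  # a Request Key is single-use
        self.cached_hash = pw_hash          # only now is the cache touched
        return True


def demo() -> dict:
    """Run the accepted case and four rejected cases; passwords are constructed."""
    secret = secrets.token_bytes(SECRET_BYTES)
    client = Client(secret)
    results = {}
    rk = client.new_request()
    resp = make_response_key(secret, rk, "N3w-Passphrase!")
    results["wrong_password"] = client.complete_reset(rk, resp, "typo")
    results["genuine"] = client.complete_reset(rk, resp, "N3w-Passphrase!")
    results["replay"] = client.complete_reset(rk, resp, "N3w-Passphrase!")
    rk2 = client.new_request()
    forged = make_response_key(secrets.token_bytes(SECRET_BYTES), rk2, "x")
    results["forged"] = client.complete_reset(rk2, forged, "x")
    rk3 = client.new_request()
    other = make_response_key(secret, rk3, "x")
    results["other_request"] = client.complete_reset(rk2, other, "x")
    results["cache_updated"] = client.cached_hash is not None
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```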

Traffic encryption

During password reset, users enter security-sensitive information, such as answers to security questions and the new password. Adaxes encrypts all the security-sensitive data passed between the user's web browser and the web interface, even if you don't use SSL. On the client side (web browser), the data is encrypted using a public key that is known to everyone. The encrypted data can be decrypted back only with the help of the private key that is never passed across the network and known exclusively to the web interface.

FileVault on macOS

If FileVault full-disk encryption is enabled on a Mac, the self-service client will not be launched until FileVault unlocks the disk. This means the Reset password button will not be displayed right after such a Mac is powered on or rebooted. To unlock the disk, the user should log in with another account whose credentials they know (e.g. local administrator account). After the disk is unlocked, the user can sign out from that account and reset their password from the login screen as normal.

After resetting the account password, the FileVault password will remain as it was. This means if the Mac is rebooted again, the user will not be able to unlock the disk with their new password. Adaxes self-service client will prompt the user to synchronize the new password to FileVault and complete the password reset. The user will need to enter the credentials of a SecureToken administrator (e.g. local administrator account), as only such accounts have the permissions to update FileVault data. The notification that prompts the user to complete the password reset can be customized.

System requirements

Platform: Windows
  • Software requirements: Windows 7 and higher
  • Hardware requirements: minimum 5 MB disk space, minimum 512 KB free RAM

Platform: Mac
  • Software requirements: macOS 11.7.10 Big Sur and higher
  • Hardware requirements: minimum 5 MB disk space, minimum 512 KB free RAM

Installation

For evaluation, proof-of-concept, and testing purposes, you can install the Adaxes self-service client on one or several computers manually. Simply launch the installation package and follow the instructions in the wizard.

You can also install the self-service client from the command line:

 Windows
msiexec /quiet /i "<path>AdaxesSelfServiceClient.msi"

where <path> is the path to the Adaxes self-service client installation file (AdaxesSelfServiceClient.msi).

 macOS
sudo installer -pkg "<path>AdaxesSelfServiceClient.pkg" -target /

where <path> is the path to the Adaxes self-service client installation file (AdaxesSelfServiceClient.pkg).

For instructions on how to install the self-service client on a large number of devices, see Bulk deployment.

Configuration

After the installation, the Reset password link on the login screen is disabled by default. To make it available, the self-service client must be configured. There are two configuration delivery options that you can use, depending on how you want to manage settings across devices:

  • Global settings – configured in the Adaxes administration console and automatically delivered to all connected devices.
  • Local settings – configured via group policies, Microsoft Intune, or other mobile device management tools, and automatically delivered to specific devices.

You're free to use either method or both. The recommended approach is to configure global settings, and then use local settings to override global settings on specific devices should you need to do so.

Configuring global settings

  1. Launch Adaxes administration console.

  2. In the Console Tree, expand the Adaxes service node.

  3. Expand Configuration / Password Self-Service and select OS Integration.

  4. In the Result Pane on the right, select the Allow users to reset their passwords from the computer login screen checkbox.

  5. In the Web interface URL field, specify the URL of the Adaxes web interface that the client will use for password resets.

    • This URL must be accessible from devices where self‑password reset should be available.

    • The Password self‑service component must be enabled in this web interface.

       How to enable the password self-service component
      1. Open the web interface configurator.

      2. In the top left corner, select the web interface you want to customize.

      3. In the left navigation menu, click Components.

      4. Select the Password self-service checkbox.

      5. Save the changes.

  6. Optionally, configure the following settings:

    Out of office and offline password reset

    Select the Out of Office password reset or Offline password reset checkboxes to turn on these features.

    • For out‑of‑office resets, the specified web interface URL must be available from the Internet. See Exposing web interface to the Internet for details.

    • For out-of-office and offline resets, we recommend creating a dedicated web interface with restricted sign-in. This web interface will only allow password self-reset.

       How to restrict web interface sign-in for all users
      1. Open the web interface configurator.

      2. In the top left corner, select the web interface you want to customize.

      3. In the left navigation menu, click Access control.

      4. In the User access section, select the Deny everyone option.

      5. Save the changes.

    Third-party credential provider integration

    The self-service client on Windows can integrate with any third-party credential provider that supports wrapping. This allows you to combine the functionality of two credential providers on the same Windows logon tile. For example, you can enforce the MFA authentication requirement of Duo and still be able to reset passwords via the Adaxes self-service client.

    To enable third-party integration:

    • Click More options.

    • On the Integration tab, select the Integrate with checkbox and select the credential provider you want to integrate with.

    Adaxes works with Duo Authentication for Windows Logon and PingID for Windows Login out of the box.

    If you selected Other, you might need to whitelist the Adaxes self-service client GUID in the settings of your credential provider. Refer to the third-party vendor documentation for details on how to do it. The Adaxes self-service client GUID is {FBB91FEC-A651-4A42-BEA4-6B78EB772FFA}.

    Setting synchronization

    Active Directory domain-joined and Microsoft Entra hybrid-joined computers automatically retrieve global settings from Adaxes Service Connection Points (SCPs) in Active Directory. No additional configuration is required.

    If you want to automatically synchronize global settings to Microsoft Entra-joined computers, you need to create a Microsoft Intune device configuration policy which Adaxes will use for setting synchronization. Adaxes will write the settings to the selected policy, and Intune will push them to the devices within the policy scope using its native mechanisms.

    Separate policies are required for Windows and macOS devices.

     Windows

    The policy for Windows devices is based on the ADMX administrative template provided by Adaxes. You need to import this template into Microsoft Intune before creating a policy. This has to be done only once – the template can then be reused should you need to create additional policies for local settings.

    1. Download the archive with the template and unpack it.

    2. Sign in to the Microsoft Intune admin center.

    3. Select Devices > Manage devices > Configuration.

    4. Activate the Import ADMX tab.

    5. Click Import.

    6. In the ADMX file field, upload the AdaxesSelfServiceClient.admx file.

    7. In the ADML file for the default language field, upload the AdaxesSelfServiceClient.adml file from the en-US folder.

    8. Click Next and then click Create.

    Once the template status becomes Available, you can proceed with creating the policy.

    1. Activate the Policies tab.

    2. Click Create, and then select New policy in the drop-down menu.

    3. In the Platform field, select Windows 10 and later.

    4. In the Profile type field, select Templates.

    5. Select Imported Administrative templates and click Create.

    6. Specify a name for the policy and click Next.

    7. Click Next twice to skip the Configuration settings and Scope tags steps.

    8. On the Assignments step, select the devices or device groups that should receive the global settings.

    9. Click Next and then click Create.

     macOS

    The policy for macOS is based on a configuration profile. You will import this profile during policy creation.

    1. Download the archive with the profiles and unpack it.

    2. Sign in to the Microsoft Intune admin center.

    3. Select Devices > Manage devices > Configuration.

    4. Activate the Policies tab.

    5. Click Create, and then select New policy in the drop-down menu.

    6. In the Platform field, select macOS.

    7. In the Profile type field, select Templates.

    8. Select Preference file and click Create.

    9. Specify a name for the policy and click Next.

    10. In the Preference domain name field, specify com.softerra.adaxes.selfservice.

    11. In the Property list file field, upload the com.softerra.adaxes.selfservice.xml file.

    12. Click Next.

    13. On the Assignments step, select the devices or device groups that should receive the settings.

    14. Click Next and then click Create.

    After creating the policies, enable the Setting synchronization switch in the OS Integration settings in Adaxes administration console, and select the policies you created in the dialog that opens.

    Setting priority

    If an Active Directory domain is managed by multiple Adaxes services that don't share configuration, they may publish conflicting global settings to the Adaxes Service Connection Points. Computers joined to such domains may have issues recognizing which settings to use.

    To avoid ambiguity in this scenario, click Advanced and set the priority of the settings from the service instance you are currently connected to.

Configuring local settings

Local settings can be used instead of, or alongside, global settings to fine-tune the self-service client behavior on a per-device basis. Common scenarios include:

  • Restricting features like offline password self-reset on security-sensitive devices, while keeping those features enabled by default on other devices.

  • Displaying the self-service client UI (for example, enrollment reminder notifications) in a different language for devices from different regions.

There are several ways to deliver local settings, depending on the target device's operating system and its domain-join status.

Using Group Policies (GPO)

This approach can be used for:

  • Active Directory domain-joined Windows computers
  • Entra hybrid-joined Windows computers

Group policies override the global settings. If you assign a group policy to a device, this device will always prioritize the settings from the group policy.

 Windows

All available settings of the self-service client are predefined in the ADMX administrative template provided by Adaxes. You need to install the template, configure the group policy, and apply it to devices where you want to deliver the local settings.

  1. Download the archive with the template and unpack it.

  2. Install the template:

    • If you have the Central Store for administrative templates, copy the full content of the ADMX folder from the archive (including the language directories) to the \\SYSVOL\\Policies\PolicyDefinitions folder.

    • If you don't have the Central Store, copy the extracted files to the %systemroot%\PolicyDefinitions folder on the local computer.

  3. Create a new GPO or select an existing GPO that is linked to the computers, sites, domains, or organizational units where you want to apply local settings.

  4. In the Group Policy Management Editor, expand Computer Configuration / Policies / Administrative Templates folder under the selected GPO.

  5. Select the Adaxes self-service client folder (under the Administrative Templates folder).

  6. Configure the settings.

 macOS

Group policies cannot be used to deliver local settings to macOS devices. If a macOS device is Entra-joined or Entra hybrid-joined, use device configuration policies in Microsoft Intune to deliver local settings. If a device is joined only to an Active Directory domain, you have to rely on a third-party mobile device management solution to deliver local settings.

Using device configuration policies in Microsoft Intune

This approach can be used for:

  • Entra-joined Windows computers
  • Entra-joined macOS computers
  • Entra hybrid-joined Windows computers
  • Entra hybrid-joined macOS computers

When applying both global and local settings to Entra-joined devices, ensure that device configuration policies with different settings do not overlap in scope. Policies have no priority order, so a device included in both a global and a local policy will encounter conflicts. If you want to deliver local settings to a device, it must be excluded from the device configuration policy that delivers global settings.

 Windows
Uploading the template

Upload the ADMX template to Intune only if you haven't already done so for global settings.

  1. Download the archive with the template and unpack it.

  2. Sign in to the Microsoft Intune admin center.

  3. Select Devices > Manage devices > Configuration.

  4. Activate the Import ADMX tab.

  5. Click Import.

  6. In the ADMX file field, upload the AdaxesSelfServiceClient.admx file.

  7. In the ADML file for the default language, upload the AdaxesSelfServiceClient.adml file from the en-US folder.

  8. Click Next and then click Create.

Once the template status becomes Available, you can proceed with creating the policy.

Creating a policy
  1. Sign in to the Microsoft Intune admin center.

  2. Select Devices > Manage devices > Configuration.

  3. Activate the Policies tab.

  4. Click Create, and then select New policy in the drop-down menu.

  5. In the Platform field, select Windows 10 and later.

  6. In the Profile type field, select Templates.

  7. Select Imported Administrative templates and click Create.

  8. Specify a name for the policy and click Next.

  9. On the Configuration settings step, expand Computer Configuration and select Adaxes Self-Service Client.

  10. Configure the settings.

  11. Click Next twice when done.

  12. On the Assignments step, select the devices or device groups that should receive the settings.

  13. Click Next and then click Create.

 macOS
Creating a policy
  1. Download the archive with the profiles and unpack it.

  2. Sign in to the Microsoft Intune admin center.

  3. Select Devices > Manage devices > Configuration.

  4. Activate the Policies tab.

  5. Click Create, and then select New policy in the drop-down menu.

  6. In the Platform field, select macOS.

  7. In the Profile type field, select Templates.

  8. Select Preference file and click Create.

  9. Specify a name for the policy and click Next.

  10. In the Preference domain name field, specify com.softerra.adaxes.selfservice.

  11. In the Property list file field, upload the com.softerra.adaxes.selfservice.xml file.

  12. Edit the values to configure the settings. The keys can be divided into two categories – texts and configuration settings.

    • Text keys let you change the default texts of the application menus, buttons, and labels, e.g. if you need to translate the self-service client to another language. For instance:

      <key>ResetPasswordButton.OptionalText</key>
      <string>Haben Sie Ihr Kennwort vergessen?</string>
      

      Certain text values can be left empty to hide the corresponding UI controls.

     Optional text values

    Key – Description
    EnrollReminder.MenuEnrollText – Leave empty to hide the Enroll Now context menu item in the enrollment reminder notification.
    EnrollReminder.MenuExitText – Leave empty to hide the Exit context menu item in the enrollment reminder notification.
    FileVaultSyncPrompt.SkipButtonText – Leave empty to hide the Skip button in the FileVault password sync notification.
    FileVaultSyncPrompt.RemindLaterButtonText – Leave empty to hide the Later button in the FileVault password sync notification.
    FileVaultSyncDialog.CancelButtonText – Leave empty to hide the Cancel button in the dialog that requests SecureToken administrator credentials to complete FileVault password sync.
    FileVaultSyncDialog.SkipButtonText – Leave empty to hide the Skip button in the dialog that requests SecureToken administrator credentials to complete FileVault password sync.

    • Configuration setting keys let you configure the self-service client features. For instance:

      <key>OfflinePasswordReset.Enabled</key>
      <true/>
      
     Available configuration keys

    Key – Description
    AllowLoginScreenPasswordReset – Set to true to allow users to reset their passwords from the Mac login screen or set to false to deny it.
    WebInterfaceURL – Specify the URL of Adaxes web interface that the self-service client will use for resetting passwords e.g. http://host.example.com/Adaxes/SelfService
    ResetPasswordButton.Position – Specify the position to display the Reset Password button on the login screen. Possible values: top-left, top-right, bottom-left, bottom-right.
    UpdateCredentialsCache.Enabled – Set to true to allow users to reset their passwords when out of office (not connected to company network) or set to false to deny it.
    OfflinePasswordReset.Enabled – Set to true to allow users to reset their passwords when the Mac is not connected to the Internet or set to false to deny it.
    EnrollReminder.Enable – Set to true to display an alert in the Notification Center that reminds users to enroll for password self-service.
    EnrollReminder.IntervalMins – Set the interval that indicates how often (in minutes) the reminder to enroll for password self-service will appear. Use 0 to display once when the system starts.
    EnrollReminder.Url – Specify the URL of the web interface Adaxes will use to obtain the enrollment status e.g. http://host.example.com/Adaxes/SelfService.
    EnrollReminder.Proxy – Specify the proxy server for obtaining the enrollment status from the web interface or leave blank.
    FileVaultSyncPrompt.Enabled – Set to true to display an alert in the Notification Center that prompts users to sync their new password to FileVault.
    FileVaultSyncPrompt.RemindLaterIntervalMins – Set the interval that indicates how often (in minutes) the reminder to sync the password to FileVault will appear. Use 0 to display once when the system starts.

  13. Click Next when finished.

  14. On the Assignments step, select the devices or device groups that should receive the settings.

  15. Click Next and then click Create.
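A pre-upload check for the preference file edited in step 12, added here as an example and not part of the Adaxes tooling: it parses the key/value pairs with Python's plistlib and validates them against the configuration keys listed above. The sample file is constructed, the function names are hypothetical, and treating every key that ends in Text as a text key is an assumption.

```python
import plistlib
from urllib.parse import urlsplit
from xml.parsers.expat import ExpatError

# Configuration keys and value types taken from the key list on this page.
BOOL_KEYS = {"AllowLoginScreenPasswordReset", "UpdateCredentialsCache.Enabled",
             "OfflinePasswordReset.Enabled", "EnrollReminder.Enable",
             "FileVaultSyncPrompt.Enabled"}
INT_KEYS = {"EnrollReminder.IntervalMins", "FileVaultSyncPrompt.RemindLaterIntervalMins"}
URL_KEYS = {"WebInterfaceURL", "EnrollReminder.Url"}
POSITIONS = {"top-left", "top-right", "bottom-left", "bottom-right"}

# Constructed sample with deliberate mistakes.
SAMPLE = """
<key>AllowLoginScreenPasswordReset</key><true/>
<key>WebInterfaceURL</key><string>http://host.example.com/Adaxes/SelfService</string>
<key>ResetPasswordButton.Position</key><string>bottom-centre</string>
<key>OfflinePasswordReset.Enabled</key><string>true</string>
<key>EnrollReminder.Enabled</key><true/>
<key>EnrollReminder.IntervalMins</key><integer>60</integer>
<key>EnrollReminder.MenuExitText</key><string></string>
"""


def load_settings(text: str) -> dict:
    """Parse a full plist or a bare run of <key>/<value> pairs as shown on this page."""
    body = text.strip()
    if "<plist" not in body:
        body = f'<plist version="1.0"><dict>{body}</dict></plist>'
    try:
        data = plistlib.loads(body.encode("utf-8"), fmt=plistlib.FMT_XML)
    except (ValueError, ExpatError) as exc:
        raise ValueError(f"not a valid property list: {exc}") from exc
    if not isinstance(data, dict):
        raise ValueError("top-level plist object must be a dictionary")
    return data


def check_url(value) -> tuple:
    """Return (severity, message) for a URL value, or None when it is acceptable."""
    if not isinstance(value, str):
        return ("error", "must be a <string>")
    try:
        parts = urlsplit(value)
    except ValueError:
        return ("error", "cannot be parsed as a URL")
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return ("error", "must be an absolute http(s) URL")
    if parts.scheme == "http":
        # Without TLS nothing authenticates the web interface to the browser.
        return ("warning", "plain HTTP: the site is not authenticated by TLS")
    return None


def lint(settings: dict) -> list:
    """Return (severity, key, message) findings in file order."""
    findings = []
    for key, value in settings.items():
        problem = None
        if key in BOOL_KEYS:
            if not isinstance(value, bool):
                problem = ("error", "must be <true/> or <false/>")
        elif key in INT_KEYS:
            # bool is a subclass of int in Python, so compare the exact type.
            if type(value) is not int or value < 0:
                problem = ("error", "must be a non-negative <integer>")
        elif key in URL_KEYS:
            problem = check_url(value)
        elif key == "ResetPasswordButton.Position":
            if value not in POSITIONS:
                problem = ("error", "must be one of " + ", ".join(sorted(POSITIONS)))
        elif key == "EnrollReminder.Proxy" or key.endswith("Text"):
            if not isinstance(value, str):
                problem = ("error", "must be a <string>")
        else:
            problem = ("warning", "unknown key, check the spelling against the profile")
        if problem:
            findings.append((problem[0], key, problem[1]))
    return findings


if __name__ == "__main__":
    for severity, key, message in lint(load_settings(SAMPLE)):
        print(f"{severity:7} {key}: {message}")
```

The unknown-key warning catches near-miss names: the page lists EnrollReminder.Enable without a trailing "d", while the other switches end in .Enabled.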

Using third-party solutions

Applying local settings simply means delivering an ADMX template to Windows devices or a configuration profile to macOS devices. Any third-party mobile device management solution that can do this can be used to deliver local settings, either instead of or alongside the methods described above.

Download the relevant template and refer to the third-party vendor documentation for details on how to push it to your devices.

Viewing local settings

You can view the exact settings used by Adaxes self-service client on a specific computer to verify that local settings were applied or facilitate troubleshooting.

 Windows
  1. Launch Registry Editor.

  2. Locate the following registry key: [HKEY_LOCAL_MACHINE\Software\Softerra\Adaxes Self-Service Client]. Each setting is represented by a data entry within this key.

 macOS
  1. Launch Terminal.

  2. Execute the following command.

    sudo defaults read ~/Library/Preferences/com.softerra.adaxes.selfservice.plist
    

Bulk deployment

Once you have installed the self-service client on some computers and verified that your global or local settings are applied correctly, you are ready to bulk-deploy the client to a fleet of devices.

There are two distinct bulk deployment methods for the self-service client – Group Policies for Windows devices joined to an on-premises Active Directory domain, and Microsoft Intune for all other scenarios.

Using Group Policies (GPO)

This deployment method can be used for:

  • Active Directory domain-joined Windows computers
  • Entra hybrid-joined Windows computers
 Windows
  1. Download the installation package for Windows (AdaxesSelfServiceClient.msi).

  2. Copy the downloaded file to a network share accessible from all computers where you want to install the self-service client.

  3. Create a new GPO or select an existing GPO to use for Adaxes self-service client deployment. The GPO must be linked to all the computers, sites, domains, or organizational units where you want to install the self-service client.

  4. Open the Computer Configuration folder under the selected GPO, expand Policies, and then expand Software Settings.

  5. Right-click the Software installation node, in the context menu select New, and click Package.

  6. Select the self-service client installation file located in the shared folder and click Open.

  7. Select the Assigned deployment method and click OK.

Computers with Fast Login Optimization enabled might not install the self-service client during the first restart. Such computers perform a background refresh of Group Policies that makes the login faster, but some GPOs might not be applied immediately. Multiple restarts are usually required before the self-service client is installed.

You can run the following command to force the GPO refresh and restart the computer only once: gpupdate /force.

Installation on x64 computers

Adaxes self-service client is an x86 package. By default, the option that allows the installation of x86 packages on x64 computers is enabled for all new packages. To check whether this option is enabled for the Adaxes self-service client package:

  1. Right-click the Adaxes self-service client package, and in the context menu click Properties.

  2. Activate the Deployment tab, and click Advanced.

  3. In the Advanced Deployment Options dialog box, make sure the Make this 32-bit X86 application available to Win64 machines checkbox is enabled.

Self-service client language

You can change the texts in the self-service client, effectively meaning it can be translated to any language. However, the language of the installation package is English. If the language of the operating system differs from the language of Adaxes self-service client on any computer linked to the GPO, you need to ignore the default language properties of the installation package. To do this:

  1. Right-click the Adaxes self-service client package and choose Properties.

  2. Activate the Deployment tab, and click Advanced.

  3. Select the Ignore language when deploying this package checkbox.

 macOS

Group policies cannot be used to deploy the self-service client to macOS devices. If a macOS device is Entra-joined or Entra hybrid-joined, use Microsoft Intune to deploy the self-service client. If a device is joined only to an Active Directory domain, you have to rely on a third-party mobile device management solution.

Microsoft Intune

This deployment method can be used for:

  • Entra-joined Windows computers
  • Entra-joined macOS computers
  • Entra hybrid-joined Windows computers
  • Entra hybrid-joined macOS computers
 Windows and macOS

The steps are identical, whether you are deploying the client for Windows devices or macOS devices.

  1. Download the installation package for Windows or for macOS.

  2. Sign in to the Microsoft Intune admin center.

  3. Select Apps > All Apps.

  4. Click Create.

  5. In the App type menu, select Line-of-business app.

  6. Click Select.

  7. Click Select app package file.

  8. Select the installation package you downloaded and click OK.

  9. Specify any value in the Publisher field. For example, Softerra or Adaxes.

  10. Click Next.

  11. Assign devices where you want to deploy the self-service client to the Required category.

  12. Click Next.

  13. Click Create.

Using third-party solutions

You can use any third-party mobile device management solution to deploy the self-service client to your devices. If you prefer to use this approach, refer to the third-party vendor documentation for details on how to do so.

Automated bulk enrollment

If the Security Questions and Answers option is enabled in a password self-service policy, users need to specify answers for security questions during enrollment. Adaxes allows you to enroll users automatically by preloading existing user-specific data from an external database.

For example, you can use social security numbers, employee ID numbers, or other data present in an HR database as predefined answers to security questions.

For more details on how to automate the enrollment process, see Autoenroll users for self-password reset.

Uninstallation

To uninstall Adaxes self-service client from multiple devices in bulk, use the same method you used to deploy the client in the first place – Group Policies for Active Directory domain-joined Windows devices and Microsoft Intune for all other scenarios.

 Using Group Policies
  1. Select the GPO used for the self-service client deployment, and launch Group Policy Object Editor.

  2. Open the Computer Configuration folder under the selected GPO, expand Policies, and then expand Software Settings.

  3. Click the Software installation node.

  4. Right-click the Adaxes self-service client package, and in the context menu select All Tasks, then click Remove.

  5. In the Remove Software dialog box, select the Immediately uninstall the software from users and computers option and click OK.

 Using Microsoft Intune
  1. Sign in to the Microsoft Intune admin center.

  2. Select Apps > All Apps.

  3. Click the app that represents the Adaxes self-service client. By default, it is named Adaxes Self-Service Client for Windows and AdaxesSelfServiceClient.pkg for macOS.

  4. Select Manage > Properties.

  5. Click Edit next to Assignments.

  6. Under the Uninstall section, add device groups where the self-service client should be uninstalled.

  7. Click Review + Save.

  8. Click Save.

Troubleshooting

 Enable debug logging

To enable/disable debug logging for Adaxes self-service client on a specific computer:

 Windows
  1. Launch Registry Editor.

  2. Locate the following registry key: [HKEY_LOCAL_MACHINE\Software\Softerra\Adaxes Self-Service Client].

  3. Right-click the LogLevel entry and select Modify.

    Create the LogLevel entry if it doesn't exist.

  4. In the Value data box, type 2 to enable debug logging or 0 to disable it, and click OK.

All events will be logged to the adaxeswinlogonextlog.txt file, located in the System32 subfolder of the Windows folder.

 macOS
  1. Launch Terminal.

  2. Execute the following command to enable debug logging.

    sudo defaults write /Library/Preferences/com.softerra.adaxes.selfservice.plist LogLevel 2
    
  3. Execute the following command to disable debug logging.

    sudo defaults write /Library/Preferences/com.softerra.adaxes.selfservice.plist LogLevel 0
    

The errors generated by the Adaxes self-service client will be logged to the /tmp/adaxesselfservice.log file.

Since debug logging is quite intensive, the log file can grow very quickly. Permanent logging of debug information consumes resources and affects performance. It is recommended to disable logging when it is no longer needed.

 Disable self-service client on all computers

In case of an emergency, you can completely disable Adaxes self-service client on all computers in all domains managed by Adaxes. To do this, you first need to disable the client in the global settings.

 Disable in global settings
  1. Launch the Adaxes administration console.

  2. In the Console Tree, expand the Adaxes service node.

  3. Expand Configuration / Password Self-Service and select OS Integration.

  4. In the Result Pane on the right, clear the following checkboxes:

    • Allow users to reset their passwords from the computer login screen

    • Display a balloon in the system notification area to remind users to enroll for Password Self-Service

  5. Save the settings.

If you have configured local self-service client settings for specific computers and you are having an issue with the client on those computers, you also need to disable the client in the local settings.

 Disable when settings are delivered using Group Policies {.mb-0}

Windows

  1. Edit the GPO where local settings for Adaxes self-service client are configured.

  2. In the Group Policy Management Editor, expand the Computer Configuration / Policies / Administrative Templates folder.

  3. Select the Adaxes Self-Service Client folder (under the Administrative Templates folder).

  4. In the Result Pane on the right, right-click the Enable users to reset passwords from the Winlogon screen setting, and in the context menu select Edit.

  5. Toggle the radio button to Disabled, and click OK.

  6. Right-click the Display a balloon in the system tray to remind users to enroll for Password Self-Service setting, and in the context menu select Edit.

  7. Toggle the radio button to Disabled, and click OK.

To apply the new settings, perform one of the following actions on all computers within the scope of the GPO:

  • Restart the computer.

  • Run the gpupdate /force command.

Adaxes self-service client installed on computers joined only to an Active Directory domain caches its settings on each computer where it is installed. When you change global or local settings, the client can update the cached settings only when the computer is connected to a domain controller.

 Disable when settings are delivered using Microsoft Intune device configuration policies

Windows

  1. Sign in to the Microsoft Intune admin center.

  2. Select Devices > Manage devices > Configuration.

  3. Activate the Policies tab.

  4. Select the policy that is used to deliver local settings to Windows devices.

  5. Click Edit next to Configuration settings.

  6. Locate the Allow users to reset passwords from the computer login screen setting and click it.

  7. Select Disabled and click OK.

  8. Locate the Display a balloon in the system notification area to remind users to enroll for Password Self-Service setting and click it.

  9. Select Disabled and click OK.

  10. Click Review + save.

  11. Click Save.

macOS

  1. Sign in to the Microsoft Intune admin center.

  2. Select Devices > Manage devices > Configuration.

  3. Activate the Policies tab.

  4. Select the policy that is used to deliver local settings to macOS devices.

  5. Click Edit next to Configuration settings.

  6. Set the AllowLoginScreenPasswordReset and EnrollReminder.Enable keys to <false/>.

  7. Click Review + save.

  8. Click Save.

 If the enrollment notification balloon doesn't show up {id=no-notification}
  1. Make sure Adaxes self-service client is installed on the computer in question.

  2. Make sure the Display a balloon in the system notification area to remind users to enroll for password self-service option is enabled in Adaxes administration console. For details, see global settings in the Configuration section.

  3. Make sure that the enrollment notification is not disabled for the computer in question via local settings (GPO/Intune).

  4. Make sure that notifications from the self-service client are not disabled in the operating system settings.

  5. Make sure a password self-service policy is assigned to the currently logged in user.

  6. Make sure the currently logged in user is not already enrolled for password self-service.

  7. Send debug information to the Adaxes support team to help them troubleshoot the issue:

 If you have a problem with applying local settings (GPO) {id=gpo-local-settings-issues}
  1. Make sure the computer in question is linked to the GPO where the self-service client local settings are configured.

  2. Execute the gpupdate /force command on the computer in question to force the group policy refresh.

  3. Send debug information to the Adaxes support team to help them troubleshoot the issue:

 If you have a problem with applying local settings (Intune) {id=intune-local-settings-issues}

Windows

  1. Make sure that you are applying the device configuration policy to a device or a device group, not a user or a user group.

  2. Make sure that only one device configuration policy with Adaxes self-service client settings affects the target computer.

  3. Check the Microsoft Intune Event Log on the target computer:

    • Launch Event Viewer.

    • In the console tree of Event Viewer, open the Windows Logs folder and select Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin.

    • Review error events in the right pane.

    • If you need assistance with troubleshooting, send the error events related to the device configuration policy with local settings to support@adaxes.com.

  4. Send debug information to the Adaxes support team to help them troubleshoot the issue:

macOS

  1. Make sure that you are applying the device configuration policy to a device or a device group, not a user or a user group.

  2. Make sure that only one device configuration policy with Adaxes self-service client settings affects the target computer.

  3. Send debug information to the Adaxes support team to help them troubleshoot the issue:

    • Enable debug logging to track all the Adaxes self-service client actions. How to enable debug logging.

    • Attempt to apply the configuration profile to log the issue.

    • Sign out of the system.

    • Sign back in.

    • Send the log file to support@adaxes.com.

 If the login screen is broken {id=login-screen-broken}

Windows

Send debug information to the Adaxes support team to help them troubleshoot the issue:

  • Enable debug logging to track all the Adaxes self-service client actions. How to enable debug logging.

  • Sign out or switch user to get to the login screen.

  • Take a picture of the login screen.

  • Send the log file and the picture to support@adaxes.com.

macOS

  1. If the Reset password button is displayed over another UI element, change the button position:

    • Launch the Adaxes administration console.

    • In the Console Tree, expand the Adaxes service node.

    • Expand Configuration / Password Self-Service and select OS Integration.

    • In the Result Pane on the right, click More options.

    • Change the position of the button.

    • Alternatively, change the button position via local settings. Change the value of the ResetPasswordButton.Position key to move the button.

  2. Send debug information to the Adaxes support team to help them troubleshoot the issue:

    • Enable debug logging to track all the Adaxes self-service client actions. How to enable debug logging.

    • Sign out or switch user to get to the login screen.

    • Take a picture of the login screen.

    • Send the log file and the picture to support@adaxes.com.