Enabling password reset on the Windows 10 logon screen
Have you remembered to enable Self Service Password Reset (SSPR) before the summer vacation?
After some weeks on vacation, a lot of users have problems remembering their password.
Many of you have probably enabled the SSPR function in Azure Active Directory already, if not:
1. In Azure Active Directory, go to Password reset.
2. Enable it for all or selected users.
3. Choose if the user has to authenticate with one or two methods and choose which methods should be available. The defaults are fine for most cases. I wouldn’t recommend using security questions as it is the least secure of the methods available.
4. Choose if users should be required to register on the next logon and how often they have to reconfirm the information. If you have already added the user’s mobile number as an authentication method in Azure AD they shouldn’t need to register, but I usually set this to “Yes”.
Adding “Reset Password” to the Windows 10 logon screen
Enabling SSPR works well for web-only users or non-AAD-joined devices, but if you have forgotten your AAD password, it’s probably on the Windows 10 logon screen you will notice it first.
So let us add a “Reset password” link to the Windows 10 logon screen via Intune:
1. Create a new device configuration profile.
2. Give the profile a name, choose Windows 10 as the platform and Custom as the profile type.
3. Click on the “Add” button to add a new OMA-URI setting.
4. Give it a name and optionally a description.
5. Add the OMA-URI path ./Vendor/MSFT/Policy/Config/Authentication/AllowAadPasswordReset, choose data type Integer and set the value to 1.
6. Click OK twice and then Create.
7. Choose Assignments and assign the profile to one or more groups of computers, since this is a device setting.
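To target all Windows 10 computers, add a dynamic device group in Azure AD with the advanced query below. Type the quotes as straight quotes; curly quotes pasted from a web page will be rejected by the rule editor.
(device.deviceOSVersion -startsWith "10.0") -and (device.DeviceOSType -startsWith "Windows")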
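The same group, profile and assignment can be scripted against Microsoft Graph instead of clicking through the portal. This is an added example, not part of the original post; it assumes the Microsoft.Graph.Authentication and Microsoft.Graph.Groups PowerShell modules are installed, and the display names and mail nickname are made-up placeholders.

```powershell
# Added example. Placeholder names below are constructed for illustration.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'DeviceManagementConfiguration.ReadWrite.All'

# 1. Dynamic device group using the membership rule from this post (straight quotes).
$rule  = '(device.deviceOSVersion -startsWith "10.0") -and (device.DeviceOSType -startsWith "Windows")'
$group = New-MgGroup -DisplayName 'All Windows 10 devices' `
    -MailEnabled:$false -MailNickname 'all-windows10-devices' -SecurityEnabled `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule $rule -MembershipRuleProcessingState 'On'

# 2. Custom Windows 10 profile with the single OMA-URI integer setting.
$profileBody = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = 'Win10 - Reset password on logon screen'
    omaSettings   = @(
        @{
            '@odata.type' = '#microsoft.graph.omaSettingInteger'
            displayName   = 'AllowAadPasswordReset'
            omaUri        = './Vendor/MSFT/Policy/Config/Authentication/AllowAadPasswordReset'
            value         = 1
        }
    )
} | ConvertTo-Json -Depth 5

$base = 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations'
$cfg  = Invoke-MgGraphRequest -Method POST -Uri $base `
    -Body $profileBody -ContentType 'application/json'

# 3. Assign the profile to the device group (device setting, so target devices).
$assignBody = @{
    assignments = @(
        @{
            target = @{
                '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                groupId       = $group.Id
            }
        }
    )
} | ConvertTo-Json -Depth 5

Invoke-MgGraphRequest -Method POST -Uri "$base/$($cfg.id)/assign" `
    -Body $assignBody -ContentType 'application/json'

# 4. Read the assignment back to confirm the profile targets only the intended group.
(Invoke-MgGraphRequest -Method GET -Uri "$base/$($cfg.id)/assignments").value |
    ForEach-Object { $_.target.groupId }
```

The account that runs this needs rights to create groups and Intune device configurations; the last command should print the id of the group created in step 1 and nothing else.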