Enabling password reset on the Windows 10 logon screen
Have you remembered to enable Self Service Password Reset (SSPR) before the summer vacation?
After some weeks on vacation a lot of users are having problems remembering their password.
Many of you have probably enabled the SSPR function in Azure Active Directory already. If not:
1. In Azure Active Directory, go to Password reset.
2. Enable it for all or selected users.
3. Choose whether the user has to authenticate with one or two methods, and choose which methods should be available. The defaults are fine for most cases. I wouldn’t recommend using security questions, as it is the least secure of the methods available.
4. Choose whether users should be required to register on the next logon and how often they have to reconfirm the information. If you have already added the user’s mobile number as an authentication method in Azure AD they shouldn’t need to register, but I usually set this to “yes”.
Adding “Reset Password” to the Windows 10 logon screen
Enabling SSPR works well for web-only users or non-AAD-joined devices, but if you have forgotten your AAD password, it’s probably on the Windows 10 logon screen you will notice it first.
So let us add a “Reset password” link to the Windows 10 logon screen via Intune:
1. Create a new device configuration profile.
2. Give the profile a name, choose Windows 10 as the platform and Custom as the profile type.
3. Click the “Add” button to add a new OMA-URI setting.
4. Give it a name and, optionally, a description. Add the OMA-URI path ./Vendor/MSFT/Policy/Config/Authentication/AllowAadPasswordReset, choose data type Integer and set the value to 1.
5. Click OK twice and then Create.
6. Choose Assignments and assign the profile to one or more groups of computers, since this is a device setting.
To target all Windows 10 computers, add a dynamic device group in Azure AD with the advanced query:
(device.deviceOSVersion -startsWith "10.0") -and (device.DeviceOSType -startsWith "Windows")
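The custom profile from the steps above can also be created through Microsoft Graph instead of the portal. This is an added example, not part of the original post: the profile name and descriptions are constructed, and it assumes the Microsoft.Graph.Authentication PowerShell module and an account that can consent to DeviceManagementConfiguration.ReadWrite.All. Assigning the profile to a device group is still done afterwards, as in the last step.

```powershell
# Added example: builds the Windows 10 custom (OMA-URI) profile described in
# the article and posts it to the Intune deviceConfigurations endpoint.

function New-AadPasswordResetProfileBody {
    param(
        # Constructed display name; use your own naming convention.
        [string]$ProfileName = 'Win10 - Logon screen password reset'
    )

    # One integer OMA-URI setting, exactly as entered in the portal steps.
    $setting = [ordered]@{
        '@odata.type' = '#microsoft.graph.omaSettingInteger'
        displayName   = 'AllowAadPasswordReset'
        description   = 'Show the Reset password link on the logon screen'
        omaUri        = './Vendor/MSFT/Policy/Config/Authentication/AllowAadPasswordReset'
        value         = 1
    }

    # Platform "Windows 10" with profile type "Custom" maps to this Graph type.
    $body = [ordered]@{
        '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
        displayName   = $ProfileName
        description   = 'Adds the SSPR link to the Windows 10 logon screen'
        omaSettings   = @($setting)
    }

    # Depth must cover the nested omaSettings array.
    return ($body | ConvertTo-Json -Depth 5)
}

# Sign in with only the permission needed to write device configuration.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$json = New-AadPasswordResetProfileBody
$uri  = 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations'

# Create the profile; the response carries the id of the new object.
$created = Invoke-MgGraphRequest -Method POST -Uri $uri -Body $json -ContentType 'application/json'

# Show what was created so it can be found in the portal and assigned.
'{0} ({1})' -f $created.displayName, $created.id
```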
Hi. Thanks for a nice article. I have self-service password reset all set up in my hybrid AD environment. I can reset my password using the Microsoft web portal. The only piece that doesn’t work for me is enabling the password reset link in Windows 10. We don’t use Intune, so I set up the group policy registry tweak to make this appear. Unfortunately, the reset password link is not showing up at the logon screen. I’m baffled. Any suggestions?
I think they have changed this functionality, so this doesn’t work any longer.