(122) Microsoft Intune - Enable SSPR at Windows Sign-In Screen
- Mr B SOE way
- Apr 30, 2024
- 2 min read
Self-service password reset (SSPR) gives users in Microsoft Entra ID the ability to change or reset their password, with no administrator or help desk involvement. Typically, users open a web browser on another device to access the SSPR portal.
There are some known limitations with using this:
Password reset isn't currently supported from a Remote Desktop or from Hyper-V enhanced sessions.
Some third-party credential providers are known to cause problems with this feature.
Disabling UAC by modifying the EnableLUA registry key is known to cause issues.
This feature doesn't work on networks with 802.1x network authentication deployed together with the option "Perform immediately before user logon". For networks with 802.1x network authentication deployed, it's recommended to use machine authentication to enable this feature.
Microsoft Entra hybrid joined machines must have network connectivity line of sight to a domain controller to use the new password and update cached credentials. This means that devices must either be on the organization's internal network or on a VPN with network access to an on-premises domain controller.
If using an image, ensure that the web cache is cleared for the built-in Administrator before performing the CopyProfile step and running sysprep. More information about this step can be found in the support article "Performance poor when using custom default user profile".
The following settings are known to interfere with the ability to use and reset passwords on Windows 10 devices:
If lock screen notifications are turned off, Reset password won't work.
HideFastUserSwitching is set to enabled or 1
DontDisplayLastUserName is set to enabled or 1
NoLockScreen is set to enabled or 1
BlockNonAdminUserInstall is set to enabled or 1
EnableLostMode is set on the device
Explorer.exe is replaced with a custom shell
Interactive logon: Require smart card is set to enabled or 1
The combination of the following three specific settings can also stop this feature from working:
Interactive logon: Do not require CTRL+ALT+DEL = Disabled (only for Windows 10 version 1710 and earlier)
DisableLockScreenAppNotifications = 1 or Enabled
Windows SKU is Home edition
Setup Password Reset:
Navigate to Password Reset in Microsoft Azure. Make sure 'Self service password reset enabled' is set to 'All', then save any changes.
Create Microsoft Intune Configuration Profile:
Navigate to https://intune.microsoft.com/, select Devices, then under By platform select Windows. Select Device Configuration, then Create, then New Policy, and choose the Custom profile type.
Under OMA-URI settings, enter the following:
Name: AllowAadPasswordReset
Description: Not set
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Authentication/AllowAadPasswordReset
Data type: Integer
Value: 1
On a Windows Device:
Go to Company Portal and run a sync; you may have to restart your device to see the changes.
When you click 'Reset password' at the sign-in screen, the following loads in a text box.
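To confirm that the policy above has landed on a synced device and that none of the interfering settings listed earlier are present, here is an added PowerShell check (example code, not from the original post). The registry paths are the Group Policy locations of those settings; the PolicyManager path is an assumption about where the Policy CSP stores the OMA-URI value.

```powershell
# Added example, not from the original post: read the Intune-delivered policy
# and the settings the post lists as interfering with 'Reset password'.
# Run in an elevated PowerShell on the synced device. Registry paths are the
# Group Policy locations of these settings; the PolicyManager path is assumed
# to be where the Policy CSP stores the OMA-URI value.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent
}

$sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows'
$pm  = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Authentication'   # assumed path
$wl  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Setting as the post names it, where it lives, and the test that flags a problem.
$checks = @(
    @{ Setting = 'AllowAadPasswordReset (policy must be 1)'; Path = $pm;  Name = 'AllowAadPasswordReset'; Bad = { $args[0] -ne 1 } }
    @{ Setting = 'HideFastUserSwitching';                   Path = $sys; Name = 'HideFastUserSwitching';   Bad = { $args[0] -eq 1 } }
    @{ Setting = 'DontDisplayLastUserName';                 Path = $sys; Name = 'DontDisplayLastUserName'; Bad = { $args[0] -eq 1 } }
    @{ Setting = 'EnableLUA (UAC disabled)';                Path = $sys; Name = 'EnableLUA';               Bad = { $args[0] -eq 0 } }
    @{ Setting = 'Interactive logon: Require smart card';   Path = $sys; Name = 'scforceoption';           Bad = { $args[0] -eq 1 } }
    @{ Setting = 'NoLockScreen';                            Path = "$pol\Personalization"; Name = 'NoLockScreen'; Bad = { $args[0] -eq 1 } }
    @{ Setting = 'DisableLockScreenAppNotifications';       Path = "$pol\System"; Name = 'DisableLockScreenAppNotifications'; Bad = { $args[0] -eq 1 } }
    @{ Setting = 'BlockNonAdminUserInstall';                Path = "$pol\Appx";   Name = 'BlockNonAdminUserInstall'; Bad = { $args[0] -eq 1 } }
    @{ Setting = 'Explorer.exe replaced with custom shell'; Path = $wl;  Name = 'Shell'; Bad = { $args[0] -and $args[0] -ne 'explorer.exe' } }
)

$results = foreach ($c in $checks) {
    $value  = Get-RegValue -Path $c.Path -Name $c.Name
    $shown  = if ($null -eq $value) { '<not set>' } else { $value }
    $status = if (& $c.Bad $value) { 'BLOCKS SSPR' } else { 'OK' }
    [pscustomobject]@{ Setting = $c.Setting; Value = $shown; Status = $status }
}

$results | Format-Table -AutoSize
if ($results.Status -contains 'BLOCKS SSPR') {
    Write-Warning 'Fix the flagged settings, then sync again from Company Portal.'
}
```

A missing AllowAadPasswordReset value is reported as blocking because it means the custom profile has not yet applied; absent values for the other settings are the defaults and are reported as OK.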