Integrate Self-Service Password Reset into the Windows 10 login screen

Self-Service Password Reset (SSPR) is an Azure AD feature that allows end users to self-reset their password if they forget it. This feature must be enabled by the administrator in Azure AD and the user must register authentication information – phone number, alternate email, mobile app. During a password reset, the user must of course go through some other authentication factor before they can reset their password.

The self-service password reset feature is then available to users on computers with Azure AD join (connected directly to Azure AD) or computers with Azure AD Hybrid join (computers added to local AD and synchronized / joined to Azure AD).

Enable Self-Service Password Reset using Intune

Intune is the most flexible and recommended method for deploying Self-Service Password Reset by allowing you to target both local AD and Azure AD computers.

On the Microsoft Intune home page, select Devices in the left menu and then Configuration profiles. Set some new profile name and optional caption. Select Windows 10 and then Custom profile type as the platform.

Then create your own configuration profile using OMA-URI. Choose a name and optionally a description again. Set OMA-URI to

Data type is Integer and Value is 1.

We then apply the policy to devices or users.

Enable Self-Service Password Reset using Group Policy

The same setting can be achieved by GPO, when the value is written to the registry. So, create a new Group Policy Object and in Computer Configuration – Preferences – Windows Settings – Registry create a new registry entry in the path

Value name is AllowPasswordReset and Value data is 00000001 (DWORD type).