Lukas Beran
Lukas Beran

Welcome to my blog! If you're looking for tutorials, hints or tips for IT, you're right here. You will find mostly articles on Microsoft products and technologies - operating systems, servers, virtualization, networks, management, but also the cloud. Sometimes I add some other interesting things.

March 2020
MTWTFSS
 1
2345678
9101112131415
16171819202122
23242526272829
3031 

Categories


Integrate Self-Service Password Reset into the Windows 10 login screen

Lukas BeranLukas Beran

Self-Service Password Reset (SSPR) is an Azure AD feature that allows end users to self-reset their password if they forget it. This feature must be enabled by the administrator in Azure AD and the user must register authentication information – phone number, alternate email, mobile app. During a password reset, the user must of course go through some other authentication factor before they can reset their password.

The self-service password reset feature is then available to users on computers with Azure AD join (connected directly to Azure AD) or computers with Azure AD Hybrid join (computers added to local AD and synchronized / joined to Azure AD).

Enable Self-Service Password Reset using Intune

Intune is the most flexible and recommended method for deploying Self-Service Password Reset by allowing you to target both local AD and Azure AD computers.

On the Microsoft Intune home page, select Devices in the left menu and then Configuration profiles. Set some new profile name and optional caption. Select Windows 10 and then Custom profile type as the platform.

Then create your own configuration profile using OMA-URI. Choose a name and optionally a description again. Set OMA-URI to

Data type is Integer and Value is 1.

We then apply the policy to devices or users.

Enable Self-Service Password Reset using Group Policy

The same setting can be achieved by GPO, when the value is written to the registry. So, create a new Group Policy Object and in Computer ConfigurationPreferencesWindows SettingsRegistry create a new registry entry in the path

Value name is AllowPasswordReset and Value data is 00000001 (DWORD type).

My primary focus is the security of identities, devices and data in the cloud using Microsoft services, technologies and tools.

Comments 0
There are currently no comments.