
How to enable self-service password reset (SSPR) at the Windows sign-in screen

Overview

This knowledge base article provides step-by-step instructions on how to allow users in Microsoft Entra to change or reset their password from the sign-in screen of a Windows device.

Limitations

The following limitations apply to using SSPR from the Windows sign-in screen:

  • Password reset isn't currently supported from a Remote Desktop or from Hyper-V enhanced sessions.
  • Some third-party credential providers are known to cause problems with this feature.
  • Disabling UAC by modifying the EnableLUA registry key is known to cause issues.
  • This feature doesn't work for networks with 802.1x network authentication deployed and the option "Perform immediately before user logon". For networks with 802.1x network authentication deployed, it's recommended to use machine authentication to enable this feature.
  • Microsoft Entra hybrid joined machines must have network connectivity line of sight to a domain controller to use the new password and update cached credentials. This means that devices must either be on the organization's internal network or on a VPN with network access to an on-premises domain controller.
  • If using an image, ensure that the web cache is cleared for the built-in Administrator before performing the CopyProfile step and running sysprep.
  • The following settings are known to interfere with the ability to use and reset passwords on Windows 10 devices:
    • If lock screen notifications are turned off, Reset password won't work.
    • HideFastUserSwitching is set to enabled or 1.
    • DontDisplayLastUserName is set to enabled or 1.
    • NoLockScreen is set to enabled or 1.
    • BlockNonAdminUserInstall is set to enabled or 1.
    • EnableLostMode is set on the device.
    • Explorer.exe is replaced with a custom shell.
    • Interactive logon: Require smart card is set to enabled or 1.
  • The combination of the following specific three settings can cause this feature to not work.
    • Interactive logon: Do not require CTRL+ALT+DEL = Disabled (only for Windows 10 version 1710 and earlier)
    • DisableLockScreenAppNotifications = 1 or Enabled
    • Windows SKU is Home edition.

Steps in Microsoft Intune with Devicie

As per the CIS 3.0 Benchmark, the policy "Turn off app notifications on the lock screen" is set to Enabled. The rationale is that app notifications might display sensitive business or personal data, so with this setting enabled no app notifications are displayed on the lock screen. This is one of the settings listed above that prevents Reset password from working.

Reach out to Devicie, as the CIS 3.0 Benchmark policy needs to be updated with the following:

OMA-URI: ./Device/Vendor/MSFT/Policy/Config/WindowsLogon/DisableLockScreenAppNotifications
Value: <disabled/>

Steps in Microsoft Entra

1. Navigate to the Microsoft Entra portal, expand Protection, then select Password Reset.
2. Make sure to select Self service password reset enabled to All.


Steps in Microsoft Intune

1. Navigate to Microsoft Intune portal, select Devices then select By platform: Windows then select Configuration profiles.
2. Select Create then select New Policy then select By platform: Windows 10 and later and Profile type: Templates then Template name: Custom then select Create.

3. Under Basics tab, enter the following:
Name: Self-Service Password Reset Option
Description: Self-Service Password Reset Option
Then select Next.

4. Under Configuration settings tab, select Add.
Then enter the following:
Name: AllowAadPasswordReset
Description: Not set
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Authentication/AllowAadPasswordReset
Data type: Integer
Value: 1
Then select Save, select Next.

5. Under Assignments tab, select your assignments. Then select Next.
6. Under Applicability Rules tab, select whether to apply any specific operating systems. Select Next.
Note: This does not apply to Windows Home SKUs.
7. Under Review + create tab, review the settings then select Create.

8. On the device, go to Company Portal and sync your device.
9. On the next restart, at the sign-in screen select Other user and start entering the username; the "Reset password" option will appear. Click Reset password.

10. Another pop-up screen will load; enter the characters shown, then select Next to proceed with setting a new password.
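To confirm a device is ready after step 8, the following PowerShell script (an added example, not part of this article or of Devicie's tooling) audits the local registry for the settings listed under Limitations that are known to block Reset password, and checks that the AllowAadPasswordReset policy has been applied. The registry paths and the PolicyManager location are the standard policy-backed locations for these settings and are assumptions you should verify in your own environment.

```powershell
# Added example: audit a Windows device for settings that interfere with SSPR
# at the sign-in screen and verify the Intune policy was applied.
# Registry locations are assumed standard policy paths; run elevated after the
# Company Portal sync.

$System = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Each entry: display name, registry path, value name, and the value that blocks SSPR.
$Checks = @(
    @{ Name = 'HideFastUserSwitching';   Path = $System; Key = 'HideFastUserSwitching';   Bad = 1 },
    @{ Name = 'DontDisplayLastUserName'; Path = $System; Key = 'DontDisplayLastUserName'; Bad = 1 },
    @{ Name = 'UAC disabled (EnableLUA)'; Path = $System; Key = 'EnableLUA';              Bad = 0 },
    @{ Name = 'Require smart card';      Path = $System; Key = 'ScForceOption';           Bad = 1 },
    @{ Name = 'NoLockScreen'; Key = 'NoLockScreen'; Bad = 1;
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization' },
    @{ Name = 'DisableLockScreenAppNotifications'; Key = 'DisableLockScreenAppNotifications'; Bad = 1;
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' },
    @{ Name = 'BlockNonAdminUserInstall'; Key = 'BlockNonAdminUserInstall'; Bad = 1;
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx' }
)

function Get-RegValue([string]$Path, [string]$Key) {
    # Returns $null when the path or value does not exist (setting not configured).
    try { (Get-ItemProperty -Path $Path -Name $Key -ErrorAction Stop).$Key } catch { $null }
}

$Problems = 0
foreach ($c in $Checks) {
    $v = Get-RegValue $c.Path $c.Key
    if ($null -ne $v -and [int]$v -eq $c.Bad) {
        Write-Warning ("{0} is set to {1}; this is known to break Reset password" -f $c.Name, $v)
        $Problems++
    }
}

# A custom shell replacing Explorer.exe is also listed as interfering.
$Shell = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'Shell'
if ($Shell -and $Shell -notmatch '^explorer\.exe$') { Write-Warning "Custom shell configured: $Shell"; $Problems++ }

# The feature does not apply to Home SKUs.
if ((Get-CimInstance Win32_OperatingSystem).Caption -match 'Home') { Write-Warning 'Windows Home edition detected'; $Problems++ }

# MDM policies are written under PolicyManager\current\device\<Area>\<Setting> (assumed path).
$Sspr = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Authentication' 'AllowAadPasswordReset'
if ([int]$Sspr -ne 1) { Write-Warning "AllowAadPasswordReset is '$Sspr'; expected 1 (sync the device from Company Portal)"; $Problems++ }

if ($Problems -eq 0) { Write-Host 'No known SSPR blockers found.' } else { Write-Host "$Problems issue(s) found." }
```

The script only reads the registry; fix any reported setting through the corresponding Intune or Group Policy configuration rather than editing the keys directly, so the policy engine does not revert the change.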