With the latest release of Windows 10 (1709, Fall Creators Update) a new option is added to Windows: enable the self service password reset feature on the Windows logon screen. It gives your Azure AD users the option to reset their password directly from the Windows logon screen. Usually, when a user arrives at the office in the morning (after the autumn holiday) and has forgotten his password, he needs access to a browser on another device to perform a password reset, or has to contact the helpdesk. With this new feature enabled that is no longer necessary: the user can reset the password directly from the logon screen.
There are two requirements for using this feature: Self Service Password Reset needs to be configured in Azure AD, and the device needs to run Windows 10 1709.
Enable the self service password reset option with Intune.
We first have a look at the CSP policy we need to use to enable this feature. The CSP policies can be found on docs.microsoft.com. Below you see the CSP policy, with the part of the OMA-URI you need (Authentication/AllowAadPasswordReset), a short description of what the feature does, and the supported values.
Now that we know the policy setting we need to set, we switch over to the Azure portal to create a new configuration policy. Open Microsoft Intune, choose Device Configuration, Profiles and Create profile.
Give your policy a Name and a Description (optional), choose Windows 10 and later as Platform and choose Custom as Profile type. After that choose Add, next to OMA-URI Settings.
Give the row a Name and fill in the values below.
OMA-URI: ./Vendor/MSFT/Policy/Config/Authentication/AllowAadPasswordReset
Data Type: Integer
Value: 1
When everything is set, save the new policy and assign it to your devices.
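As an added example that is not part of the original post: the same custom profile created through Microsoft Graph instead of the portal, plus a client-side check that both requirements from this post are met. It assumes an access token holding the DeviceManagementConfiguration.ReadWrite.All permission, and it uses the registry value name AllowPasswordReset, which is Microsoft's documented mapping for this CSP setting rather than something shown on this page.

```powershell
# Added example, not from the original post. Assumptions: $Token is a Graph access token with
# DeviceManagementConfiguration.ReadWrite.All; the registry value name AllowPasswordReset is the
# documented mapping of the CSP setting and is not shown on this page.

function New-AadPasswordResetProfile {
    param(
        [Parameter(Mandatory)][string]$Token,
        [string]$ProfileName = "Windows 10 - Allow AAD password reset at logon"
    )
    # One OMA-URI row, data type Integer, value 1: exactly what the post enters in the portal.
    $body = @{
        "@odata.type" = "#microsoft.graph.windows10CustomConfiguration"
        displayName   = $ProfileName
        description   = "Reset password on the logon screen; SSPR must also be enabled in Azure AD."
        omaSettings   = @(
            @{
                "@odata.type" = "#microsoft.graph.omaSettingInteger"
                displayName   = "AllowAadPasswordReset"
                omaUri        = "./Vendor/MSFT/Policy/Config/Authentication/AllowAadPasswordReset"
                value         = 1
            }
        )
    } | ConvertTo-Json -Depth 5

    $headers = @{ Authorization = "Bearer $Token"; "Content-Type" = "application/json" }
    # Returns the created profile (including its id); assigning it to a device group is still needed.
    Invoke-RestMethod -Method Post -Headers $headers -Body $body `
        -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations"
}

function Test-AadPasswordResetPolicy {
    # Run on the client after an Intune sync. Checks both requirements from the post:
    # Windows 10 1709 (build 16299) or later, and the policy value the CSP writes to the registry.
    $build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
    $key   = "HKLM:\SOFTWARE\Policies\Microsoft\AzureADAccount"
    $value = (Get-ItemProperty -Path $key -Name AllowPasswordReset -ErrorAction SilentlyContinue).AllowPasswordReset
    [pscustomobject]@{
        WindowsBuild   = $build
        BuildSupported = ($build -ge 16299)
        PolicyApplied  = ($value -eq 1)
    }
}
```

A device that reports BuildSupported and PolicyApplied as true but still shows no Reset password option usually points back to the first requirement, SSPR not being enabled for that user in Azure AD.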
The end-user experience
What does this look like for a user when the password reset feature is enabled for Windows 10? When the user starts his Windows 10 device, the option Reset password is available on the logon screen.
When the user clicks on Reset password a new screen opens and the user needs to provide the User ID (Azure AD user name).
In the next screen choose the contact method and enter the mobile phone number.
On the mobile phone a verification code is received (when Text my mobile phone is chosen), which needs to be entered on this screen.
When the verification is successful, the user is allowed to enter a new password.
And the password has been reset without contacting the helpdesk or using the browser on a colleague's computer!
4 Comments
Can it be enabled with CSP only ?
No, it's a registry setting:
Create this key: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AzureADAccount
And under that key REG_DWORD with value 1 (Decimal)
I get the "sign-in method you are trying to use isn't allowed" error when trying to reset the password.
Same here, not finding much of an explanation as to why.