Enable password reset on the login screen of a Hybrid Azure AD joined Windows 10 1803 device (using Configuration Manager)

Introduction

More Windows 10 1803! Password reset directly from the login screen of Windows 10 has been possible since Windows 10 1709, but only in a cloud-only scenario. This changed with 1803: organisations with a hybrid Azure AD environment can now offer this service to their users as well (assuming they run the latest and greatest Windows 10 version). This guide explains what’s required in a hybrid environment and how to leverage Configuration Manager to apply the proper configuration on the client.

For this to work, there are a few prerequisites:

  • Windows 10 1803 or newer
  • Password writeback enabled in Azure AD Connect
    • Proper permissions in on-premises AD for the AAD Connect account
  • Password reset enabled in Azure AD
  • Password reset enabled on the 1803 clients (in this scenario through ConfigMgr)

Password writeback

Short and sweet: everything you need to do in this regard is to follow the instructions A-Z outlined in this chapter: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-writeback#configure-password-writeback

It covers the setup of Azure AD Connect as well as the permissions needed in your on-premises AD for the AAD Connect account.

Password reset

Again, short and sweet. Password reset needs to be enabled in Azure Active Directory. This is also explained very nicely from A-Z right here: https://docs.microsoft.com/en-us/azure/active-directory/authentication/quickstart-sspr

Below is a screenshot from my tenant, showing that Password reset has been enabled for all users.

When everything is working with regard to Password Writeback and Password Reset, you will see a green check mark in the On-premises integration menu, as shown below:

Configuration Manager

As an initial note, this can of course be done with group policies. But when speaking of modern management and how we should consider moving workloads away from on-premises infrastructure, I actually think doing this through Configuration Manager is more modern than an old-fashioned group policy. Doing it through Intune is of course also an option, as it has been since Windows 10 1709.

Instead of walking you through a tedious number of screenshots showing how to build the Configuration Item and Baseline, I’m just providing you with a direct copy of mine as a download here: CI_CB_EnablePasswordReset.zip

Extract the download and import both the Configuration Item and the Configuration Baseline into the Configuration Manager console and deploy it to a collection consisting of Windows 10 1803 computers.

For the record, the Configuration Item checks and sets just a single registry value:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AzureADAccount

"AllowPasswordReset"=dword:00000001
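If you would rather build the Configuration Item yourself than import my download, here is an added example (not the content of CI_CB_EnablePasswordReset.zip, and not Microsoft's code) of a discovery and remediation script pair for a script-based CI setting. It assumes the Windows 10 1803 build number 17134 as the minimum and uses dsregcmd /status to confirm the device is actually hybrid joined before reporting on the registry value; the function names are my own.

```powershell
# Added example: discovery + remediation for a ConfigMgr Configuration Item that
# enforces the AllowPasswordReset policy value described in the post.
$RegPath  = 'HKLM:\SOFTWARE\Policies\Microsoft\AzureADAccount'
$RegName  = 'AllowPasswordReset'
$RegValue = 1          # REG_DWORD 0x00000001, exactly as in the post
$MinBuild = 17134      # Windows 10 1803; older builds ignore the setting

function Test-HybridJoined {
    # dsregcmd /status prints device state; a hybrid joined device reports
    # both DomainJoined : YES and AzureAdJoined : YES
    $status = & dsregcmd.exe /status 2>$null
    $domain = [bool]($status -match 'DomainJoined\s*:\s*YES')
    $aad    = [bool]($status -match 'AzureAdJoined\s*:\s*YES')
    return ($domain -and $aad)
}

function Get-PasswordResetCompliance {
    # Discovery script: the CI compliance rule compares the returned string
    # with the expected value 'Compliant'
    $build = [int](Get-ItemPropertyValue `
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name CurrentBuildNumber)
    if ($build -lt $MinBuild)        { return 'NotApplicable' }
    if (-not (Test-HybridJoined))    { return 'NotHybridJoined' }
    $current = (Get-ItemProperty -Path $RegPath -Name $RegName `
        -ErrorAction SilentlyContinue).$RegName
    if ($current -eq $RegValue)      { return 'Compliant' }
    return 'NonCompliant'
}

function Set-PasswordResetPolicy {
    # Remediation script: create the policy key if missing and write the DWORD
    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    New-ItemProperty -Path $RegPath -Name $RegName -Value $RegValue `
        -PropertyType DWord -Force | Out-Null
}

# Last line of the discovery script: emit the compliance state for ConfigMgr
Get-PasswordResetCompliance
```

Paste the script as the CI's discovery script and, for the remediation script, use the same file with the last line replaced by Set-PasswordResetPolicy; running the CI as SYSTEM is fine, since the device join state is not user specific.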

End user experience

When everything is working, users running Windows 10 1803 will have the following password reset experience from the login screen:

  • Type the email address associated with the account you want to initiate a password reset on

  • Select a contact method. I prefer a phone call, but this can also be a text message, an email message or answers to security questions

  • Set a new password once verification has been made

  • And your password has been reset

Please share and leave a comment, if this was useful 🙂

More information

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-writeback
