Azure AD – Allow end-users to reset password or PIN from the login screen

UPDATE January 2023

It is now easier to enable this option without a custom device profile https://t.co/IVCMZ5nCmk

UPDATE 21 Nov 2017

You can also use the registry key HKLM\Software\Policies\Microsoft\AzureADAccount to enable this. Create a DWORD value named AllowPasswordReset with the value 00000001. I have tested with an AAD Joined device managed with SCCM. Will test with an AD Joined device later.
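The registry route from the update above, as an added PowerShell example (not the post's own script): it creates the policy key and DWORD value the post names, reads it back to confirm the setting took, and uses `dsregcmd /status` to check the Azure AD Joined prerequisite the post describes. It must run from an elevated PowerShell session; the function names are this example's own.

```powershell
# Added example, not from the original post. Run elevated (HKLM write).
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\AzureADAccount'   # key from the post
$ValueName  = 'AllowPasswordReset'                                  # DWORD from the post

function Enable-LoginScreenPasswordReset {
    # Create the policy key if it does not exist yet, then set the DWORD to 1.
    if (-not (Test-Path -Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-LoginScreenPasswordReset {
    # Returns $true only when the value exists and is exactly 1.
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$ValueName -eq 1)
}

function Test-AzureAdJoined {
    # dsregcmd /status prints "AzureAdJoined : YES" on an Azure AD Joined device.
    $line = (dsregcmd /status) | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*(\w+)'
    return ($line -and $line.Matches[0].Groups[1].Value -eq 'YES')
}

if (-not (Test-AzureAdJoined)) {
    Write-Warning 'Device is not Azure AD Joined; the login-screen reset option requires it.'
}

Enable-LoginScreenPasswordReset
if (Test-LoginScreenPasswordReset) {
    Write-Output "$ValueName is set to 1 under $PolicyPath"
} else {
    Write-Output "$ValueName was not applied"
}
```

The `Test-LoginScreenPasswordReset` check is also handy as a compliance probe: run it on a device where the option unexpectedly does not appear to see whether the policy value is actually present.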

With Windows 10 Fall Creators Update (build 1709) you can allow your end-user to self reset their password (or PIN) directly from the login screen.

To do so you need to have enabled self-service password reset in Azure AD, use Intune as your MDM, and the devices must be running Windows 10 1709 in an Azure AD Joined configuration.

Intune Configuration

Log on to your Intune portal from the Azure ARM portal (https://portal.azure.com/#blade/Microsoft_Intune_DeviceSettings/ExtensionLandingBlade/overview)

Then you need to create a custom profile under Device configuration\Profiles

The profile needs to be configured as follows

  • Name: name the profile as you wish – I always recommend to use an understandable name like ‘Windows 10 Reset Password/PIN from Login Screen’
  • Platform: Windows 10 and later
  • Profile type: custom
  • Setting: add the following OMA-URI settings
    • For Password reset
      • Name: name the setting as you wish – I always recommend to use an understandable name like ‘Service Password Reset from Login Screen’
      • OMA-URI: ./Vendor/MSFT/Policy/Config/Authentication/AllowAadPasswordReset
      • Data type: Integer
      • Value: 1

    • For PIN reset
      • Name: name the setting as you wish – I always recommend to use an understandable name like ‘Service Password Reset from Login Screen’
      • OMA-URI: ./Device/Vendor/MSFT/PassportForWork/c56dd45b-1da6-4bd0-a53b-1466782d6ee5/Policies/EnablePinRecovery
      • Data type: Integer
      • Value: 1

Once the profile has been saved, you can assign (deploy) it to your users
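The same custom profile built through Microsoft Graph instead of the portal, as an added PowerShell example that is not part of the original post or of Intune's own tooling. It uses the Microsoft.Graph.Authentication module (`Connect-MgGraph`, `Invoke-MgGraphRequest`) and the `windows10CustomConfiguration` / `omaSettingInteger` types of the Graph beta endpoint, with the two OMA-URIs from the list above. Assumptions: the caller holds `DeviceManagementConfiguration.ReadWrite.All`; `<TENANT-ID>` is your Azure AD tenant ID, which is what the GUID segment of the PassportForWork URI carries (the post shows the author's tenant); `<GROUP-OBJECT-ID>` is a placeholder for the Azure AD group to deploy to.

```powershell
# Added example, not the post's code. Creates the custom OMA-URI profile and assigns it.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$TenantId = '<TENANT-ID>'          # placeholder: your Azure AD tenant ID
$GroupId  = '<GROUP-OBJECT-ID>'    # placeholder: object ID of the target user group

# Profile body: one integer OMA setting per feature, both set to 1 as in the post.
$customProfile = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = 'Windows 10 Reset Password/PIN from Login Screen'
    description   = 'Allow SSPR and PIN recovery from the Windows login screen'
    omaSettings   = @(
        @{
            '@odata.type' = '#microsoft.graph.omaSettingInteger'
            displayName   = 'Self Service Password Reset from Login Screen'
            omaUri        = './Vendor/MSFT/Policy/Config/Authentication/AllowAadPasswordReset'
            value         = 1
        },
        @{
            '@odata.type' = '#microsoft.graph.omaSettingInteger'
            displayName   = 'PIN Recovery from Login Screen'
            omaUri        = "./Device/Vendor/MSFT/PassportForWork/$TenantId/Policies/EnablePinRecovery"
            value         = 1
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations' `
    -ContentType 'application/json' `
    -Body ($customProfile | ConvertTo-Json -Depth 10)

Write-Output "Created profile '$($created.displayName)' with id $($created.id)"

# Assignment (the "deploy to your users" step): target one Azure AD group.
$assignment = @{
    assignments = @(
        @{
            target = @{
                '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                groupId       = $GroupId
            }
        }
    )
}

Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/$($created.id)/assign" `
    -ContentType 'application/json' `
    -Body ($assignment | ConvertTo-Json -Depth 10)

Write-Output "Assigned profile $($created.id) to group $GroupId"
```

Scope the assignment group deliberately: the PIN recovery setting is a device-scoped policy, so it lands on every device a member of that group enrolls, not only the one you are testing with.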

Result

Once the configuration for self-service password/PIN reset from the login screen has been applied, users will be able to reset their password or PIN directly from the login screen, without having to borrow a colleague's device to reach the self-service password reset portal.

The following screenshots are taken for a password reset but the result is similar with a PIN reset.

When the end-user uses the reset password option, the Windows GINA (in charge of authentication) redirects the user to the reset password page

At this point they need to enter their user logon name so the system can look up their account

Then they have to choose which verification method to use – i

Once they have chosen the verification method and have been successfully verified, they will be able to change the password

And if you have enabled password reset notifications, your end-user will also receive a confirmation that the password has been reset, sent to both their main mailbox and their recovery mailbox
