UPDATE January 2023
It is now easier to enable this option without a custom device profile https://t.co/IVCMZ5nCmk
UPDATE 21 nov 2017
You can also use the registry key HKLM\Software\Policies\Microsoft\AzureADAccount to enable this. Create a DWORD key named AllowPasswordReset with the value 00000001. I have tested with an AAD Joined device managed with SCCM. Will test with an AD Joined device later.
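As an added example (not part of the original post), the following PowerShell sets the registry value described above, reads it back, and checks that the device is Azure AD joined, since the post states the feature only applies in that configuration. The registry path and value name come from the post; the `dsregcmd /status` join check is an extra verification step I added. It assumes an elevated PowerShell session on Windows 10 1709 or later.

```powershell
# Added example, not from the original post.
# Registry path and value name as given in the post's update.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\AzureADAccount'
$ValueName  = 'AllowPasswordReset'

function Set-AadPasswordResetPolicy {
    param([ValidateSet(0, 1)][int]$Enabled = 1)
    if (-not (Test-Path -Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    # REG_DWORD 1 = show "Reset password" on the login screen, 0 = hide it
    New-ItemProperty -Path $PolicyPath -Name $ValueName -PropertyType DWord `
        -Value $Enabled -Force | Out-Null
}

function Get-AadPasswordResetPolicy {
    # Returns $null when the policy value is not present at all
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Test-AzureAdJoined {
    # Added check: the post says the option only works on Azure AD joined devices.
    # dsregcmd /status prints a line "AzureAdJoined : YES" on such devices.
    $status = & dsregcmd.exe /status 2>$null
    return [bool]($status -match '^\s*AzureAdJoined\s*:\s*YES\s*$')
}

if (-not (Test-AzureAdJoined)) {
    Write-Warning 'Device is not Azure AD joined; the login-screen reset option will not appear.'
}

Set-AadPasswordResetPolicy -Enabled 1

switch (Get-AadPasswordResetPolicy) {
    1       { 'Password reset from the login screen is enabled' }
    0       { 'Password reset from the login screen is explicitly disabled' }
    default { 'Policy value not configured' }
}
```

Run it once after applying the setting to confirm the value landed under the Policies hive; the same `Get-AadPasswordResetPolicy` call is useful for auditing a device that was supposed to receive the Intune profile but still does not show the option.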
With Windows 10 Fall Creators Update (build 1709) you can allow your end users to reset their own password (or PIN) directly from the login screen.
To do so you need to have enabled self-service password reset on Azure AD, use Intune as your MDM, and be running Windows 10 1709 in an Azure AD Joined configuration.
Intune Configuration
Log on to your Intune portal from the Azure ARM (https://portal.azure.com/#blade/Microsoft_Intune_DeviceSettings/ExtensionLandingBlade/overview)
Then you need to create a custom profile from Device configuration\Profiles
The profile needs to be configured as follows:
- Name: name the profile as you wish – I always recommend using an understandable name like ‘Windows 10 Reset Password/PIN from Login Screen’
- Platform: Windows 10 and later
- Profile type: custom
- Settings: add the following OMA-URI settings
  - For Password reset
    - Name: name the setting as you wish – I always recommend using an understandable name like ‘Self Service Password Reset from Login Screen’
    - OMA-URI: ./Vendor/MSFT/Policy/Config/Authentication/AllowAadPasswordReset
    - Data type: Integer
    - Value: 1
  - For PIN reset
    - Name: name the setting as you wish – I always recommend using an understandable name like ‘PIN Reset from Login Screen’
    - OMA-URI: ./Device/Vendor/MSFT/PassportForWork/c56dd45b-1da6-4bd0-a53b-1466782d6ee5/Policies/EnablePinRecovery
    - Data type: Integer
    - Value: 1
Once the profile has been saved, you can assign (deploy) it to your users.
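The custom profile built in the portal above is stored by Intune as a `windows10CustomConfiguration` object, so the same two OMA-URI settings can be expressed as a Microsoft Graph request body. The following is an added example, not code from the original post or from Microsoft: it builds that body in PowerShell so the settings can be reviewed (or versioned) before creation. It assumes the Microsoft.Graph PowerShell module and a `Connect-MgGraph` session with the `DeviceManagementConfiguration.ReadWrite.All` scope; the GUID segment of the PassportForWork path is the Azure AD tenant ID, which the function takes as a parameter, and the value shown is a placeholder to replace with your own.

```powershell
# Added example, not from the original post.
# Replace with your own Azure AD tenant ID (placeholder value).
$TenantId = '00000000-0000-0000-0000-000000000000'

function New-LoginScreenResetProfileBody {
    param([Parameter(Mandatory)][string]$TenantId)
    # Graph representation of an Intune "custom" Windows 10 profile with the two
    # OMA-URI integer settings from the post.
    @{
        '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
        displayName   = 'Windows 10 Reset Password/PIN from Login Screen'
        description   = 'Allow self-service password and PIN reset from the Windows login screen'
        omaSettings   = @(
            @{
                '@odata.type' = '#microsoft.graph.omaSettingInteger'
                displayName   = 'Self Service Password Reset from Login Screen'
                omaUri        = './Vendor/MSFT/Policy/Config/Authentication/AllowAadPasswordReset'
                value         = 1
            },
            @{
                '@odata.type' = '#microsoft.graph.omaSettingInteger'
                displayName   = 'PIN Reset from Login Screen'
                # The tenant ID sits in the PassportForWork path between the CSP root and /Policies
                omaUri        = "./Device/Vendor/MSFT/PassportForWork/$TenantId/Policies/EnablePinRecovery"
                value         = 1
            }
        )
    }
}

$body = New-LoginScreenResetProfileBody -TenantId $TenantId
$json = $body | ConvertTo-Json -Depth 5

# Review the body before sending it
$json

# Uncomment after Connect-MgGraph -Scopes DeviceManagementConfiguration.ReadWrite.All
# Invoke-MgGraphRequest -Method POST `
#     -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
#     -Body $json -ContentType 'application/json'
```

The POST only creates the profile; it still has to be assigned to a group (the portal's "Assignments" step) before any device receives it, which is the same sequence the post describes.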
Result
Once the configuration for self-service password/PIN reset from the login screen has been applied, users will be able to reset their password or PIN directly from the login screen without having to borrow a colleague's device to reach the self-service password reset portal.
The following screenshots were taken for a password reset, but the result is similar for a PIN reset.
When the end user uses the reset password option, the Windows GINA (in charge of the authentication) redirects the user to the reset password page.
At this point they need to enter their user logon name so that the system can look up their account.
Then they have to choose which verification method to use – i
Once they have chosen the verification method and have been successfully verified, they will be able to change the password.
And if you have enabled the password reset notification, your end user will also receive a notification confirming the password has been reset, sent to their main mailbox and recovery mailbox.