Enable Self Service Password Reset SSPR on Windows Login Screen using Intune Policy

In this article, we will examine how to enable self service password reset (SSPR) on the Windows login screen using Intune policy. By doing so, it allows users to reset their passwords directly from the Windows sign-in screen, improving the overall user experience on Windows computers.

Self-service password reset (SSPR) gives users in Azure AD the ability to change or reset their password, with no administrator or help desk involvement. Typically, users open a web browser on another device to access the SSPR portal.

Deploying the configuration change to enable SSPR from the login screen using Intune is the most flexible method. It allows you to deploy the configuration change to a specific group of machines you define. This method requires Intune managed device.

SSPR improves productivity by allowing users to quickly and easily reset their own passwords without having to wait for assistance from IT. This can save time for both users and IT staff, and reduce the number of helpdesk calls and emails related to password reset.

Patch My PC

To configure a Windows 11 or 10 devices for SSPR at the sign-in screen, review the prerequisites and configuration steps, Self-service password reset for Windows devices.

Enable Self Service Password Reset SSPR on Windows Login Screen using Intune

Let’s follow the steps to create a device configuration policy in Microsoft Intune to enable Azure AD self-service password reset at the Windows sign-in screen.

  • Sign in to the Microsoft Intune Admin portal https://endpoint.microsoft.com/
  • Select Devices > Windows > Configuration profiles > Create profile.
Intune Policy to Enable Self Service Password Reset SSPR from Windows Login Screen Fig.1
Intune Policy to Enable Self Service Password Reset SSPR from Windows Login Screen Fig.1

In Create Profile, Select Platform, Windows 10, and later and Profile, Select Profile Type as Settings catalog. Click on Create button.

Enable Self Service Password Reset SSPR on Windows Login Screen using Intune Policy 1
Intune Policy to Enable Self Service Password Reset SSPR from Windows Login Screen Fig.2

On the Basics tab, enter a descriptive name, such as Enable Self Service Password Reset. Optionally, enter a Description for the policy, then select Next.

Adaptiva
Enable Self Service Password Reset SSPR on Windows Login Screen using Intune Policy 2
Intune Policy to Enable Self Service Password Reset SSPR from Windows Login Screen Fig.3

In Configuration settings, click Add settings to browse or search the catalog for the settings you want to configure.

Enable Self Service Password Reset SSPR on Windows Login Screen using Intune Policy Fig.4
Enable Self Service Password Reset SSPR on Windows Login Screen using Intune Policy Fig.4

On the Settings Picker windows, Select Authentication to see all the settings in this category. Select Allow Aad Password Reset below. After adding your settings, click the cross mark at the right-hand corner to close the settings picker. 

Note! In policy, use the search box to find specific settings. You can search by category or a keyword, such as Allow Aad Password Reset. It will display the related settings available.

Enable Self Service Password Reset SSPR on Windows Login Screen using Intune Policy Fig.5
Enable Self Service Password Reset SSPR on Windows Login Screen using Intune Policy Fig.5

Here you need to specify the settings set to Allow or Block based on your requirements. I am setting up Allow. and click on Next.

Specifies whether password reset is enabled for Azure Active Directory accounts. This policy allows the Azure AD tenant administrators to enable self service password reset feature on the Windows logon screen.

Enable Self Service Password Reset SSPR on Windows Login Screen using Intune Policy Fig.6
Enable Self Service Password Reset SSPR on Windows Login Screen using Intune Policy Fig.6

Under Assignments, In Included groups, click Add groups and then choose Select groups to include one or more groups. Click Next to continue.

Enable Self Service Password Reset SSPR on Windows Login Screen using Intune Policy Fig.7
Enable Self Service Password Reset SSPR on Windows Login Screen using Intune Policy Fig.7

In Scope tags, you can assign a tag to filter the profile to specific IT groups. Add scope tags (if required) and click Next.

In Review + create, review your settings. When you select Create, your changes are saved, and the profile is assigned.

Enable Self Service Password Reset SSPR on Windows Login Screen using Intune Policy Fig.8
Enable Self Service Password Reset SSPR on Windows Login Screen using Intune Policy Fig.8

A notification will appear automatically in the top right-hand corner with a message. You can see that Policy “Enable Self Service Password Reset SSPR from Windows Login Screen” created successfully. The policy is also shown in the Configuration profiles list.

Intune Policy Deployment Report

You can check Intune settings catalog profile report from Intune Portal, which provides an overall view of device configuration policies and deployment status.

To monitor the policy assignment, from the list of Configuration Profiles, select the policy, and here you can check the device and user check-in status. If you click View Report, additional details are displayed.

Additionally, you can quickly check the update as devices/users check in status reports:

Enable Self Service Password Reset SSPR on Windows Login Screen using Intune Policy Fig.9
Enable Self Service Password Reset SSPR on Windows Login Screen using Intune Policy Fig.9

You can troubleshoot the basic security policy from the Intune admin center portal. One example is given below How To Start Troubleshooting Intune Issues from the server-side. The next level of troubleshooting is with MDM Diagnostics Tool to collect the log and information from the client side.

Once the configuration is applied, The users will have the ability to reset their password or PIN directly from the Windows login screen.

Author

About Author – JiteshMicrosoft MVP, has over six years of working experience in the IT Industry. He writes and shares his experiences related to Microsoft device management technologies and IT Infrastructure management. His primary focus is Windows 10/11 Deployment solution with Configuration Manager, Microsoft Deployment Toolkit (MDT), and Microsoft Intune.

3 thoughts on “Enable Self Service Password Reset SSPR on Windows Login Screen using Intune Policy”

  1. Another great guide…Thanks for sharing it. You have helped me figure out many Intune and Endpoint issues and tasks recently. Thanks Again!

    Reply
  2. do we have to configure the device group that allow the SSPR? if we already configure in Azure to allow all users to be able to process the password reset in the windows login screen, would that be enough?

    thanks

    Xu

    Reply
  3. great article as always, is there any way for enabling authenticator number matching windows login for intune managed PC’s.

    Reply

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.