Enable Self Service Password Reset SSPR on Windows Login Screen using Intune Policy

In this article, we will examine how to enable self-service password reset (SSPR) on the Windows login screen using an Intune policy. This allows users to reset their passwords directly from the Windows sign-in screen, improving the overall user experience on Windows computers.

Self-service password reset (SSPR) gives users in Azure AD the ability to change or reset their password, with no administrator or help desk involvement. Typically, users open a web browser on another device to access the SSPR portal.

Deploying the configuration change to enable SSPR from the login screen using Intune is the most flexible method. It allows you to deploy the configuration change to a specific group of machines you define. This method requires Intune-managed devices.

SSPR improves productivity by allowing users to quickly and easily reset their own passwords without having to wait for assistance from IT. This can save time for both users and IT staff, and reduce the number of helpdesk calls and emails related to password reset.

To configure Windows 11 or 10 devices for SSPR at the sign-in screen, review the prerequisites and configuration steps in Self-service password reset for Windows devices.

Enable Self Service Password Reset SSPR on Windows Login Screen using Intune

Let’s follow the steps to create a device configuration policy in Microsoft Intune to enable Azure AD self-service password reset at the Windows sign-in screen.

  • Sign in to the Microsoft Intune Admin portal https://endpoint.microsoft.com/
  • Select Devices > Windows > Configuration profiles > Create profile.
Intune Policy to Enable Self Service Password Reset SSPR from Windows Login Screen Fig.1

In Create Profile, select Windows 10 and later as the Platform and Settings catalog as the Profile type, then click the Create button.

Intune Policy to Enable Self Service Password Reset SSPR from Windows Login Screen Fig.2

On the Basics tab, enter a descriptive name, such as Enable Self Service Password Reset. Optionally, enter a Description for the policy, then select Next.

Intune Policy to Enable Self Service Password Reset SSPR from Windows Login Screen Fig.3

In Configuration settings, click Add settings to browse or search the catalog for the settings you want to configure.

Enable Self Service Password Reset SSPR on Windows Login Screen using Intune Policy Fig.4

In the Settings picker window, select Authentication to see all the settings in this category, then select Allow Aad Password Reset below. After adding your settings, click the cross mark at the right-hand corner to close the settings picker.

Note: In the policy, use the search box to find specific settings. You can search by category or by a keyword, such as Allow Aad Password Reset, and the related settings will be displayed.

Enable Self Service Password Reset SSPR on Windows Login Screen using Intune Policy Fig.5

Here you need to set the setting to Allow or Block based on your requirements. I am setting it to Allow. Then click Next.

Specifies whether password reset is enabled for Azure Active Directory accounts. This policy allows the Azure AD tenant administrators to enable self service password reset feature on the Windows logon screen.

Enable Self Service Password Reset SSPR on Windows Login Screen using Intune Policy Fig.6

Under Assignments, in Included groups, click Add groups and then choose Select groups to include one or more groups. Click Next to continue.

Enable Self Service Password Reset SSPR on Windows Login Screen using Intune Policy Fig.7

In Scope tags, you can assign a tag to filter the profile to specific IT groups. Add scope tags (if required) and click Next.

In Review + create, review your settings. When you select Create, your changes are saved, and the profile is assigned.

Enable Self Service Password Reset SSPR on Windows Login Screen using Intune Policy Fig.8

A notification will appear automatically in the top right-hand corner, with a message that the policy “Enable Self Service Password Reset SSPR from Windows Login Screen” was created successfully. The policy is also shown in the Configuration profiles list.

Intune Policy Deployment Report

You can check the Intune settings catalog profile report from the Intune portal, which provides an overall view of device configuration policies and deployment status.

To monitor the policy assignment, from the list of Configuration Profiles, select the policy, and here you can check the device and user check-in status. If you click View Report, additional details are displayed.

Additionally, you can quickly check the device and user check-in status reports:

Enable Self Service Password Reset SSPR on Windows Login Screen using Intune Policy Fig.9

You can troubleshoot the basic security policy from the Intune admin center portal. One example is given in How To Start Troubleshooting Intune Issues from the server side. The next level of troubleshooting is to use the MDM Diagnostics Tool to collect logs and information from the client side.

Once the configuration is applied, users will have the ability to reset their password or PIN directly from the Windows login screen.
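As a client-side complement to the deployment report, the following read-only PowerShell check reports whether the setting has reached a device. It is an added example, not part of the original article. It assumes the Settings catalog item maps to the Policy CSP node Authentication/AllowAadPasswordReset, cached by the MDM client under the PolicyManager key, and that the AzureADAccount key is the registry-based equivalent; the function name is hypothetical.

```powershell
# Added example: read-only client-side check for the SSPR sign-in screen policy.
# Assumption: Intune delivers the setting through the Policy CSP node
# Authentication/AllowAadPasswordReset, which the MDM client caches under the
# PolicyManager key below. The AzureADAccount key is the registry-based method.
function Get-SsprLoginScreenState {
    [CmdletBinding()]
    param()

    $locations = @(
        @{ Source = 'Intune (Policy CSP)'
           Path   = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Authentication'
           Name   = 'AllowAadPasswordReset' },
        @{ Source = 'Registry method'
           Path   = 'HKLM:\SOFTWARE\Policies\Microsoft\AzureADAccount'
           Name   = 'AllowPasswordReset' }
    )

    # The policy targets Azure AD accounts, so record the device join state too.
    $joined = 'Unknown'
    if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) {
        $dsreg = & dsregcmd.exe /status 2>$null
        if ("$dsreg" -match 'AzureAdJoined\s*:\s*(\w+)') { $joined = $Matches[1] }
    }

    foreach ($loc in $locations) {
        # Returns nothing (and no error) when the key or the value is absent.
        $item  = Get-ItemProperty -LiteralPath $loc.Path -Name $loc.Name -ErrorAction SilentlyContinue
        $value = if ($item) { $item.($loc.Name) } else { $null }

        $state = 'Not configured'
        if ($null -ne $value) {
            $state = switch ($value) { 1 { 'Allow' } 0 { 'Block' } default { "Unexpected ($value)" } }
        }

        [pscustomobject]@{
            Source        = $loc.Source
            Value         = $value
            State         = $state
            AzureAdJoined = $joined
        }
    }
}

Get-SsprLoginScreenState | Format-Table -AutoSize
```

If the Intune row shows Not configured on a device that is in the assigned group, the profile has not been processed yet; sync the device and compare the result with its check-in status in the report.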

Author

About Author – Jitesh, Microsoft MVP, has over six years of working experience in the IT Industry. He writes and shares his experiences related to Microsoft device management technologies and IT Infrastructure management. His primary focus is Windows 10/11 Deployment solution with Configuration Manager, Microsoft Deployment Toolkit (MDT), and Microsoft Intune.

5 thoughts on “Enable Self Service Password Reset SSPR on Windows Login Screen using Intune Policy”

  1. Another great guide…Thanks for sharing it. You have helped me figure out many Intune and Endpoint issues and tasks recently. Thanks Again!

  2. Do we have to configure the device group that allows the SSPR? If we already configure in Azure to allow all users to be able to process the password reset in the Windows login screen, would that be enough?

    Thanks

    Xu

  3. Great article as always, is there any way for enabling authenticator number matching Windows login for Intune managed PCs?

  4. Is there a way to change the SSPR URL? We use a different password management software and would like it pointed to that instead.

  5. Hello Anoop,

    There is a requirement to enforce users to change the password when they first sign in from a Windows 10 Azure AD joined device. We have enabled the Reset password option from the login screen. However, still when resetting the user password to change it next time, the actual end user tried to log in with a temp password from the login screen and logged in successfully; it didn’t prompt him to change the password from the login screen, however it prompts from other O365 apps to change the password once he logged in.

    We need the user to be prompted to change the password from the login screen itself. Any possibility?

    Regards,
    ARun Kumar Sivamani
