Windows 10 and SSPR

Azure AD self-service password reset sounds great, right? A password reset tool included in Office 365: what could be better? Well, as with most Microsoft solutions, you need to understand its limits. Microsoft has continued to improve SSPR, but it's not quite there yet.

Current state:

We are set up in a hybrid environment, so we run AD Connect and sync it with our O365 tenant. We've enabled password writeback, so we can now allow users to register with SSPR, and when they use it from a web browser it will update their on-prem AD also. Sweet!! They also went GA recently with the option to add the reset password link on the logon screen for Windows 10 machines running the April 2018 update. You can enable this through Intune or a regkey. I'm trying the regkey method and have not been able to get it working yet; the link doesn't show. I've opened a ticket with Microsoft and I'm waiting for a reply.

Once I get that working, it will be a great way for employees within the corporate network to reset their passwords. BUT if you're not connected to the corporate network, it seems using SSPR doesn't reset the local cached creds, so you still can't log into your PC with your new password if you're not connected to the domain 🙁

That’s a sticking point for us to go full deployment.
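When the link does not appear with the regkey method, a read-only check of the prerequisites narrows things down. The script below is an added example, not part of the original post; the registry path and value name are the ones Microsoft documents for this feature, and the function name `Test-SsprLinkPrereqs` is made up for illustration.

```powershell
# Added example: read-only checks for the SSPR "Reset password" logon-screen link.
# Registry path and value name are as documented by Microsoft for this feature.
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\AzureADAccount'
$valueName  = 'AllowPasswordReset'
$minBuild   = 17134   # Windows 10 April 2018 Update (version 1803)

function Test-SsprLinkPrereqs {   # hypothetical helper name
    $results = [ordered]@{}

    # 1. The OS build must be at least the April 2018 Update.
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $results['OsBuild']   = $build
    $results['OsBuildOk'] = $build -ge $minBuild

    # 2. The policy value must exist and be set to 1 (DWORD).
    $value = $null
    if (Test-Path $policyPath) {
        $item  = Get-ItemProperty -Path $policyPath -Name $valueName -ErrorAction SilentlyContinue
        $value = $item.$valueName
    }
    $results['AllowPasswordReset'] = $value
    $results['PolicyOk']           = $value -eq 1

    # 3. Join state as reported by dsregcmd (hybrid = both YES).
    $status = & dsregcmd.exe /status 2>$null
    $results['AzureAdJoined'] = [bool]($status -match 'AzureAdJoined\s*:\s*YES')
    $results['DomainJoined']  = [bool]($status -match 'DomainJoined\s*:\s*YES')

    [pscustomobject]$results
}

$r = Test-SsprLinkPrereqs
$r | Format-List

if (-not $r.OsBuildOk) { Write-Warning "Build $($r.OsBuild) is older than $minBuild (April 2018 Update)." }
if (-not $r.PolicyOk)  { Write-Warning "$valueName is not set to 1 under $policyPath." }
if (-not $r.AzureAdJoined) { Write-Warning 'Device is not Azure AD joined or hybrid joined.' }
if ($r.AzureAdJoined -and $r.DomainJoined) {
    # Matches the limitation described in the post for off-network resets.
    Write-Warning 'Hybrid joined: cached credentials need a reachable domain controller to pick up the new password.'
}
```

Run it from an elevated PowerShell prompt on the affected machine; it changes nothing and only reports which prerequisite is missing.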


Future wants

As I said above, being able to reset the password from the logon screen and having it update the local cached credentials or authenticate with the new password against Azure AD would be killer.

But I want to take it a step further. I want to be able to image a Windows 10 PC here in the office, then ship it to someone's home, where they have never logged into the PC and are not connected to the domain, and have them log into the PC for the first time with their domain creds. I've read about Autopilot and they are making that better, but we can't have, and don't want, the user waiting for all the software and configuration the first time they log in. We want them to be able to get right to work, so imaging through ConfigMgr is the best option for us at this time.

Wrap up

Microsoft is making improvements and changes to Azure and O365 all the time, and I look forward to what they will bring next. I wrote this post to gather my thoughts on the current state of my SSPR project. I'll list the URLs I used to collect the information below. If I'm wrong about any of my current state, please let me know in the comments below.

https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Reset-passwords-from-all-the-versions-of-Windows-important-to/ba-p/265978

https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-sspr-windows#configure-reset-password-link-using-the-registry

https://social.msdn.microsoft.com/Forums/en-US/b0cfc043-dcbf-4ca4-89d7-a0bf41dff7c2/sspr-windows-10-password-reset