Enable password reset on the login screen of a Hybrid Azure AD joined Windows 10 1803 device

Introduction

More Windows 10 1803! Password reset directly from the login screen of Windows 10 has been possible since Windows 10 1709, but only in a cloud-only (Azure AD joined) scenario. This changed with 1803: organizations running a hybrid Azure AD environment are now able to offer this to their users as well (assuming they are on the latest Windows 10 version). This guide explains what is required in a hybrid environment and how to leverage Configuration Manager to apply the proper configuration on the client.

For this to work, there are a few prerequisites:

  • Windows 10 1803 or newer
  • Password writeback enabled in Azure AD Connect
    • Proper permissions in on-premises AD for the AAD Connect account
  • Password reset enabled in Azure AD
  • Enable password reset on the 1803 clients (in this scenario through ConfigMgr)

Password writeback

Short and sweet: everything you need to do in this regard is to follow the instructions outlined A-Z in this chapter: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-writeback#configure-password-writeback

It covers the setup of Azure AD Connect as well as the permissions needed in your on-premises AD for the AAD Connect account.

Password reset

Again, short and sweet. Password reset needs to be enabled in Azure Active Directory. This is also explained very nicely from A-Z right here: https://docs.microsoft.com/en-us/azure/active-directory/authentication/quickstart-sspr

Below is a snippet from my tenant, showing that Password reset has been enabled for all users.

When everything is working with regard to Password Writeback and Password Reset, you will see a green check mark in the On-premises integration menu, as shown below:

Configuration Manager

As an initial note, this can of course be done with group policies. But when speaking of modern management and how we should consider moving workloads away from on-premises infrastructure, I actually think doing this through Configuration Manager is more modern than an old-fashioned group policy. Doing it through Intune is of course also an option, as it has been since Windows 10 1709.

Instead of walking you through a tedious amount of screenshots showing how to create the Configuration Item and Baseline, I’m providing a direct copy of mine as a download here: CI_CB_EnablePasswordReset.zip

Extract the download and import both the Configuration Item and the Configuration Baseline into the Configuration Manager console, then deploy the baseline to a collection consisting of Windows 10 1803 computers.

For the record, the Configuration Item enforces just a single registry value (a DWORD under this key):

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AzureADAccount

"AllowPasswordReset"=dword:00000001
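If you would rather build the Configuration Item yourself than import the download, the following PowerShell is an added example (it is not the content of the zip above): a discovery script that reports whether the value above is set, a remediation script that creates the key and sets the DWORD, and a local check of the two prerequisites most likely to explain a missing reset link. It assumes a script-based CI setting whose compliance rule expects the discovery output to equal the string "Compliant", that the device is hybrid joined (both DomainJoined and AzureAdJoined reported as YES by dsregcmd /status), and that the Windows 10 1803 build number is 17134; those assumptions are mine, not the post’s.

```powershell
# Added example, not the Configuration Item shipped with the post.
# Assumptions: ConfigMgr CI uses PowerShell discovery/remediation scripts;
# compliance rule checks for the literal string "Compliant";
# dsregcmd /status output is parsed as text; 1803 == build 17134.

$RegPath  = 'HKLM:\SOFTWARE\Policies\Microsoft\AzureADAccount'
$RegName  = 'AllowPasswordReset'
$RegValue = 1

# Discovery script body: must print exactly "Compliant" for the CI to pass.
function Test-PasswordResetPolicy {
    $current = Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue
    if ($null -ne $current -and [int]$current.$RegName -eq $RegValue) {
        return 'Compliant'
    }
    return 'NonCompliant'
}

# Remediation script body: create the Policies key if absent, then set the DWORD.
function Set-PasswordResetPolicy {
    if (-not (Test-Path $RegPath)) {
        New-Item -Path $RegPath -Force | Out-Null
    }
    New-ItemProperty -Path $RegPath -Name $RegName -Value $RegValue `
        -PropertyType DWord -Force | Out-Null
}

# Prerequisite check for the "link does not appear" case: the registry value
# alone does nothing unless the device is actually hybrid Azure AD joined and
# runs 1803 or newer. dsregcmd /status prints "DomainJoined : YES" and
# "AzureAdJoined : YES" in its Device State section on a hybrid joined device.
function Test-HybridJoinPrerequisites {
    $status       = dsregcmd /status
    $azureJoined  = $null -ne ($status | Select-String 'AzureAdJoined\s*:\s*YES')
    $domainJoined = $null -ne ($status | Select-String 'DomainJoined\s*:\s*YES')
    $build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
    [pscustomobject]@{
        DomainJoined  = $domainJoined
        AzureAdJoined = $azureJoined
        Build         = $build
        BuildOk       = ($build -ge 17134)   # assumption: 1803 = 17134
        HybridOk      = ($domainJoined -and $azureJoined)
    }
}

# Manual run (as an elevated admin): show prerequisites, remediate if needed,
# then report the final compliance state.
Test-HybridJoinPrerequisites
if ((Test-PasswordResetPolicy) -ne 'Compliant') { Set-PasswordResetPolicy }
Test-PasswordResetPolicy
```

In the CI, paste only the body of Test-PasswordResetPolicy (plus the three variables) as the discovery script and the body of Set-PasswordResetPolicy as the remediation script; run the prerequisite function by hand on a test device before troubleshooting the baseline itself. Because the value lives under HKLM\SOFTWARE\Policies, a Group Policy object writing the same key will override what the CI sets, so pick one delivery mechanism per device.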

End user experience

When everything is working, users on Windows 10 1803 will have the following password reset experience from the login screen:

  • Type the email address associated with the account you want to reset the password on

  • Select a contact method. I prefer a phone call, but this can also be a text message, an email message, or answers to security questions

  • Set a new password once verification has been completed

  • And your password has been reset

Please share and leave a comment, if this was useful 🙂

More information

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-writeback

5 thoughts on “Enable password reset on the login screen of a Hybrid Azure AD joined Windows 10 1803 device”

  1. Hi Mike,

    Will I be able to log in to my Hybrid Azure Joined laptop using my new password, assuming that I am out of the domain network?

    • Late reply, sorry. If you are out of the domain network, you are dependent on a VPN tunnel in order to update the password on your remote laptop 🙂

  2. Great article. I have a hybrid setup in my organization, and we now have P1 licenses for everyone. I have the password write-back configured, and I can do self-service password reset via the MS web portal. Works great with our multi-factor authentication. We don’t have Intune/Endpoint Manager for device management. We still manage our Windows 10 Pro machines via Group Policy. I have the registry entry for creating the password reset link which I can push out via a GP Preference. The password reset link doesn’t appear at the logon prompt. Am I missing something? Why wouldn’t the reset link appear?

  3. Does this registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AzureADAccount work with Windows 10 Enterprise? Or just with the Professional and Home Windows versions?
