Self service password reset – Intune

Featured by dakseven, posted in Active Directory, Azure, Azure AD, INTUNE

Self service reset password . Introduces the ability to the users on your enviorment to reset their own passwords ( requires a pre – registration ) . and enabling password writeback if using AD sync ( Hybrid model ).

Requeriments for the change in intune

Impement SSPR in your tentant(Azure AD & All your computers must be enrolled in Intune).

If you enviroment is Hybrid you must implement an Always on VPN type so the machines hit the Domain controllers.

Your machines must be:

  • Azure AD joined (cloud only )
  • Hybrid Azure AD joined ( Domain Sync)
  • 443 to passwordreset.microsoftonline.com and ajax.aspnetcdn.com must have allowed traffic if under a firewall or segmented network- from the computer side

https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr

Considerations ( MS Guide )

  • Password reset isn’t currently supported from a Remote Desktop or from Hyper-V enhanced sessions.
  • Some third party credential providers are known to cause problems with this feature.
  • Disabling UAC via modification of EnableLUA registry key is known to cause issues.
  • This feature doesn’t work for networks with 802.1x network authentication deployed and the option “Perform immediately before user logon”. For networks with 802.1x network authentication deployed, it’s recommended to use machine authentication to enable this feature.
  • Hybrid Azure AD joined machines must have network connectivity line of sight to a domain controller to use the new password and update cached credentials. This means that devices must either be on the organization’s internal network or on a VPN with network access to an on-premises domain controller.
  • If using an image, prior to running sysprep ensure that the web cache is cleared for the built-in Administrator prior to performing the CopyProfile step. More information about this step can be found in the support article Performance poor when using custom default user profile.
  • The following settings are known to interfere with the ability to use and reset passwords on Windows 10 devices:
    • If Ctrl+Alt+Del is required by policy in Windows 10, Reset password won’t work.
    • If lock screen notifications are turned off, Reset password won’t work.
    • HideFastUserSwitching is set to enabled or 1
    • DontDisplayLastUserName is set to enabled or 1
    • NoLockScreen is set to enabled or 1
    • BlockNonAdminUserInstall is set to enabled or 1
    • EnableLostMode is set on the device
    • Explorer.exe is replaced with a custom shell
  • The combination of the following specific three settings can cause this feature to not work.
    • Interactive logon: Do not require CTRL+ALT+DEL = Disabled
    • DisableLockScreenAppNotifications = 1 or Enabled
    • Windows SKU is Home edition

Create a Configuration profile ( windows 10 later, templates & custom)

Under Configuration settings, select Add and provide the following OMA-URI setting to enable the reset password link

  • OMA-URI set to ./Vendor/MSFT/Policy/Config/Authentication/AllowAadPasswordReset
  • Data type set to Integer
  • Value set to 1

The policy now can be either assigned to computer or user groups. And users should be able to reset their own passwords from the login screen

Advertisement

Published by dakseven

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.