Azure AD sspr not working on Windows Login Screen

Raghavendran KR 21 Reputation points
2021-08-19T06:52:02.593+00:00

Hi All,

I managed to get the RESET NOW feature of SSPR on my Windows login screen, but when I click on it, it throws the error "THE PASSWORD PROVIDED IS INCORRECT".
I want to redirect my users to SSPR page when they click the RESET NOW option in Login Screen.
I got the key using the registry
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AzureADAccount


2 answers

  1. James Hamil 22,081 Reputation points Microsoft Employee
    2021-08-19T19:49:23.883+00:00

    Hi @Raghavendran KR , is the password you're entering the temporary password given when you reset? Or is it the new password you've created? Please make sure you enter the temporary password first and then your new password. Please let me know if you have any questions.

    Best,
    James


  2. Raghavendran KR 21 Reputation points
    2021-09-14T01:58:34.1+00:00

    Hi James,

    We had to create and change the following registry keys via GPO on all the client machines to get SSPR working.

    Key 1:

    AllowPasswordReset will show the RESET PASSWORD option in the Windows 10 home screen.

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AzureADAccount
    Create the DWORD value of "AllowPasswordReset"=dword:00000001.

    Key 2:

    We also need to disable the EnforceSingleLogon DWORD key of the credential provider to allow the sign-in of multiple users to the laptop. This is required because “When a user resets their password from the lock screen of a Windows 10 machine, a temporary low-privilege account named 'defaultuser1' is created. This temporary low-privilege account is used to facilitate the password reset process. The account itself doesn’t show up for device sign-in, and will be removed after some time. The defaultuser1 account does need to be allowed to log in locally.”

    Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers
    Set the EnforceSingleLogon value to 0 for the acNamPwdCredProvider

    Key 3:
    Allow the display of the last username on the logon screen.

    Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    Set the dontdisplaylastusername value to 0
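A way to verify on a client that the three settings from the answer above actually landed (and to apply them where they drifted), as an added example script rather than anything posted in this thread. It assumes the answer's "EnforceSingleLogon for the acNamPwdCredProvider" refers to a subkey named acNamPwdCredProvider under Credential Providers; the other two paths and the value names are the ones given above.

```powershell
# Added example, not code from the thread: audit the three registry settings the answer
# above lists and, with -Apply, set any that drift. Run in an elevated PowerShell.
# Assumption: "EnforceSingleLogon ... for the acNamPwdCredProvider" is read as a subkey
# named acNamPwdCredProvider under "Credential Providers"; adjust $CredProviderKey if
# your clients lay that key out differently.
[CmdletBinding()]
param(
    [switch]$Apply,
    [string]$CredProviderKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\acNamPwdCredProvider'
)

# Key 1, Key 2 and Key 3 from the answer, with the DWORD value each should hold.
$settings = @(
    [pscustomobject]@{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\AzureADAccount'; Name = 'AllowPasswordReset'; Expected = 1 }
    [pscustomobject]@{ Path = $CredProviderKey; Name = 'EnforceSingleLogon'; Expected = 0 }
    [pscustomobject]@{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DontDisplayLastUserName'; Expected = 0 }
)

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # Returns $null (rather than throwing) when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-SsprRegistry {
    param([object[]]$Settings)
    foreach ($s in $Settings) {
        $actual = Get-RegistryDword -Path $s.Path -Name $s.Name
        [pscustomobject]@{
            Path = $s.Path; Name = $s.Name; Expected = $s.Expected
            Actual = $actual                      # $null means the value is not set at all
            Compliant = ($actual -eq $s.Expected)
        }
    }
}

function Set-SsprRegistry {
    param([object[]]$Settings)
    foreach ($s in $Settings) {
        # New-Item -Force creates missing parent keys; DWord matches the dword:00000001 form above.
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        New-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Expected -PropertyType DWord -Force | Out-Null
    }
}

$report = Test-SsprRegistry -Settings $settings
$report | Format-Table -AutoSize
if ($Apply) { Set-SsprRegistry -Settings ($report | Where-Object { -not $_.Compliant }); Test-SsprRegistry -Settings $settings | Format-Table -AutoSize }
```

Without -Apply the script only reads, so it can be run on a client after a gpupdate to confirm which of the three keys the GPO actually delivered before anything is changed by hand.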