Question asked by RaghavendranKR-1455

Azure AD sspr not working on Windows Login Screen

Hi All,

I managed to get the RESET NOW feature of SSPR on my Windows login screen, but when I click on it, it throws the error "THE PASSWORD PROVIDED IS INCORRECT".
I want to redirect my users to the SSPR page when they click the RESET NOW option on the login screen.
I got the key using the registry
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AzureADAccount

azure-ad-sspr

Hello Raghavendarn, Any luck resolving this issue? we are facing the same issue in our environment.

JamesHamil-MSFT answered:

Hi @RaghavendranKR-1455, is the password you're entering the temporary password given when you reset? Or is it the new password you've created? Please make sure you enter the temporary password first and then your new password. Please let me know if you have any questions.

Best,
James


RaghavendranKR-1455 answered:

Hi James,

We had to create and make changes to the following registry keys using GPO on all the client machines to get SSPR working.

Key 1:

AllowPasswordReset will show the RESET PASSWORD option on the Windows 10 home screen.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AzureADAccount
Create the DWORD value "AllowPasswordReset"=dword:00000001.

Key 2:

We also need to disable the EnforceSingleLogon DWORD value of the credential provider to allow the sign-in of multiple users to the laptop. This is required because “When a user resets their password from the lock screen of a Windows 10 machine, a temporary low-privilege account named “defaultuser1” is created. This temporary low-privilege account is used to facilitate the password reset process. The account itself doesn’t show up for device sign-in, and will be removed after some time. The defaultuser1 account does need to be allowed to log in locally.”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers
Set the EnforceSingleLogon value to 0 for the acNamPwdCredProvider.

Key 3:
Allow the display of the last username on the logon screen.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Set the dontdisplaylastusername value to 0.


Hi RaghavendranKR-1455,

Thank you for your detailed explanation.

Validated Key 1 fine, and I am not able to locate/create Key 2. However, I found Key 3 is causing the issue in our environment. After applying the "dontdisplaylastusername" value of 0, the "Reset password" link on the lock screen started working fine as expected.

Regards,
Murali


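The three registry changes from the answer above, as an added PowerShell example for testing them on a single machine before rolling them out by GPO. This is not code from the thread or from Microsoft: it is written here to illustrate the procedure. It assumes you run it elevated, and because the thread names the acNamPwdCredProvider but never gives the {CLSID} of its subkey under Credential Providers, the script does not guess one; it enumerates the providers with -ListProviders so you can find the subkey yourself, and Key 2 is skipped unless you pass that CLSID via -CredProviderClsid. One practitioner caveat is spelled out in the comments: setting DontDisplayLastUserName to 0 reverses the "Interactive logon: Do not display last user name" hardening, which is exactly the change Murali found necessary, so decide whether that trade-off is acceptable for your fleet.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original thread): apply the three registry settings from the
# answer above on one machine and read them back, e.g. to validate before pushing them by GPO.
# Supports -WhatIf so you can see what would change without touching the registry.
# The thread names the acNamPwdCredProvider but gives no CLSID for its subkey, so none is
# assumed here: run with -ListProviders first and pass the {CLSID} you find as -CredProviderClsid.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$CredProviderClsid,   # {CLSID} subkey of the acNamPwdCredProvider (placeholder, you supply it)
    [switch]$ListProviders        # only enumerate credential providers, change nothing
)

$AadKey = 'HKLM:\SOFTWARE\Policies\Microsoft\AzureADAccount'
$CpRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$SysPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Set-RegDword {
    # Create the key if it is missing and set a DWORD value, skipping when it already matches.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($current -eq $Value) { Write-Verbose "$Path\$Name is already $Value"; return }
    if ($PSCmdlet.ShouldProcess("$Path\$Name", "Set DWORD to $Value (currently '$current')")) {
        New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
    }
}

if ($ListProviders) {
    # Each credential provider is a {CLSID} subkey whose default value holds the provider name.
    Get-ChildItem -Path $CpRoot | ForEach-Object {
        [pscustomobject]@{
            Clsid              = $_.PSChildName
            Name               = $_.GetValue('')
            EnforceSingleLogon = $_.GetValue('EnforceSingleLogon')
        }
    } | Format-Table -AutoSize
    return
}

# Key 1: show the RESET PASSWORD link on the lock screen.
Set-RegDword -Path $AadKey -Name 'AllowPasswordReset' -Value 1

# Key 2: allow the temporary defaultuser1 account to sign in next to the interactive user.
if ($CredProviderClsid) {
    Set-RegDword -Path (Join-Path -Path $CpRoot -ChildPath $CredProviderClsid) -Name 'EnforceSingleLogon' -Value 0
} else {
    Write-Warning 'No -CredProviderClsid given, skipping Key 2. Use -ListProviders to find the acNamPwdCredProvider subkey.'
}

# Key 3: show the last signed-in user name. This reverses the "Interactive logon: Do not display
# last user name" hardening, so make sure that trade-off is acceptable before deploying it.
Set-RegDword -Path $SysPol -Name 'DontDisplayLastUserName' -Value 0

# Read back the final state so the run is self-checking.
[pscustomobject]@{
    AllowPasswordReset      = (Get-ItemProperty -Path $AadKey -Name 'AllowPasswordReset' -ErrorAction SilentlyContinue).AllowPasswordReset
    DontDisplayLastUserName = (Get-ItemProperty -Path $SysPol -Name 'DontDisplayLastUserName' -ErrorAction SilentlyContinue).DontDisplayLastUserName
}
```

Run it once with `-WhatIf` to see the planned changes, then with `-ListProviders` to locate the provider subkey, and finally with `-CredProviderClsid '{...}'` to apply all three keys; the object printed at the end lets you confirm the values that GPO will later enforce.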