Ctrl+Alt+Delete then Change a password then redirect to https://name.domainname.com/adfs/portal/updatepassword/

Question

Ctrl+Alt+Delete then Change a password then redirect to https://name.domainname.com/adfs/portal/updatepassword/

Renat Khamzin 21

Hi there. We have on-premises domain and some of computers were migrated to Intune, so now part of the computers are not domain joined but Microsoft Entra joined. Some of users on Microsoft Entra joined computers after pressing Ctrl+Alt+Delete and selecting Change a password are redirected to

https://name.domainname.com/adfs/portal/updatepassword/ and it is :) good, it is how I want to be (they are able to change their passwords). But others users on Microsoft Entra joined computers after pressing Ctrl+Alt+Delete and selecting Change a password are redirected to

https://mysignins.microsoft.com/security-info/password/change ( https://myaccount.microsoft.com/ ) and they can not change passwords because we disabled Write-Back feature. The question is - How to redirect all users on Microsoft Entra joined computers to https://name.domainname.com/adfs/portal/updatepassword/ ? We have not done something special on Microsoft Entra joined computers that are redirected to https://name.domainname.com/adfs/portal/updatepassword/ , first I thought it is by default but then I noticed that some computers are redirected to https://mysignins.microsoft.com/security-info/password/change ( https://myaccount.microsoft.com/ ) May be someone already faced with this issue :)

Anonymous

2025-01-07T19:42:32.26+00:00

Hello @Renat Khamzin,

Thank you for reaching out to Microsoft Q&A.

We understand that you have some devices migrated to Intune making them a Microsoft Entra joined devices. As a part of resetting the password, users are being redirected to https://name.domainname.com/adfs/portal/updatepassword/ for some devices and https://mysignins.microsoft.com/security-info/password/change for other devices. Could you please confirm if the users belongs to same domain and trying to access from the same network and still noticing this behavior?

Thanks& Regards,

Janaki Kota
Renat Khamzin 21 Reputation points

2025-01-08T05:07:03.9166667+00:00

Hi Janaki Kota.

Yes, that is correct, all computers belongs to the same domain, they are connected to the same network, more over OS were installed from the same iso and computers have the same applied policies and rules.

Regards,
Renat
Renat Khamzin 21 Reputation points

2025-01-08T05:52:26.7133333+00:00

May be it is possible to configure Registry or GPO to direct users to adfs password change page after pressing Ctrl+Alt+Delete and then Change password
Anonymous

2025-01-08T14:00:54.61+00:00

Hello @Renat Khamzin,

Thanks for the prompt response.

Yes, it is possible to configure the Active Directory Federation Services (ADFS) password change page to be displayed after a user presses Ctrl+Alt+Delete and selects Change a password. You can update password customization to enable the password update page.

1.You need to go to AD FS Management under Endpoints.

2.The endpoint for update password is located at the bottom under Other - /adfs/portal/updatepassword/.

3.Once you have enabled the endpoint, you must restart the AD FS service.

If you expect using update password webpage externally, and when using Web Application Proxy, under the same option you need to enable it on the proxy (Enable on proxy).

You can then navigate to https://<fqdn>/adfs/portal/updatepassword/ on a workplace joined device and you should see the update password page.

Please let us know if you have any further queries

Thanks & Best Regards,

Janaki Kota
Renat Khamzin 21 Reputation points

2025-01-09T06:48:09.7066667+00:00

Hi Janaki Kota.

Thank you for your reply.

We already have configured ADFS and it works correct. Any users whose devices Microsoft Entra joined can navigate manually https://<fqdn>/adfs/portal/updatepassword and change their passwords.

But the question is why some users are directed automatically to https://<fqdn>/adfs/portal/updatepassword after pressing Ctrl+Alt+Delete and selecting Change a password but others users are redirected to https://mysignins.microsoft.com/security-info/password/change

I want to stress all users can open manually https://<fqdn>/adfs/portal/updatepassword and change their passwords. The task is to make it automatically.

Regards,
Renat.
James Hamil 27,211 Reputation points Microsoft Employee Moderator

2025-01-23T20:48:42.6766667+00:00

Hi @Renat Khamzin , did you need any more help with this question? If not could you please mark "Accept Answer" on the appropriate answer so other users can reference it?

Thank you,

James

Accepted answer

1 additional answer

Your answer

Anonymous

2025-01-07T19:42:32.26+00:00

Hello @Renat Khamzin,

Thank you for reaching out to Microsoft Q&A.

We understand that you have some devices migrated to Intune making them a Microsoft Entra joined devices. As a part of resetting the password, users are being redirected to https://name.domainname.com/adfs/portal/updatepassword/ for some devices and https://mysignins.microsoft.com/security-info/password/change for other devices. Could you please confirm if the users belongs to same domain and trying to access from the same network and still noticing this behavior?

Thanks& Regards,

Janaki Kota
Renat Khamzin 21 Reputation points

2025-01-08T05:07:03.9166667+00:00

Hi Janaki Kota.

Yes, that is correct, all computers belongs to the same domain, they are connected to the same network, more over OS were installed from the same iso and computers have the same applied policies and rules.

Regards,
Renat
Renat Khamzin 21 Reputation points

2025-01-08T05:52:26.7133333+00:00

May be it is possible to configure Registry or GPO to direct users to adfs password change page after pressing Ctrl+Alt+Delete and then Change password
Anonymous

2025-01-08T14:00:54.61+00:00

Hello @Renat Khamzin,

Thanks for the prompt response.

Yes, it is possible to configure the Active Directory Federation Services (ADFS) password change page to be displayed after a user presses Ctrl+Alt+Delete and selects Change a password. You can update password customization to enable the password update page.

1.You need to go to AD FS Management under Endpoints.

2.The endpoint for update password is located at the bottom under Other - /adfs/portal/updatepassword/.

3.Once you have enabled the endpoint, you must restart the AD FS service.

If you expect using update password webpage externally, and when using Web Application Proxy, under the same option you need to enable it on the proxy (Enable on proxy).

You can then navigate to https://<fqdn>/adfs/portal/updatepassword/ on a workplace joined device and you should see the update password page.

Please let us know if you have any further queries

Thanks & Best Regards,

Janaki Kota
Renat Khamzin 21 Reputation points

2025-01-09T06:48:09.7066667+00:00

Hi Janaki Kota.

Thank you for your reply.

We already have configured ADFS and it works correct. Any users whose devices Microsoft Entra joined can navigate manually https://<fqdn>/adfs/portal/updatepassword and change their passwords.

But the question is why some users are directed automatically to https://<fqdn>/adfs/portal/updatepassword after pressing Ctrl+Alt+Delete and selecting Change a password but others users are redirected to https://mysignins.microsoft.com/security-info/password/change

I want to stress all users can open manually https://<fqdn>/adfs/portal/updatepassword and change their passwords. The task is to make it automatically.

Regards,
Renat.
James Hamil 27,211 Reputation points Microsoft Employee Moderator

2025-01-23T20:48:42.6766667+00:00

Hi @Renat Khamzin , did you need any more help with this question? If not could you please mark "Accept Answer" on the appropriate answer so other users can reference it?

Thank you,

James

Answer 1

Hi @Renat Khamzin , ADFS only passes the ADFS Password Change URL in the Saml token to Entra if:

The relevant claimrule is configured
Password portal is enabled in ADFS
The user's password in Active Directory is within 14 days of expiry

Assuming a user signed into their device for the first time, their password is still valid for more than 14 days. ADFS would not emit the URL. In that case Entra passes the Entra Password Portal URL to the device

The device caches this information and will load Entra Password Portal when the user invokes a PWD change on the device.

Eventually the user may perform a password logon when their password is closing in on the 14 days expiry mark.

The user performs password auth and ADFS adds the URL to the token. Entra will then pass down the ADFS Password Portal URL as part of the PRT. At this time the device updates the cached info and offers the ADFS Portal the next time when attempting a PWD change

Note:

Users that use WHFB for logging into Windows or are on staged rollout for managed auth will rather get the Entra Password Portal because Entra would be the primary authentication authority.

Going forward, for security reasons we would rather recommend to use Entra SSPR with Password Writeback for a number of reasons.

Here's a brief comparison of functionality:

	Change Password	Reset Password	supports SmartLockout	MFA Protection
	Change Password	Reset Password	supports SmartLockout	MFA Protection
ADFS Password Portal
Entra SSPR

Besides the Security benefits sticking with one PWD change portal adds to more consistency in the user experience.

Please let me know if you have any questions and I can help you further.

If this answer helps you please mark "Accept Answer" so other users can reference it.

Thank you,

James

Renat Khamzin 21 Reputation points

2025-01-24T09:05:16.1233333+00:00

Hi James Hamil
Thank you for your answer.In my case I log in to one machine with user account One and after pressing Change Password I'm redirected to adfs.
but at the same time (in parallel) I log in with the same account One but on another machine and after pressing Change Password I'm redirected to mysignins.microsoft.com/security-info/password/change

Both machine are Intune joined and was installed from the same iso :) and I can not understand what where is the differense
Renat Khamzin 21 Reputation points

2025-02-04T07:28:26.9033333+00:00

James, you wrote

The device caches this information and will load Entra Password Portal when the user invokes a PWD change on the device.

I can not find the cached path.... I want to delete cached information and try again.
Can you give a hint please where is it?

It looks like it is cached on the device level because I tried to delete user profiles and the result is the same - adfs url opens (even I tried delete user profile, then disconnect Internet, then login to the sytem, press ctrl+alt+delete and again adfs url was opened
James Hamil 27,211 Reputation points Microsoft Employee Moderator

2025-02-04T22:13:30.8466667+00:00

Hi @Renat Khamzin , please open a support ticket and we can look into this further. If you don't have support access, please private message me your Subscription ID.

Best,

James

Answer 2

Anonymous

Hello @Renat Khamzin,

Thanks for the prompt response.

We understand that you are facing issues with some user devices which were migrated to Intune and are joined to azure. As the process of changing their password, some users are being redirected to https://name.domainname.com/adfs/portal/updatepassword/ while some users are being redirected to https://mysignins.microsoft.com/security-info/password/change after pressing Ctrl+Alt+Delete.

As a part of troubleshooting, we have confirmed that all devices belong to the same domain, they are connected to the same network. Further, you have also confirmed that the Active Directory Federation Services (ADFS) password change page is configured accordingly to redirect the users to the expected page for changing the password. To investigate the issue further, we need to analyze the logs to understand why it is being redirected to another page than the expected ADFS page. If you have a support plan, could you please file a support ticket for deeper investigation and do share the SR# with us? In case you don't have a support plan please let us know here.

Best Regards

Janaki Kota

Anonymous

2025-01-13T10:16:58.2633333+00:00

Hello @Renat Khamzin,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Anonymous

2025-01-15T08:13:11.7066667+00:00

Hello @Renat Khamzin,

Following up to see if you have any update regarding the issue. Please don't hesitate to reach out to us, if you have any further queries.

Best Regards,

Janaki Kota
Renat Khamzin 21 Reputation points

2025-01-17T10:45:40.2833333+00:00

Hello Janaki Kota.
Thank you for your answer.

Which logs logs should I investigate?
Actually the problem is I do not why one user is redirected and another one is not, where it can be configured and logs are produced during the redirection.

Regards,
Renat
James Hamil 27,211 Reputation points Microsoft Employee Moderator

2025-01-21T21:35:00.4+00:00

Hi @Renat Khamzin , thank you for your patience. I'll investigate this issue further. In the meantime, can you please review this document to view AD FS logs? It may help narrow down the issue. Best,

James

Share via

Ctrl+Alt+Delete then Change a password then redirect to https://name.domainname.com/adfs/portal/updatepassword/

James, you wrote

1 additional answer

Your answer