Hi James,
We had to create and change the following registry entries using GPO on all the client machines to get SSPR working.
Key 1:
AllowPasswordReset will show the RESET PASSWORD option on the Windows 10 home screen.
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AzureADAccount
Create the DWORD value of "AllowPasswordReset"=dword:00000001.
Key 2:
We also need to disable the EnforceSingleLogon DWORD key of the credential provider to allow multiple users to sign in to the laptop. This is required because "When a user resets their password from the lock screen of a Windows 10 machine, a temporary low-privilege account named 'defaultuser1' is created. This temporary low-privilege account is used to facilitate the password reset process. The account itself doesn't show up for device sign-in and will be removed after some time. The defaultuser1 account does need to be allowed to log in locally."
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers
Set the EnforceSingleLogon value to 0 for acNamPwdCredProvider.
Key 3:
Allow the display of the last username on the logon screen.
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Set the DontDisplayLastUserName value to 0.
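The following PowerShell script is an added example and is not part of the message above or of any Microsoft tooling. It audits the three registry values the message lists on the local client and, with -Apply, sets them, so you can confirm on a test machine that the GPO actually landed. Assumptions: the subkey under "Credential Providers" is named exactly as the message says ('acNamPwdCredProvider'); credential providers are normally keyed by CLSID, so confirm that subkey name in regedit before trusting the EnforceSingleLogon result. The script does not check the "Allow log on locally" user right that the quoted text says defaultuser1 needs.

```powershell
<#
  Added example (not from the original message): report, and with -Apply set, the three
  registry values listed above for Windows 10 lock-screen SSPR.
  ASSUMPTION: the Credential Providers subkey is named 'acNamPwdCredProvider' as in the
  message; adjust -CredProviderSubkey if your build keys the provider by CLSID.
#>
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [switch]$Apply,                                       # report only unless -Apply is given
    [string]$CredProviderSubkey = 'acNamPwdCredProvider'  # assumed name, taken from the message
)

$settings = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\AzureADAccount'
       Name = 'AllowPasswordReset'; Expected = 1 }        # 1 = show RESET PASSWORD on the lock screen
    @{ Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\$CredProviderSubkey"
       Name = 'EnforceSingleLogon'; Expected = 0 }        # 0 = temporary defaultuser1 may sign in alongside other users
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'DontDisplayLastUserName'; Expected = 0 }   # 0 = last user name shown; a deliberate info-disclosure trade-off
)

$results = foreach ($s in $settings) {
    $current = $null
    if (Test-Path -LiteralPath $s.Path) {
        $item = Get-ItemProperty -LiteralPath $s.Path -Name $s.Name -ErrorAction SilentlyContinue
        if ($item) { $current = [int]$item.($s.Name) }
    }
    $compliant = ($null -ne $current) -and ($current -eq $s.Expected)

    if ($Apply -and -not $compliant) {
        # Create missing parent keys, then write (or overwrite) the DWORD value.
        if (-not (Test-Path -LiteralPath $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        New-ItemProperty -LiteralPath $s.Path -Name $s.Name -PropertyType DWord -Value $s.Expected -Force | Out-Null
        # Read back rather than trusting the write.
        $current   = [int](Get-ItemProperty -LiteralPath $s.Path -Name $s.Name).($s.Name)
        $compliant = ($current -eq $s.Expected)
    }

    [pscustomobject]@{
        Key       = $s.Path
        Value     = $s.Name
        Current   = if ($null -eq $current) { '<missing>' } else { $current }
        Expected  = $s.Expected
        Compliant = $compliant
    }
}

$results | Format-Table -AutoSize -Wrap
# Non-zero exit lets a deployment pipeline or Intune/SCCM detection script flag drift.
if ($results.Compliant -contains $false) { exit 1 } else { exit 0 }
```

Run it without switches on a client after `gpupdate /force` to confirm the GPO delivered all three values; the exit code makes it usable as a compliance or detection script. Use -Apply only on a test machine: the AllowPasswordReset value lives under the Policies hive, so a local change there is reasserted (or removed) at the next Group Policy refresh, and the GPO remains the source of truth.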