Azure AD sspr not working on Windows Login Screen

Question

Azure AD sspr not working on Windows Login Screen

Raghavendran KR 21

Hi All,

I managed to get the RESET NOW feature of SSPR on my Windows Login screen but when i click on it it throws the error "THE PASSWORD PROVIDED IS INCORRECT".
I want to redirect my users to SSPR page when they click the RESET NOW option in Login Screen.
I got the key using the registry
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AzureADAccount

muraamar 21 Reputation points

2021-09-13T19:19:20.377+00:00

Hello Raghavendarn, Any luck resolving this issue? we are facing the same issue in our environment.
Raghavendran KR 21 Reputation points

2021-09-14T01:58:19.337+00:00

Hi Murali,

We had to make the create and make changes to following registries using GPO to all the client machine to get the SSPR working.

Key 1:

AllowPasswordReset will show the RESET PASSWORD option in the Windows 10 home screen.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AzureADAccount
Create the DWORD value of "AllowPasswordReset"=dword:00000001.

Key 2:

We also need to disable the EnforceSingleLogon DWORD key Credential provider to allow the sign-in of multiple users to laptop. This is required because “When a user reset their password from the lock screen of a Windows 10 machine, a temporary low privilege account named “defaultuser1” is created. This temporary low privilege account is used to facilitate the password reset process. The account itself doesn’t show up for device sign-in, and will be removed after some time. The defaultuser1 account does need to be allowed to login locally.”

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers
Set the EnforceSingleLogon value to 0 for the acNamPwdCredProvider

Key 3:
Allow the display of the last username on the logon screen.

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Set the dontdisplaylastusername value to 0

2 answers

Your answer

muraamar 21 Reputation points

2021-09-13T19:19:20.377+00:00

Hello Raghavendarn, Any luck resolving this issue? we are facing the same issue in our environment.
Raghavendran KR 21 Reputation points

2021-09-14T01:58:19.337+00:00

Hi Murali,

We had to make the create and make changes to following registries using GPO to all the client machine to get the SSPR working.

Key 1:

AllowPasswordReset will show the RESET PASSWORD option in the Windows 10 home screen.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AzureADAccount
Create the DWORD value of "AllowPasswordReset"=dword:00000001.

Key 2:

We also need to disable the EnforceSingleLogon DWORD key Credential provider to allow the sign-in of multiple users to laptop. This is required because “When a user reset their password from the lock screen of a Windows 10 machine, a temporary low privilege account named “defaultuser1” is created. This temporary low privilege account is used to facilitate the password reset process. The account itself doesn’t show up for device sign-in, and will be removed after some time. The defaultuser1 account does need to be allowed to login locally.”

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers
Set the EnforceSingleLogon value to 0 for the acNamPwdCredProvider

Key 3:
Allow the display of the last username on the logon screen.

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Set the dontdisplaylastusername value to 0

Answer 1

Hi James,

We had to make the create and make changes to following registries using GPO to all the client machine to get the SSPR working.

Key 1:

AllowPasswordReset will show the RESET PASSWORD option in the Windows 10 home screen.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AzureADAccount
Create the DWORD value of "AllowPasswordReset"=dword:00000001.

Key 2:

We also need to disable the EnforceSingleLogon DWORD key Credential provider to allow the sign-in of multiple users to laptop. This is required because “When a user reset their password from the lock screen of a Windows 10 machine, a temporary low privilege account named “defaultuser1” is created. This temporary low privilege account is used to facilitate the password reset process. The account itself doesn’t show up for device sign-in, and will be removed after some time. The defaultuser1 account does need to be allowed to login locally.”

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers
Set the EnforceSingleLogon value to 0 for the acNamPwdCredProvider

Key 3:
Allow the display of the last username on the logon screen.

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Set the dontdisplaylastusername value to 0

muraamar 21 Reputation points

2021-09-15T09:13:35.46+00:00

Hi RaghavendranKR-1455,

Thank you for your detailed explanation.

Validated Key 1 fine, and I am not able to locate/ create key2. However, Found Key 3 is causing the issue in our environment. After applying the "dontdisplaylastusername" value to 0 the "Reset password" link in the lock screen started working fine as expected.

Regards,
Murali

Answer 2

Anonymous

Hi @Raghavendran KR , is the password you're entering the temporary password given when you reset? Or is it the new password you've created? Please make sure you enter the temporary password first and then your new password. Please let me know if you have any questions.

Best,
James

Share via

Azure AD sspr not working on Windows Login Screen

2 answers

Your answer