Azure AD sspr not working on Windows Login Screen

Raghavendran KR 21 Reputation points
2021-08-19T06:52:02.593+00:00

Hi All,

I managed to get the RESET NOW feature of SSPR on my Windows Login screen but when i click on it it throws the error "THE PASSWORD PROVIDED IS INCORRECT".
I want to redirect my users to SSPR page when they click the RESET NOW option in Login Screen.
I got the key using the registry
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AzureADAccount

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,456 questions
{count} votes

2 answers

Sort by: Most helpful
  1. James Hamil 26,036 Reputation points Microsoft Employee
    2021-08-19T19:49:23.883+00:00

    Hi @Raghavendran KR , is the password you're entering the temporary password given when you reset? Or is it the new password you've created? Please make sure you enter the temporary password first and then your new password. Please let me know if you have any questions.

    Best,
    James

    0 comments No comments

  2. Raghavendran KR 21 Reputation points
    2021-09-14T01:58:34.1+00:00

    Hi James,

    We had to make the create and make changes to following registries using GPO to all the client machine to get the SSPR working.

    Key 1:

    AllowPasswordReset will show the RESET PASSWORD option in the Windows 10 home screen.

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AzureADAccount
    Create the DWORD value of "AllowPasswordReset"=dword:00000001.

    Key 2:

    We also need to disable the EnforceSingleLogon DWORD key Credential provider to allow the sign-in of multiple users to laptop. This is required because “When a user reset their password from the lock screen of a Windows 10 machine, a temporary low privilege account named “defaultuser1” is created. This temporary low privilege account is used to facilitate the password reset process. The account itself doesn’t show up for device sign-in, and will be removed after some time. The defaultuser1 account does need to be allowed to login locally.”

    Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers
    Set the EnforceSingleLogon value to 0 for the acNamPwdCredProvider

    Key 3:
    Allow the display of the last username on the logon screen.

    Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    Set the dontdisplaylastusername value to 0


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.