With Windows 10 1803 it is now possible to reset your password on a Hybrid Azure AD Joined device (domain joined and synchronized to Azure AD) directly from the logon screen.
The following steps need to be done to make this work:
- Configure your Azure AD Connect service to synchronize device records
- Log in to the Azure AD Connect box
- Run “Initialize-ADSyncDomainJoinedComputerSync -AdConnectorAccount [connector account name] -AzureADCredentials $aadAdminCred;” (https://docs.microsoft.com/en-us/azure/active-directory/device-management-hybrid-azuread-joined-devices-setup)
- Enable the Device Registration GPO on your test client, or run the scheduled task manually (Task Scheduler –> Workplace Join –> Automatic-Device-Registration)
- Log in again with an Azure identity (synchronized) and check the device registration status:
- Set the following registry key to enable the “reset password” button on your logon screen: “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AzureADAccount\AllowPasswordReset” dword:00000001
That's it. Your users are now able to reset their passwords through the well-known Azure AD SSPR feature:
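The last steps on the client (confirm the device is actually Hybrid Azure AD Joined, then enable the logon-screen link) can be done in one go. The following PowerShell is an added example, not code from the original post: the registry path and value come from the post, while the use of dsregcmd /status (Windows' built-in tool for showing the join state, not named in the post) and the helper function Get-DsregValue are my additions. It assumes it is run in an elevated session on the test client.

```powershell
# Added example: verify Hybrid Azure AD Join state, then enable the logon-screen
# "reset password" link by setting the policy value from the post and reading it back.
# Run elevated on the test client.

$regPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\AzureADAccount'   # path from the post
$valueName = 'AllowPasswordReset'                                  # DWORD from the post

# Helper (my addition): pull one "Name : Value" field out of dsregcmd /status output.
function Get-DsregValue([string[]]$StatusLines, [string]$Name) {
    foreach ($line in $StatusLines) {
        if ($line -match "^\s*$Name\s*:\s*(\S+)") { return $Matches[1] }
    }
    return $null
}

# 1. Check the join state. Hybrid Azure AD Join means BOTH fields report YES;
#    if AzureAdJoined is still NO, the Automatic-Device-Registration task has not
#    completed yet (or the device record has not synchronized), so stop here.
$status        = dsregcmd /status
$azureAdJoined = Get-DsregValue $status 'AzureAdJoined'
$domainJoined  = Get-DsregValue $status 'DomainJoined'
Write-Host "AzureAdJoined = $azureAdJoined, DomainJoined = $domainJoined"
if ($azureAdJoined -ne 'YES' -or $domainJoined -ne 'YES') {
    throw 'Device is not Hybrid Azure AD Joined yet; run the Automatic-Device-Registration task and re-check.'
}

# 2. Create the policy key if it does not exist and set AllowPasswordReset = 1.
if (-not (Test-Path $regPath)) {
    New-Item -Path $regPath -Force | Out-Null
}
New-ItemProperty -Path $regPath -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null

# 3. Read the value back so a typo in the path or name is caught immediately.
$current = (Get-ItemProperty -Path $regPath -Name $valueName).$valueName
if ($current -ne 1) {
    throw "Expected $valueName = 1 under $regPath but found '$current'"
}
Write-Host "$valueName = $current written under $regPath; the link shows up on the next logon screen."
```

Because the value lives under HKLM\SOFTWARE\Policies, it is a policy setting: on a production fleet you would deliver the same DWORD through Group Policy Preferences or an ADMX setting rather than scripting it per machine, and the join-state check above is the first thing to look at when the link does not appear on a client.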