SSPR Windows 10 Password Reset

    Question

  • Hi,

    I've been trying to find the answer to this question, but have been unsuccessful. If a customer has a laptop that is Domain Joined and Azure AD Joined, and the user needs to reset their password via the Windows 10 Login page, when they are outside the office (I already have the reset password link setup on the Windows 10 Machine) will the user be able to login to the computer using the new password? What is the proper way of setting this up for the Customer?

    Here is the Scenario;

    User is in the office, and user logs into their Windows 10 using domain\username. The user is offsite and connected to the internet. User clicks on reset password, and the password resets successfully. User tries to log in to the Windows computer but gets an error saying the password is incorrect. User is logging in as domain\username.

    Should the customer start using their Azure AD account going forward for users who are most of the time remote, instead of their domain account? 

    What is the best practice for users who work both locally in the office and off-site? Should we set it up so they use their Azure AD Account only?

    Thank you

    Friday, July 6, 2018 3:14 PM

All replies

  • So presuming you have experience with Intune, you could use that to set up an OMA-URI to enable resetting their password from the login screen of their device.

    Providing the device is in Azure AD (as you mentioned it's Hybrid joined) you could create an Intune Policy to push that OMA-URI out, and SSPR will take care of the rest.

    Have a look here:
    https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-sspr-windows

    • Proposed as answer by Jimmy PJ Friday, July 6, 2018 3:20 PM
    Friday, July 6, 2018 3:20 PM
  • Hi Jimmy,

    Sorry if my previous post wasn't clear. I have already set up the OMA-URI, and I tested the password reset link and it works. My issue currently is this: during my testing, the machine is remote, not connected to the company domain. I reset the password using the reset link on the Windows 10 Machine. The password was successfully reset, but when I try to log in to the Windows 10 computer with the new password, I'm getting "password is incorrect". So the cached password hasn't been updated.

    So I'm asking what is the proper method for remote users to log in to their Windows 10 computer after they reset their password using the Password reset link. How can I ensure that the cached password gets updated?

    Thanks

    Friday, July 6, 2018 4:11 PM
  • Sorry if my previous post wasn't clear. I have already set up the OMA-URI, and I tested the password reset link and it works. My issue currently is this: during my testing, the machine is remote, not connected to the company domain. I reset the password using the reset link on the Windows 10 Machine. The password was successfully reset, but when I try to log in to the Windows 10 computer with the new password, I'm getting "password is incorrect". So the cached password hasn't been updated.

    @AliG26:
    When you did the Password Reset with the Win10 Password Reset Link, was the computer connected to the Internet (regardless of the company domain)?

    Monday, July 9, 2018 3:02 PM
    Moderator
  • Yes, it was connected to the internet, and the password did change successfully (online and on the domain), but the cached password doesn't change. I was logging in as domain\username. The only time the cached password changed was when I connected to VPN.
    Monday, July 9, 2018 10:40 PM
  • This is by design.

    You would have to be connected to the Company Domain for the cached password to be updated.

    Monday, July 16, 2018 11:21 AM
    Moderator
  • So you're telling me that if a user forgot their password, or the user's password has expired, and they need to change their password before logging into their Windows 10 computer, they cannot until they connect their computer to the domain? What's the point of password reset remotely if the cached password can't be updated?
    Tuesday, July 17, 2018 6:27 PM
  • I would like to know the same thing, is it possible to update the cached pwd?
    Thursday, September 13, 2018 8:16 PM
  • No, the device would need to be connected to the Domain, either on-site or possibly through VPN.
    Friday, September 14, 2018 4:35 PM
    Moderator
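As an added example, not code from the thread or from Microsoft, here is a PowerShell check a help desk could run on the affected Windows 10 device to confirm the state the moderator describes: whether it is hybrid joined, whether the lock-screen reset policy is present, and whether a domain controller is currently reachable, which is what decides whether the cached domain\username credential gets refreshed. It assumes the AllowAadPasswordReset OMA-URI from the linked tutorial populates the HKLM\SOFTWARE\Policies\Microsoft\AzureADAccount\AllowPasswordReset registry value.

```powershell
# Added diagnostic for the scenario in this thread (not code from the thread or from Microsoft):
# reports whether a lock-screen SSPR reset on this device will let domain\username sign in right away.
function Get-DsregValue([string[]]$Lines, [string]$Key) {
    # dsregcmd /status prints lines such as "   AzureAdJoined : YES"
    $m = $Lines | Select-String -Pattern "^\s*$Key\s*:\s*(\S+)" | Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value } else { 'UNKNOWN' }
}

function Get-SsprCachedLogonReadiness {
    $status       = dsregcmd /status
    $aadJoined    = Get-DsregValue $status 'AzureAdJoined'
    $domainJoined = Get-DsregValue $status 'DomainJoined'

    # Lock-screen reset switch. Assumption: the AllowAadPasswordReset OMA-URI populates this key.
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\AzureADAccount' `
                               -Name AllowPasswordReset -ErrorAction SilentlyContinue
    $lockScreenReset = ($policy.AllowPasswordReset -eq 1)

    # Domain controller line of sight: FindDomainController() throws when no DC can be reached
    # (off-site, no VPN), which is exactly the state in which the cached verifier is not refreshed.
    $dcReachable = $false
    try {
        $null = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().FindDomainController()
        $dcReachable = $true
    } catch { }

    # Number of domain logons Windows caches for offline sign-in (default 10; 0 disables caching)
    $winlogon = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    $verdict = if ($domainJoined -eq 'YES' -and -not $dcReachable) {
        'Reset will change the AD/Azure AD password, but domain\username sign-in keeps using the OLD cached password until a DC is reachable (on-site or VPN).'
    } elseif ($domainJoined -eq 'YES') {
        'DC reachable: signing in with the new password is validated by the DC and refreshes the cached credential.'
    } else {
        'Not domain joined: no on-prem cached domain credential is involved; sign-in is validated against Azure AD when online.'
    }

    [pscustomobject]@{
        AzureAdJoined     = $aadJoined
        DomainJoined      = $domainJoined
        LockScreenReset   = $lockScreenReset
        DcReachable       = $dcReachable
        CachedLogonsCount = [int]$winlogon.CachedLogonsCount
        Verdict           = $verdict
    }
}

Get-SsprCachedLogonReadiness | Format-List
```

Run it from an elevated prompt on the device before and after connecting the VPN; the Verdict line changes from the first message to the second once a DC answers, matching what the original poster observed.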