With the latest release of Windows 10 (1709, Fall Creators Update), a new option has been added to Windows: enabling the self-service password reset feature on the Windows logon screen. It gives your Azure AD users the option to reset their password directly from the Windows logon screen. Usually, when a user arrives at the office in the morning (after the autumn holiday) and has forgotten his password, he needs access to a browser on another device to perform a password reset, or needs to contact the helpdesk. With this new feature enabled, that isn't necessary anymore; the user can reset the password directly from the logon screen.
There are two requirements for using this feature: Self Service Password Reset needs to be configured in Azure AD, and you need Windows 10 1709.
Enable the self service password reset option with Intune.
First, we look at the CSP policy we need to enable this feature. The CSP policies are documented on docs.microsoft.com. Below you see the CSP policy, with the part of the OMA-URI you need (Authentication/AllowAadPasswordReset), a short description of what the feature does, and the supported values.
Now that we know the policy setting we need, we switch over to the Azure portal to create a new configuration policy. Open Microsoft Intune, then choose Device Configuration, Profiles and Create profile.
Give your policy a Name and Description (optional), choose Windows 10 and later as Platform, and choose Custom as Profile Type. After that, choose Add next to OMA-URI Settings.
Give the row a Name and fill in the values below.
Data Type: Integer
When everything is set, save the new policy and assign it to your devices.
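The same custom profile can be created through Microsoft Graph instead of the portal, and the result checked on a device. The script below is an added example, not part of the original post. It assumes the Microsoft.Graph.Authentication module is installed; the `./Vendor/MSFT/Policy/Config/` prefix and the value 1 (allowed) come from Microsoft's Policy CSP documentation rather than this page, and the profile name, description and function names are constructed.

```powershell
# Added example. Full OMA-URI = Policy CSP prefix + the part named in the post.
$OmaUri = './Vendor/MSFT/Policy/Config/Authentication/AllowAadPasswordReset'

function New-SsprProfileBody {
    # Builds the Graph request body for a Windows 10 custom profile holding
    # one Integer OMA-URI row. Value 1 = allowed (assumption, see lead-in).
    param([string]$DisplayName = 'Win10 - Logon screen password reset')  # constructed name
    @{
        '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
        displayName   = $DisplayName
        description   = 'Constructed sample description'
        omaSettings   = @(
            @{
                '@odata.type' = '#microsoft.graph.omaSettingInteger'
                displayName   = 'AllowAadPasswordReset'
                omaUri        = $OmaUri
                value         = 1
            }
        )
    } | ConvertTo-Json -Depth 5
}

function Publish-SsprProfile {
    # Creates the profile in Intune. The profile still has to be assigned
    # to devices afterwards, as in the last step of the portal procedure.
    Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'
    Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
        -Body (New-SsprProfileBody) -ContentType 'application/json'
}

function Test-SsprPolicyApplied {
    # Run on a managed Windows 10 1709 device after an MDM sync.
    # Reads the key where the Policy CSP records applied device policies.
    $key = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Authentication'
    $item = Get-ItemProperty -Path $key -Name 'AllowAadPasswordReset' -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.AllowAadPasswordReset -eq 1)
}

# Offline by default: print the JSON body for review.
# Call Publish-SsprProfile to create the profile in the tenant.
New-SsprProfileBody
```

`Test-SsprPolicyApplied` returns `$false` when the value is absent as well as when it is 0, so a device that has not yet synced reads the same as one where the reset link is not enabled.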