Add SSPR to Windows 10 Login Screen

In this post I am going to show you how to use Intune to deploy a policy which allows your end users to reset their password from the Windows 10 login screen. In the past you would always have needed access to a second device in order to be able to reset your password. This alleviates the need for another device.


  • Azure AD Joined / Hybrid AD Joined Device
  • At Least Windows 10 1803
  • SSPR Enabled in Azure AD

The Process:

  • Navigate to the Intune Portal
  • Choose Device Configuration > Profiles > Create Profile
  • Enter a Name
  • Platform – Windows 10 and Later
  • Profile Type – Custom


  • Choose Settings (Configure)
  • Click Add
  • Enter a Name (and Description if necessary)
  • OMA-URI – ./Vendor/MSFT/Policy/Config/Authentication/AllowAadPasswordReset
  • Data Type – Integer
  • Value – 1


After creating the policy we now need to assign it to our windows 10 devices. I am going to assign to a group i had previously created.


You can monitor the status of the deployment using the “Device Status” Report inside the Configuration Profile we created.


Once the policy is successful you should see the “Reset Password” link on the Windows 10 login screen. Please note if you reset your password on a Hybrid AD Joined device you will need line of sight to the domain controller in order to be able to login with your new password.