CP - Security - SSPR on Lockscreen
What this policy is about
Let's paint a picture:
It's Monday morning. Your phone rings. It's Karen from HR. "I forgot my password. Can you reset it?"
Five minutes later: Bob from Sales. Ten minutes later: Someone who "just needs to check one email real quick."
By 10 AM, you've reset 12 passwords and haven't even touched your actual work.
This policy fixes that.
It enables Self-Service Password Reset (SSPR) directly on the Windows lock screen, so users can reset their own passwords without ever calling you, emailing you, or finding you in the break room.
Why this matters
Because password resets are:
- The #1 helpdesk ticket type: Seriously, it's always passwords
- Completely preventable: Users can do this themselves
- A waste of everyone's time: Yours and theirs
- A security weak point: Phone-based resets bypass proper verification
With SSPR enabled on the lock screen, users can:
- Reset their password before logging in
- Do it 24/7 without waiting for IT
- Get back to work faster
You get:
- Fewer interruptions
- Lower helpdesk costs
- Happier users (they don't like calling you either)
- More time to do actual IT work
Configuration Settings
This is beautifully simple. One setting. Maximum impact.
| Setting | Value | Why |
|---|---|---|
| Allow Aad Password Reset | Allow | Enables the "I forgot my password" link on the Windows lock screen, allowing users to reset their own passwords via Azure AD SSPR |
That's it. One toggle. Infinite peace and quiet.
Group Assignments
Included groups:
All Devices
Excluded groups:
- Group - Autopilot Devices - IoT
- Group - Autopilot Devices - Kiosk
Why? IoT and Kiosk devices don't have individual user logins, so SSPR doesn't apply. Simple as that.
SuperVision Tips
SSPR Must Be Enabled in Entra ID
This policy only shows the link on the lock screen. For it to actually work, you need to enable and configure SSPR in Entra ID (Azure AD).
Without it enabled, the link will be there... but it won't do anything. Like a broken vending machine. Frustrating for everyone.
Check your Entra ID Password Reset settings to make sure SSPR is fully configured.
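To confirm the device side of this before blaming the tenant, here is an added check (not part of the original policy set) that reports whether the setting landed and whether the device is Entra joined. The function name and the registry locations are assumptions: the first is the usual Policy CSP result location for MDM-delivered settings, the second is the registry policy key used when the setting is applied outside Intune. It cannot see whether SSPR is enabled in Entra ID.

```powershell
# Added example: device-side check for the lock-screen SSPR policy.
# Registry locations are assumptions; confirm them on a known-good device first.
function Test-LockScreenSspr {
    [CmdletBinding()]
    param()

    $sources = @(
        @{ Source = 'MDM (Policy CSP)'
           Path   = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Authentication'
           Name   = 'AllowAadPasswordReset' },
        @{ Source = 'Registry policy key'
           Path   = 'HKLM:\SOFTWARE\Policies\Microsoft\AzureADAccount'
           Name   = 'AllowPasswordReset' }
    )

    # Collect every source where the value is set to 1 (Allow).
    $enabledBy = foreach ($s in $sources) {
        $item  = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
        $value = $item.($s.Name)
        if ($value -eq 1) { $s.Source }
    }

    # dsregcmd prints lines such as "AzureAdJoined : YES".
    $dsreg        = (dsregcmd.exe /status) -join "`n"
    $entraJoined  = $dsreg -match 'AzureAdJoined\s*:\s*YES'
    $domainJoined = $dsreg -match 'DomainJoined\s*:\s*YES'

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        PolicyEnabled   = [bool]$enabledBy
        EnabledBy       = @($enabledBy) -join ', '
        EntraJoined     = $entraJoined
        HybridJoined    = $entraJoined -and $domainJoined
        # Policy present and device joined; tenant SSPR config is still unverified.
        DeviceSideReady = [bool]$enabledBy -and $entraJoined
    }
}

Test-LockScreenSspr | Format-List
```

If DeviceSideReady is True and the link still does nothing, the gap is on the Entra ID side: SSPR scope, authentication methods, or user registration.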
Final Thoughts
There are very few IT policies that are:
- Easy to implement
- Loved by users
- Reduce costs
- Improve security
SSPR on the lock screen is one of them.
Enable it. Configure it properly. Watch your ticket queue shrink.
And the next time someone forgets their password at 3 AM on a Sunday? They won't be calling you.
Standardize like a pro. Configure with intent. And remember: the best helpdesk ticket is the one that never gets created.