Password reset requests are very common in any helpdesk. The Azure AD self-service password reset (SSPR) service allows users to reset their own passwords without involving the IT helpdesk. So far this was only supported on Windows 10 Azure AD joined devices. Now, with a few modifications, we can do the same thing on Windows 7 or Windows 8.1 devices. In this demo I am going to demonstrate how we can do self-service password reset from these non-Windows 10 devices.
This process requires a few prerequisites.
1) Enable SSPR in Azure AD – We need to enable the SSPR service in Azure AD first. I have explained those steps here: http://www.rebeladmin.com/2017/11/step-step-guide-reset-user-password-azure-ad-joined-windows-10-device/
2) Up-to-date patches – Make sure the latest Windows updates are applied to the Windows 7 / Windows 8.1 devices.
3) Users need to register additional verification methods – As part of enabling SSPR, we also define how many verification methods a user must complete before a reset is allowed.
If you use multiple methods, make sure users have registered those methods before they try to use the SSPR service; a user who has not registered cannot complete the reset.
4) TLS 1.2 enabled – TLS 1.2 must be explicitly enabled on the Windows PC; it is not enough to leave it at auto-negotiate. On Windows 7, TLS 1.1 and TLS 1.2 are supported but disabled by default, so they have to be switched on with registry entries.
Under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols you should see a key named TLS 1.2 (if it is not there, go ahead and create it). Under that key there are two subkeys called Client and Server (create them as well if they are missing). I prefer to make the change under both roles. In each of them we need to create DWORD values as follows.
DisabledByDefault – DWORD value 0
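The registry change above can be scripted so it is applied the same way on every Windows 7 / 8.1 machine and then verified. The following PowerShell is an added example and not code from the original post. It creates the TLS 1.2 Client and Server subkeys if they are missing, sets DisabledByDefault to 0 as described, and also sets the companion Schannel value Enabled to 1, which is the standard Schannel setting that turns a protocol on; that second value is assumed here rather than quoted from the article. Run it from an elevated PowerShell prompt and reboot afterwards for Schannel to pick up the change.

```powershell
# Added example (not from the original post): enable TLS 1.2 in Schannel on
# Windows 7 / 8.1 by creating the registry keys and values described above.
# Run elevated; the change takes effect after a reboot.

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'

foreach ($role in 'Client', 'Server') {
    $path = Join-Path $base $role

    # New-Item -Force also creates the intermediate "TLS 1.2" key if it is absent.
    if (-not (Test-Path $path)) {
        New-Item -Path $path -Force | Out-Null
    }

    # DisabledByDefault = 0 is the value the article sets.
    New-ItemProperty -Path $path -Name 'DisabledByDefault' -PropertyType DWord -Value 0 -Force | Out-Null

    # Enabled = 1 is the standard Schannel companion value that switches the
    # protocol on for this role (assumed here, not taken from the article).
    New-ItemProperty -Path $path -Name 'Enabled' -PropertyType DWord -Value 1 -Force | Out-Null
}

# Verification: read both roles back and report whether TLS 1.2 is explicitly enabled.
foreach ($role in 'Client', 'Server') {
    $props = Get-ItemProperty -Path (Join-Path $base $role)
    $ok = ($props.DisabledByDefault -eq 0) -and ($props.Enabled -eq 1)
    $state = if ($ok) { 'OK' } else { 'NOT enabled' }
    'TLS 1.2 {0,-6}: Enabled={1} DisabledByDefault={2} -> {3}' -f $role, $props.Enabled, $props.DisabledByDefault, $state
}
```

The verification loop is the check worth keeping: if either role still reports DisabledByDefault=1 or Enabled missing, Schannel will not offer TLS 1.2 for that role and the SSPR flow will fail on the TLS handshake. The script only enables TLS 1.2; it does not disable older protocols, which is a separate hardening decision.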