Enable SSPR to reset Windows cached credentials
It's great that SSPR can now be invoked from the login screen. This however seems like a relatively minor benefit to the average user since most have a mobile device with which they can follow the flow. I don't mean to demean the achievement since it's definitely needed. However, what is a major issue (and which generates just as many support issues (and erodes IT credibility) as no SSPR at all) is the lack of SSPR for cached credentials when users are off the network/VPN. This happens to be the most common use case we see and is vital we get addressed. As it stands we'll have to look for third party tools to assist us.
Hey folks! Thank you for your feedback. We are reviewing this ask and will keep you up to date on our findings. We have also added information about this limitation in our documentation. Thank you!
Hey Microsoft. The folks at DXC are getting more and more customers with this exact issue as more customers attempt to adopt the Hybrid Azure AD version of modern. So unless Microsoft want to see the Modern story tainted with the most basic of IT support use cases, I suggest a more rapid development of a solution. Thanks
Luke Paskert commented
Please make this happen.
How is this possible .. still not fixed
2,5 years later and nothing.... So sad how MS handles some "killer features" that should be already implemented.
In the smartworking era this feature is a "must have".
Having one identity with two passwords is wrong.
Windows Hello for Business seems not to completely resolve the problem because it should require Domain Controller connection to enroll the tool (so being in LAN for hybrid joined windows 10 devices).
Can Windows Hello for Business help with this?
"Windows Hello for Business supports user self-management of their PIN. If a user forgets their PIN, they have the ability to reset it from Settings or the lock screen"
Does that need a VPN tunnel to check the password as part of the process?
I guess nothing more will happen here, right?
Joakim Tomren commented
@Brad Anderson what can you do about this?
Hansell, Derek commented
Almost 2 years without an update. Teams has plenty of devs - maybe shift some back to the Identity side of the house?
Any update on this feature? With COVID this is more of an issue with more and more remote workers that don't have line of sight to DCs.
Michael K commented
Microsoft. C'mon guys! Please, get this rolling. I can't believe this wasn't included with the original SSPR rollout. If AAD DS can sync password/user info it should be able to sync Kerberos tickets and update the local password as well.
I am not sure why this is so difficult for Microsoft. Just like others have pointed out, other companies have figured out how to do this. I guess I will renew my subscription to ADManager since Microsoft cannot figure out how to integrate their own platforms.
Adam Smith commented
Hi Guys, great idea and works great - to that point where it doesn't work. Please put this in
Other programs already do this. If 3rd parties have figured it out, surely Microsoft can do this as they made the operating systems.
As juju said, this is a major caveat.
If user password expires there is no way to log back into the device.
Julien BARREAU-MAINSON commented
Any update on this request? This is really a must have...
Hybrid AAD joined computers + COVID19 = SSPR cannot be easily used...
The SSPR also should be able to reset the cached password on the mobile user's laptop or other devices as well.
We are unable to use SSPR until this is fixed
And again... SSPR without cached credential change keeps on making your home use of your company controlled device unusable... Please provide a solution Microsoft!
Dave Morin commented
Any update, in evaluation since 2018. We would really need this.