How to: Enable password reset from the Windows login screen

For machines running Windows 7, 8, 8.1, and 10 you can enable users to reset their password at the Windows login screen. Users no longer have to find a device with a web browser to access the SSPR portal.

Example Windows 7 and 10 login screens showing the SSPR link

General limitations

  • Password reset is not currently supported from a Remote Desktop or from Hyper-V enhanced sessions.
  • Some 3rd party credential providers are known to cause problems with this feature.
  • Disabling UAC via modification of the EnableLUA registry key is known to cause issues.
  • This feature does not work for networks with 802.1x network authentication deployed and the option "Perform immediately before user logon". For networks with 802.1x network authentication deployed it is recommended to use machine authentication to enable this feature.
  • Hybrid Azure AD joined machines must have network connectivity line of sight to a domain controller to use the new password and update cached credentials.
  • If using an image, prior to running sysprep ensure that the web cache is cleared for the built-in Administrator prior to performing the CopyProfile step. More information about this step can be found in the support article Performance poor when using custom default user profile.
  • The following settings are known to interfere with the ability to use and reset passwords on Windows 10 devices:
    • If Ctrl+Alt+Del is required by policy in versions of Windows 10 before v1809, Reset password will not work.
    • If lock screen notifications are turned off, Reset password will not work.
    • HideFastUserSwitching is set to enabled or 1
    • DontDisplayLastUserName is set to enabled or 1
    • NoLockScreen is set to enabled or 1
    • EnableLostMode is set on the device
    • Explorer.exe is replaced with a custom shell
  • The combination of the following three specific settings can cause this feature to not work:
    • Interactive logon: Do not require CTRL+ALT+DEL = Disabled
    • DisableLockScreenAppNotifications = 1 or Enabled
    • Windows SKU isn't Home or Professional edition

Windows 10 password reset

Windows 10 prerequisites

  • An administrator must enable Azure AD self-service password reset from the Azure portal.
  • Users must register for SSPR before using this feature.
  • Network proxy requirements
    • Windows 10 devices
      • Port 443 to passwordreset.activedirectory.windowsazure.cn and ajax.aspnetcdn.com
      • Windows 10 devices only support machine-level proxy configuration
  • Run at least Windows 10, version April 2018 Update (v1803), and the devices must be either:
    • Azure AD joined
    • Hybrid Azure AD joined

Enable for Windows 10 using the Registry

  1. Sign in to the Windows PC using administrative credentials.
  2. Run regedit as an administrator.
  3. Set the following registry key:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AzureADAccount
      • "AllowPasswordReset"=dword:00000001
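The same registry change scripted for deployment, plus a check for the policy values listed under General limitations that stop "Reset password" from working. This is an added example, not code from the original page; the AzureADAccount path and the AllowPasswordReset value are from the page, while the policy paths for the other values are the standard Windows policy locations and are an assumption to verify against your own GPOs.

```powershell
# Added example (not from the original page): enable SSPR at the Windows 10 login screen
# and audit the policy values the page lists as interfering with it.
# Run from an elevated PowerShell session.
#Requires -RunAsAdministrator

# Path and value name exactly as given on the page.
$sspr = 'HKLM:\SOFTWARE\Policies\Microsoft\AzureADAccount'
New-Item -Path $sspr -Force | Out-Null
Set-ItemProperty -Path $sspr -Name 'AllowPasswordReset' -Value 1 -Type DWord

# Values the page says break Reset password when set to 1 (or, for EnableLUA, to 0).
# Registry locations below are the usual policy paths for these values (assumption, not from the page).
$system = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$checks = @(
    @{ Path = $system; Name = 'HideFastUserSwitching';   Bad = 1 },
    @{ Path = $system; Name = 'DontDisplayLastUserName'; Bad = 1 },
    @{ Path = $system; Name = 'EnableLUA';               Bad = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization'; Name = 'NoLockScreen'; Bad = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'; Name = 'DisableLockScreenAppNotifications'; Bad = 1 }
)

$problems = foreach ($c in $checks) {
    # A missing key or value means the policy is not configured, which is fine.
    $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($null -ne $v -and $v -eq $c.Bad) { "$($c.Path)\$($c.Name) = $v" }
}

if ($problems) {
    Write-Warning 'Settings that will block Reset password at the login screen:'
    $problems | ForEach-Object { Write-Warning "  $_" }
} else {
    Write-Host 'AllowPasswordReset=1 set; no known interfering policy values found.'
}
```

The Ctrl+Alt+Del requirement and the custom-shell case from the limitations list are version- and image-specific and are not checked here.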

Troubleshooting Windows 10 password reset

The Azure AD audit log will include information about the IP address and ClientType where the password reset occurred.

Example Windows 7 password reset in the Azure AD audit log

When users reset their password from the login screen of a Windows 10 device, a low-privilege temporary account called defaultuser1 is created. This account is used to keep the password reset process secure. The account itself has a randomly generated password, doesn't show up for device sign-in, and will automatically be removed after the user resets their password. Multiple defaultuser profiles may exist but can be safely ignored.

Windows 7, 8, and 8.1 password reset

Windows 7, 8, and 8.1 prerequisites

  • An administrator must enable Azure AD self-service password reset from the Azure portal.
  • Users must register for SSPR before using this feature.
  • Network proxy requirements
    • Windows 7, 8, and 8.1 devices
      • Port 443 to passwordreset.activedirectory.windowsazure.cn
  • Patched Windows 7 or Windows 8.1 Operating System.
  • TLS 1.2 enabled using the guidance found in Transport Layer Security (TLS) registry settings.
  • If more than one 3rd party credential provider is enabled on your machine, users will see more than one user profile on the login screen.

Warning

TLS 1.2 must be enabled, not just set to auto negotiate.

Install

  1. Download the appropriate installer for the version of Windows you would like to enable.
  2. Sign in to the machine where you would like to install, and run the installer.
  3. After installation, a reboot is highly recommended.
  4. After the reboot, at the login screen choose a user and click "Forgot password?" to initiate the password reset workflow.
  5. Complete the workflow following the onscreen steps to reset your password.

After clicking "Forgot password?" in Windows 7

Silent installation

  • For silent install, use the command "msiexec /i SsprWindowsLogon.PROD.msi /qn"
  • For silent uninstall, use the command "msiexec /x SsprWindowsLogon.PROD.msi /qn"

Troubleshooting Windows 7, 8, and 8.1 password reset

Events will be logged both on the machine and in Azure AD. Azure AD events will include information about the IP address and ClientType where the password reset occurred.

Example Windows 7 password reset in the Azure AD audit log

If additional logging is required, a registry key on the machine can be changed to enable verbose logging. Enable verbose logging for troubleshooting purposes only.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{86D2F0AC-2171-46CF-9998-4E33B3D7FD4F}

  • To enable verbose logging, create a REG_DWORD: "EnableLogging", and set it to 1.
  • To disable verbose logging, change the REG_DWORD: "EnableLogging" to 0.
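A troubleshooting helper for Windows 7/8/8.1 clients that covers the two things above that most often go wrong: the TLS 1.2 prerequisite (the Warning says it must be explicitly enabled, not left to negotiate) and toggling the provider's verbose logging. This is an added example, not code from the page; the credential provider key is the one given on the page, while the SCHANNEL path is taken from the TLS registry settings guidance and is an assumption to confirm there.

```powershell
# Added example (not from the original page). Run from an elevated PowerShell session.

# Credential provider key exactly as given on the page.
$provider = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{86D2F0AC-2171-46CF-9998-4E33B3D7FD4F}'
# SCHANNEL client key per the TLS registry settings guidance (assumed path, verify there).
$tls12 = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'

function Test-Tls12Enabled {
    # Explicitly enabled means Enabled=1 AND DisabledByDefault=0 under the Client key.
    # A missing key leaves the protocol at "negotiate", which the page warns is not enough.
    $p = Get-ItemProperty -Path $tls12 -ErrorAction SilentlyContinue
    return ($null -ne $p -and $p.Enabled -eq 1 -and $p.DisabledByDefault -eq 0)
}

function Set-SsprVerboseLogging([bool]$Enabled) {
    if (-not (Test-Path $provider)) {
        throw 'SSPR credential provider key not found; is SsprWindowsLogon.PROD.msi installed?'
    }
    # EnableLogging is a REG_DWORD: 1 = verbose logging on, 0 = off (as described on the page).
    Set-ItemProperty -Path $provider -Name 'EnableLogging' -Value ([int]$Enabled) -Type DWord
}

if (Test-Tls12Enabled) {
    Write-Host 'TLS 1.2 client is explicitly enabled.'
} else {
    Write-Warning "TLS 1.2 client is not explicitly enabled under $tls12; SSPR on Windows 7/8.1 will fail."
}

# Switch verbose logging on while reproducing the problem.
Set-SsprVerboseLogging $true
```

Run `Set-SsprVerboseLogging $false` once the logs have been collected, since the page asks for verbose logging to be used for troubleshooting only.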

What do users see

Now that you have configured password reset for your Windows devices, what changes for the user? How do they know that they can reset their password at the login screen?

Example Windows 7 and 10 login screens showing the SSPR link

When users attempt to sign in, they now see a Reset password or Forgot password link that opens the self-service password reset experience at the login screen. This functionality allows users to reset their password without having to use another device to access a web browser.

Your users will find guidance for using this feature in Reset your work or school password.

Next steps

Configure Windows 10