Enable Azure Active Directory self-service password reset at the Windows sign-in screen

Self-service password reset (SSPR) gives users in Azure Active Directory (Azure AD) the ability to change or reset their password, with no administrator or help desk involvement. Typically, users open a web browser on another device to access the SSPR portal. To improve the experience on computers that run Windows 7, 8, 8.1, and 10, you can enable users to reset their password at the Windows sign-in screen.

Figure: Example Windows 7 and 10 sign-in screens showing the SSPR link

Important

This tutorial shows an administrator how to enable SSPR for Windows devices in an enterprise.

If your IT team hasn't enabled the ability to use SSPR from your Windows device, or you have problems during sign-in, reach out to your help desk for additional assistance.

General limitations

The following limitations apply to using SSPR from the Windows sign-in screen:

  • Password reset isn't currently supported from a Remote Desktop or from Hyper-V enhanced sessions.
  • Some third-party credential providers are known to cause problems with this feature.
  • Disabling UAC by modifying the EnableLUA registry key is known to cause issues.
  • This feature doesn't work for networks with 802.1x network authentication deployed together with the option "Perform immediately before user logon". For networks with 802.1x network authentication deployed, it's recommended to use machine authentication to enable this feature.
  • Hybrid Azure AD joined machines must have network connectivity line of sight to a domain controller to use the new password and update cached credentials. This means that devices must either be on the organization's internal network or on a VPN with network access to an on-premises domain controller.
  • If using an image, prior to running sysprep ensure that the web cache is cleared for the built-in Administrator before performing the CopyProfile step. More information about this step can be found in the support article "Performance poor when using custom default user profile".
  • The following settings are known to interfere with the ability to use and reset passwords on Windows 10 devices:
    • If Ctrl+Alt+Del is required by policy in versions of Windows 10 before v1809, Reset password won't work.
    • If lock screen notifications are turned off, Reset password won't work.
    • HideFastUserSwitching is set to Enabled or 1.
    • DontDisplayLastUserName is set to Enabled or 1.
    • NoLockScreen is set to Enabled or 1.
    • EnableLostMode is set on the device.
    • Explorer.exe is replaced with a custom shell.
  • The combination of the following three settings can cause this feature to not work:
    • Interactive logon: Do not require CTRL+ALT+DEL = Disabled
    • DisableLockScreenAppNotifications = 1 or Enabled
    • Windows SKU isn't Home or Professional edition

Windows 10 password reset

To configure a Windows 10 device for SSPR at the sign-in screen, review the following prerequisites and configuration steps.

Windows 10 prerequisites

Enable for Windows 10 using the Registry

To enable SSPR at the sign-in screen using a registry key, complete the following steps:

  1. Sign in to the Windows PC using administrative credentials.

  2. Press Windows + R to open the Run dialog, then run regedit as an administrator.

  3. Set the following registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AzureADAccount
       "AllowPasswordReset"=dword:00000001
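As an added example (not from the original page or from Microsoft), the following PowerShell applies step 3 and then audits the Windows 10 settings listed under General limitations that are known to interfere with Reset password. AllowPasswordReset is the value from this page; the registry locations of the interfering policy values (EnableLUA, HideFastUserSwitching, DontDisplayLastUserName, NoLockScreen, DisableLockScreenAppNotifications) are assumed from their standard Windows policy keys.

```powershell
# Added example, not Microsoft's code. Run in an elevated PowerShell session.
# Sets the AllowPasswordReset policy value from step 3 and audits the Windows 10
# settings this page lists as interfering with Reset password at sign-in.
$sspr   = 'HKLM:\SOFTWARE\Policies\Microsoft\AzureADAccount'
# Assumed standard policy location for the interfering values (not given on the page).
$system = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Enable-SsprAtSignIn {
    # Create the policy key if it does not exist yet, then set the DWORD to 1.
    if (-not (Test-Path -LiteralPath $sspr)) { New-Item -Path $sspr -Force | Out-Null }
    Set-ItemProperty -LiteralPath $sspr -Name 'AllowPasswordReset' -Value 1 -Type DWord
}

function Get-RegValue([string]$Path, [string]$Name) {
    # $null means the key or value is absent, i.e. the policy is not configured.
    try { (Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# Required = value that must be present; Harmful = value that breaks the feature.
$checks = @(
    @{ Path = $sspr;   Name = 'AllowPasswordReset';      Required = 1; Why = 'Must be 1 to enable SSPR at sign-in' }
    @{ Path = $system; Name = 'EnableLUA';               Harmful = 0;  Why = 'UAC disabled via EnableLUA causes issues' }
    @{ Path = $system; Name = 'HideFastUserSwitching';   Harmful = 1;  Why = 'Blocks Reset password' }
    @{ Path = $system; Name = 'DontDisplayLastUserName'; Harmful = 1;  Why = 'Blocks Reset password' }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization'; Name = 'NoLockScreen'; Harmful = 1; Why = 'Blocks Reset password' }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'; Name = 'DisableLockScreenAppNotifications'; Harmful = 1; Why = 'Lock screen notifications are off' }
)

function Test-SsprSignInReadiness {
    foreach ($c in $checks) {
        $value = Get-RegValue $c.Path $c.Name
        if ($c.ContainsKey('Required')) { $problem = ($value -ne $c.Required) }
        else { $problem = ($null -ne $value -and $value -eq $c.Harmful) }
        [pscustomobject]@{
            Setting = $c.Name
            Value   = $(if ($null -eq $value) { '(not set)' } else { $value })
            Status  = $(if ($problem) { 'PROBLEM' } else { 'OK' })
            Note    = $c.Why
        }
    }
}

Enable-SsprAtSignIn
Test-SsprSignInReadiness | Format-Table -AutoSize
```

The Ctrl+Alt+Del, EnableLostMode and custom-shell conditions from the list are not covered by the audit and still need a manual check.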

Troubleshooting Windows 10 password reset

If you have problems with using SSPR from the Windows sign-in screen, the Azure AD audit log includes information about the IP address and ClientType where the password reset occurred, as shown in the following example output:

Figure: Example Windows 7 password reset in the Azure AD audit log

When users reset their password from the sign-in screen of a Windows 10 device, a low-privilege temporary account called defaultuser1 is created. This account is used to keep the password reset process secure.

The account itself has a randomly generated password, doesn't show up for device sign-in, and is automatically removed after the user resets their password. Multiple defaultuser profiles may exist but can be safely ignored.

Windows 7, 8, and 8.1 password reset

To configure a Windows 7, 8, or 8.1 device for SSPR at the sign-in screen, review the following prerequisites and configuration steps.

Windows 7, 8, and 8.1 prerequisites

Warning

TLS 1.2 must be enabled, not just set to auto negotiate.

Install

For Windows 7, 8, and 8.1, a small component must be installed on the machine to enable SSPR at the sign-in screen. To install this SSPR component, complete the following steps:

  1. Download the appropriate installer for the version of Windows you would like to enable.

    The software installer is available on the Microsoft Download Center at https://www.microsoft.com/en-us/download/details.aspx?id=57343

  2. Sign in to the machine where you would like to install, and run the installer.

  3. After installation, a reboot is highly recommended.

  4. After the reboot, at the sign-in screen choose a user and select "Forgot password?" to initiate the password reset workflow.

  5. Complete the workflow following the on-screen steps to reset your password.

Figure: Windows 7 after clicking "Forgot password?"

Silent installation

The SSPR component can be installed or uninstalled without prompts using the following commands:

  • For silent install, use the command "msiexec /i SsprWindowsLogon.PROD.msi /qn"
  • For silent uninstall, use the command "msiexec /x SsprWindowsLogon.PROD.msi /qn"

Troubleshooting Windows 7, 8, and 8.1 password reset

If you have problems with using SSPR from the Windows sign-in screen, events are logged both on the machine and in Azure AD. Azure AD events include information about the IP address and ClientType where the password reset occurred, as shown in the following example output:

Figure: Example Windows 7 password reset in the Azure AD audit log

If additional logging is required, a registry key on the machine can be changed to enable verbose logging. Enable verbose logging for troubleshooting purposes only, using the following registry key value:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{86D2F0AC-2171-46CF-9998-4E33B3D7FD4F}
  • To enable verbose logging, create a REG_DWORD "EnableLogging" and set it to 1.
  • To disable verbose logging, change the REG_DWORD "EnableLogging" to 0.
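As an added example (not from the original page or from Microsoft), the following PowerShell wraps the silent install command from the Silent installation section and the EnableLogging value above, so the install result is checked rather than silently ignored and verbose logging can be switched off again once troubleshooting is done. It assumes the MSI has already been downloaded to the path passed as $MsiPath and that the session is elevated.

```powershell
# Added example, not Microsoft's code. Run in an elevated PowerShell session.
# Runs the page's silent install/uninstall and toggles the credential provider's
# verbose logging. msiexec exit codes 0, 3010 and 1641 are the standard success
# codes (3010 = reboot required, 1641 = installer initiated a reboot).
function Install-SsprLogonComponent([string]$MsiPath, [switch]$Uninstall) {
    if (-not (Test-Path -LiteralPath $MsiPath)) { throw "MSI not found: $MsiPath" }
    $action = if ($Uninstall) { '/x' } else { '/i' }
    $verb   = if ($Uninstall) { 'Uninstalled' } else { 'Installed' }
    $p = Start-Process -FilePath 'msiexec.exe' -ArgumentList @($action, "`"$MsiPath`"", '/qn') -Wait -PassThru
    switch ($p.ExitCode) {
        0       { "$verb; reboot recommended before testing the sign-in screen" }
        3010    { "$verb; reboot required" }
        1641    { "$verb; installer initiated a reboot" }
        default { throw "msiexec failed with exit code $($p.ExitCode)" }
    }
}

# Credential provider key from this page; it exists once the component is installed.
$providerKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{86D2F0AC-2171-46CF-9998-4E33B3D7FD4F}'

function Set-SsprVerboseLogging([bool]$Enabled) {
    if (-not (Test-Path -LiteralPath $providerKey)) {
        throw 'SSPR credential provider key not found; is the component installed?'
    }
    # EnableLogging = 1 turns verbose logging on, 0 turns it off again.
    Set-ItemProperty -LiteralPath $providerKey -Name 'EnableLogging' -Value ([int]$Enabled) -Type DWord
}

# Usage: install, enable logging while troubleshooting, then turn it back off.
# Install-SsprLogonComponent -MsiPath 'C:\Temp\SsprWindowsLogon.PROD.msi'
# Set-SsprVerboseLogging -Enabled $true
# Set-SsprVerboseLogging -Enabled $false
```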

What users see

With SSPR configured for your Windows devices, what changes for the user? How do they know that they can reset their password at the sign-in screen? The following example screenshots show the additional options for a user to reset their password using SSPR:

Figure: Example Windows 7 and 10 sign-in screens showing the SSPR link

When users attempt to sign in, they see a Reset password or Forgot password link that opens the self-service password reset experience at the sign-in screen. This functionality allows users to reset their password without having to use another device to access a web browser.

More information for users on using this feature can be found in "Reset your work or school password".

Next steps

To simplify the user registration experience, you can pre-populate user authentication contact information for SSPR.