Specops Client - Specops Password Policy

NOTE
The Specops Client must be installed on each computer, interactively or by silent deployment. You can download the installation files here. No configuration files or MSI parameters are required for roll-out.

Specops Client can be configured using the administrative template in the Group Policy Management Console.

Specops Client reads its configuration from the Windows Registry, and the supplied ADMX files let you set those registry values through Group Policy. ADMX templates are XML-based Group Policy definition files that specify which registry keys and values are written when a given Group Policy setting is changed; ADML files are the localized XML files that hold the display strings for the ADMX files.

The Specops Client templates cover a number of registry settings, but this document focuses on two of them: creating the Start menu shortcuts, and showing or hiding the reset password link on the logon page.

Accessing the Specops ADMX templates

To access the ADMX templates associated with Specops Client:

  1. Open the Group Policy Management tool (GPMC).
  2. Right-click the Group Policy Object (GPO) you want to change, and select Edit.
  3. In the tree navigation, navigate to Computer Configuration > Policies > Administrative templates: Policy definitions (ADMX files) > Specops Client. There you will find all the ADMX templates associated with Specops Client.

Hiding the reset password link on the logon page

Start menu shortcut creation


Location: General Client settings > Create start menu shortcuts to enroll/change/reset

With Specops Client installed, Start menu shortcuts to enroll, reset password and change password are created when a user logs in to Windows. They are convenience shortcuts that let users reach Specops uReset or Specops Password Reset easily. This setting lets you suppress those shortcuts where they should not be shown. If the shortcuts have already been created on a computer, they are removed at the next logon once the setting has been set to Disabled.

Enroll, reset and change password each have their own policy setting. The procedure below is the same for all three. The settings are named as follows:

  • Create start menu shortcut to enroll
  • Create start menu shortcut to password reset
  • Create start menu shortcut to password change

  1. Open the setting whose behavior you want to change (see the list above).
  2. Select the Disabled radio button.
  3. Click OK.
    NOTE
    To enable the setting again, set the radio button to either Not configured or Enabled.

Creating a Central Store for Group Policy Administrative Templates


The Central Store for Administrative Templates lets you keep all template files in a single location on SYSVOL, from which the Group Policy tools on any server in your domain read and present them. To create a Central Store for Group Policy Administrative Templates, copy the Specops Client ADMX/ADML files from %windir%\PolicyDefinitions on a computer where they are present.

The ADMX should be copied to:

\\[your domain]\SYSVOL\[your domain]\Policies\PolicyDefinitions

The ADML should be copied to:

\\[your domain]\SYSVOL\[your domain]\Policies\PolicyDefinitions\en-US

For more information about the Central Store and best practices, visit: www.support.microsoft.com/kb/929841
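The copy described above, as an added PowerShell example (not Specops' own tooling): it builds the SYSVOL path from the domain name, creates the Central Store folders if this is the first one in the domain, copies the ADMX files and the en-US ADML files, and verifies each copy by hash. The file-name pattern Specops*, the en-US culture folder and the domain name corp.example.com are assumptions; the account running it needs write access to SYSVOL.

```powershell
<#
  Added example (not Specops' own tooling): copy the Specops ADMX/ADML templates
  from the local %windir%\PolicyDefinitions into the domain Central Store and
  verify the copies by hash. Assumptions: the template files are named Specops*
  (file-name pattern), the ADML files sit in the en-US subfolder, and the caller
  has write access to SYSVOL (Domain Admins or an equivalent delegation).
#>
function Copy-SpecopsAdmxToCentralStore {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # DNS name of the domain, e.g. corp.example.com (placeholder)
        [Parameter(Mandatory)] [string] $Domain,
        [string] $Source  = (Join-Path $env:windir 'PolicyDefinitions'),
        [string] $Culture = 'en-US',
        [string] $Pattern = 'Specops*'   # assumption: how the template files are named
    )

    $store     = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
    $storeLang = Join-Path $store  $Culture
    $srcLang   = Join-Path $Source $Culture

    $admx = @(Get-ChildItem -Path $Source  -Filter "$Pattern.admx" -File -ErrorAction Stop)
    $adml = @(Get-ChildItem -Path $srcLang -Filter "$Pattern.adml" -File -ErrorAction Stop)
    if ($admx.Count -eq 0) { throw "No $Pattern.admx in $Source; install the Specops Client on this machine first." }
    if ($adml.Count -eq 0) { throw "No $Pattern.adml in $srcLang; without them GPMC shows the settings as raw IDs." }

    # Create the store folders if this is the first Central Store in the domain.
    foreach ($dir in $store, $storeLang) {
        if (-not (Test-Path -LiteralPath $dir) -and $PSCmdlet.ShouldProcess($dir, 'Create directory')) {
            New-Item -ItemType Directory -Path $dir | Out-Null
        }
    }

    # Copy ADMX to the store root and ADML to the culture subfolder, checking each copy.
    $copied = foreach ($pair in @(@{ Files = $admx; Dest = $store }, @{ Files = $adml; Dest = $storeLang })) {
        foreach ($f in $pair.Files) {
            $dest = Join-Path $pair.Dest $f.Name
            if ($PSCmdlet.ShouldProcess($dest, "Copy $($f.Name)")) {
                Copy-Item -LiteralPath $f.FullName -Destination $dest -Force
                # Make sure the copy is intact before SYSVOL replicates it to every DC.
                if ((Get-FileHash -LiteralPath $f.FullName).Hash -ne (Get-FileHash -LiteralPath $dest).Hash) {
                    throw "Hash mismatch after copying $($f.Name) to $($pair.Dest)"
                }
                $dest
            }
        }
    }
    $copied
}

# Dry run first, then for real:
# Copy-SpecopsAdmxToCentralStore -Domain corp.example.com -WhatIf
# Copy-SpecopsAdmxToCentralStore -Domain corp.example.com -Verbose
```

Once a Central Store exists, the Group Policy editor reads administrative templates only from it and ignores the local %windir%\PolicyDefinitions on the management computer, so any Specops template that is missing from the store will not appear in GPMC at all. Re-run the copy after each Specops Client upgrade that ships new templates.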

For help in installing the product and the Client, please refer to the Installation section.

For downloads, please refer to the Downloads section.

Dynamic Feedback UI


NOTE
The dynamic feedback at password change is not supported if the Group Policy setting "Interactive logon: Do not display last user name" is set to Enabled.
NOTE
The dynamic feedback at password change is not supported when authenticating with RSA SecurID.

Specops Client and Microsoft Entra SSPR


This section applies to organizations that use Specops Password Policy with hybrid Microsoft Entra ID and rely on Microsoft Entra SSPR for password resets.

When Microsoft Entra SSPR resets a user's password in hybrid Microsoft Entra ID, the Specops Password Policy Sentinel is invoked to evaluate the new password.

Microsoft Entra SSPR is informed if Specops Password Policy rejects the new password. Note, however, that Microsoft Entra SSPR has no knowledge of why the reset was rejected. Consider implementing Specops uReset for a better user experience.

If client computers are already configured, through Intune or registry policy, to use Microsoft Entra SSPR for the "Password Reset..." link, that configuration must be reverted.

To use Microsoft Entra SSPR to reset the password from the "Password Reset..." link on the Windows logon screen, use the following configuration:

  • Deploy the Specops Client and the Specops CefSharp runtime MSIs.
  • Make sure the registry value "AllowPasswordReset" under "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AzureADAccount" is disabled (absent or set to 0). This disables the built-in Microsoft Entra SSPR "Reset Password..." functionality.
  • Configure a Group Policy that applies to the computer, with the Specops Client ADMX setting "Use Microsoft Entra SSPR for password resets" set to Enabled.
  • Note that the feature "VPN-less password reset with cached credential update" only works with Specops uReset, not with Microsoft Entra SSPR.
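Verifying the second step on a client, as an added PowerShell example (not Specops' code): the check reads AllowPasswordReset under the policy key named above and reports whether the built-in Entra SSPR link is disabled (value absent or 0), and a remediation function sets it to 0. The key and value names come from the list above; the computer names PC01 and PC02 in the usage lines are placeholders.

```powershell
<#
  Added example (not Specops' code): confirm on a client that the built-in
  Microsoft Entra SSPR "Reset Password..." path is disabled, i.e. the value
  AllowPasswordReset under HKLM\SOFTWARE\Policies\Microsoft\AzureADAccount is
  absent or 0. Key/value names are those given in the steps above.
#>
function Test-EntraSsprLogonLinkDisabled {
    [CmdletBinding()]
    param(
        [string] $KeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\AzureADAccount',
        [string] $ValueName = 'AllowPasswordReset'
    )
    $result = [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        KeyExists    = Test-Path -LiteralPath $KeyPath
        ValuePresent = $false
        Value        = $null
        Compliant    = $true      # absent == disabled, so start compliant
        Action       = 'None'
    }
    if ($result.KeyExists) {
        # Get-ItemProperty raises a non-terminating error if the value is missing; treat that as absent.
        $item = Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -ne $item -and $null -ne $item.$ValueName) {
            $result.ValuePresent = $true
            $result.Value        = [int]$item.$ValueName
            if ($result.Value -ne 0) {
                $result.Compliant = $false
                $result.Action    = "Set $ValueName to 0 or delete it, and remove the Intune/registry policy that enables it"
            }
        }
    }
    $result
}

function Disable-EntraSsprLogonLink {
    # Remediation: force the value to 0. If an Intune profile or other policy keeps
    # writing 1, it will come back; that policy has to be reverted at its source.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string] $KeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\AzureADAccount',
        [string] $ValueName = 'AllowPasswordReset'
    )
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", 'Set to 0')) {
        if (-not (Test-Path -LiteralPath $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
        Set-ItemProperty -LiteralPath $KeyPath -Name $ValueName -Value 0 -Type DWord
    }
    Test-EntraSsprLogonLinkDisabled -KeyPath $KeyPath -ValueName $ValueName
}

# Local check, or across a set of clients (PC01/PC02 are placeholders):
# Test-EntraSsprLogonLinkDisabled
# Invoke-Command -ComputerName PC01, PC02 -ScriptBlock ${function:Test-EntraSsprLogonLinkDisabled} |
#     Where-Object { -not $_.Compliant } | Format-Table Computer, Value, Action
```

The check treats a missing key or value as compliant because the text above defines "disabled" as non-existent or 0. Run it after the Specops Client GPO has applied (gpupdate /force) so that a value being re-written by a still-active Intune or registry policy shows up as non-compliant rather than as a transient state.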

Client configuration for Secure Access


The Specops Client must be installed on all computers that use Secure Access to log in. Because it is essential that the Specops Client is not uninstalled from these computers, individual users must not be permitted to uninstall it (for instance by not granting them local administrator privileges). We highly recommend monitoring uninstalls of the Specops Client. To deploy the Specops Client, use a deployment system such as GPSI or Specops Deploy.
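One way to monitor for uninstalls, as an added PowerShell example (not Specops' own monitoring): it checks whether the product is still registered under the Windows Installer Uninstall keys and looks in the Application log for MsiInstaller event ID 1034 ("Windows Installer removed the product") naming it. The DisplayName prefix "Specops Client" and the host-list file name are assumptions.

```powershell
<#
  Added example (not Specops' own monitoring): report whether the Specops Client
  is still installed on a Secure Access computer and whether Windows Installer
  has logged a removal of it. Assumption: the product's DisplayName in the
  Uninstall keys, and in the MsiInstaller event text, begins with "Specops Client".
#>
function Get-SpecopsClientInstallState {
    param(
        [string]   $ProductName = 'Specops Client',        # assumption: DisplayName prefix
        [datetime] $Since       = (Get-Date).AddDays(-7)
    )
    # 1. Presence: every per-machine MSI product is registered under these keys.
    $uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like "$ProductName*" } |
        Select-Object DisplayName, DisplayVersion, InstallDate

    # 2. History: MsiInstaller event 1034 = "Windows Installer removed the product."
    #    Get-WinEvent raises an error when nothing matches, hence SilentlyContinue.
    $removals = Get-WinEvent -FilterHashtable @{
            LogName = 'Application'; ProviderName = 'MsiInstaller'; Id = 1034; StartTime = $Since
        } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$ProductName*" } |
        ForEach-Object {
            $sid  = $_.UserId
            $user = if ($sid) { try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value } } else { $null }
            [pscustomobject]@{
                Time = $_.TimeCreated
                User = $user                              # who ran the uninstall
                Text = ($_.Message -split "`r?`n")[0]     # first line names the product
            }
        }

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Installed = [bool]$installed
        Products  = $installed
        Removals  = @($removals)
        Alert     = (-not $installed) -or (@($removals).Count -gt 0)
    }
}

# Local check, or fan out to the Secure Access fleet (host list file is a placeholder):
# Get-SpecopsClientInstallState
# Invoke-Command -ComputerName (Get-Content .\secure-access-hosts.txt) `
#     -ScriptBlock ${function:Get-SpecopsClientInstallState} |
#     Where-Object Alert | Format-List Computer, Installed, Removals
```

Polling like this is a fallback; for continuous coverage forward MsiInstaller event 1034 from the Secure Access computers with Windows Event Forwarding or your SIEM agent and alert on the product name, and pair it with the recommendation above to withhold local administrator rights, since uninstalling a per-machine MSI product requires elevation.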

Computers must be joined to Active Directory. Users in Active Directory can be protected with MFA. Local users are not supported.

Each client computer must be provisioned with the mandatory settings, which are stored in the registry. Using the ADMX templates is the recommended way to set them.

ADMX Settings

Mandatory settings

  • Specops Authentication API URL
  • Specops Authentication API Key

Optional settings

  • Time before requiring MFA after successful online authentication
  • Allow offline authentication
  • Enable MFA for local logins
  • Enable MFA for remote logins

For more information on ADMX templates, see the section at the top of this page.