The guide below describes how to configure the Specops Client for uReset on Microsoft Entra ID-joined computers.
Installing the Client
Download the Specops Client MSI and deploy to client computers (for more information on installing the Client, please see the installation guide). For instance, Microsoft Intune can be used for deployment.
Configuring the Client
To use Specops uReset, a few registry settings are required on client computers. While these can be applied manually, it is recommended to use Intune to deploy them.
Downloading/Importing Administrative Templates (ADMX)
Download ADMX templates for Specops Client. Note that there are two flavors of the ADMX templates. For Microsoft Entra ID-joined computers, use Specops.Client.AzureAdJoinedComputer.AdmxTemplates.zip.
Import the admx/adml files into Intune, see Import custom ADMX and ADML administrative templates into Microsoft Intune (https://learn.microsoft.com/en-us/mem/intune/configuration/administrative-templates-import-custom).
NOTE
The Specops ADMX has a dependency on Microsoft's ADMX templates. Import windows.admx/windows.adml from Microsoft's latest ADMX templates before importing the Specops ADMX templates.
Disabling "Change Password" in Windows
To provide a better user experience for users changing passwords with feedback on password policy rules fulfilled while typing the new password, it is recommended to disable Windows' built-in change password interface, and advise users to use Specops uReset instead.
To disable Windows' built-in change password interface with Microsoft's Administrative templates, do the following:
- Go to User Configuration > Administrative Templates > System > Ctrl+Alt+Del Options
- Set Remove Change Password to Enabled
NOTE
Note that the above is a per-user setting.
Configuring URLs to uReset
In the Specops Gatekeeper Admin Tool, URLs for enrollment, password reset and password change can be found. These should be copied from Gatekeeper Admin Tool and entered under:
Computer Configuration > Administrative Templates > Specops Client (Microsoft Entra ID Computers) > URLs to Specops Authentication
While it is recommended to configure the URLs using ADMX templates, they can optionally be configured in registry:
Registry Key
|
Parameters
|
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Specopssoft\uReset\Client\Urls]
|
"Enroll"=https://login.specopssoft.com/Authentication/Enroll/?domainName=acme.org "Reset"=https://login.specopssoft.com/Authentication/Password/Reset?domainName=acme.org "Change"=https://login.specopssoft.com/Authentication/Password/Change?domainName=acme.org
|
Configuring start menu shortcuts
As a logged in user, there are three start menu shortcuts available (Enroll, Password Reset and Password Change). These are created when the user logs in.
By default, the user gets all three shortcuts. To show only a subset of the shortcuts, enable or disable the settings below as needed. For instance, a typical configuration could be to hide the password reset shortcut, but make the password change and the enrollment shortcuts available.
Which shortcuts are created when the user logs in can be customized under:
Computer Configuration > Administrative Templates > Specops Client (Microsoft Entra ID Computers) > General settings for Specops Client general settings
- Create start menu shortcut to enroll
- Create start menu shortcut to password reset
- Create start menu shortcut to password change
While it is recommended to configure the URLs using ADMX templates, they can optionally be configured in registry (1 to create the shortcut, 0 to not create it):
Registry Key
|
Parameters
|
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Specopssoft\uReset\Client\Settings]
|
"CreateStartMenuShortcutEnroll"=dword:00000001 "CreateStartMenuShortcutReset"=dword:00000001 "CreateStartMenuShortcutChange"=dword:00000001
|
Configuring for Microsoft Entra ID-joined computers
The Specops Client by default operates on on-prem Active Directory-joined computers and assumes a domain controller to be reachable for the start menu shortcuts (Enroll, Password Reset and Password Change) to work. To use the start menu shortcuts on Microsoft Entra ID computers, do the following:
- Go to Computer Configuration > Administrative Templates > Specops Client (Microsoft Entra ID Computers) > General settings for Specops Client general settings
- Set Enable shortcuts for cloud joined computer to Enabled
While it is recommended to configure the URLs using ADMX templates, they can optionally be configured in the registry:
Registry Key
|
Parameters
|
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Specopssoft\uReset\Client\Settings]
|
"AllowShortcutsWithoutOnpremDomain"=dword:00000001
|