Specops Client- Specops uReset 8

NOTE
The Specops Client requires installation/silent deployment. You can download the installation files here. There are no configs or msi parameters required for roll-out.

Specops Client can be configured using the administrative template in the Group Policy Management Console.

Specops Client uses ADMX files to change the Windows Registry settings to alter the way the software interacts with the system software. ADMX templates are Windows Group Policy Settings XML-based files that specify which registry keys in the Windows Registry are changed when a certain Group Policy setting is changed (ADML files are the localized XML files containing the text strings associated with the ADMX files).

ADMX templates can be used to change numerous registry keys, but this document focuses on two settings in particular connected to Specops Client: creating the Start menu shortcut; and showing/hiding the reset password link on the logon page.

Accessing the Specops ADMX templates

To access the ADMX templates associated with Specops Client:

  1. Open the Group Policy Management tool (GPMC).
  2. Right-click the Group Policy Object (GPO) you want to change, and select Edit.
  3. In the tree navigation, navigate to Computer Configuration > Policies > Administrative templates: Policy definitions (ADMX files) > Specops Client. There you will find all the ADMX templates associated with Specops Client.

Hiding the reset password link on the logon page

Location: Enhance Windows logon and password change > Show the Password Reset Link

At Windows logon, under the username/password fields, a “Reset password…” link allows users in organizations running Specops uReset or Specops Password Reset to reset their passwords. This setting allows you to show or hide the reset password link shown on the Windows logon page.

  1. Open the Show the Password Reset Link file.
  2. Select the Disabled radio button.
  3. Click OK.
    NOTE
    to enable the setting again, you can set the radio button to either Not configured or Enabled.

Start menu shortcut creation

Location:General Client settings > Create start menu shortcuts to enroll/change/reset

With Specops Client installed, when a user logs in to Windows, start menu shortcuts to enroll, reset and change password are created. These are convenience shortcuts for users to easily use Specops uReset or Specops Password Reset. This setting allows you to hide those shortcuts, in case these should not be shown. If those shortcuts have already been created on a computer, they will be removed at next logon if this setting has been set to disabled.

Enroll, reset and change password each have their own template file. The procedure below is the same for all three. The files are named as follows:

  • Create start menu shortcut to enroll
  • Create start menu shortcut to password reset
  • Create start menu shortcut to password change
  1. Open the file you want to change the bahavior for (see the list of files above).
  2. Select the Disabled radio button.
  3. Click OK.
    NOTE
    to enable the setting again, you can set the radio button to either Not configured or Enabled.

Creating a Central Store for Group Policy Administrative Templates

The Central Store for Administrative Templates allows you to store all template files in a single location on SYSVOL where they can be accessed and presented on any server from your domain. To create a Central Store for Group Policy Administrative Templates, copy the Specops uReset Client ADMX/ADML files from %windir%\PolicyDefinitions.

The ADMX should be copied to:

[your domain]\sysvol\[your domain]\Policies\PolicyDefinitions

The ADML should be copied to:

[your domain]\sysvol\[your domain]\Policies\PolicyDefinitions\en-us

For more information about the Central Store and best practices, visit: www.support.microsoft.com/kb/929841

For help in installing the product and the Client, please refer to the Installation section.

For downloads, please refer to the Downloads section.

Dynamic Feedback UI

NOTE
The dynamic feedback at password change is not supported if the Group Policy setting "Interactive Logon: Do not display last username" is set to Enabled.
NOTE
The dynamic feedback at password change is not supported when authenticating with RSA SecurID.

Specops Secured Browser (Cefsharp)

The Specops Secured Browser is used to reset passwords for a user from the Windows logon screen. It comes in two flavors, based on CefSharp and Internet Explorer browser engines, respectively. It is recommended to use the CefSharp-based Secured Browser for better security and user experience.

To use the CefSharp-based Secured Browser, the Specops Client CefSharp runtime must be deployed. The runtime has been tested by Specops to be compatible with the Secured Browser, and is a separate MSI from the Specops Client.

NOTE
If the CefSharp runtime isn't installed, an error message will be displayed if attempting to reset a password from the Windows logon screen by pressing the 'Reset Password...' link. It is possible to enforce using the Internet Explorer based browser, but strongly not recommended.

Usage

The CefSharp-based browser supports Specops uReset 8 and Specops Password Reset. Organizations that have not yet migrated to Specops uReset 8 must use the Internet Explorer-based Secured Browser, and should therefore not deploy the MSI for Specops the CefSharp runtime.

Organizations using Specops uReset 8 or Specops Password Reset

It is recommended to deploy the Specops Client CefSharp runtime on x64 Windows 10 or newer client computers.

Organizations using Specops Password Policy only

If no reset solution is used, there is no need deploy the Specops Client CefSharp runtime (not applicable).

Using the Specops Client for uReset on Microsoft Entra ID-joined computers

The guide below describes how to configure the Specops Client for uReset on Microsoft Entra ID-joined computers.

Installing the Client

Download the Specops Client MSI and deploy to client computers (for more information on installing the Client, please see the installation guide). For instance, Microsoft Intune can be used for deployment.

Configuring the Client

To use Specops uReset, a few registry settings are required on client computers. While these can be applied manually, it is recommended to use Intune to deploy them.

Downloading/Importing Administrative Templates (ADMX)

Download ADMX templates for Specops Client. Note that there are two flavors of the ADMX templates. For Microsoft Entra ID-joined computers, use Specops.Client.AzureAdJoinedComputer.AdmxTemplates.zip.

Import the admx/adml files into Intune, see Import custom ADMX and ADML administrative templates into Microsoft Intune (https://learn.microsoft.com/en-us/mem/intune/configuration/administrative-templates-import-custom).

NOTE

The Specops ADMX has a dependency on Microsoft's ADMX templates. Import windows.admx/windows.adml from Microsoft's latest ADMX templates before importing the Specops ADMX templates.

Disabling "Change Password" in Windows

To provide a better user experience for users changing passwords with feedback on password policy rules fulfilled while typing the new password, it is recommended to disable Windows' built-in change password interface, and advise users to use Specops uReset instead.

To disable Windows' built-in change password interface with Microsoft's Administrative templates, do the following:

  1. Go to User Configuration > Administrative Templates > System > Ctrl+Alt+Del Options
  2. Set Remove Change Password to Enabled
NOTE
Note that the above is a per-user setting.

Configuring URLs to uReset

In the Specops Gatekeeper Admin Tool, URLs for enrollment, password reset and password change can be found. These should be copied from Gatekeeper Admin Tool and entered under:

Computer Configuration > Administrative Templates > Specops Client (Microsoft Entra ID Computers) > URLs to Specops Authentication

While it is recommended to configure the URLs using ADMX templates, they can optionally be configured in registry:

Registry Key Parameters
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Specopssoft\uReset\Client\Urls] "Enroll"=https://login.specopssoft.com/Authentication/Enroll/?domainName=acme.org
"Reset"=https://login.specopssoft.com/Authentication/Password/Reset?domainName=acme.org
"Change"=https://login.specopssoft.com/Authentication/Password/Change?domainName=acme.org

Configuring start menu shortcuts

As a logged in user, there are three start menu shortcuts available (Enroll, Password Reset and Password Change). These are created when the user logs in.

By default, the user gets all three shortcuts. To show only a subset of the shortcuts, enable or disable the settings below as needed. For instance, a typical configuration could be to hide the password reset shortcut, but make the password change and the enrollment shortcuts available.

Which shortcuts are created when the user logs in can be customized under:

Computer Configuration > Administrative Templates > Specops Client (Microsoft Entra ID Computers) > General settings for Specops Client general settings

  • Create start menu shortcut to enroll
  • Create start menu shortcut to password reset
  • Create start menu shortcut to password change

While it is recommended to configure the URLs using ADMX templates, they can optionally be configured in registry (1 to create the shortcut, 0 to not create it):

Registry Key Parameters
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Specopssoft\uReset\Client\Settings] "CreateStartMenuShortcutEnroll"=dword:00000001
"CreateStartMenuShortcutReset"=dword:00000001
"CreateStartMenuShortcutChange"=dword:00000001

Configuring for Microsoft Entra ID-joined computers

The Specops Client by default operates on on-prem Active Directory-joined computers and assumes a domain controller to be reachable for the start menu shortcuts (Enroll, Password Reset and Password Change) to work. To use the start menu shortcuts on Microsoft Entra ID computers, do the following:

  1. Go to Computer Configuration > Administrative Templates > Specops Client (Microsoft Entra ID Computers) > General settings for Specops Client general settings
  2. Set Enable shortcuts for cloud joined computer to Enabled

While it is recommended to configure the URLs using ADMX templates, they can optionally be configured in the registry:

Registry Key Parameters
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Specopssoft\uReset\Client\Settings] "AllowShortcutsWithoutOnpremDomain"=dword:00000001

Client configuration for Secure Access

The Specops Client must be installed on all computers using Secure Access to log in. Since it is important that the Specops CLient is not uninstalled on these computers, individual users must not be permitted to uninstall the Specops Client (for instance by not allowing them to have local admin privileges). We highly recommend monitoring uninstalls of the Specops Client. To deploy the Specops client it is recommended to use a deployment system such as GPSI or Specops Deploy.

Computers must be joined to Active Directory. Users in Active Directory can be protected with MFA. Local users are not supported.

Each client computer must be provisioned with mandatory settings, which reside in registry. It is recommended to use ADMX templates.

ADMX Settings

Mandatory settings

  • Specops Authentication API URL
  • Specops Authentication API Key

Optional settings

  • Time before requiring MFA after successful online authentication
  • Allow offline authentication
  • Enable MFA for local logins
  • Enable MFA for remote logins

For more information on ADMX templates, see the section at the top of this page.