Enable self-service password reset for Windows

Early Access release

Self-service password reset (SSPR) allows your users to initiate a password reset if they're locked out of their computer.

Users must have an active internet connection to initiate the password reset.

The self-service password reset function is designed for the following users:

  • Users created in Okta

  • Active Directory users with delegated authentication

  • Microsoft Entra ID users, where Okta is the Identity Provider and the password is set in Okta

  • Okta-sourced users

When a user changes their password with the self-service password reset feature, they're changing their Okta password. This password is then synced with Active Directory or Microsoft Entra ID.

Procedure

Before you enable the SSPR feature, ensure your Okta password policy and your Active Directory Agent password policies match.

After you confirm the policies, you can edit the SSPR registry key to activate the feature.

Confirm password policy match

If you haven't already, enable the IDP MyAccount API Password feature in the Okta Admin Console under Settings > Features.

  1. In the Admin Console, go to Security > Authenticators.

  2. On the Password line, click Actions > Edit.

  3. Scroll to the section with the Add rule button. Click the pencil icon to edit the rule of the policy you want to modify.

  4. Optional. If you use delegated authentication, ensure that the policy applies to Active Directory. Under the Authentication Providers heading, use the dropdown menu to select Active Directory.

  5. Next to Users can perform self-service, enable the Password reset option.

  6. In the Recovery authenticators section, ensure that Okta Verify is selected.

  7. Set Additional verification to Not required. Setting an additional verification requirement causes the password reset option to fail.

  8. Click Save or Update rule to confirm your changes.

Enable self-service password reset

By default, this feature is disabled (0). To enable the self-service password reset feature, set the SelfServicePasswordResetEnabled registry key to 1.

After you deploy the Okta Verify app, configure the Desktop MFA policies to use the self-service password reset feature.

  1. In the registry settings on the device, go to HKLM\Software\Policies\Okta\Okta Device Access.

  2. Set the SelfServicePasswordResetEnabled registry key to 1.
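The two registry steps above, as an added PowerShell example rather than a script from the Okta documentation. It assumes the value is stored as a REG_DWORD and that the script runs in an elevated session on the device; it creates the policy key if it is missing, sets the value to 1, and reads it back to confirm the change.

```powershell
# Added example (not from the Okta documentation): enable Desktop MFA self-service
# password reset on a Windows device by setting the policy value described above.
# Assumption: the value is a REG_DWORD; run from an elevated PowerShell session.
$KeyPath   = 'HKLM:\Software\Policies\Okta\Okta Device Access'
$ValueName = 'SelfServicePasswordResetEnabled'

# Create the policy key if it does not exist yet (-Force creates intermediate keys).
if (-not (Test-Path -Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}

# Set the value to 1 (enabled). When the value is absent or 0, the feature stays disabled.
New-ItemProperty -Path $KeyPath -Name $ValueName -Value 1 -PropertyType DWord -Force | Out-Null

# Read the value back and confirm the change took effect.
$current = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
if ($current -eq 1) {
    Write-Output "$ValueName is enabled (1) under $KeyPath"
} else {
    Write-Warning "$ValueName is $current; expected 1"
}
```

Because the key lives under HKLM\Software\Policies, the same value can be delivered to a fleet of devices through a Group Policy Preferences registry item or your device management tooling instead of being set on each machine by hand; the read-back check at the end is the part worth keeping in either case, since a key that was never created leaves the feature at its disabled default.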

After you enable the self-service password reset option on a device, its users can initiate a password reset if they've forgotten their password. For the user experience, see Self-service password reset.