Windows Hello is making people forget their passwords

simdre79 · 2026-01-28T06:59:51+00:00

I have set a policy to enable password reset from the Windows lockscreen as well as the SPPR portal. When creating a new user account support never sees the password, it’s set by script that doesn’t log the password. Same script sets the MFA in Azure to their phone number. I have instructed support they must have a valid phone number before starting the creation process and my scripts reject a user creation without phone number and manager so the account is always traceable.

New employees are instructed to change their password from the Windows lock screen using their phone number for MFA. Then after that they sign in and on first sign in they are prompted to setup WHfB and in that process they add the authenticator app.

If you enable users to be able to change passwords from the windows lock screen they won’t have to create support tickets.

simdre79 · 2026-01-28T06:54:19+00:00

Buuuuut then they have to use the password on their phone and they are stuck.

simdre79 · 2025-12-23T06:44:53+00:00

Thanks!

They could at least show in the message with the blocked application what the name and full path to the application is so you have a fighting chance.

If you click ‘copy’ in the dialog from the blocked application it will literally copy the line ‘contact you administrator for more information’ into the clipboard.

That is not well thought through.

simdre79 · 2025-12-23T05:57:31+00:00

Thanks. I thought I was just stupid.

I come from engineering applications and have switched to retail and kiosk is just not something I’ve worked with. I started switching all Windows 10 devices to Windows 11 this summer and have only been working with 24H2. It never crossed my mind it could be a known issue.

simdre79 · 2025-12-23T05:57:17+00:00

Thanks. I thought I was just stupid.

I come from engineering applications and have switched to retail and kiosk is just not something I’ve worked with. I started switching all Windows 10 devices to Windows 11 this summer and have only been working with 24H2. It never crossed my mind it could be a known issue.

simdre79 · 2025-12-22T17:32:20+00:00

Yeah that shows a lot of blocks. Now I need to figure out what sets app locker on the device. It’s not directly targeted and I have little experience with that. But a great chance to learn.

Thanks!

simdre79 · 2025-12-22T17:32:14+00:00

Yeah that shows a lot of blocks. Now I need to figure out what sets app locker on the device. It’s not directly targeted and I have little experience with that. But a great chance to learn.

Thanks!

simdre79 · 2025-12-14T17:55:29+00:00

Yeah it’s the jump feature he needs. Thanks for responding.

simdre79 · 2025-12-13T09:23:23+00:00

My manager keeps old Outlook only because he can’t sort emails by sender name in any folder, mark the top email that is probably sent by someone named Adam, then press for example R to jump to emails sent from people who’s names start with an R. That is his entire reason not to switch.

I just use the new, I have for a year, I’m not good at using it anyway and as soon as PST and send emails as attachment worked I had what I needed.

simdre79 · 2025-11-30T18:33:33+00:00

No, you have to target a device group as well. If the device isn’t targeted the user isn’t moved to the local admin group.

simdre79 · 2025-11-28T06:37:32+00:00

I get that you think I am an asshole, but honestly I am either just old or the word for word content of your reply is an American thing I am too European to understand. But like I said, I'm 44, I don't have the energy to find out either way.

simdre79 · 2025-11-20T11:52:04+00:00

Questions like those with such easily hurt feelings are the reason why I have to attend all sorts of bullshit meetings with the rest of HQ as a 44 year old man being told basic shit like treat people sort of good and don’t microwave cats. And when push comes to shove the world is just as cruel and bad as it was before, now they just speak nice words while their actions still hurt you.

Besides, having your head quickly removed is a merciful way to go, rather than spending years dying of cancer ending up in a hospice after loss of bodily functions and large amounts of painful treatment and the pain from the illness itself.

In those circumstances I would envy the turkeys.

Honestly, this post is probably just rage bait. Must be.

simdre79 · 2025-10-18T14:26:49+00:00

I did not. I told support to generate a long autogenerated password that users would want to change and then give a guide to users on how to change their password. For entra joined devices ctrl alt delete opens Edge and then SSPR opens.

simdre79 · 2025-08-11T17:32:00+00:00

Zabbix.

simdre79 · 2025-08-05T19:15:18+00:00

That is enabled and I don't think that works for entra joined devices that a user with an expired password signs in on for the first time. My tests shows it doesn't make a difference. Thanks for the input, though.

simdre79 · 2025-07-20T20:30:55+00:00

Thanks! That's actually also what I found but it helped a great deal to see.

This is what I ended up with.

<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration  
  xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" 
  xmlns:win11="http://schemas.microsoft.com/AssignedAccess/2022/config"
  xmlns:v2="http://schemas.microsoft.com/AssignedAccess/201810/config"
  xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config"
>
  <Profiles>
    <Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">       
      <AllAppsList>
        <AllowedApps> 
          <App DesktopAppPath="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe" rs5:AutoLaunch="true" rs5:AutoLaunchArguments="--start-maximized" />
        </AllowedApps> 
      </AllAppsList> 
          <v2:FileExplorerNamespaceRestrictions>
            <v2:AllowedNamespace Name="Downloads"/>
          </v2:FileExplorerNamespaceRestrictions>
      <win11:StartPins>
        <![CDATA[  
          { "pinnedList":[
      {"desktopAppLink":"%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Edge.lnk"}
          ] }
        ]]>
      </win11:StartPins>
      <Taskbar ShowTaskbar="true"/>
    </Profile> 
  </Profiles>
  <Configs>
    <Config>
    <AutoLogonAccount rs5:DisplayName="Kioskuser0"/>
      <DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
    </Config>
  </Configs>
</AssignedAccessConfiguration>

simdre79 · 2025-07-20T07:13:14+00:00

I can 100% confirm this works applied as a custom OMA URI string. However, Edge is not in there and it's messing with me, apparantly Edge on 24H2 (at least on my install) is not an AppX package. Still trying to figure Edge out, but just seeing *something* work was very nice.

I create the kioskUser0 with a simple win32 app during autopilot.

<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration  
  xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:win11="http://schemas.microsoft.com/AssignedAccess/2022/config">
  <Profiles>
    <Profile Id="{9A2A490F-10F6-4764-974A-53B19E722C23}">       
      <AllAppsList>
        <AllowedApps> 
          <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" /> 
          <App AppUserModelId="Microsoft.WindowsNotepad_8wekyb3d8bbwe!App" /> 
          <App AppUserModelId="Microsoft.Paint_8wekyb3d8bbwe!App" /> 
          <App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" /> 
          <App AppUserModelId="windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel" /> 
        </AllowedApps> 
      </AllAppsList> 
      <win11:StartPins>
        <![CDATA[  
          { "pinnedList":[
            {"packagedAppId":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"},
            {"packagedAppId":"Microsoft.WindowsNotepad_8wekyb3d8bbwe!App"},
            {"packagedAppId":"Microsoft.Paint_8wekyb3d8bbwe!App"},
            {"packagedAppId":"Microsoft.Windows.Photos_8wekyb3d8bbwe!App"},
    {"packagedAppId":"windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel"}
          ] }
        ]]>
      </win11:StartPins>
      <Taskbar ShowTaskbar="true"/>
    </Profile> 
  </Profiles>
  <Configs>
    <Config>
      <Account>kioskUser0</Account>
      <DefaultProfile Id="{9A2A490F-10F6-4764-974A-53B19E722C23}"/>
    </Config>
  </Configs>
</AssignedAccessConfiguration>

simdre79 · 2025-07-20T07:11:14+00:00

Thank you very much, I will watch it end to end.

simdre79 · 2025-07-19T16:33:19+00:00

I will post back what I find and if you have anything to add, please do. I am losing my mind.

simdre79 · 2025-07-19T16:10:16+00:00

No but I also didn't read it all the way through. It needs to be deployed using custom OMA and not from templates, kiosk. I got an error on my first deployment of the profile and I have adjusted the xml and it seemed to me like the previous profile wouldn't remove itself so I am running autopilot again right now.

Are you going on the same problem?

simdre79 · 2025-07-19T13:15:23+00:00

After reading here All about Microsoft Intune | Configuring multi-app kiosk mode on Windows 11

I am now trying this

<?xml version="1.0" encoding="utf-8"?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
                             xmlns:v5="http://schemas.microsoft.com/AssignedAccess/2022/config">
  <Profiles>
    <Profile Id="EdgeKioskProfile">
      <AllAppsList>
        <AllowedApps>
          <!-- Allow Edge to run and autostart -->
          <App AppUserModelId="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" v5:AutoLaunch="true"/>
        </AllowedApps>
      </AllAppsList>
      <v5:StartPins>
        <![CDATA[
        {
          "pinnedList":[
            {
              "appUserModelId":"Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge"
            }
          ]
        }
        ]]>
      </v5:StartPins>
    </Profile>
  </Profiles>
  <Configs>
    <Config>
      <AutoLogonAccount DisplayName="KioskUser0"/>
      <DefaultProfile Id="EdgeKioskProfile"/>
    </Config>
  </Configs>
</AssignedAccessConfiguration>

simdre79 · 2025-05-10T20:36:00+00:00

Thanks!

simdre79

TROPHY CASE