Configure Password Reset in MDM

2/9/2009

Password reset in Microsoft System Center Mobile Device Manager (MDM) 2008 Service Pack 1 enables a user who has forgotten his or her Windows Mobile device password to reset it. To do so, the user enters a one-time recovery password on the device. The recovery password is a 20-character numeric string; entering it on the device lets the user set a new device password.

The Password Reset Experience for Users

Users who have forgotten the password on their Windows Mobile devices can request a one-time recovery password to access the device and reset the password. If you have configured the recovery password feature in MDM Self Service Portal, users can retrieve the recovery password themselves by using the portal. Alternatively, users can contact their organization's IT Help Desk to request the recovery password.

If users request a recovery password by using MDM Self Service Portal, the recovery password is displayed in the portal. Alternatively, a Help Desk technician can select the user's device in MDM Console or run the Get-MDMDeviceRecoveryPassword cmdlet to obtain the recovery password for the device. Because the recovery password alone is enough to set a new device password, the Help Desk should verify the requester's identity before disclosing it.

Before a user can use the password reset feature, you must install the MDM Password Reset Client on the device. The MDM Password Reset Client adds a Reset Password option to the Menu on the Password screen of a locked device. To reset the device password, the user chooses Reset Password, types the recovery password, and then enters a new device password, which unlocks the device. The device then generates a new recovery password and sends it to MDM Device Management Server. If the user forgets the device password again, he or she can request the new recovery password.

How Password Reset Works in MDM

The following describes how password reset works in the MDM 2008 SP1 system:

  • You install the required .cab file on users' managed devices and enable password reset in MDM by configuring the User Reset of Password Group Policy.
  • As part of the first device management session with MDM Device Management Server after the policy is applied, the managed device generates a recovery password, encrypts the password, and sends it to MDM Device Management Server. The password is stored encrypted on the server.
  • The recovery password cannot yet be used to unlock the device. After the device management session is complete, the user must unlock the device once by using the device password to enable the generated recovery password to be configured correctly. Nothing is displayed to the user about this part of the recovery password setup process.
  • When the recovery password configuration is complete, the Reset Password option is enabled in the Menu of the locked device.
  • When a user forgets the password on a Windows Mobile device, they can request the recovery password by using MDM Self Service Portal or by contacting their organization's IT Help Desk. The device is not required to be connected to MDM Device Management Server for a user to reset the device password.
  • After users apply the recovery password and reset the password on the device, a device management session is started.
  • Inside the device management session, a new recovery password is generated on the device and sent to MDM Device Management Server. After the new recovery password is generated and sent to the server, the old recovery password is invalidated, and password reset is temporarily unavailable on the device.
  • Password reset is available again when the user unlocks the device by using the device password, and setup for the new recovery password completes on the device. Nothing is displayed to the user about this part of the recovery password setup process.

The device management session that starts when the user resets the device password typically completes within a few minutes. If the session cannot complete because the network is unavailable or for another reason, a new recovery password is generated during the next scheduled device management session. (By default, device management sessions between managed devices and MDM Device Management Server occur every eight hours.) In the meantime, the current recovery password can still be used to reset the device password. This means that anyone who has already seen that recovery password, on the portal or through the Help Desk, can still use it to set a new device password until the rotation completes, so treat a disclosed recovery password as a live credential until the next device management session has completed.
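The lifecycle above, modelled as an added example written for this page (not MDM's own code): a server that keeps the latest recovery password per device, and a device that generates a 20-digit recovery password, sends it during a management session, arms it only after the next successful unlock, checks it locally on reset without contacting the server, and keeps the old value valid while the post-reset session cannot complete. The class and method names, the online flag used to simulate an unreachable server, the use of the secrets module as the CSPRNG, and the clear-text server store (MDM stores the value encrypted) are all assumptions of this model.

```python
"""Model of the MDM 2008 SP1 recovery-password lifecycle (illustrative, not MDM code)."""
import hmac
import secrets
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional

RECOVERY_PASSWORD_LEN = 20  # the page: a 20-character numeric string


class ResetState(Enum):
    NONE = "no recovery password on the device"
    PENDING = "recovery password sent to the server; armed after the next unlock"
    ARMED = "Reset Password is shown in the Menu of the locked device"


class DeviceManagementServer:
    """Server side (assumed shape). Keeps the latest recovery password per device.
    MDM stores it encrypted; this model keeps it in clear to stay short."""

    def __init__(self) -> None:
        self._recovery: Dict[str, str] = {}
        self.online = True  # set False to simulate an unreachable server

    def receive_recovery_password(self, device_id: str, recovery: str) -> bool:
        """Upload during a device management session. Overwriting the stored
        value is what invalidates the previous recovery password."""
        if not self.online:
            return False
        self._recovery[device_id] = recovery
        return True

    def lookup_recovery_password(self, device_id: str) -> Optional[str]:
        """What the Self Service Portal or a Help Desk technician
        (Get-MDMDeviceRecoveryPassword) hands to the user."""
        return self._recovery.get(device_id)


@dataclass
class ManagedDevice:
    """Device side (assumed shape): holds the device password and its own copy
    of the recovery password, so the reset check works while offline."""

    device_id: str
    device_password: str
    server: DeviceManagementServer
    state: ResetState = ResetState.NONE
    _recovery: Optional[str] = field(default=None, repr=False)
    _needs_new_recovery: bool = False

    @staticmethod
    def generate_recovery_password() -> str:
        # 20 decimal digits from a CSPRNG (the page fixes the format, not the RNG)
        return "".join(secrets.choice("0123456789") for _ in range(RECOVERY_PASSWORD_LEN))

    def apply_user_reset_of_password_policy(self) -> None:
        """The User Reset of Password Group Policy (using MDM server) arrives."""
        self._needs_new_recovery = True

    def management_session(self) -> bool:
        """Runs on the default 8-hour schedule and right after a reset.
        Returns True if the session completed."""
        if not self._needs_new_recovery:
            return self.server.online
        candidate = self.generate_recovery_password()
        if not self.server.receive_recovery_password(self.device_id, candidate):
            return False  # the current recovery password stays valid until this succeeds
        self._recovery = candidate
        self._needs_new_recovery = False
        self.state = ResetState.PENDING  # nothing is shown to the user yet
        return True

    def unlock(self, password: str) -> bool:
        """Normal unlock; a successful unlock silently arms a pending recovery password."""
        if not hmac.compare_digest(password.encode(), self.device_password.encode()):
            return False
        if self.state is ResetState.PENDING:
            self.state = ResetState.ARMED
        return True

    def reset_password(self, recovery: str, new_device_password: str) -> bool:
        """Reset Password from the locked screen. No server connection needed:
        the device compares against its own copy of the recovery password."""
        if self.state is not ResetState.ARMED or self._recovery is None:
            return False  # the menu option is not available
        if not hmac.compare_digest(recovery.encode(), self._recovery.encode()):
            return False
        self.device_password = new_device_password
        self._needs_new_recovery = True
        self.management_session()  # started automatically; if it fails, the old value survives
        return True


if __name__ == "__main__":
    server = DeviceManagementServer()
    device = ManagedDevice("device-1", "1234", server)
    device.apply_user_reset_of_password_policy()
    device.management_session()
    device.unlock("1234")
    print("help desk sees:", server.lookup_recovery_password("device-1"), device.state.name)
```

Run it with the server set offline between a reset and the next management session to see the point of the preceding paragraph: the old recovery password still resets the device, and only a completed session replaces it and returns the device to the pending state until the user unlocks once more.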

Enabling Password Reset in MDM

Password reset is supported on Windows Mobile devices starting with version 6.1.4. To use the feature, you must install a .cab file on the Windows Mobile device and enable the feature by using Group Policy.

The .cab file that supports password reset is available as a download, and it can be installed on users' devices by using MDM Software Distribution Console. We recommend that when you distribute the .cab file by using MDM Software Distribution Console, you choose the option that does not allow the user to uninstall the application, because uninstalling it removes the password reset functionality from the managed device.

Note

MDM Password Reset Client, which is part of the MDM Resource Kit Tools, provides a .cab file that you install on Windows Mobile devices so that users can use the password reset feature in MDM. More information about installing the .cab file is included in the guide that is packaged with the tool download. To download the tool, see MDM Password Reset Client at this Microsoft Web page: https://go.microsoft.com/fwlink/?LinkID=127030.

You enable password reset in MDM 2008 SP1 by configuring the User Reset of Password Group Policy setting and selecting the "using MDM server" option. After you enable this setting on MDM Device Management Server, the setting is pushed to user devices as part of standard MDM device policy updates. Each device then generates an initial recovery password, which is sent to MDM Device Management Server and stored in an MDM database.

For more information about configuring password reset for MDM 2008 SP1, see Configuring MDM Recovery Password Service in MDM Operations at this Microsoft Web page: https://go.microsoft.com/fwlink/?LinkId=112415.

To enable users to independently request and receive recovery passwords, you must configure MDM Self Service Portal to enable the password recovery option. On the Portal Admin page for MDM Self Service Portal, choose Device Password Recovery, and then choose Apply. For more information about installing and configuring MDM Self Service Portal, see Deploying MDM Self Service Portal in MDM Operations at this Microsoft Web page: https://go.microsoft.com/fwlink/?LinkId=112415.

Alternatively, you can enable users to reset their passwords by using the Microsoft Exchange password reset feature instead. You configure this option by updating the User Reset of Password Group Policy setting. For more information, see Security Policies in MDM in MDM Operations at this Microsoft Web page: https://go.microsoft.com/fwlink/?LinkId=112415.

Choosing Between Password Reset in MDM and Exchange Password Reset

Password reset in MDM 2008 SP1 and Exchange password reset offer similar functionality but have different requirements.

Exchange password reset functionality requires the following:

  • You must deploy Outlook Web Access (OWA) and publish OWA to the Internet.
  • You must have Exchange administrator access to configure Exchange password reset, and the IT Help Desk that handles questions from Windows Mobile device users must have access to Exchange to look up recovery passwords.
  • Users must have access to OWA to display the recovery password for their devices.

In contrast, password reset in MDM 2008 SP1 allows users to look up recovery passwords by using MDM Self Service Portal. In addition, the mobility administrators and IT Help Desk technicians who work with MDM 2008 SP1 already have the required permissions to configure and assist in password reset.

Note

Only one password reset option—MDM or Exchange—can be used at a time. Administrators should configure MDM Device Management Server or the Exchange server to disable the method that is not being used.