Pillar 4 — Zero-Trust Identity Gateway
Pre-Login Password Reset Software for Windows & Mac
When a user is locked out of their Microsoft account or the computer is locked out before network login, the help desk gets the call. Avatier Login Reset is the Windows credential provider password reset and Windows lockout self service recovery tool that puts the resolution at the login screen — MFA-verified, audit-logged, and back to work in under a minute.
Trusted by the world's most regulated enterprises
Locked Out Before You're Logged In
SSPR portals help — if the user can get to a browser.
Monday-morning lockouts, expired passwords, and cached-credential mismatches all strike before network login. Users have nowhere to go but the help desk.
Hybrid and remote work means lockouts happen off-network, in different time zones, with no IT on the other end of the line.
Lockout tickets spike after weekends and vacations, stealing hours of productivity per user per year.
What Login Reset Is
A secure Windows and Mac credential provider that adds an MFA-verified Unlock & Reset workflow directly to the login screen — with automatic cached-credential updates and first-time-login provisioning.
Replaces help desk calls for account lockouts, forgotten passwords, and new-hire first-login provisioning.
Active Directory, Entra ID, hybrid-joined devices, Citrix, and Azure Virtual Desktop.
How Login Reset Works
- Step 1
Install the credential provider
A lightweight Windows or Mac credential provider installs via MSI, GPO, or Intune and adds a secure Unlock & Reset option to the login screen.
- Step 2
User initiates reset at the login screen
Locked out, expired, or first-time login — the user taps Unlock & Reset and is redirected to a secure, MFA-enforced portal.
- Step 3
MFA verifies identity
The user completes MFA via the enterprise provider or Identity Challenge Card for deviceless environments.
- Step 4
Credentials reset and cache syncs
Password is reset, cached credentials are updated to prevent secondary lockouts, and the user is back to work.
Login Reset Outcomes
- Eliminate the #1 source of help desk calls
- 24×7 recovery across Windows, Mac, and VDI
- Passwordless provisioning for new hires
- Cached credentials auto-synced — no secondary lockouts
- Forced enrollment closes MFA adoption gaps
The Cached Credential Problem
When a user resets their password through a traditional browser-based SSPR tool, their laptop's cached credentials stay out of sync with the new password. The web app works. The lock screen doesn't. The user calls the help desk a second time — same day, same user, different lockout. IT teams running portal-only SSPR see a measurable double-call pattern that almost no SSPR vendor advertises and almost every help desk leader recognizes. Avatier Login Reset eliminates the secondary lockout by updating cached credentials automatically as part of the same workflow that resets the password — a single user-initiated event, no second call, no offline-stuck-laptop ticket.
Who It's For
Service Desk Leader
Eliminates the most frequent ticket type.
CIO / IT
Same UX across Windows, Mac, hybrid, VDI.
CFO
Measurable productivity recovery and help desk cost reduction.
Traditional SSPR vs Login Reset
| SSPR Portal Only | Login Reset | |
|---|---|---|
| Pre-login access | None — user must already be in | Embedded at login screen |
| Cached credential sync | Manual re-login required | Automatic |
| Platform coverage | Web only | Windows, Mac, Citrix, AVD |
| New-hire provisioning | IT-assisted | Self-service via HR-linked lookup |
| Ctrl+Alt+Del UX | Native Windows only | Intercepted and branded |
Works Where Other Solutions Don't
Login Reset is the only credential-provider-class pre-login reset that ships with first-class support for every major Windows + Mac + VDI configuration enterprises actually run:
| Avatier Login Reset | Microsoft built-in | Specops Login Helper | |
|---|---|---|---|
| Active Directory-joined Windows | ✓ native | ✓ | ✓ |
| Entra-joined Windows | ✓ native | ✓ | Limited |
| Hybrid-joined Windows | ✓ native | ✓ | ✓ |
| macOS | ✓ native | — | — |
| Citrix | ✓ native | — | ✓ |
| Azure Virtual Desktop (AVD) | ✓ native | Limited | ✓ |
| Thin client | ✓ | — | Limited |
Avatier vs the Pre-Login Password Reset Field
The closest pre-login password reset competitors are Specops uReset Login Helper, FastPassCorp's password manager logon agent, and ManageEngine ADSelfService Plus's logon-screen agent:
| Avatier Login Reset | Specops uReset Login Helper | FastPassCorp | ManageEngine ADSSP Logon Agent | |
|---|---|---|---|---|
| Native macOS credential provider | ✓ | — | — | — |
| Citrix / VDI / AVD support | ✓ native | ✓ | — | ✓ |
| Cached credential auto-update | ✓ | — | ✓ | ✓ |
| Passwordless first-time provisioning (HR-linked) | ✓ patent-pending | — | — | ✓ |
| Ctrl-Alt-Del intercept | ✓ | — | — | ✓ |
| MSI / GPO / Intune deployment | ✓ all 3 | ✓ | MSI only | ✓ |
| Hours-not-weeks rollout | Hours | Days | Days | Days |
| Category coverage across the 11 NP categories | 11/11 | 1/11 | 1/11 | 5/11 |
Sources: NP Accel Competitor Strategy v1.0 (April 2026), vendor product pages as of May 2026. The pre-login credential-provider category is narrowly defended; Avatier's Mac native + Citrix native combination is unique.
Proof
Fits Your Stack
Windows
AD-joined, Entra-joined, and hybrid-joined workstations.
Mac
Native credential provider for macOS.
VDI
Citrix and Azure Virtual Desktop support.
HR
Workday, BambooHR, SuccessFactors for new-hire lookup.
Deployment
- How fast
- Rollout via MSI, GPO, or Intune in hours.
- What's required
- Endpoint management (Intune, Jamf, GPO) and an MFA provider.
- Who owns rollout
- Endpoint IT with Avatier enablement.
- User experience
- Users see a new Unlock & Reset option at the Windows or Mac login screen. Reset completes in under a minute.
Frequently Asked Questions
How do I unlock my Windows computer if I forgot my password?
Install Avatier Login Reset on the workstation — pre-login password reset software that adds an Unlock & Reset option to the Windows or Mac login screen itself. The user taps Unlock & Reset, completes MFA through their enterprise identity provider, sets a new password, and the computer is unlocked in under a minute. Cached credentials are auto-updated so a second offline lockout never occurs. The same flow handles a locked-out Microsoft account or a Microsoft Authenticator prompt at Windows login.
How do users reset a forgotten password before logging in to Windows?
Install the Avatier Login Reset credential provider on Windows or Mac via MSI, GPO, or Intune. It adds an MFA-verified "Unlock & Reset" option to the login screen itself — users tap it, complete MFA via the enterprise provider, set a new password, and are back to work in under a minute. Cached credentials are auto-updated to prevent secondary lockouts. Works on AD-joined, Entra-joined, hybrid, Citrix, and Azure Virtual Desktop.
Does it work with Mac?
Yes. Login Reset ships a native credential provider for macOS alongside the Windows agent. Customers managing mixed Windows + Mac fleets get the same Unlock & Reset UX, the same MFA enforcement, and the same audit log on both platforms.
Does it work with Entra-joined computers?
Yes. Active Directory-joined, Entra-joined, and hybrid-joined workstations are all supported. The credential provider detects the join state at runtime and routes the reset through the correct directory automatically.
What about cached credentials?
Login Reset automatically updates cached credentials after a successful reset, eliminating the secondary-lockout pattern (where a user resets via web SSPR, then can't unlock their offline laptop). This is the single biggest reason customers move from a portal-only SSPR to Login Reset — it eliminates the second support call.
Can new hires log in without IT setting up a password first?
Yes. Passwordless provisioning verifies the new hire against protected HR-linked data (hire date, manager name, employee ID) and lets them set their first password self-service from the login screen. No pre-staged credentials, no IT helpdesk involvement, no day-one delay.
How long does Login Reset take to deploy?
Endpoint rollout via MSI, GPO, or Intune completes in hours, not weeks. The lightweight credential provider adds no measurable boot-time impact and integrates with your existing MFA provider out of the box. Most customers deploy across 10,000+ endpoints in a single change-window.
Is the login-screen browser secure?
Yes. Login Reset uses a secure, locked-down browser process that connects exclusively to the Avatier portal — users cannot navigate to other websites or use keyboard shortcuts to escape the workflow. The session is terminated on completion, MFA failure, or timeout. No persistent state remains on the endpoint.
Compliance-Certified
Eliminate the #1 Help Desk Ticket
See Login Reset at work in a 30-minute demo.