Merging changes synced from https://github.com/MicrosoftDocs/windows-docs-pr (branch live)

windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md

@@ -10,60 +10,55 @@ ms.collection:
   - highpri
 ms.topic: article
 localizationpriority: medium
-ms.date: 5/3/2021
+ms.date: 07/29/2022
+appliesto:
+- ✅ <b>Windows 10</b>
+- ✅ <b>Windows 11</b>
 ---
 
 # PIN reset
 
-**Applies to:**
+Windows Hello for Business provides the capability for users to reset forgotten PINs using the *I forgot my PIN* link from the Sign-in options page in *Settings* or from the Windows lock screen. Users are required to authenticate and complete multi-factor authentication to reset their PIN.
 
-- Windows 10, version 1709 or later
-- Windows 11
+There are two forms of PIN reset:
 
-Windows Hello for Business provides the capability for users to reset forgotten PINs using the "I forgot my PIN link" from the Sign-in options page in Settings or from above the lock screen. User's are required to authenticate and complete multifactor authentication to reset their PIN.
+- **Destructive PIN reset**: with this option, the user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, are deleted from the client and a new log in key and PIN are provisioned. Destructive PIN reset is the default option, and doesn't require configuration.
+- **Non-destructive PIN reset**: with this option, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed. For non-destructive PIN reset, you must deploy the **Microsoft PIN Reset Service** and configure your clients' policy to enable the **PIN Recovery** feature.
+## Using PIN reset
 
-There are two forms of PIN reset called destructive and non-destructive. Destructive PIN reset is the default and does not require configuration. During a destructive PIN reset, the user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, will be deleted from the client and a new logon key and PIN are provisioned. For non-destructive PIN reset, you must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed.
-
-## Using PIN Reset
-
-**Requirements**
-
-- Reset from settings - Windows 10, version 1703
-- Reset above Lock - Windows 10, version 1709
-
-Destructive and non-destructive PIN reset use the same entry points for initiating a PIN reset. If a user has forgotten their PIN, but has an alternate logon method, they can navigate to Sign-in options in Settings and initiate a PIN reset from the PIN options. If they do not have an alternate way to sign into their device, PIN reset can also be initiated from above the lock screen in the PIN credential provider.
+Destructive and non-destructive PIN reset use the same steps for initiating a PIN reset. If users have forgotten their PINs, but have an alternate sign-in method, they can navigate to Sign-in options in *Settings* and initiate a PIN reset from the PIN options. If users do not have an alternate way to sign into their devices, PIN reset can also be initiated from the Windows lock screen in the PIN credential provider.
 
 >[!IMPORTANT]
 >For hybrid Azure AD-joined devices, users must have corporate network connectivity to domain controllers to complete destructive PIN reset. If AD FS is being used for certificate trust or for on-premises only deployments, users must also have corporate network connectivity to federation services to reset their PIN.
 
 ### Reset PIN from Settings
 
-1. Sign-in to Windows 10, version 1703 or later using an alternate credential.
-2. Open **Settings**, click **Accounts**, click **Sign-in options**.
-3. Under **PIN**, click **I forgot my PIN** and follow the instructions.
+1. Sign-in to Windows 10 using an alternate credential
+1. Open **Settings**, select **Accounts** > **Sign-in options**
+1. Select **PIN (Windows Hello)** > **I forgot my PIN** and follow the instructions
 
 ### Reset PIN above the Lock Screen
 
 For Azure AD-joined devices:
 
-1. If the PIN credential provider is not selected, expand the **Sign-in options** link, and select the PIN pad icon.
-1. Click **I forgot my PIN** from the PIN credential provider.
-1. Select an authentication option from the list of presented options. This list will be based on the different authentication methods enabled in your tenant (i.e., Password, PIN, Security key).
-1. Follow the instructions provided by the provisioning process.
-1. When finished, unlock your desktop using your newly created PIN.
+1. If the PIN credential provider is not selected, expand the **Sign-in options** link, and select the PIN pad icon
+1. Select **I forgot my PIN** from the PIN credential provider
+1. Select an authentication option from the list of presented options. This list will be based on the different authentication methods enabled in your tenant (e.g., Password, PIN, Security key)
+1. Follow the instructions provided by the provisioning process
+1. When finished, unlock your desktop using your newly created PIN
 
 For Hybrid Azure AD-joined devices:
 
-1. If the PIN credential provider is not selected, expand the **Sign-in options** link, and select the PIN pad icon.
-1. Click **I forgot my PIN** from the PIN credential provider.
-1. Enter your password and press enter.
-1. Follow the instructions provided by the provisioning process.
-1. When finished, unlock your desktop using your newly created PIN.
+1. If the PIN credential provider is not selected, expand the **Sign-in options** link, and select the PIN pad icon
+1. Select **I forgot my PIN** from the PIN credential provider
+1. Enter your password and press enter
+1. Follow the instructions provided by the provisioning process
+1. When finished, unlock your desktop using your newly created PIN
 
 > [!NOTE]
 > Key trust on hybrid Azure AD-joined devices does not support destructive PIN reset from above the Lock Screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. For this deployment model, you must deploy non-destructive PIN reset for above lock PIN reset to work.
 
-You may find that PIN reset from settings only works post login, and that the "lock screen" PIN reset function will not work if you have any matching limitation of SSPR password reset from the lock screen. For more information, see [Enable Azure Active Directory self-service password reset at the Windows sign-in screen - General ](/azure/active-directory/authentication/howto-sspr-windows#general-limitations).
+You may find that PIN reset from settings only works post login, and that the "lock screen" PIN reset function will not work if you have any matching limitation of self-service password reset from the lock screen. For more information, see [Enable Azure Active Directory self-service password reset at the Windows sign-in screen - General ](/azure/active-directory/authentication/howto-sspr-windows#general-limitations).
 
 ## Non-Destructive PIN reset
 
@@ -72,75 +67,100 @@ You may find that PIN reset from settings only works post login, and that the "l
 - Azure Active Directory
 - Hybrid Windows Hello for Business deployment
 - Azure AD registered, Azure AD joined, and Hybrid Azure AD joined
-- Windows 10, version 1709 to 1809, **Enterprise Edition**. There is no licensing requirement for this feature since version 1903.
 
-When non-destructive PIN reset is enabled on a client, a 256-bit AES key is generated locally and added to a user's Windows Hello for Business container and keys as the PIN reset protector. This PIN reset protector is encrypted using a public key retrieved from the Microsoft PIN reset service and then stored on the client for later use during PIN reset. After a user initiates a PIN reset, completes authentication to Azure, and completes multifactor authentication, the encrypted PIN reset protector is sent to the Microsoft PIN reset service, decrypted, and returned to the client. The decrypted PIN reset protector is used to change the PIN used to authorize Windows Hello for Business keys and it is then cleared from memory.
+When non-destructive PIN reset is enabled on a client, a 256-bit AES key is generated locally and added to a user's Windows Hello for Business container and keys as the PIN reset protector. This PIN reset protector is encrypted using a public key retrieved from the Microsoft PIN reset service and then stored on the client for later use during PIN reset. After a user initiates a PIN reset, completes authentication and multi-factor authentication to Azure AD, the encrypted PIN reset protector is sent to the Microsoft PIN reset service, decrypted, and returned to the client. The decrypted PIN reset protector is used to change the PIN used to authorize Windows Hello for Business keys and it is then cleared from memory.
 
-Using Group Policy, Microsoft Intune or a compatible MDM, you can configure Windows devices to securely use the Microsoft PIN reset service that enables users to reset their forgotten PIN through settings or above the lock screen without requiring re-enrollment.
+Using Group Policy, Microsoft Intune or a compatible MDM solution, you can configure Windows devices to securely use the **Microsoft PIN Reset Service** which enables users to reset their forgotten PIN without requiring re-enrollment.
 
 >[!IMPORTANT]
-> The Microsoft PIN Reset service only works with **Enterprise Edition** for Windows 10, version 1709 to 1809.  The feature works with **Enterprise Edition** and **Pro** edition with Windows 10, version 1903 and newer.
-> The Microsoft PIN Reset service is not currently available in Azure Government.
+> The **Microsoft PIN Reset Service** is not currently available in Azure Government.
 
-### Onboarding the Microsoft PIN reset service to your Intune tenant
+### Enable the Microsoft PIN Reset Service in your Azure AD tenant
 
-Before you can remotely reset PINs, you must on-board the Microsoft PIN reset service to your Azure Active Directory tenant, and configure devices you manage.
+Before you can remotely reset PINs, you must register two applications in your Azure Active Directory tenant:
 
-### Connect Azure Active Directory with the PIN reset service
+- PIN Reset Service
+- PIN Reset Client
 
-1. Go to the [Microsoft PIN Reset Service Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent), and sign in using the Global administrator account you use to manage your Azure Active Directory tenant.
-
-1. After you have logged in, choose **Accept** to give consent for the PIN reset service to access your account.
+#### Connect Azure Active Directory with the PIN Reset Service
 
+1. Go to the [Microsoft PIN Reset Service Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent), and sign in using a Global Administrator account you use to manage your Azure Active Directory tenant
+1. After you have logged in, select **Accept** to give consent to the **PIN Reset Service** to access your organization
    ![PIN reset service application in Azure.](images/pinreset/pin-reset-service-prompt.png)
 
-1. Go to the [Microsoft PIN Reset Client Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent), and sign in using the Global administrator account you use to manage your Azure Active Directory tenant.
-
-1. After you have logged in, choose **Accept** to give consent for the PIN reset client to access your account.
+#### Connect Azure Active Directory with the PIN Reset Client
 
+1. Go to the [Microsoft PIN Reset Client Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent), and sign in using a Global Administrator account you use to manage your Azure Active Directory tenant
+1. After you have logged in, select **Accept** to give consent for the **PIN Reset Client** to access your organization
    ![PIN reset client application in Azure.](images/pinreset/pin-reset-client-prompt.png)
 
-   > [!NOTE]
-   > After you have accepted the PIN reset service and client requests, you will land on a page that states "You do not have permission to view this directory or page." This behavior is expected. Be sure to confirm that the two PIN reset applications are listed for your tenant.
+#### Confirm that the two PIN Reset service principals are registered in your tenant
 
-1. In the [Azure portal](https://portal.azure.com), verify that the Microsoft PIN Reset Service and Microsoft PIN Reset Client are integrated from the **Enterprise applications** blade. Filter to application status "Enabled" and both Microsoft Pin Reset Service Production and Microsoft Pin Reset Client Production will show up in your tenant.
+1. Sign in to the [Microsoft Entra Manager admin center](https://entra.microsoft.com)
+1. Select **Azure Active Directory** > **Applications** > **Enterprise applications**
+1. Search by application name "Microsoft PIN" and both **Microsoft Pin Reset Service Production** and **Microsoft Pin Reset Client Production** will show up in the list
+   :::image type="content" alt-text="PIN reset service permissions page." source="images/pinreset/pin-reset-applications.png" lightbox="images/pinreset/pin-reset-applications-expanded.png":::
 
-   :::image type="content" alt-text="PIN reset service permissions page." source="images/pinreset/pin-reset-applications.png" lightbox="images/pinreset/pin-reset-applications.png":::
+### Enable PIN Recovery on your devices
 
-### Configure Windows devices to use PIN reset using Group Policy
+Before you can remotely reset PINs, your devices must be configured to enable PIN Recovery. Follow the instructions below to configure your devices using either Microsoft Intune, Group Policy Objects (GPO), or Configuration Service Providers (CSP).
 
-You can configure Windows to use the Microsoft PIN Reset service using the computer configuration portion of a Group Policy object.
+#### [✅ **Intune**](#tab/intune)
 
-1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer accounts in Active Directory.
-1. Edit the Group Policy object from Step 1.
-1. Enable the **Use PIN Recovery** policy setting located under **Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business**.
-1. Close the Group Policy Management Editor to save the Group Policy object.  Close the GPMC.
+You can configure Windows devices to use the **Microsoft PIN Reset Service** using Microsoft Intune.
 
-#### Create a PIN Reset Device configuration profile using Microsoft Intune
+1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com)
+1. Select **Devices** > **Configuration profiles** > **Create profile**
+1. Enter the following properties:
+    - **Platform**: Select **Windows 10 and later**
+    - **Profile type**: Select **Settings catalog**
+1. Select **Create**
+1. In **Basics**, enter the following properties:
+    - **Name**: Enter a descriptive name for the profile
+    - **Description**: Enter a description for the profile. This setting is optional, but recommended
+1. Select **Next**
+1. In **Configuration settings**, select **Add settings**
+1. In the settings picker, select **Windows Hello For Business** > **Enable Pin Recovery**
+1. Configure **Enable Pin Recovery** to **true**
+1. Select **Next**
+1. In **Scope tags**, assign any applicable tags (optional)
+1. Select **Next**
+1. In **Assignments**, select the security groups that will receive the policy
+1. Select **Next**
+1. In **Review + create**, review your settings and select **Create**
 
-1. Sign-in to [Endpoint Manager admin center](https://endpoint.microsoft.com/) using a Global administrator account.
-1. Click **Endpoint Security** > **Account Protection** > **Properties**.
-1. Set **Enable PIN recovery** to **Yes**.
+>[!NOTE]
+> You can also configure PIN recovery from the **Endpoint security** blade:
+> 1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com)
+> 1. Select **Endpoint security** > **Account protection** > **Create Policy**
 
-> [!NOTE]
-> You can also set up PIN recovery using configuration profiles.
->
-> 1. Sign in to Endpoint Manager.
-> 1. Click **Devices** > **Configuration Profiles** > Create a new profile or edit an existing profile using the Identity Protection profile type.
-> 1. Set **Enable PIN recovery** to **Yes**.
+#### [✅ **GPO**](#tab/gpo)
 
-#### Assign the PIN Reset Device configuration profile using Microsoft Intune
+You can configure Windows devices to use the **Microsoft PIN Reset Service** using a Group Policy Object (GPO).
 
-1. Sign in to the [Azure portal](https://portal.azure.com) using a Global administrator account. 
-1. Navigate to the Microsoft Intune blade. Choose **Device configuration** > **Profiles**. From the list of device configuration profiles, choose the profile that contains the PIN reset configuration.
-1. In the device configuration profile, select **Assignments**.
-1. Use the **Include** and/or **Exclude** tabs to target the device configuration profile to select groups.
+1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer accounts in Active Directory
+1. Edit the Group Policy object from Step 1
+1. Enable the **Use PIN Recovery** policy setting located under **Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business**
+1. Close the Group Policy Management Editor to save the Group Policy object
 
-### Confirm that PIN recovery policy is enforced on the client
+#### [✅ **CSP**](#tab/csp)
 
-The PIN reset configuration for a user can be viewed by running [**dsregcmd /status**](/azure/active-directory/devices/troubleshoot-device-dsregcmd) from the command line. This state can be found under the output in the user state section as the **CanReset** line item. If **CanReset** reports as DestructiveOnly, then only destructive PIN reset is enabled. If **CanReset** reports DestructiveAndNonDestructive, then non-destructive PIN reset is enabled.
+You can configure Windows devices to use the **Microsoft PIN Reset Service** using the [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp).
 
-#### Sample User state Output for Destructive PIN Reset
+- OMA-URI: `./Vendor/MSFT/Policy/PassportForWork/`*TenantId*`/Policies/EnablePinRecovery`
+- Data type: **Boolean**
+- Value: **True**
+
+>[!NOTE]
+> You must replace `TenantId` with the identifier of your Azure Active Directory tenant.
+
+---
+
+#### Confirm that PIN Recovery policy is enforced on the devices
+
+The _PIN reset_ configuration can be viewed by running [**dsregcmd /status**](/azure/active-directory/devices/troubleshoot-device-dsregcmd) from the command line. This state can be found under the output in the user state section as the **CanReset** line item. If **CanReset** reports as DestructiveOnly, then only destructive PIN reset is enabled. If **CanReset** reports DestructiveAndNonDestructive, then non-destructive PIN reset is enabled.
+
+**Sample User state Output for Destructive PIN Reset**
 
 ```console
 +----------------------------------------------------------------------+
@@ -159,7 +179,7 @@ The PIN reset configuration for a user can be viewed by running [**dsregcmd /sta
 +----------------------------------------------------------------------+
 ```
 
-#### Sample User state Output for Non-Destructive PIN Reset
+**Sample User state Output for Non-Destructive PIN Reset**
 
 ```console
 +----------------------------------------------------------------------+
@@ -178,43 +198,35 @@ The PIN reset configuration for a user can be viewed by running [**dsregcmd /sta
 +----------------------------------------------------------------------+
 ```
 
-## Configure Web Sign-in Allowed URLs for Third Party Identity Providers on Azure AD Joined Devices
+### Configure Web Sign-in Allowed URLs for Third Party Identity Providers on Azure AD Joined Devices
 
-**Applies to:**
+The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls) policy allows you to specify a list of domains that can be reached during PIN reset flows on Azure AD-joined devices. If you have a federated environment and authentication is handled using AD FS or a third-party identity provider, this policy should be set to ensure that authentication pages from that identity provider can be used during Azure AD joined PIN reset.
 
-- Windows 10, version 1803 or later
-- Windows 11
-- Azure AD joined
 
-The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls) policy allows you to specify a list of domains that are allowed to be navigated to during PIN reset flows on Azure AD-joined devices. If you have a federated environment and authentication is handled using AD FS or a third-party identity provider, this policy should be set to ensure that authentication pages from that identity provider can be used during Azure AD joined PIN reset.
+#### Configure Web Sign-in Allowed URLs using Microsoft Intune
 
-### Configuring Policy Using Intune
-
-1. Sign-in to [Endpoint Manager admin center](https://endpoint.microsoft.com/) using a Global administrator account.
-
-1. Click **Devices**. Click **Configuration profiles**. Click **Create profile**.
-
-1. For Platform select **Windows 10 and later** and for Profile type select **Templates**. In the list of templates that is loaded, select **Custom** and click Create.
-
-1. In the **Name** field type **Web Sign In Allowed URLs** and optionally provide a description for the configuration. Click Next.
-
-1. On the Configuration settings page, click **Add** to add a custom OMA-URI setting. Provide the following information for the custom settings
-
-    - **Name:** Web Sign In Allowed URLs
-    - **Description:** (Optional) List of domains that are allowed during PIN reset flows.
-    - **OMA-URI:** ./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls
-    - **Data type:** String
-    - **Value**: Provide a semicolon delimited list of domains needed for authentication during the PIN reset scenario. An example value would be _signin.contoso.com;portal.contoso.com_ (without quotation marks)
-
-    :::image type="content" alt-text="Custom Configuration for ConfigureWebSignInAllowedUrls policy." source="images/pinreset/allowlist.png" lightbox="images/pinreset/allowlist.png":::
-
-1. Click the Save button to save the custom configuration.
-
-1. On the Assignments page, use the Included groups and Excluded groups sections to define the groups of users or devices that should receive this policy. Once you have completed configuring groups click the Next button.
-
-1. On the Applicability rules page, click Next.
-
-1. Review the configuration that is shown on the Review + create page to make sure that it is accurate. Click create to save the profile and apply it to the configured groups.
+1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
+1. Select **Devices** > **Configuration profiles** > **Create profile**
+1. Enter the following properties:
+    - **Platform**: Select **Windows 10 and later**
+    - **Profile type**: Select **Templates**
+    - In the list of templates that is loaded, select **Custom** > **Create**
+1. In **Basics**, enter the following properties:
+    - **Name**: Enter a descriptive name for the profile
+    - **Description**: Enter a description for the profile. This setting is optional, but recommended
+1. Select **Next**
+1. In **Configuration settings**, select **Add** and enter the following settings:
+    - Name: **Web Sign In Allowed URLs**
+    - Description: **(Optional) List of domains that are allowed during PIN reset flows**
+    - OMA-URI: `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls`
+    - Data type: **String**
+    - Value: Provide a semicolon delimited list of domains needed for authentication during the PIN reset scenario. An example value would be **signin.contoso.com;portal.contoso.com** (without quotation marks)
+    :::image type="content" alt-text="Custom Configuration for ConfigureWebSignInAllowedUrls policy." source="images/pinreset/allowlist.png" lightbox="images/pinreset/allowlist-expanded.png":::
+1. Select **Save** > **Next**
+1. In **Assignments**, select the security groups that will receive the policy
+1. Select **Next**
+1. In **Applicability Rules**, select **Next**
+1. In **Review + create**, review your settings and select **Create**
 
 > [!NOTE]
 > For Azure Government, there is a known issue with PIN reset on Azure AD Joined devices failing. When the user attempts to launch PIN reset, the PIN reset UI shows an error page that says, "We can't open that page right now." The ConfigureWebSignInAllowedUrls policy can be used to work around this issue. If you are experiencing this problem and you are using Azure US Government cloud, set **login.microsoftonline.us** as the value for the ConfigureWebSignInAllowedUrls policy.