Updated instructions for configuring self service PIN Reset

2025-06-16 19:03:46 +00:00 · 2019-11-26 16:16:16 -08:00
parent ab32124ef0
commit 3a1e089d45
6 changed files with 16 additions and 10 deletions
--- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
@ -30,12 +30,12 @@ ms.reviewer:
 - Azure Active Directory
 - Hybrid Windows Hello for Business deployment
 - Azure AD registered, Azure AD joined, and Hybrid Azure AD joined
- Windows 10, version 1709 or later, **Enterprise Edition**
+- Windows 10, version 1709 to 1809, **Enterprise Edition**. There is no licensing requirement for this feature since version 1903.

 The Microsoft PIN reset services enables you to help users recover who have forgotten their PIN.  Using Group Policy, Microsoft Intune or a compatible MDM, you can configure Windows 10 devices to securely use the Microsoft PIN reset service that enables users to reset their forgotten PIN through settings or above the lock screen without requiring re-enrollment.

 >[!IMPORTANT]
-> The Microsoft PIN Reset service only works with Windows 10, version 1709 or later **Enterprise Edition**.  The feature does not work with the **Pro** edition.]
+> The Microsoft PIN Reset service only works with Windows 10, version 1709 to 1809 with **Enterprise Edition**.  The feature works with **Pro** edition with Windows 10, version 1903 and newer.

 ### Onboarding the Microsoft PIN reset service to your Intune tenant

@ -43,11 +43,17 @@ Before you can remotely reset PINs, you must on-board the Microsoft PIN reset se

 ### Connect Azure Active Directory with the PIN reset service

-1. Visit [Microsoft PIN Reset Service Integration website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent), and sign in using the tenant administrator account you use to manage your Azure Active Directory tenant.
-2. After you log in, click **Accept** to give consent for the PIN reset service to access your account.<br>
-![PIN reset service application in Azure](images/pinreset/pin-reset-service-home-screen.png)<br>
-3. In the Azure portal, you can verify that the Microsoft PIN reset service is integrated from the **Enterprise applications** blade. Filter to application status "Enabled" and both Microsoft Pin Reset Service Production and Microsoft Pin Reset Client Production will show up in your tenant.<br>
-![PIN reset service permissions page](images/pinreset/pin-reset-service-application.png)
+1. Go to the [Microsoft PIN Reset Service Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent), and sign in using the tenant administrator account you use to manage your Azure Active Directory tenant.
+2. After you log in, click **Accept** to give consent for the PIN reset service to access your account.
+![PIN reset service application in Azure](images/pinreset/pin-reset-service-prompt.png)
+3. Go to the [Microsoft PIN Reset Client Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent), and sign in using the tenant administrator account you use to manage your Azure Active Directory tenant.
+4. After you log in, click **Accept** to give consent for the PIN reset client to access your account.
+![PIN reset client application in Azure](images/pinreset/pin-reset-client-prompt.png)
+5. In the [Azure portal](https://portal.azure.com), verify that the Microsoft PIN Reset Service and Microsoft PIN Reset Client are integrated from the **Enterprise applications** blade. Filter to application status "Enabled" and both Microsoft Pin Reset Service Production and Microsoft Pin Reset Client Production will show up in your tenant.
+![PIN reset service permissions page](images/pinreset/pin-reset-applications.png)
+
+>[!NOTE]
+>After you Accept the PIN reset service and client requests, you will land on a page that states "You do not have permission to view this directory or page." This behavior is expected. Be sure to confirm that the two PIN Reset applications are listed for your tenant.

 ### Configure Windows devices to use PIN reset using Group Policy

--- a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-applications.png
+++ b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-applications.png
--- a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-client-prompt.png
+++ b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-client-prompt.png
--- a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-application.png
+++ b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-application.png
--- a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-home-screen.png
+++ b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-home-screen.png
--- a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-prompt.png
+++ b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-prompt.png