Merge remote-tracking branch 'refs/remotes/origin/dhrs2-whfb' into rs2

windows/keep-secure/hello-why-pin-is-better-than-password.md

@@ -54,17 +54,44 @@ You can provide additional protection for laptops that don't have TPM by enablng
 **Configure BitLocker without TPM**
 1.  Use the Local Group Policy Editor (gpedit.msc) to enable the following policy:
 
-    **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Require additional authentication at startup**
+    **Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require additional authentication at startup**
     
 2.  In the policy option, select **Allow BitLocker without a compatible TPM**, and then click **OK.**
-3.  Go to Control Panel > **System and Security** > **BitLocker Drive Encryption** and select the operating system drive to protect.
+3.  Go to Control Panel > **System and Security > BitLocker Drive Encryption** and select the operating system drive to protect.
 **Set account lockout threshold**
 1.  Use the Local Group Policy Editor (gpedit.msc) to enable the following policy:
 
-    **Computer Configuration** >**Windows Settings** ?**Security Settings** >**Account Policies** > **Account Lockout Policy** > **Account lockout threshold**
+    **Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy > Account lockout threshold**
     
 2.  Set the number of invalid logon attempts to allow, and then click OK.
 
+<span id="what-if-i-forget-my-pin"/>
+## What if I forget my PIN?
+
+Starting with Windows 10, version 1703, devices managed by [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune), are be able to reset a forgotten PIN without deleting company managed data or apps.
+
+### Reset forgotten PIN on Windows Phone
+
+To reset a forgotten pin on a Windows Phone, you will need to locate the device in the Intune portal. Once you've selected the device, click on **More > New passcode** to generate a new PIN. 
+
+![Intune reset PIN drop-down menu](images/whfb-intune-reset-pin.jpg)
+
+Once you've done that, the device will receive a notification to unlock the device and you will have to provide them with the generated PIN in order to unlock the device. With the device unlocked, they user can now reset the PIN.
+
+![Phone unlock notification](images/whfb-pin-reset-phone-notification.png)
+
+### Reset forgotten PIN on desktop
+
+Users can reset a forgotten PIN from any Intune managed desktop device. They will need to unlock the device by other means (Password \ Smart Card \ Biometric).
+
+Once the device is unlocked, go to **Settings > Accounts > Sign-in options** and under **PIN** select **I forgot my PIN**.
+
+![Forgot my PIN in settings](images/whfb-reset-pin-settings.jpg)
+
+After signing-in, you will be prompted to change your PIN.
+
+![Reset PIN prompt](images/whfb-reset-pin-prompt.jpg)
+
 ## Why do you need a PIN to use biometrics?
 Windows Hello enables biometric sign-in for Windows 10: fingerprint, iris, or facial recognition. When you set up Windows Hello, you're asked to create a PIN first. This PIN enables you to sign in using the PIN when you can’t use your preferred biometric because of an injury or because the sensor is unavailable or not working properly.
 

windows/whats-new/whats-new-windows-10-version-1703.md

@@ -156,6 +156,16 @@ The security setting [**Interactive logon: Display user information when the ses
 A new security policy setting
 [**Interactive logon: Don't display username at sign-in**](../keep-secure/interactive-logon-dont-display-username-at-sign-in.md) has been introduced in Windows 10 version 1703. This security policy setting determines whether the username is displayed during sign in. It works in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. The setting only affects the **Other user** tile.
 
+### Windows Hello for Business
+
+You can now reset a forgotten PIN without deleting company managed data or apps on devices managed by [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune). 
+
+For Windows Phone devices, an adminisrator is able to initiate a remote PIN reset through the Intune portal.
+
+For Windows desktops, users are able to reset a forgotten PIN through **Settings > Accounts > Sign-in options**.
+
+For more details, check out [What if I forget my PIN?](../keep-secure/hello-why-pin-is-better-than-password.md#what-if-i-forget-my-pin).
+
 ## Update
 
 ### Windows Update for Business
@@ -166,7 +176,7 @@ Windows Update for Business managed devices are now able to defer feature update
 
 ### Windows Insider for Business
 
-We recently the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (AAD). By enrolling devices in AAD, you increase the visibility of feedback submitted by users in your organization – especially on features that support your specific business needs. For details, see [Windows Insider Program for Business](waas-windows-insider-for-business.md).
+We recently the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (AAD). By enrolling devices in AAD, you increase the visibility of feedback submitted by users in your organization – especially on features that support your specific business needs. For details, see [Windows Insider Program for Business](../update/waas-windows-insider-for-business.md).
 
 ### Optimize update delivery