Tina Burden 10bd9b4330
Merge pull request #3599 from damabe/1610820-damabe21
SEODescFix: User Story 1610820, Part 21
2020-08-24 08:35:42 -07:00


title: Pin Reset
description: Learn how Microsoft PIN reset services enables you to help users recover who have forgotten their PIN.
keywords: identity, PIN, Hello, passport, WHFB, hybrid, cert-trust, device, reset
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
audience: ITPro
author: mapalko
ms.author: mapalko
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 09/09/2019
ms.reviewer:

PIN reset

Applies to:

  • Windows 10, version 1709 or later

Hybrid Deployments

Requirements:

  • Azure Active Directory
  • Hybrid Windows Hello for Business deployment
  • Azure AD registered, Azure AD joined, and Hybrid Azure AD joined
  • Windows 10, version 1709 to 1809, Enterprise Edition. There is no licensing requirement for this feature since version 1903.

The Microsoft PIN reset service enables you to help users who have forgotten their PIN recover it. Using Group Policy, Microsoft Intune or a compatible MDM, you can configure Windows 10 devices to securely use the Microsoft PIN reset service, which lets users reset a forgotten PIN from Settings or from above the lock screen without re-enrolling in Windows Hello for Business.

Important

The Microsoft PIN Reset service only works with Enterprise Edition for Windows 10, version 1709 to 1809. The feature works with Enterprise Edition and Pro edition with Windows 10, version 1903 and newer.

Onboarding the Microsoft PIN reset service to your Intune tenant

Before you can remotely reset PINs, you must onboard the Microsoft PIN reset service to your Azure Active Directory tenant and configure the devices you manage.

Connect Azure Active Directory with the PIN reset service

  1. Go to the Microsoft PIN Reset Service Production website, and sign in using the Global administrator account you use to manage your Azure Active Directory tenant.
  2. After you have logged in, choose Accept to give consent for the PIN reset service to access your account.
     [Image: PIN reset service application in Azure]
  3. Go to the Microsoft PIN Reset Client Production website, and sign in using the Global administrator account you use to manage your Azure Active Directory tenant.
  4. After you have logged in, choose Accept to give consent for the PIN reset client to access your account.

Note

After you have accepted the PIN reset service and client requests, you will land on a page that states "You do not have permission to view this directory or page." This behavior is expected. Be sure to confirm that the two PIN reset applications are listed for your tenant.

[Image: PIN reset client application in Azure]

  5. In the Azure portal, verify that the Microsoft PIN Reset Service and Microsoft PIN Reset Client are integrated from the Enterprise applications blade. Filter to application status "Enabled" and both Microsoft Pin Reset Service Production and Microsoft Pin Reset Client Production will show up in your tenant.
     [Image: PIN reset service permissions page]

Configure Windows devices to use PIN reset using Group Policy

You configure Windows 10 to use the Microsoft PIN Reset service using the computer configuration portion of a Group Policy object.

  1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer accounts in Active Directory.
  2. Edit the Group Policy object from step 1.
  3. Enable the Use PIN Recovery policy setting located under Computer Configuration->Administrative Templates->Windows Components->Windows Hello for Business.
  4. Close the Group Policy Management Editor to save the Group Policy object. Close the GPMC.

Configure Windows devices to use PIN reset using Microsoft Intune

To configure PIN reset on Windows devices you manage, use an Intune Windows 10 custom device policy to enable the feature. Configure the policy using the PassportForWork Windows policy configuration service provider (CSP), whose EnablePinRecovery node is referenced in the OMA-URI below.

Create a PIN Reset Device configuration profile using Microsoft Intune

  1. Sign in to the Azure Portal using a Global administrator account.

  2. You need your tenant ID to complete the following task. You can discover your tenant ID by viewing the Properties of your Azure Active Directory from the Azure Portal. It will be listed under Directory ID. You can also use the following command in a Command window on any Azure AD-joined or hybrid Azure AD-joined computer.

    dsregcmd /status | findstr -snip "tenantid"
    
  3. Navigate to the Microsoft Intune blade. Click Device configuration. Click Profiles. Click Create profile.

  4. Type Use PIN Recovery in the Name field. Select Windows 10 and later from the Platform list. Select Custom from the Profile type list.

  5. In the Custom OMA-URI Settings blade, Click Add.

  6. In the Add Row blade, type PIN Reset Settings in the Name field. In the OMA-URI field, type ./Device/Vendor/MSFT/PassportForWork/tenant ID/Policies/EnablePinRecovery where tenant ID is your Azure Active Directory tenant ID from step 2.

  7. Select Boolean from the Data type list and select True from the Value list.

  8. Click OK to save the row configuration. Click OK to close the Custom OMA-URI Settings blade. Click Create to save the profile.
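The following PowerShell is an added illustration, not part of the original article: it pulls the TenantId out of dsregcmd /status output (a constructed sample with a placeholder GUID is embedded so it runs offline), validates that it is a well-formed GUID, and builds the EnablePinRecovery OMA-URI entered in step 6. The function names and the $UseLiveDsregcmd switch are assumptions of this example.

```powershell
# Added example (not from the original article): derive and validate the PIN Reset
# OMA-URI from the tenant ID that dsregcmd reports, before pasting it into Intune.
# Set $UseLiveDsregcmd = $true on an Azure AD-joined or hybrid-joined device to
# parse the real dsregcmd output instead of the constructed sample below.

$UseLiveDsregcmd = $false

# Constructed sample of dsregcmd /status output; the TenantId is a placeholder GUID.
$sampleStatus = @"
+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+
             TenantName : Contoso
               TenantId : 00000000-1111-2222-3333-444444444444
                    Idp : login.windows.net
"@

function Get-TenantIdFromDsregcmd {
    param([string[]]$StatusLines)
    # dsregcmd prints "TenantId : <guid>"; -match is case-insensitive, like findstr /i
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*TenantId\s*:\s*([0-9a-fA-F-]{36})\s*$') {
            return $Matches[1]
        }
    }
    throw "TenantId not found: this device does not appear to be Azure AD joined or hybrid Azure AD joined."
}

function New-PinRecoveryOmaUri {
    param([Parameter(Mandatory)][string]$TenantId)
    # Intune only accepts the row if the tenant segment is a well-formed GUID; fail early otherwise
    $guid = [guid]::Empty
    if (-not [guid]::TryParse($TenantId, [ref]$guid)) {
        throw "'$TenantId' is not a valid tenant ID (expected a GUID)."
    }
    # Node path from the PassportForWork CSP, as used in the Intune custom profile step
    return "./Device/Vendor/MSFT/PassportForWork/$($guid.ToString())/Policies/EnablePinRecovery"
}

$statusLines = if ($UseLiveDsregcmd) { dsregcmd /status } else { $sampleStatus -split '\r?\n' }
$tenantId = Get-TenantIdFromDsregcmd -StatusLines $statusLines
$omaUri   = New-PinRecoveryOmaUri -TenantId $tenantId

# The four values to enter in the Add Row blade (Name, OMA-URI, Data type, Value)
[pscustomobject]@{
    Name     = 'PIN Reset Settings'
    OmaUri   = $omaUri
    DataType = 'Boolean'
    Value    = $true
}
```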

Assign the PIN Reset Device configuration profile using Microsoft Intune

  1. Sign in to the Azure Portal using a Global administrator account.
  2. Navigate to the Microsoft Intune blade. Choose Device configuration > Profiles. From the list of device configuration profiles, choose the profile that contains the PIN reset configuration.
  3. In the device configuration profile, select Assignments.
  4. Use the Include and/or Exclude tabs to target the device configuration profile to select groups.

On-premises Deployments

Requirements

  • Active Directory
  • On-premises Windows Hello for Business deployment
  • Reset from settings - Windows 10, version 1703, Professional
  • Reset above Lock - Windows 10, version 1709, Professional

On-premises deployments provide users with the ability to reset forgotten PINs either through the settings page or from above the user's lock screen. Users must know or be provided their password for authentication, must perform a second factor of authentication, and then re-provision Windows Hello for Business.

Important

Users must have corporate network connectivity to domain controllers and the federation service to reset their PINs.

Reset PIN from Settings

  1. Sign in to Windows 10, version 1703 or later, using an alternate credential.
  2. Open Settings, click Accounts, click Sign-in options.
  3. Under PIN, click I forgot my PIN and follow the instructions.

Reset PIN above the Lock Screen

  1. On Windows 10, version 1709, click I forgot my PIN from the Windows sign-in screen.
  2. Enter your password and press Enter.
  3. Follow the instructions provided by the provisioning process.
  4. When finished, unlock your desktop using your newly created PIN.

Note

Visit the Windows Hello for Business Videos page and watch the Windows Hello for Business forgotten PIN user experience video.