Reset the passcode on Windows devices using Intune

Important

On October 22, 2022, Microsoft Intune is ending support for devices running Windows 8.1. After that date, technical assistance and automatic updates on these devices won't be available. For more information, go to Plan for Change: Ending support for Windows 8.1.

If you currently use Windows 8.1, then we recommend moving to Windows 10/11 devices. Microsoft Intune has built-in security and device features that manage Windows 10/11 client devices. For more information, go to End of support for Windows 7 and Windows 8.1.

You can reset the passcode for Windows devices. The reset passcode feature uses the Microsoft Pin Reset Service to generate a new passcode for devices that run Windows 10 Mobile.

Supported platforms

  • Windows 10 Mobile running Creators Update and later (Azure AD joined).

The following platforms are not supported:

  • Windows
  • iOS
  • macOS
  • Android

Authorize the PIN reset services

To reset the passcode on Windows devices, onboard the PIN reset service to your Intune tenant.

  1. Go to Microsoft PIN Reset Service production, and sign in using the tenant administrator account.

  2. After you have logged in, choose Accept to give consent for the PIN reset service to access your account.

  3. Go to the Microsoft PIN Reset Client production, and sign in using the tenant administrator account.

  4. After you have logged in, choose Accept to give consent for the PIN reset client to access your account.

  5. In the Azure portal, verify that the Microsoft PIN Reset Service and Microsoft PIN Reset Client are integrated from the Enterprise applications (All applications) blade. Filter the Application status drop-down to "Enabled", and confirm that both Microsoft Pin Reset Service Production and Microsoft Pin Reset Client Production are enabled in your tenant.

Note

After you have accepted the PIN reset service and client requests, you may get a "You do not have permission to view this directory or page." message, or it may appear as if nothing happens. This behavior is normal. Be sure to confirm that the two PIN Reset applications are listed for your tenant.

Configure Windows devices to use PIN reset

To configure the PIN reset on the Windows devices you manage, use an Intune Windows 10 custom device policy. Configure the policy using the following Windows policy configuration service provider (CSP):

Use the device policy - ./Device/Vendor/MSFT/PassportForWork/*tenant ID*/Policies/EnablePinRecovery

Replace tenant ID with your Azure AD Directory ID, which is listed in the Properties of Azure Active Directory in the Azure portal.

Set the value for this CSP to True.
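
The following is an added example, not part of the original article or Microsoft's own script: it checks that both PIN reset applications named in step 5 are enabled, then creates the custom policy with the CSP above through Microsoft Graph instead of the portal. It assumes the Microsoft.Graph.Authentication and Microsoft.Graph.Applications PowerShell modules are installed and that the custom profile maps to the Graph windows10CustomConfiguration type; the profile display name is illustrative.

```powershell
# Added example. Assumes the Microsoft.Graph.Authentication and
# Microsoft.Graph.Applications modules; sign in as a tenant administrator.
Connect-MgGraph -Scopes 'Application.Read.All', 'DeviceManagementConfiguration.ReadWrite.All'

# Pre-flight check: both enterprise applications must exist and be enabled,
# otherwise the policy would be deployed against a service that is not onboarded.
$requiredApps = 'Microsoft Pin Reset Service Production',
                'Microsoft Pin Reset Client Production'
foreach ($name in $requiredApps) {
    $sp = Get-MgServicePrincipal -Filter "displayName eq '$name'"
    if (-not $sp) {
        throw "'$name' is not listed in this tenant; complete the consent steps first."
    }
    if (-not ($sp | Where-Object AccountEnabled)) {
        throw "'$name' is listed but not enabled."
    }
}

# Tenant ID (Azure AD Directory ID) of the signed-in session.
# Reject anything that is not a GUID before it is placed in the OMA-URI.
$tenantId = (Get-MgContext).TenantId
$parsed   = [guid]::Empty
if (-not [guid]::TryParse($tenantId, [ref]$parsed)) {
    throw "Unexpected tenant ID: '$tenantId'"
}
$omaUri = "./Device/Vendor/MSFT/PassportForWork/$parsed/Policies/EnablePinRecovery"

# Custom device policy with a single Boolean OMA-URI setting set to True.
$policy = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = 'Enable PIN recovery (example)'   # illustrative name
    omaSettings   = @(
        @{
            '@odata.type' = '#microsoft.graph.omaSettingBoolean'
            displayName   = 'EnablePinRecovery'
            omaUri        = $omaUri
            value         = $true
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
    -Body ($policy | ConvertTo-Json -Depth 5) -ContentType 'application/json'

"Created policy $($created.id) with OMA-URI $omaUri"
```

The policy created this way is not yet assigned to any group.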

Tip

After you create the policy, you assign (or deploy) it to a group. The policy can be assigned to user groups or device groups. If you assign it to a user group, then the group may include users who have other devices, such as iOS/iPadOS. Technically, the policy doesn't apply, but these devices are still included in the status details.

Reset the passcode

  1. Sign in to the Microsoft Endpoint Manager admin center.
  2. Select Devices, and then select All devices.
  3. Select the device whose passcode you want to reset. In the device properties, select Reset passcode.
  4. Select Yes to confirm. The passcode is generated, and is displayed in the portal for the next seven days.

Next step

If the passcode reset fails, a link is provided in the portal that provides more details.