PIN reset

Windows Hello for Business provides the capability for users to reset forgotten PINs using the I forgot my PIN link from the Sign-in options page in Settings or from the Windows lock screen. Users are required to authenticate and complete multi-factor authentication to reset their PIN.

There are two forms of PIN reset:

  • Destructive PIN reset: with this option, the user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, are deleted from the client and a new login key and PIN are provisioned. Destructive PIN reset is the default option, and doesn't require configuration.
  • Non-destructive PIN reset: with this option, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed. For non-destructive PIN reset, you must deploy the Microsoft PIN Reset Service and configure your clients' policy to enable the PIN Recovery feature.

Using PIN reset

There are two forms of PIN reset called destructive and non-destructive. Destructive PIN reset is the default and doesn't require configuration. During a destructive PIN reset, the user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, will be deleted from the client and a new logon key and PIN are provisioned. For non-destructive PIN reset, you must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed.

Destructive and non-destructive PIN reset use the same steps for initiating a PIN reset. If users have forgotten their PINs, but have an alternate sign-in method, they can navigate to Sign-in options in Settings and initiate a PIN reset from the PIN options. If users don't have an alternate way to sign into their devices, PIN reset can also be initiated from the Windows lock screen in the PIN credential provider.

Important

For hybrid Azure AD-joined devices, users must have corporate network connectivity to domain controllers to complete destructive PIN reset. If AD FS is being used for certificate trust or for on-premises only deployments, users must also have corporate network connectivity to federation services to reset their PIN.

Reset PIN from Settings

  1. Sign-in to Windows 10 using an alternate credential.
  2. Open Settings, select Accounts > Sign-in options.
  3. Select PIN (Windows Hello) > I forgot my PIN and follow the instructions.

Reset PIN above the Lock Screen

For Azure AD-joined devices:

  1. If the PIN credential provider isn't selected, expand the Sign-in options link, and select the PIN pad icon.
  2. Select I forgot my PIN from the PIN credential provider.
  3. Select an authentication option from the list of presented options. This list will be based on the different authentication methods enabled in your tenant (like Password, PIN, Security key).
  4. Follow the instructions provided by the provisioning process.
  5. When finished, unlock your desktop using your newly created PIN.

For Hybrid Azure AD-joined devices:

  1. If the PIN credential provider isn't selected, expand the Sign-in options link, and select the PIN pad icon.
  2. Select I forgot my PIN from the PIN credential provider.
  3. Enter your password and press enter.
  4. Follow the instructions provided by the provisioning process.
  5. When finished, unlock your desktop using your newly created PIN.

Note

Key trust on hybrid Azure AD-joined devices does not support destructive PIN reset from above the Lock Screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. For this deployment model, you must deploy non-destructive PIN reset for above lock PIN reset to work.

You may find that PIN reset from settings only works post login. Also, the "lock screen" PIN reset function won't work if you have any matching limitation of self-service password reset from the lock screen. For more information, see Enable Azure Active Directory self-service password reset at the Windows sign-in screen - General .

Non-Destructive PIN reset

Requirements:

  • Azure Active Directory
  • Windows 10, version 1709 to 1809, Enterprise Edition. There's no licensing requirement for this feature since version 1903.
  • Hybrid Windows Hello for Business deployment
  • Azure AD registered, Azure AD joined, and Hybrid Azure AD joined

When non-destructive PIN reset is enabled on a client, a 256-bit AES key is generated locally. The key is added to a user's Windows Hello for Business container and keys as the PIN reset protector. This PIN reset protector is encrypted using a public key retrieved from the Microsoft PIN reset service and then stored on the client for later use during PIN reset. After a user initiates a PIN reset, completes authentication and multi-factor authentication to Azure AD, the encrypted PIN reset protector is sent to the Microsoft PIN reset service, decrypted, and returned to the client. The decrypted PIN reset protector is used to change the PIN used to authorize Windows Hello for Business keys and it's then cleared from memory.

Using Group Policy, Microsoft Intune or a compatible MDM solution, you can configure Windows devices to securely use the Microsoft PIN Reset Service which enables users to reset their forgotten PIN without requiring re-enrollment.

Important

The Microsoft PIN Reset service only works with Enterprise Edition for Windows 10, version 1709 to 1809 and later, and Windows 11. The feature works with Enterprise Edition and Pro edition with Windows 10, version 1903 and later, Windows 11. The Microsoft PIN Reset service is not currently available in Azure Government.

Summary

Category Destructive PIN Reset Non-Destructive PIN Reset
Functionality The user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, will be deleted from the client and a new logon key and PIN are provisioned. You must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. For more information on how to deploy the Microsoft PIN reset service and client policy, see Connect Azure Active Directory with the PIN reset service. During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed.
Windows editions and versions Reset from settings - Windows 10, version 1703 or later, Windows 11. Reset above Lock - Windows 10, version 1709 or later, Windows 11. Windows 10, version 1709 to 1809, Enterprise Edition. There isn't any licensing requirement for this feature since version 1903. Enterprise Edition and Pro edition with Windows 10, version 1903 and newer Windows 11.
Azure Active Directory Joined Cert Trust, Key Trust, and cloud Kerberos trust Cert Trust, Key Trust, and cloud Kerberos trust
Hybrid Azure Active Directory Joined Cert Trust and cloud Kerberos trust for both settings and above the lock support destructive PIN reset. Key Trust doesn't support this from above the lock screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. It does support from the settings page and the users must have a corporate network connectivity to the DC. Cert Trust, Key Trust, and cloud Kerberos trust for both settings and above the lock support non-destructive PIN reset. No network connection is required for the DC.
On Premises If ADFS is being used for on premises deployments, users must have a corporate network connectivity to federation services. The PIN reset service relies on Azure Active Directory identities, so it's only available for Hybrid Azure Active Directory Joined and Azure Active Directory Joined devices.
Additional Configuration required Supported by default and doesn't require configuration Deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature On-board the Microsoft PIN reset service to respective Azure Active Directory tenant Configure Windows devices to use PIN reset using Group Policy\MDM.
MSA/Enterprise MSA and Enterprise Enterprise only.

Onboarding the Microsoft PIN reset service to your Intune tenant

The Microsoft PIN Reset Service is not currently available in Azure Government.

Enable the Microsoft PIN Reset Service in your Azure AD tenant

Before you can remotely reset PINs, you must register two applications in your Azure Active Directory tenant:

  • PIN Reset Service
  • PIN Reset Client

Connect Azure Active Directory with the PIN Reset Service

  1. Go to the Microsoft PIN Reset Service Production website, and sign in using a Global Administrator account you use to manage your Azure Active Directory tenant.
  2. After you've logged in, select Accept to give consent to the PIN Reset Service to access your organization. PIN reset service application in Azure.

Connect Azure Active Directory with the PIN Reset Client

  1. Go to the Microsoft PIN Reset Client Production website, and sign in using a Global Administrator account you use to manage your Azure Active Directory tenant.
  2. After you've logged in, select Accept to give consent for the PIN Reset Client to access your organization. PIN reset client application in Azure.

Confirm that the two PIN Reset service principals are registered in your tenant

  1. Sign in to the Microsoft Entra Manager admin center.
  2. Select Azure Active Directory > Applications > Enterprise applications.
  3. Search by application name "Microsoft PIN" and both Microsoft Pin Reset Service Production and Microsoft Pin Reset Client Production will show up in the list. PIN reset service permissions page.

Enable PIN Recovery on your devices

Before you can remotely reset PINs, your devices must be configured to enable PIN Recovery. Follow the instructions below to configure your devices using either Microsoft Intune, Group Policy Objects (GPO), or Configuration Service Providers (CSP).

You can configure Windows devices to use the Microsoft PIN Reset Service using Microsoft Intune.

  1. Sign in to the Microsoft Endpoint Manager admin center.
  2. Select Devices > Configuration profiles > Create profile.
  3. Enter the following properties:
    • Platform: Select Windows 10 and later.
    • Profile type: Select Settings catalog.
  4. Select Create.
  5. In Basics, enter the following properties:
    • Name: Enter a descriptive name for the profile.
    • Description: Enter a description for the profile. This setting is optional, but recommended.
  6. Select Next.
  7. In Configuration settings, select Add settings.
  8. In the settings picker, select Windows Hello For Business > Enable Pin Recovery.
  9. Configure Enable Pin Recovery to true.
  10. Select Next.
  11. In Scope tags, assign any applicable tags (optional).
  12. Select Next.
  13. In Assignments, select the security groups that will receive the policy.
  14. Select Next.
  15. In Review + create, review your settings and select Create.

Note

You can also configure PIN recovery from the Endpoint security blade:

  1. Sign in to the Microsoft Endpoint Manager admin center.
  2. Select Endpoint security > Account protection > Create Policy.

Confirm that PIN Recovery policy is enforced on the devices

The PIN reset configuration can be viewed by running dsregcmd /status from the command line. This state can be found under the output in the user state section as the CanReset line item. If CanReset reports as DestructiveOnly, then only destructive PIN reset is enabled. If CanReset reports DestructiveAndNonDestructive, then non-destructive PIN reset is enabled.

Sample User state Output for Destructive PIN Reset

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                    NgcSet : YES
                  NgcKeyId : {FA0DB076-A5D7-4844-82D8-50A2FB42EC7B}
                  CanReset : DestructiveOnly
           WorkplaceJoined : NO
             WamDefaultSet : YES
       WamDefaultAuthority : organizations
              WamDefaultId : https://login.microsoft.com
            WamDefaultGUID : { B16898C6-A148-4967-9171-64D755DA8520 } (AzureAd)

+----------------------------------------------------------------------+

Sample User state Output for Non-Destructive PIN Reset

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                    NgcSet : YES
                  NgcKeyId : {FA0DB076-A5D7-4844-82D8-50A2FB42EC7B}
                  CanReset : DestructiveAndNonDestructive
           WorkplaceJoined : NO
             WamDefaultSet : YES
       WamDefaultAuthority : organizations
              WamDefaultId : https://login.microsoft.com
            WamDefaultGUID : { B16898C6-A148-4967-9171-64D755DA8520 } (AzureAd)

+----------------------------------------------------------------------+

Configure Web Sign-in Allowed URLs for Third Party Identity Providers on Azure AD Joined Devices

Applies to:

  • Azure AD joined devices

The ConfigureWebSignInAllowedUrls policy allows you to specify a list of domains that can be reached during PIN reset flows on Azure AD-joined devices. If you have a federated environment and authentication is handled using AD FS or a third-party identity provider, then this policy should be set. When set, it ensures that authentication pages from that identity provider can be used during Azure AD joined PIN reset.

Configure Web Sign-in Allowed URLs using Microsoft Intune

  1. Sign in to the Microsoft Endpoint Manager admin center
  2. Select Devices > Configuration profiles > Create profile
  3. Enter the following properties:
    • Platform: Select Windows 10 and later
    • Profile type: Select Templates
    • In the list of templates that is loaded, select Custom > Create
  4. In Basics, enter the following properties:
    • Name: Enter a descriptive name for the profile
    • Description: Enter a description for the profile. This setting is optional, but recommended
  5. Select Next
  6. In Configuration settings, select Add and enter the following settings:
    • Name: Web Sign In Allowed URLs
    • Description: (Optional) List of domains that are allowed during PIN reset flows
    • OMA-URI: ./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls
    • Data type: String
    • Value: Provide a semicolon delimited list of domains needed for authentication during the PIN reset scenario. An example value would be signin.contoso.com;portal.contoso.com Custom Configuration for ConfigureWebSignInAllowedUrls policy.
  7. Select Save > Next
  8. In Assignments, select the security groups that will receive the policy
  9. Select Next
  10. In Applicability Rules, select Next
  11. In Review + create, review your settings and select Create

Note

For Azure Government, there is a known issue with PIN reset on Azure AD Joined devices failing. When the user attempts to launch PIN reset, the PIN reset UI shows an error page that says, "We can't open that page right now." The ConfigureWebSignInAllowedUrls policy can be used to work around this issue. If you are experiencing this problem and you are using Azure US Government cloud, set login.microsoftonline.us as the value for the ConfigureWebSignInAllowedUrls policy.