Windows Hello Reset Pin



Applies to

  • Windows 10

To do that, start by heading to Settings > Accounts and then click the “Sign-in options” tab on the left. From there, click the “Windows Hello PIN” option from the menu’s list.

In my setup, Windows Hello for Business is working and PIN Reset is working as well. My question was: if a user needs to reset their PIN, the user needs their password, while as per the article, we do not want users to know/have their passwords (by using SCRIL etc.).

How to fix Windows Hello PIN problems on Windows 10

To fix Windows Hello PIN when you can’t use, change, remove, or add a PIN to your account, use these steps:

  1. Open Start.
  2. Search for Command Prompt, right-click the top result, and select the Run as administrator option.
  3. Type the first command to take ownership of the NGC folder and press Enter.

In the PIN section for Windows Hello, click the Change button (Figure A). At the Change Your PIN window, check the box to Include Letters And Numbers and then click the link for PIN.

When you set up Windows Hello, the PIN or biometric gesture that you use is specific to that device. You can set up Hello for the same account on multiple devices. If the PIN or biometric is configured as part of Windows Hello for Business, changing the account password will not impact sign-in or unlock with these gestures since it uses a key or certificate. However, if Windows Hello for Business is not deployed and the password for that account changes, you must provide the new password on each device to continue to use Hello.

Example

Let's suppose that you have set up a PIN for your Microsoft account on Device A. You use your PIN to sign in on Device A and then change the password for your Microsoft account. Because you were using Device A when you changed your password, the PIN on Device A will continue to work with no other action on your part.

Suppose instead that you sign in on Device B and change your password for your Microsoft account. The next time that you try to sign in on Device A using your PIN, sign-in will fail because the account credentials that Hello on Device A knows will be outdated.

Note

This example also applies to an Active Directory account when Windows Hello for Business is not implemented.

How to update Hello after you change your password on another device

  1. When you try to sign in using your PIN or biometric, you will see the following message: Your password was changed on a different device. You must sign in to this device once with your new password, and then you can sign in with your PIN.
  2. Click OK.
  3. Click Sign-in options.
  4. Click the Password button.
  5. Sign in with new password.
  6. The next time that you sign in, you can select Sign-in options and then select PIN to resume using your PIN.

Recently I have been troubleshooting a nasty Windows Hello for Business problem which prevented all users in a tenant from resetting their Windows Hello for Business PINs on Azure AD joined devices while getting the error CAA20004.

Issue

When clicking on “I forgot my PIN”:

After completing the account sign-in and MFA challenge the Error CAA20004 came up:

Troubleshooting

The Azure AD Portal shows us “Failure reason: other”.

Recording all the HTTPS traffic to Microsoft's OAuth2 endpoint with Fiddler finally unveils usable information:

AADSTS65001: The user or administrator has not consented to use the application with ID ‘9115dd05-fad5-4f9c-acc7-305d08b1b04e’ named ‘Microsoft Pin Reset Client Production’. Send an interactive authorization request for this user and resource.

The error indicates that an application registration is missing in the tenant for the application “Microsoft Pin Reset Client Production”.
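The triage step described above, as an added example (not code from the original post): a Python helper that pulls the AADSTS code and the application awaiting consent out of captured token-endpoint error bodies. The JSON field names and the placeholder trace ID in the sample are assumptions; the message text and application ID are the ones quoted above.

```python
import json
import re

# Constructed sample of an error body as a proxy capture might show it. Message text
# and application ID are the ones quoted on this page; the trace ID is a placeholder.
SAMPLE_BODY = json.dumps({
    "error_description": (
        "AADSTS65001: The user or administrator has not consented to use the "
        "application with ID '9115dd05-fad5-4f9c-acc7-305d08b1b04e' named "
        "'Microsoft Pin Reset Client Production'. Send an interactive "
        "authorization request for this user and resource.\r\n"
        "Trace ID: 00000000-0000-0000-0000-000000000000"
    ),
    "error_codes": [65001],
})

QUOTES = "'\u2018\u2019\""  # straight and typographic quotes (copied text varies)
AADSTS_RE = re.compile(r"AADSTS(\d+):\s*(.*)", re.DOTALL)
APP_RE = re.compile(
    rf"application with ID\s*[{QUOTES}]\s*([0-9a-fA-F-]{{36}})\s*[{QUOTES}]"
    rf"\s*named\s*[{QUOTES}]\s*([^{QUOTES}]+?)\s*[{QUOTES}]"
)

def parse_token_error(body):
    """Return the AADSTS code and, for consent errors, the app awaiting consent."""
    try:
        doc = json.loads(body)
        text = doc.get("error_description", "") if isinstance(doc, dict) else body
    except ValueError:
        text = body  # not JSON: treat the input as the raw message text
    code = AADSTS_RE.search(text)
    if not code:
        return None
    result = {"code": "AADSTS" + code.group(1), "app_id": None, "app_name": None}
    app = APP_RE.search(code.group(2))
    if app:
        result["app_id"] = app.group(1).lower()
        result["app_name"] = app.group(2)
    return result

def missing_consent(bodies):
    """Map app ID -> app name for every AADSTS65001 seen in the captured bodies."""
    found = {}
    for body in bodies:
        info = parse_token_error(body)
        if info and info["code"] == "AADSTS65001" and info["app_id"]:
            found[info["app_id"]] = info["app_name"]
    return found
```

Running `missing_consent` over all error bodies exported from a capture gives the list of applications a tenant admin still has to consent to.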

Solution

After a short search I found a matching Microsoft docs article. Instead of reading through the whole article, the only thing I needed to do was consenting to the Microsoft PIN Reset Service production application and also to the Microsoft PIN Reset Client production application (just click on the links in order to consent to the app registrations) as tenant admin. Although in some tenants I have only seen the “Microsoft PIN Reset Service production” and PIN resets are working without the “Microsoft PIN Reset Client production”.

When checking the registered enterprise applications in Azure AD the “Microsoft Pin Reset Client Production” was visible:

… and resetting Windows Hello for Business PINs is from now on possible and works like a charm.

Final words

Did you encounter the same difficulties? Or do you know why some tenants only have the “Microsoft PIN Reset Service production” and not the “Microsoft PIN Reset Client production” registered? I am curious to read your experiences in the comments.