Introduction to Windows Hello for Business PIN Reset
Windows Hello for Business enables users to reset lost PINs by clicking the I forgot my PIN link on the Sign-in settings page in Settings or the Windows lock screen. To reset their PIN, users must verify themselves and complete multi-factor authentication.
PIN reset may be done in two ways:
- Destructive PIN reset: With this option, the user’s previous PIN and underlying credentials are destroyed from the client, along with any keys or certificates added to their Windows Hello container, and a new login key and PIN are supplied. The destructive PIN reset option is the default and does not need setting.
- Non-destructive PIN reset: With this option, the user’s Windows Hello for Business container and keys are retained, but the PIN used to allow key use is updated. You must deploy the Microsoft PIN Reset Service and setup your clients’ policies to allow the PIN Recovery capability in order to perform non-destructive PIN reset.
Why deploy non-destructive PIN reset?
“During a destructive PIN reset, the user’s existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, will be deleted from the client and a new logon key and PIN are provisioned.”
“When non-destructive PIN reset is enabled on a client, a 256-bit AES key is generated locally and added to a user’s Windows Hello for Business container and keys as the PIN reset protector. This PIN reset protector is encrypted using a public key retrieved from the Microsoft PIN reset service and then stored on the client for later use during PIN reset. After a user initiates a PIN reset, completes authentication to Azure, and completes multifactor authentication, the encrypted PIN reset protector is sent to the Microsoft PIN reset service, decrypted, and returned to the client. The decrypted PIN reset protector is used to change the PIN used to authorize Windows Hello for Business keys and it is then cleared from memory.“
In this post I will be covering how you can configure Non-Destructive PIN Reset for Windows Hello for Business
Requirements
- Azure Active Directory
- Windows 10, version 1709 to 1809, Enterprise Edition. There’s no licensing requirement for this feature since version 1903.
- Hybrid Windows Hello for Business deployment
- Azure AD registered, Azure AD joined, and Hybrid Azure AD joined
Configuration Steps
-
Enable the Microsoft PIN Reset Service in your Azure AD tenant
-
Enable PIN Recovery on your devices
Lets enable the Microsoft PIN Reset Service in your Azure AD tenant.
- Go to the Microsoft PIN Reset Client Production website, and sign in using a Global Administrator account you use to manage your Azure Active Directory tenant.
- After you’ve logged in, select Accept to give consent for the PIN Reset Client to access your organization.
Post accepting, you can login to Azure Active Directory to validate if the applications are created
Step -2 : Enable PIN Recovery on your devices
Before you can remotely reset PINs, your devices must be configured to enable PIN Recovery. You can configure your devices for Non-Destructive using either Microsoft Intune, Group Policy Objects (GPO), or Configuration Service Providers (CSP).
Lets see how we can configure our device to use the Microsoft PIN Reset Service using Microsoft Intune.
Login to intune portal i.e. https://endpoint.microsoft.com and create a new Configuration profile for Windows Devices.
Type-in the Name of the new profile
Click on Settings Catalog
Select Enable Key Recovery
Set the value to True and click Next.
Search the user / device group you want to assign the profile.
Click on Create.
Wait for the device to Sync
Device status before enabling PIN Recovery on your devices
Status when user select to Reset PIN before setting Non-Destructive Profile on the device
Now notice the warning, if you reset your PIN, apps might require you to sign in again, and any data that’s managed by an organization could be lost. This warning is showed because this is a destructive PIN reset.
Device status post enabling PIN Recovery on your devices
We will do the reset just like we did with the destructive reset, so I will only show you the screenshots with another dialog.
Configuring PIN Recovery on the device using GPO
You can configure Windows devices to use the Microsoft PIN Reset Service using a Group Policy Object (GPO).
- Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer accounts in Active Directory.
- Edit the Group Policy object from Step 1.
- Enable the Use PIN Recovery policy setting located under Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business.
- Close the Group Policy Management Editor to save the Group Policy object.
Hope this will be informative for you, please do share if you find worth sharing this.