PIN is one of the login options in Windows Hello for Business. If a user forgets their PIN, they can reset it. Windows Hello for Business allows two types of PIN reset:

  • Destructive PIN reset, which deletes everything in the Windows Hello for Business container. This is a forced reset, but it requires no additional configuration and works by default.
  • Non-destructive PIN reset, which requires additional configuration but does not delete the existing Windows Hello for Business container and the keys stored in it.

Non-destructive PIN reset for Windows Hello for Business

Let’s take a look at how to configure a non-destructive PIN reset for Windows Hello for Business, as this is the better and more convenient option for users who forget their PIN: it does not have the side effect of also deleting the other keys stored in the Windows Hello for Business container.

The non-destructive PIN reset works on computers that are Microsoft Entra hybrid joined or Microsoft Entra joined. It therefore does not work on computers that are joined only to the on-premises Active Directory.

How to enable non-destructive PIN reset for Windows Hello for Business

For the non-destructive PIN reset for Windows Hello for Business to work, you need to register two applications with Microsoft Entra ID.

  • Microsoft PIN Reset Service Production
  • Microsoft PIN Reset Client Production

Microsoft PIN Reset Service Production

Sign in as a global admin and open the Microsoft PIN Reset Service Production URL. Click the Accept button to give consent to the app.

Microsoft PIN Reset Client Production

The second application that needs to be registered with Microsoft Entra ID is Microsoft PIN Reset Client Production. Open the URL of Microsoft PIN Reset Client Production app as a global admin, click Next on the first screen and then Accept on the second screen to give consent to the app.

You can now verify that both applications are registered in Microsoft Entra ID. Go to Enterprise applications – All applications and you should see the two newly registered applications.

Enable PIN recovery using Microsoft Intune

Open the Microsoft Intune portal and go to Endpoint security – Account protection and create a new policy (or edit the existing Windows Hello for Business configuration policy). Platform is Windows 10 and later, Profile is Account protection.

Give the policy any name you want, and on the next configuration page, for Block Windows Hello for Business, select Disabled. This will open a new menu with the Windows Hello for Business settings. From the menu below, change Enable PIN recovery to Yes.

Finish creating the policy and assign it to the devices on which you want to enable the Windows Hello for Business PIN reset.

Verify the Windows Hello for Business PIN reset policy application

You can easily check from the command line whether the policy has been applied successfully to your device. Open a standard (non-elevated) command prompt or Windows Terminal and type dsregcmd /status. Scroll down a bit and you should see CanReset : DestructiveAndNonDestructive in the User State section.

If you see CanReset : DestructiveOnly there, it means that the policy is not applied correctly on that device.
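The same check can be scripted, for example to run across many devices. The PowerShell function below is an added example and not part of the original post or of any Microsoft tool; the function name, the field names of the returned object and the sample output it is tested against are my own, with the sample mimicking the "| Section |" banners and "key : value" rows that dsregcmd /status prints.

```powershell
# Added example (not from the original post): parse dsregcmd /status output
# and report whether non-destructive PIN reset is enabled on this device.
function Get-WhfbPinResetState {
    param(
        # Lines of dsregcmd /status output; defaults to running the tool live.
        [string[]]$StatusOutput = (dsregcmd /status)
    )
    $section = $null
    $result  = [ordered]@{ Section = $null; CanReset = $null; NonDestructiveEnabled = $false }
    foreach ($line in $StatusOutput) {
        # Section banner rows look like "| User State          |"
        if ($line -match '^\|\s*(.+?)\s*\|$') { $section = $Matches[1]; continue }
        # Setting rows look like "      CanReset : DestructiveAndNonDestructive"
        if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$' -and $Matches[1] -eq 'CanReset') {
            $result.Section  = $section
            $result.CanReset = $Matches[2]
            $result.NonDestructiveEnabled = ($Matches[2] -eq 'DestructiveAndNonDestructive')
        }
    }
    [pscustomobject]$result
}

# Constructed sample (not real output from a device) to exercise the parser offline.
$sample = @'
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                    NgcSet : YES
                  CanReset : DestructiveOnly
           WorkplaceJoined : NO
'@ -split "`r?`n"

$state = Get-WhfbPinResetState -StatusOutput $sample
if ($state.NonDestructiveEnabled) {
    "Non-destructive PIN reset is enabled (CanReset = $($state.CanReset))."
} else {
    "Policy not applied: CanReset = $($state.CanReset) in section '$($state.Section)'; re-check the Intune Account protection profile assignment."
}

# On a real device, run it without parameters as the signed-in (non-elevated) user:
# Get-WhfbPinResetState
```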