Forum Discussion
"Forgot PIN" not working. How to debug?
Hello Nico_Alberti,
Thank you for the opened thread.
If CanReset reports DestructiveOnly, then only destructive PIN reset is enabled. If CanReset reports DestructiveAndNonDestructive, then non-destructive PIN reset is enabled. See PIN reset - Windows Security | Microsoft Learn, section "Confirm that PIN Recovery policy is enforced on the devices".
If you have a federated environment and authentication is handled using AD FS or a non-Microsoft identity provider, then you must configure your devices with a policy to allow a list of domains that can be reached during PIN reset flows. When set, it ensures that authentication pages from that identity provider can be used during Microsoft Entra joined PIN reset.
Lastly, there is a script available which you can run to troubleshoot the Entra ID join or hybrid join status, which can aid towards a fix: Device Registration Troubleshooter Tool - Code Samples | Microsoft Learn
Best Regards
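The CanReset check above is read from the "Ngc Prerequisite Check" section of `dsregcmd /status`. As an added example (not code from the thread or from Microsoft), the PowerShell below parses that output and reports the fields that matter for PIN reset: CanReset, NgcSet (is a PIN enrolled at all) and AzureAdPrt (is a Primary Refresh Token present, which the reset flow's SSO depends on). The sample output embedded in the script is constructed for offline use; replace it with the live output of `dsregcmd /status` on a device.

```powershell
# Added example: parse "dsregcmd /status" for the WHfB PIN-reset prerequisites.
# Field names are those dsregcmd prints ("Name : Value" rows under "| Section |"
# headers); the $sample text below is constructed, not captured from a real device.
function ConvertFrom-DsregcmdStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $result = @{}
    foreach ($line in $Lines) {
        # Rows look like "    CanReset : DestructiveAndNonDestructive"
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $result[$Matches[1]] = $Matches[2]
        }
    }
    return $result
}

function Test-PinResetReadiness {
    param([Parameter(Mandatory)][hashtable]$Status)
    $findings = @()
    if ($Status['AzureAdJoined'] -ne 'YES') {
        $findings += 'WARN: device is not Entra joined/hybrid joined (AzureAdJoined <> YES)'
    }
    switch ($Status['CanReset']) {
        'DestructiveAndNonDestructive' { $findings += 'OK: non-destructive PIN reset is enabled' }
        'DestructiveOnly'              { $findings += 'WARN: only destructive PIN reset is enabled; PIN Recovery policy has not reached this device' }
        default                        { $findings += "WARN: CanReset is '$($Status['CanReset'])'" }
    }
    if ($Status['NgcSet'] -ne 'YES') {
        $findings += 'WARN: no Windows Hello PIN is enrolled for this user (NgcSet <> YES)'
    }
    if ($Status['AzureAdPrt'] -ne 'YES') {
        $findings += 'WARN: no Primary Refresh Token; SSO during the PIN reset flow will not work'
    }
    return $findings
}

# Constructed sample resembling the relevant dsregcmd /status sections.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : NO
+----------------------------------------------------------------------+
| Ngc Prerequisite Check                                               |
+----------------------------------------------------------------------+
                    NgcSet : YES
                  CanReset : DestructiveAndNonDestructive
'@ -split "`r?`n"

# For a live device use:  $lines = dsregcmd /status
$status = ConvertFrom-DsregcmdStatus -Lines $sample
Test-PinResetReadiness -Status $status
```

On the constructed sample this prints one OK line for CanReset and a WARN for the missing PRT, which is the combination the original poster reports later in the thread.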
Hello ehalmiTke,
thank you for your answer and for the link to the troubleshooting script.
As I said in my original post, as far as I can tell, WHfB works as expected on our hybrid joined PCs. With a PIN or a FIDO2 key we can unlock our devices and log on to our Windows 365 web applications. CanReset reports DestructiveAndNonDestructive and we can initiate an "I lost my PIN" procedure from the settings when the user is logged in.
However, at the login prompt or when the device is locked, if I click "I lost my PIN", absolutely nothing happens and, apparently, nothing is logged anywhere (or so it seems). No errors at all. For example, if I try a password recovery, the procedure rightfully aborts, telling me I do not have the right license to do so.
I tried the script you suggested and I only had an error about "Primary Refresh Token (PRT) is not available. Hence SSO will not work, and the device may be blocked if you have a device-based Conditional Access Policy". Perhaps this could be part (or the cause) of the problem. Unfortunately the script fails when I try to collect my logs, so I am still stuck.
Regards
Nico
ehalmiTke, May 17, 2024, Copper Contributor
Please check whether users have set the PIN before the PIN reset policy is applied. In this scenario users need to reset their PIN first from Settings > Accounts > Sign-in options > PIN / Change / I forgot my PIN. Once the PIN is reset, the users will be able to use the PIN Reset service from the login screen.
Nico_Alberti, May 17, 2024, Copper Contributor
A logged-in user can always start a PIN reset (on my Windows 11 test PC it worked even without asking me to authenticate myself - weird, even if SSO is active). However, even after having changed my PIN via that procedure, the "I forgot my PIN" link at the login prompt still does not work on my Windows 11 PC, while a Windows 10 one prompts for my password (I wish I could authenticate with Entra ID SSO instead).
Thank you for your suggestion, however.
Regards
Nico
ehalmiTke, May 17, 2024, Copper Contributor
It may be due to the Windows requirements if the environment is hybrid:
Hybrid Cloud Kerberos - Windows 10 21H2, with KB5010415 and later; Windows 11 21H2, with KB5010414 and later
as per
https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/deploy/#windows-requirements
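To check the requirement quoted above against a device, the added PowerShell below (not code from the thread or from Microsoft) reads the build and UBR from the registry and compares them with the minimum builds for Windows 10 21H2 with KB5010415 and Windows 11 21H2 with KB5010414. The UBR thresholds 19044.1566 and 22000.527 are my assumption of the builds those KBs install; verify them against the KB articles before relying on the result.

```powershell
# Added example: does this device meet the Hybrid Cloud Kerberos trust OS requirement?
# Assumed minimum builds (verify against the KB articles):
#   KB5010415 -> Windows 10 21H2 build 19044.1566
#   KB5010414 -> Windows 11 21H2 build 22000.527
function Get-WindowsBuildInfo {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        Build          = [int]$p.CurrentBuildNumber   # e.g. 19044
        UBR            = [int]$p.UBR                  # update build revision, e.g. 1566
        DisplayVersion = $p.DisplayVersion            # e.g. 21H2
    }
}

function Test-CloudKerberosTrustOsRequirement {
    param(
        [Parameter(Mandatory)][int]$Build,
        [Parameter(Mandatory)][int]$UBR
    )
    $minimums = @(
        @{ Build = 19044; UBR = 1566; Name = 'Windows 10 21H2 + KB5010415' },
        @{ Build = 22000; UBR = 527;  Name = 'Windows 11 21H2 + KB5010414' }
    )
    # Exact build line: compare the revision against the KB's revision.
    foreach ($m in $minimums) {
        if ($Build -eq $m.Build) {
            if ($UBR -ge $m.UBR) { return "OK: $Build.$UBR meets $($m.Name)" }
            return "FAIL: $Build.$UBR is below $($m.Build).$($m.UBR) ($($m.Name))"
        }
    }
    # Later release lines (Windows 10 22H2 = 19045, Windows 11 22H2+ >= 22621)
    # shipped after those KBs and already include the fix.
    if ($Build -gt 22000)                      { return "OK: build $Build.$UBR is newer than Windows 11 21H2" }
    if ($Build -gt 19044 -and $Build -lt 22000) { return "OK: build $Build.$UBR is a Windows 10 release after 21H2" }
    return "FAIL: build $Build.$UBR predates the supported releases (Windows 10 21H2 / Windows 11 21H2)"
}

# Live check on the current device:
$info = Get-WindowsBuildInfo
"$($info.DisplayVersion) $($info.Build).$($info.UBR)"
Test-CloudKerberosTrustOsRequirement -Build $info.Build -UBR $info.UBR

# Constructed samples for comparison:
Test-CloudKerberosTrustOsRequirement -Build 19044 -UBR 1288   # Windows 10 21H2 without the KB: FAIL
Test-CloudKerberosTrustOsRequirement -Build 22000 -UBR 527    # Windows 11 21H2 with KB5010414: OK
Test-CloudKerberosTrustOsRequirement -Build 22631 -UBR 3527   # Windows 11 23H2: OK
```

Run it on both the Windows 10 PC where the link works and the Windows 11 PC where it does not; if both pass, the OS requirement can be ruled out and the missing PRT reported earlier in the thread is the more likely lead.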