Forum Discussion

Nico_Alberti
Copper Contributor
May 06, 2024

"Forgot PIN" not working. How to debug?

Hi everyone. I just deployed PIN authentication on a test OU with some Hybrid Joined workstations. This method, just like FIDO keys and biometrics, seems to work flawlessly, except that the "Forgot PIN" link at the login prompt does not show anything on Windows 11 machines.

PIN recovery is set via GPO, dsregcmd /status shows that the CanReset attribute is set to DestructiveAndNonDestructive, and Microsoft Pin Reset Service Production / Microsoft Pin Reset Client Production are installed in my Entra ID tenant.

The major problem here is that there is no error message shown and I don't know which log to look at to debug this issue.

Thank you in advance for every suggestion, and sorry for my poor English.

Ciao

Nico

8 Replies

  •
    sboucha2075
    Copper Contributor

    Hello Nico, same problem here. Did you find a solution? Thanks.

    •
      Nico_Alberti
      Copper Contributor

      @sboucha2075

      I simply gave up. I tried to look at some error in the registry or in some other log, but I did not find anything. It simply doesn't work.

      Ciao

      Nico

  •
    ehalmiTke
    Copper Contributor

    Hello Nico_Alberti,

    Thank you for opening the thread.

    "If CanReset reports as DestructiveOnly, then only destructive PIN reset is enabled. If CanReset reports DestructiveAndNonDestructive, then nondestructive PIN reset is enabled." - https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/pin-reset?tabs=intune#confirm-that-pin-recovery-policy-is-enforced-on-the-devices (section "Confirm that PIN Recovery policy is enforced on the devices")

    If you have a federated environment and authentication is handled using AD FS or a non-Microsoft identity provider, then you must configure your devices with a policy to allow a list of domains that can be reached during PIN reset flows. When set, it ensures that authentication pages from that identity provider can be used during Microsoft Entra joined PIN reset.

    Lastly, there is an available script which you can run to troubleshoot the Entra ID Join or Hybrid Join status, which can aid towards a fix - https://learn.microsoft.com/en-us/samples/azure-samples/dsregtool/dsregtool/

    Best Regards

    •
      Nico_Alberti
      Copper Contributor

      Hello ehalmiTke,

      thank you for your answer and for the link to the troubleshooting script.

      As I said in my original post, as far as I can tell, WHfB works as expected on our hybrid joined PCs. With a PIN or a FIDO2 key we can unlock our devices and log on to our Windows 365 web applications. CanReset reports DestructiveAndNonDestructive and we can initiate an "I lost my PIN" procedure from the settings when the user is logged in.

      However, at the login prompt or when the device is locked, if I click "I lost my PIN", absolutely nothing happens and, apparently, nothing is logged anywhere (or so it seems). No errors at all. For example, if I try a password recovery, the procedure rightfully aborts, telling me I do not have the right license to do so.

      I tried the script you suggested and I only had an error about "Primary Refresh Token (PRT) is not available. Hence SSO will not work, and the device may be blocked if you have a device-based Conditional Access Policy". Perhaps this could be part (or the cause) of the problem. Unfortunately the script fails when I try to collect my logs, so I am still stuck.

      Regards

      Nico
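The two replies above point at three things worth collecting in one place when the "I forgot my PIN" link does nothing: the CanReset value from dsregcmd /status, whether the device actually holds a Primary Refresh Token (the warning dsregtool raised), and whether the two PIN reset enterprise applications exist in the tenant. The PowerShell below is an added example, not code from this thread, from dsregtool or from Microsoft. The function names, the list of checks and the abridged sample output are constructed for illustration; the tenant check assumes the Microsoft.Graph module is installed and an admin has already run Connect-MgGraph with Application.Read.All.

```powershell
# Added example (not part of the thread): parse "dsregcmd /status" and report the
# WHfB PIN-reset prerequisites discussed above. Run it as the signed-in user, not from
# an elevated prompt opened as a different account: the SSO State section (AzureAdPrt)
# is only reported for the user running the command.

function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # "    AzureAdPrt : NO" -> key AzureAdPrt, value NO. Banner ("+---", "| ...") and
        # blank lines do not match and are skipped.
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    return $state
}

function Test-PinResetReadiness {
    param([Parameter(Mandatory)][hashtable]$State)
    # Check list is mine; the key names are the ones dsregcmd prints.
    @(
        [pscustomobject]@{ Check = 'Hybrid Entra joined (AzureAdJoined + DomainJoined)'; Pass = ($State['AzureAdJoined'] -eq 'YES' -and $State['DomainJoined'] -eq 'YES') }
        [pscustomobject]@{ Check = 'Primary Refresh Token present (AzureAdPrt)';        Pass = ($State['AzureAdPrt'] -eq 'YES') }
        [pscustomobject]@{ Check = 'WHfB credential provisioned (NgcSet)';              Pass = ($State['NgcSet'] -eq 'YES') }
        [pscustomobject]@{ Check = 'Non-destructive PIN reset allowed (CanReset)';     Pass = ($State['CanReset'] -eq 'DestructiveAndNonDestructive') }
    )
}

# Optional tenant-side check. Assumes: Microsoft.Graph module installed and
# Connect-MgGraph -Scopes 'Application.Read.All' already done by an admin.
function Test-PinResetServicePrincipals {
    foreach ($name in 'Microsoft Pin Reset Service Production', 'Microsoft Pin Reset Client Production') {
        $sp = Get-MgServicePrincipal -Filter "displayName eq '$name'" -ErrorAction Stop
        [pscustomobject]@{ App = $name; Present = [bool]$sp }
    }
}

# Constructed, abridged sample output reproducing the state described in the thread:
# CanReset is correct but no PRT. On a real device the live output is used instead.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
              DomainJoined : YES
                AzureAdPrt : NO
                    NgcSet : YES
                  CanReset : DestructiveAndNonDestructive
'@ -split "`r?`n"

$lines   = if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) { dsregcmd /status } else { $sample }
$results = Test-PinResetReadiness -State (ConvertFrom-DsregStatus -Lines $lines)
$results | Format-Table -AutoSize

if ($results | Where-Object { -not $_.Pass }) {
    Write-Warning 'At least one prerequisite failed (see table). A missing AzureAdPrt is the same condition dsregtool reports as "PRT is not available".'
}
```

With the sample input the table shows three passes and one failure (AzureAdPrt), which matches what dsregtool told Nico; on a device where the PRT exists, the next thing to confirm is the tenant side with Test-PinResetServicePrincipals.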

      •
        ehalmiTke
        Copper Contributor
        Please check whether users had set their PIN before the PIN reset policy was applied. In this scenario users need to reset their PIN first from Settings > Accounts > Sign-in options > PIN > Change > I forgot my PIN. Once the PIN is reset, the users will be able to use the PIN Reset service from the login screen.
  •
    Nico_Alberti
    Copper Contributor
    Well, it seems I missed the very last paragraph in https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/pin-reset?tabs=gpo

    If I understand correctly, for the PIN reset to work pre-sign-in, I need SSPR, so some non-free Entra ID license. Am I correct?

    Thank you in advance

    Ciao

    Nico
