Forum Discussion
"Forgot PIN" not working. How to debug?
Hello ehalmiTke,
thank you for your answer and for the link to the troubleshooting script.
As I said in my original post, as far as I can tell, WHfB works as expected on our hybrid joined PCs. With a PIN or a FIDO2 key we can unlock our devices and log on to our Windows 365 web applications. CanReset reports DestructiveAndNonDestructive and we can initiate an "I lost my pin" procedure from the settings when the user is logged in.
However, when at the login prompt or when the device is locked, if I click the "I lost my pin", absolutely nothing happens and, apparently, nothing is logged anywhere (or so it seems). No errors at all. For example, if I try a password recovery the procedure rightfully aborts telling me I do not have the right license to do so.
I tried the script you suggested and I only had an error about "Primary Refresh Token (PRT) is not available. Hence SSO will not work, and the device may be blocked if you have a device-based Conditional Access Policy". Perhaps this could be part (or the cause) of the problem. Unfortunately the script fails when I try to collect my logs, so I am still stuck.
Regards
Nico
- Nico_Alberti, May 17, 2024, Copper Contributor
A logged-in user can always start a PIN reset (on my Windows 11 test PC it worked even without asking me to authenticate myself - weird, even if SSO is active). However, even after having changed my PIN via that procedure, the "I forgot my PIN" link at the login prompt still does not work on my Win11 PC, while a Windows 10 one prompts for my password (I wish I could authenticate with Entra ID SSO instead).
Thank you for your suggestion, however.
Regards
Nico
- ehalmiTke, May 17, 2024, Copper Contributor
It may be due to the Windows requirements if the environment is hybrid:
Hybrid Cloud Kerberos - Windows 10 21H2, with KB5010415 and later; Windows 11 21H2, with KB5010414 and later
as per
https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/deploy/#windows-requirements
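
The two states mentioned in this thread (the CanReset value and the missing Primary Refresh Token) can be read together from `dsregcmd /status`. The following is an added example, not code from any poster or from the troubleshooting script they mention; the function name `Get-WhfbResetState` is hypothetical and the sample output is constructed to mirror what the thread describes.

```powershell
# Added example (not from the thread): summarise the dsregcmd fields it discusses.
function Get-WhfbResetState {
    param(
        # Lines of `dsregcmd /status` output; by default the command is run locally.
        [string[]]$StatusText = (dsregcmd.exe /status)
    )
    $fields = @{}
    foreach ($line in $StatusText) {
        # Field lines look like "    AzureAdPrt : NO"; headers and separators are skipped.
        if ($line -match '^\s*(\w+)\s*:\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    $hybrid = ($fields['AzureAdJoined'] -eq 'YES') -and ($fields['DomainJoined'] -eq 'YES')
    [pscustomobject]@{
        HybridJoined = $hybrid                       # both join flags must be YES
        AzureAdPrt   = $fields['AzureAdPrt']         # YES when a PRT is present
        NgcSet       = $fields['NgcSet']             # YES when a WHfB credential is enrolled
        CanReset     = $fields['CanReset']           # PIN reset capability reported by the device
        PrtMissing   = ($fields['AzureAdPrt'] -ne 'YES')
    }
}

# Constructed sample output (not captured from a real device), reduced to the
# fields used above and set to the values reported in the thread.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
              DomainJoined : YES
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : YES
                  CanReset : DestructiveAndNonDestructive
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : NO
'@ -split "`r?`n"

Get-WhfbResetState -StatusText $sample | Format-List
```

On a real device, call `Get-WhfbResetState` with no arguments in the affected user's own session, since the user and SSO sections of `dsregcmd /status` describe the account that runs the command.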