Forum Discussion

Mariusz_80
Copper Contributor
Jun 12, 2026

CanReset value flipping on cloud only devices

Hello,

I have a problem with cloud-only Windows 11 devices configured with a passwordless policy. I have noticed that when you run the dsregcmd /status command, the CanReset value under User State is flipping between "No" and "DestructiveAndNonDestructive". When it's the latter, everything works fine: users can start the wizard for facial recognition or make PIN changes under Sign-in options in Windows. But when it flips to No, everything is blocked. It seems to happen randomly; you can leave a device untouched for a few hours, just check dsregcmd again and the value will have changed. CanReset is the only value that changes in the dsregcmd report.

It happens for different devices located on different networks. Also, I have disabled the web gateway completely for one device just for testing, but no change. Any suggestions would be welcome.

1 Reply

  • Sherryberry
    Occasional Reader

    dsregcmd /status CanReset flips between "No" and "DestructiveAndNonDestructive", passwordless Win11.

    CanReset is not random even though it looks that way. That value reflects whether the device can currently reach the Microsoft PIN reset service and pull a valid token to confirm the reset capability. When it can reach it you get DestructiveAndNonDestructive; when it cannot you drop to No, and PIN change and facial setup get blocked. So a value that flips is really intermittent reachability or an intermittent token problem, not a setting that is changing on its own.

    Two areas to check:

    Network and SSL inspection. The PIN reset path needs these endpoints reachable without TLS break and inspect: passwordreset.microsoftonline.com, pinreset.microsoft.com and its subdomains, plus login.microsoftonline.com. If a proxy or web gateway is inspecting or sometimes caching these, you get exactly this flapping. You disabled the gateway on one device; try fully bypassing SSL inspection for those URLs on a test device and watch the value over a few hours.

    The two service apps. Confirm "Microsoft Pin Reset Service Production" and "Microsoft Pin Reset Client Production" are present and consented in the tenant, otherwise non-destructive reset capability never resolves cleanly.

    If your CA requires a compliant or hybrid device and compliance flaps for any reason, the token used for that capability check fails when compliance is briefly false, which would also show as CanReset going to No. Worth correlating the flip times against sign-in logs. A quick network trace at the moment it shows No usually nails which endpoint is the one timing out.
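The reply above suggests watching the value over a few hours and correlating each flip with endpoint reachability and TLS inspection. The following PowerShell script is an added example written for this thread, not code posted by either participant: it samples dsregcmd /status for CanReset on a timer and, at the same moment, records whether each of the three endpoints named in the reply accepts a TCP connection on 443 and who issued the certificate it presents (a corporate root rather than the public issuer indicates break-and-inspect). The log path, the 10-minute interval and the function names are arbitrary choices; run it as the signed-in user on the affected device, not as SYSTEM, since the User State section of dsregcmd is only populated in a user context.

```powershell
# Added example, not from the thread. Polls CanReset and endpoint reachability
# so that a flip to "No" can be lined up against a timeout or an inspected chain.

$LogPath  = "$env:ProgramData\CanResetWatch.csv"   # hypothetical log location
$Interval = 600                                     # seconds between samples (assumed)
$Endpoints = @(                                     # endpoints named in the reply
    'passwordreset.microsoftonline.com',
    'pinreset.microsoft.com',
    'login.microsoftonline.com'
)

function Get-CanReset {
    # Pull the "CanReset : <value>" line out of dsregcmd /status.
    $out = dsregcmd /status 2>$null
    $m = $out | Select-String -Pattern '^\s*CanReset\s*:\s*(\S+)' | Select-Object -First 1
    if ($m) { return $m.Matches[0].Groups[1].Value }
    return 'Unknown'
}

function Get-TlsIssuer {
    param([string]$HostName)
    # Open a TLS session and report the issuer of the leaf certificate. The chain
    # is deliberately not validated here because the point is to see whether a
    # proxy has substituted its own certificate, not to trust the connection.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        if (-not $client.ConnectAsync($HostName, 443).Wait(5000)) { return 'tcp timeout' }
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $cert, $chain, $errors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        return $leaf.Issuer
    } catch {
        return "error: $($_.Exception.GetType().Name)"
    } finally {
        $client.Dispose()
    }
}

function Get-CanResetSample {
    # One row: timestamp, current CanReset, and per-endpoint TCP result and issuer.
    $row = [ordered]@{
        Timestamp = (Get-Date).ToString('s')
        CanReset  = Get-CanReset
    }
    foreach ($h in $Endpoints) {
        $tcp = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
        $row["${h}_tcp"]    = $tcp.TcpTestSucceeded
        $row["${h}_issuer"] = Get-TlsIssuer -HostName $h
    }
    return [pscustomobject]$row
}

# Sample until stopped; each row is appended to the CSV for later correlation
# with the flip times and the tenant's sign-in logs.
while ($true) {
    $s = Get-CanResetSample
    $s | Export-Csv -Path $LogPath -Append -NoTypeInformation
    Write-Host ("{0}  CanReset={1}" -f $s.Timestamp, $s.CanReset)
    Start-Sleep -Seconds $Interval
}
```

Reading the CSV afterwards, a row where CanReset is "No" and one endpoint shows "tcp timeout" points at reachability, while a row where the issuer column names the organisation's own inspection CA instead of the public issuer shows the TLS break the reply describes; rows where every endpoint looks healthy but CanReset is still "No" are the ones to match against Conditional Access and compliance events in the sign-in logs.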