"Forgot PIN" not working. How to debug?

Copper Contributor

Hi everyone. I just deployed PIN authentication on a test OU with some Hybrid Joined workstation. This method, just like Fido keys and biometric, seems to work flawlessy except that the "forgot PIN" link at the login prompt does not show anything on windows 11 machines.


Pin recovery is set via GPO, dsregcmd /status show that Canreset attribute is set to DestructiveAndNonDestructive, and Microsoft Pin Reset Service Production/Microsoft Pin Reset Client Production are installed in my Entra ID tenant.


The major problem here is that there is no error message shown and I don't know which log to look for to debug this issue.


Thank you in advance for every suggestion and sorry for my poor English



6 Replies
Well, it seems I missed the very last paragraph in https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/pin-reset?... If I understand correctly, for the pin reset to work pre sign-in, I need SSPR, so some non free Entra ID license. Am I correct? Thank you in advance Ciao Nico

Hello @Nico_Alberti,


Thank you for the opened thread.


If CanReset reports as DestructiveOnly, then only destructive PIN reset is enabled. If CanReset reports DestructiveAndNonDestructive, then nondestructive PIN reset is enabled. - PIN reset - Windows Security | Microsoft Learn with anchor #Confirm that PIN Recovery policy is enforced on the devices


If you have a federated environment and authentication is handled using AD FS or a non-Microsoft identity provider, then you must configure your devices with a policy to allow a list of domains that can be reached during PIN reset flows. When set, it ensures that authentication pages from that identity provider can be used during Microsoft Entra joined PIN reset.


Lastly, there is available script which you can run to troubleshoot the Entra ID Join or Hybrid Join status which can aid towards a fix - Device Registration Troubleshooter Tool - Code Samples | Microsoft Learn


Best Regards


thank you for your answer and for the link to the troubleshooting script.


As I said in my original post, as far as I can tell, WHfB works as expected on our hybrid joined PCs. With a PIN or a FIDO2 key we can unlock our devices and log on our Windows365 web applications. CanReset reports DestructiveAndNonDestructive and we can initiate a "I lost my pin" procedure from the settings when the user is logged in.


However, when at the login prompt or when the device is locked, if I click the "I lost my pin", absolutely nothing happens and, apparently, nothing is logged anywhere (or so it seems). No errors at all. For example, if I try a password recovery the procedure rightfully aborts telling me I do not have the right license to do so.


I tried the script you suggested and I only had an error about "Primary Refresh Token (PRT) is not available. Hence SSO will not work, and the device may be blocked if you have a device-based Conditional Access Policy". Perhaps this could be part (or the cause) of the problem. Unfortunately the script fails when I try to collect my logs, so I am still stuck.




Please check whether Users have Set the PIN before the PIN reset policy is applied. In this scenario users need to Reset their PIN first from Settings > Accounts > Sign In options > PIN / Change / I forgot My Pin. Once the PIN is reset the users will be able to use the PIN Reset service from the Login screen.
A logged in user can always start a pin reset (in my windows 11 test pc it worked even without asking me to authenticate myself - weird, even if sso is active). However, even after having changed my pin via that procedure, the "i forgot my pin" link at the login prompt still does not work in my win11 pc, while a windows 10 one prompts for my password (I wish I could authenticate with entra id sso, instead)
Thank you for your suggestion, however.
It may be due to Windows Requirements if the environment is hybrid:
Hybrid Cloud Kerberos - Windows 10 21H2, with KB5010415 and later; Windows 11 21H2, with KB5010414 and later
as per