Windows Hello for Business is working just fine.  Non-destructive PIN reset is not...at least not as I would expect.  If a user cannot sign into Windows because he has forgotten his PIN, there is an 'I forgot my PIN' link.  If he clicks on it, he is prompted for his password.  I would expect he'd be prompted to provide his MFA credentials instead since we're moving toward a world without passwords.  What if hte user has also forgotten his password?  What's the benefit of having self-service PIN reset above the lock screen if all the user has to do is sign in with his password instead, then reset his PIN in Windows settings?  This CANNOT be the way this feature is designed to work, can it?