As IT engineers we often get requests for password resets. The same happens with user PINs. The Microsoft PIN reset service allows Windows 10 users to reset their PIN securely. In this demo I am going to demonstrate how we can enable PIN reset.
Requirements
For this, we need the following,
1. Azure Active Directory
2. Azure AD registered, Azure AD joined, or Hybrid Azure AD joined Windows 10 device with version 1709 or later. (The Microsoft PIN Reset service only works with the Enterprise edition of Windows 10, version 1709 to 1809. From Windows 10 version 1903 onward it works with both the Enterprise and Pro editions.)
In my demo environment, I have a user called Megan Bowen (meganb@M365x620957.onmicrosoft.com). The Windows 10 device she is using is already enrolled with Microsoft Intune.
Enable Microsoft PIN reset service
To enable Microsoft PIN reset service with your Azure AD tenant,
1. Go to the Microsoft PIN reset service page and log in as Global Administrator
2. Then click Accept to grant the requested permissions.
3. Then go to the Microsoft PIN reset client page and log in as Global Administrator
4. Then click Accept to grant the requested permissions.
5. This enables the Microsoft PIN reset service and the Microsoft PIN reset client. To verify, go to Azure Active Directory | Enterprise applications | All applications and check that Microsoft Pin Reset Client Production and Microsoft Pin Reset Service Production appear in the list.
Create Intune Configuration profile
The next step of the configuration is to create an Intune configuration profile. To do that,
1. Log in to Microsoft Endpoint Manager admin center (https://endpoint.microsoft.com/) as Global Administrator
2. Go to Devices | Configuration Profiles
3. Then click on + Create profile
4. In the new profile window, select Windows 10 or later as platform and Custom as profile. Then click Create.
5. In the new window, provide a name for the profile and then click on Add in the OMA-URI Settings section.
6. For OMA-URI Settings use the following values,
Name : Win10 PIN Reset
OMA-URI : ./Device/Vendor/MSFT/PassportForWork/TenantID/Policies/EnablePinRecovery ( Replace TenantID with the Azure Active Directory Directory ID value )
Data Type : Boolean
Value : True
Once settings are in, click on OK.
7. Then click OK again in OMA-URI Settings.
8. To complete the profile setup, click on Create.
9. Once the profile is created, go to Assignments | Select groups to include and then select the target.
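The part of this profile that most often goes wrong is step 6: the literal TenantID placeholder has to be replaced with the tenant's Directory ID (a GUID), not with the tenant's domain name. The following Python script is an added example, not code from the original post or from Microsoft; it builds the OMA-URI with the tenant ID validated as a GUID, assembles the same single Boolean setting as a Microsoft Graph custom-profile body (the `#microsoft.graph.windows10CustomConfiguration` and `#microsoft.graph.omaSettingBoolean` type names are assumed from the Graph API and are not on the page), and applies the edition/version rule from the Requirements section so a device can be checked before the profile is assigned. The tenant ID used is a constructed sample value.

```python
import json
import uuid

# Constructed sample tenant ID (not a real tenant). Replace it with the
# Directory ID shown under Azure Active Directory | Properties.
SAMPLE_TENANT_ID = "11111111-2222-3333-4444-555555555555"

# OMA-URI from the post, with TenantID as the placeholder to substitute.
OMA_URI_TEMPLATE = (
    "./Device/Vendor/MSFT/PassportForWork/{tenant_id}/Policies/EnablePinRecovery"
)


def is_directory_id(value: str) -> bool:
    """True only if the value parses as a GUID (the Directory ID format).

    A leftover 'TenantID' placeholder or a domain such as
    contoso.onmicrosoft.com is rejected, which is the usual mistake.
    """
    try:
        uuid.UUID(value)
    except (ValueError, AttributeError, TypeError):
        return False
    return True


def pin_reset_oma_uri(tenant_id: str) -> str:
    """Return the EnablePinRecovery OMA-URI for one tenant.

    Braced ({...}) or un-hyphenated GUID forms are accepted and normalised
    to the lowercase hyphenated form before substitution.
    """
    if not is_directory_id(tenant_id):
        raise ValueError(
            f"tenant ID must be the Directory ID GUID, got {tenant_id!r}"
        )
    return OMA_URI_TEMPLATE.format(tenant_id=str(uuid.UUID(tenant_id)))


def pin_reset_profile(
    tenant_id: str, name: str = "Win10 PIN Reset", enabled: bool = True
) -> dict:
    """Build the custom configuration profile body with the one Boolean
    OMA-URI setting from the post (Name, OMA-URI, Data Type, Value).

    The @odata.type values are assumed Microsoft Graph type names for a
    Windows 10 custom profile; they are not taken from the post.
    """
    return {
        "@odata.type": "#microsoft.graph.windows10CustomConfiguration",
        "displayName": name,
        "description": "Enable PIN recovery via the Microsoft PIN Reset service",
        "omaSettings": [
            {
                "@odata.type": "#microsoft.graph.omaSettingBoolean",
                "displayName": name,
                "omaUri": pin_reset_oma_uri(tenant_id),
                "value": enabled,
            }
        ],
    }


def edition_supported(edition: str, version: int) -> bool:
    """Apply the support rule from the Requirements section:
    1709 to 1809 need Enterprise; 1903 and newer allow Enterprise or Pro;
    anything older than 1709 is unsupported."""
    edition = edition.strip().lower()
    if version < 1709:
        return False
    if version < 1903:
        return edition == "enterprise"
    return edition in ("enterprise", "pro")


if __name__ == "__main__":
    # Print the profile body that would be posted to Graph for the sample tenant.
    print(json.dumps(pin_reset_profile(SAMPLE_TENANT_ID), indent=2))
    print("Pro 1809 supported:", edition_supported("Pro", 1809))
```

The profile body printed by the script is what the portal steps above produce by hand; if you automate the creation, the value to check before submitting is that the omaUri no longer contains the word TenantID and that the GUID in it matches the tenant the profile is assigned in.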
This completes the setup process. It is time for testing.
Testing
For testing, I am trying to log in as Megan, but I am going to reset the PIN. To do that I click on the Forgot my PIN option.
Then it loads up a new window, in which I have to use my account credentials.
After that, the system sends a notification to the mobile app to complete the MFA.
Then a new page opens up with a warning about the PIN reset. Click on Continue.
The system prompts for a new PIN; provide the new PIN and click on OK.
This completes the PIN reset process and now I can log in with the new PIN.
As we can see, I was able to reset the PIN on a Windows 10 device successfully.
This marks the end of this blog post. I hope now you have a better understanding of how to enable the Microsoft PIN reset service for Intune-managed Windows 10 devices. If you have any further questions about this feel free to contact me on rebeladm@live.com and also follow me on Twitter @rebeladm to get updates about new blog posts.