PIN recovery, Temporary Access Pass, what can go wrong?

 

It's pretty normal for enterprise users contacting support team for password resets\recovery or perhaps doing it themselves using Self service password reset. However, in a passwordless environment, this can become a bit of a challenge because password will not normally be shared with the end users. If the organization is using Temporary access pass then it can be used for account recovery in general. I wrote a blog about this which you can refer to over here. This in turn should allow the end users to reset the PIN as well. It can be done right from the lockscreen, but the feature needs to be enabled first. If your devices are enrolled in Intune, then you can enable the feature using either the Identity Protection template or Account Protection Endpoint security policy. I am using Identity Protection policy to enable the feature as part of my overall Windows Hello for business configuration. Here is how you can do it.

2. Select Devices > Configuration Policy > Create Policy.
3. Select Platform Windows as Windows 10 and later.
4. Select Profile type as Templates > Identity protection.
5. Provide a Name and Description.
6. Enable PIN recovery along with other available settings as shown below.


Just like Windows Hello for Business works out of the box for AAD devices, I was expecting PIN recovery to work as well. But this is not the case. When you try to recover a PIN, you will encounter errors as shown below.



At this stage, a user will need to be provided with an active TAP which can then be used for PIN reset.


After MFA through TAP is completed, user should be able to reset their PIN, but instead they will see errors similar to the ones below.


As you can see, the error just says that PIN recovery app needs access to a service, but doesn't provide anymore details. Azure sign-in logs at least shows the name of the PIN recovery app which put me on the right track.


What's the fix? Well before you can remotely reset PINs, you must on-board the Microsoft PIN reset service on to your Azure Active Directory tenant, and configure devices you manage. This is because Windows Hello for Business allows two forms of PIN reset, namely destructive and non-destructive. While destructive PIN reset is the default and does not require any additional configuration, non-destructive on the other hand requires both onboarding of Microsoft PIN reset service and client policy to enable the PIN recovery feature. During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is also changed.

I already covered the steps for enabling the client policy for the recovery PIN feature. Now lets see how onboarding of PIN reset service can be done.

1. Access the direct URL Microsoft PIN Reset Service Production website, and sign in using a Global administrator account.

2. Accept to give consent for the PIN reset service as shown below.


3. Now access the direct URL for Microsoft PIN Reset Client Production website, and sign in using the Global administrator account.

4. Accept to give consent for the PIN reset client to access your account.


In my case, after I gave consent for Microsoft PIN Reset Client Production website, nothing happened and the screen turned grey. However, the registration went through as I was able to see the applications listing and enabled under Azure Enterprise Applications.


Once done, verify on the endpoint by running dsregcmd /status whether the PIN recovery policy is enforced or not.


That's about it. After the policies are applied, you should be able to reset the PIN again, as I was.

Comments

Popular posts from this blog

How to force escrowing of BitLocker recovery keys using Intune

Intune: Configure Printers for Non-Administrative Users

Intune: UAC Elevation Prompt Behavior for Standard Users