    Troubleshooting Windows Hello for Business PIN Reset Issues – Something went wrong

    By Eswar Koneti, March 06, 9:48 pm, Azure Active Directory

    Introduction:

    Windows Hello for Business is a game-changer for enterprise security, offering a seamless and secure way to authenticate users on Windows devices. It replaces traditional passwords with biometric authentication (like facial recognition or fingerprint scanning) and a backup PIN. This PIN acts as a secondary authentication method, ensuring users can still access their devices even if biometrics fail or aren’t available.

    While Windows Hello for Business enhances security and simplifies the login process, it’s not without its challenges. One such issue I recently encountered involves the PIN reset functionality. Specifically, when users attempt to reset their PIN from the Windows logon screen, the process fails to initiate. This blog post dives into the problem, its root causes, and the steps I took to resolve it—including registry key modifications that might help others facing similar issues.

    Understanding Windows Hello for Business:

    Before diving into the issue, let’s briefly recap what Windows Hello for Business is and why it’s important.

    • Windows Hello: A user-friendly authentication method that allows users to sign in using biometrics (face, fingerprint) or a PIN. It’s designed to be phishing-resistant and includes brute force protection.

    • Windows Hello for Business: An enterprise-grade version of Windows Hello that adds advanced security features like device attestation, certificate-based authentication, and integration with Microsoft Entra ID (formerly Azure AD). It also supports conditional access policies, ensuring devices meet organizational security requirements.

    For more details, check out the Microsoft documentation Windows Hello for Business overview.

    For how primary and secondary authentication work in Microsoft Entra ID, see Authentication methods and features - Microsoft Entra ID | Microsoft Learn.


    The Issue: PIN Reset Failure at the Logon Screen (Logged-off State) with the Error Message “Something went wrong”

    During a recent rollout of Windows Hello for Business (using the cloud trust type), I configured an Intune policy with Windows Hello settings along with PIN reset functionality. This policy was deployed to both Hybrid Azure AD-joined and Entra ID-joined devices. While the initial setup worked flawlessly, I noticed a critical issue: the PIN reset feature didn’t work at the Windows logon screen.


    When users clicked “I forgot my PIN” (on hybrid devices), they were prompted to enter their password to verify their identity, and then the device simply returned to the lock screen. No pop-up appeared to guide the user through the PIN reset process. (The PIN reset process differs between hybrid-joined and Entra-joined devices.)

    Interestingly, the PIN reset functionality worked perfectly when accessed after signing in to Windows, via Settings > Accounts > Sign-in options. This inconsistency prompted me to investigate further.

    Root Cause and Investigation:

    After extensive testing and research, I discovered that the issue arises from certain general or known limitations that affect both Hybrid and Entra-joined devices. These limitations are documented in Microsoft’s official article: Self-Service Password Reset (SSPR) for Windows devices.


    The problem arises because some of the settings required for PIN reset conflict with device OS hardening policies. These policies are often implemented to enhance security but can inadvertently block legitimate functionality like PIN reset.

    Registry Keys and Fixes:

    To resolve the issue, I had to modify specific registry keys on the affected devices. Below are the registry changes that fixed the problem for both Hybrid Azure AD-joined and Entra ID-joined devices:

    For Hybrid Azure AD-Joined Devices:

    1. HideFastUserSwitching
      • Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
      • Value: 1 (Enabled)

    2. DontDisplayLastUserName
      • Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
      • Value: 1 (Enabled)

    3. DisableLockScreenAppNotifications
      • Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System
      • Value: 1 (Enabled)

    For Entra ID-Joined Devices:

    1. HideFastUserSwitching
      • Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
      • Value: 1 (Enabled)

    2. DontDisplayLastUserName
      • Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
      • Value: 1 (Enabled)

    After the changes are applied, users can reset the PIN at the device logon screen (logged-off state).


    You can validate these settings, along with the other limitations documented in the Microsoft article, to address the PIN reset issue. If, after validating these changes, the problem persists, further investigation will be necessary to identify underlying causes.
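    To make that validation repeatable across a fleet, here is an added example script (mine, not part of the original post) that reads the registry values listed above for a given join type and reports which ones deviate from the expected value. It is read-only and changes nothing; the `-ExpectedValue` parameter defaults to the value given in the table above, and the comparison value should be confirmed against the Microsoft SSPR limitations article before a mismatch is treated as the cause. The parameter names and the exit-code convention are my own choices.

```powershell
# Added example: audit the registry values the post lists for PIN reset from the logon screen.
# Read-only. Run in an elevated PowerShell session, e.g. .\Test-WhfbPinResetKeys.ps1 -JoinType Hybrid
[CmdletBinding()]
param(
    [ValidateSet('Hybrid', 'EntraJoined')]
    [string]$JoinType = 'Hybrid',

    # Defaults to the value given in the post's table; verify against the Microsoft article.
    [int]$ExpectedValue = 1
)

$policySystem = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$winSystem    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

# The DWORD values the post lists, and which join types each applies to
$checks = @(
    [pscustomobject]@{ Name = 'HideFastUserSwitching';              Path = $policySystem; JoinTypes = @('Hybrid', 'EntraJoined') }
    [pscustomobject]@{ Name = 'DontDisplayLastUserName';            Path = $policySystem; JoinTypes = @('Hybrid', 'EntraJoined') }
    [pscustomobject]@{ Name = 'DisableLockScreenAppNotifications';  Path = $winSystem;    JoinTypes = @('Hybrid') }
)

function Get-RegistryDwordOrNull {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent, so "not configured" is distinguishable from 0 or 1
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

$results = foreach ($check in $checks | Where-Object { $_.JoinTypes -contains $JoinType }) {
    $current = Get-RegistryDwordOrNull -Path $check.Path -Name $check.Name

    if ($null -eq $current) { $display = 'Not configured' } else { $display = $current }
    if ($current -eq $ExpectedValue) { $status = 'OK' } else { $status = 'MISMATCH' }

    [pscustomobject]@{
        Setting  = $check.Name
        Path     = $check.Path
        Current  = $display
        Expected = $ExpectedValue
        Status   = $status
    }
}

$results | Format-Table -AutoSize

# Non-zero exit code when anything deviates, so the script can serve as a detection step
# in an Intune remediation (detect only; remediation is left to the admin's own script)
if ($results.Status -contains 'MISMATCH') { exit 1 } else { exit 0 }
```

    Because the script only reports, it can be run safely on a device that is still failing to narrow the problem down to these three values before looking at the other limitations in the Microsoft article.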

    I hope this blog post is helpful.

    4 Comments

    1. Brian on June 13, 2025 6:53 PM

      Great blogpost, we had exactly the same issue. We had two parameters "enabled" that broke the PIN reset functionality. Disabling both of these resolved the issue.

      Reply
    2. Achilles007 on May 1, 2025 2:27 PM

      Hi, it is not working on our Hybrid Azure AD-joined devices, but it works for Entra ID-joined devices. Are there any settings I need to look for? Thanks.

      Reply
      • Eswar Koneti on June 30, 2025 9:43 PM

        Hi,
        Sorry for the delayed response.
        Have you looked at the MS blog post with limitations https://learn.microsoft.com/en-us/entra/identity/authentication/howto-sspr-windows#general-limitations?
        This has worked for me with all blockers.

        Have you got this working? If so, what was the fix?
        Thanks,
        Eswar

        Reply
    3. jeffreyng51c8f2fe67 on April 24, 2025 5:37 PM

      Thanks. I believe the value should be 0 rather than 1.

      Reply

    © Copyright 2009-2025 Eswar Koneti, All rights reserved.