[Image: Windows 11 - I Forgot My PIN]

Windows Hello for Business PIN Reset Client / Service Production applications are not working as expected: PIN reset is not working on Hybrid Joined devices.

If you are trying to deploy the applications published by Microsoft to enable PIN reset from the lock screen on your Entra ID Joined / Entra Hybrid Joined devices, you are probably reading this article:

https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/pin-reset?tabs=intune

Following the guide to enable PIN reset, you need to register two applications:

Microsoft PIN Reset Service Production website

and

Microsoft PIN Reset Client Production website

After logging in you see the prompts published in the article, but at the next step you get an error about the Reply URL for the Service Production website and a "white" screen for the Client Production website.

That doesn't mean the apps are not deployed, but they are not deployed as they should be.

Some information and permissions are missing.

The next step is to go to the apps and grant admin consent. Even if you don't see any permissions listed underneath, click Grant admin consent and wait 2-5 minutes. After approximately 5 minutes the permissions will appear and the apps will be ready to be used.

For reference, here are the IDs of the correct apps:

Microsoft Pin Reset Client Production application

Microsoft Pin Reset Service Production application

This is the result; notice that only one of them has a Homepage URL:

[Image: Pin reset snip]

Now retry resetting the PIN from the lock screen on your devices.

Don't forget to exclude these two enterprise apps from any Conditional Access policies that enforce MFA (if you have policies with all apps selected, exclude only these two), as they seem to interfere with the process and are totally unnecessary since MFA is enforced either way.
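
To confirm both fixes above (admin consent applied, and no MFA policy still covering the two apps), a read-only check with the Microsoft Graph PowerShell SDK can be run. This is an added example, not part of the original article or Microsoft's guide; it assumes the enterprise apps' display names in your tenant match the names used in this post.

```powershell
# Added example: read-only audit of the two PIN reset enterprise apps.
# Requires the Microsoft.Graph PowerShell module.
# Assumption: these display names match the enterprise apps in your tenant.
$appNames = 'Microsoft Pin Reset Service Production',
            'Microsoft Pin Reset Client Production'

Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All', 'Policy.Read.All'

# 1. Is each app present, and have tenant-wide permissions appeared after consent?
$report = foreach ($name in $appNames) {
    $found = @(Get-MgServicePrincipal -Filter "displayName eq '$name'")
    if ($found.Count -eq 0) { Write-Warning "'$name' is not registered in this tenant" }
    foreach ($sp in $found) {
        # Delegated permissions granted for all users (admin consent)
        $delegated = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" |
            Where-Object ConsentType -eq 'AllPrincipals'
        # Application permissions (app role assignments), if any
        $appRoles = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id)
        [pscustomobject]@{
            Name            = $sp.DisplayName
            AppId           = $sp.AppId
            Homepage        = $sp.Homepage
            DelegatedScopes = (@($delegated.Scope) -join ' ').Trim()
            AppRoleCount    = $appRoles.Count
        }
    }
}
$report | Format-Table -AutoSize

# 2. Enabled Conditional Access policies that require MFA and still apply to the apps.
#    Only the built-in 'mfa' grant control is checked; policies that enforce MFA
#    through an authentication strength need a separate look.
foreach ($policy in (Get-MgIdentityConditionalAccessPolicy -All)) {
    if ($policy.State -ne 'enabled') { continue }
    if ($policy.GrantControls.BuiltInControls -notcontains 'mfa') { continue }
    $apps = $policy.Conditions.Applications
    foreach ($app in $report) {
        $included = ($apps.IncludeApplications -contains 'All') -or
                    ($apps.IncludeApplications -contains $app.AppId)
        $excluded = $apps.ExcludeApplications -contains $app.AppId
        if ($included -and -not $excluded) {
            Write-Output "Policy '$($policy.DisplayName)' still enforces MFA on $($app.Name)"
        }
    }
}
```

An empty `DelegatedScopes` column together with `AppRoleCount` of 0 means the consent has not taken effect yet; no output from the second part means no enabled built-in MFA policy still covers either app.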

In my tests on Windows 10 it works perfectly fine, but on Windows 11 the Forgot My PIN button does nothing. I read this is a known behavior, and to work around it you need to follow these steps:

  • Choose "Other User"
  • Switch to PIN code
  • Enter the username of the user (without @domain.com)
  • Finally, click on PIN Reset

This will guide you to start the PIN reset process by entering your password first etc.