Reset the passcode on Windows devices using Intune

You can reset the passcode for Windows devices. The reset passcode feature uses the Microsoft Pin Reset Service to generate a new passcode for devices that run Windows 10 Mobile.

Supported platforms

  • Windows 10 Mobile running Creators Update and later (Azure AD joined).

The following platforms are not supported:

  • Windows
  • iOS
  • macOS
  • Android

Authorize the PIN reset services

To reset the passcode on Windows devices, onboard the PIN reset service to your Intune tenant.

  1. Go to Microsoft PIN Reset Service production, and sign in using the tenant administrator account.
  2. Accept consent for the PIN reset service to access your account.
  3. Go to Microsoft PIN Reset Client production, and sign in using the tenant administrator account. Accept consent for the PIN reset client to access your account.
  4. In the Azure portal, confirm that the PIN reset services are listed in Enterprise applications (All applications).


After you Accept the PIN reset requests, you may get a Page not found message, or it may appear as if nothing happens. This behavior is normal. Be sure to confirm that the two PIN Reset applications are listed for your tenant.

Configure Windows devices to use PIN reset

To configure the PIN reset on the Windows devices you manage, use an Intune Windows 10 custom device policy. Configure the policy using the following Windows policy configuration service provider (CSP):

Use the device policy - ./Device/Vendor/MSFT/PassportForWork/*tenant ID*/Policies/EnablePinRecovery

Replace tenant ID with your Azure AD Directory ID, which is listed in the Properties of Azure Active Directory in the Azure portal.

Set the value for this CSP to True.
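The following added example (not part of the original page or Microsoft's own code) builds the OMA-URI for this CSP from a validated Directory ID and audits an existing setting for the two common mistakes: a wrong or placeholder tenant ID, and a value that is not the Boolean true. It assumes the custom policy is represented as a Microsoft Graph windows10CustomConfiguration body; the profile name and the sample Directory ID are constructed.

```python
import json
import uuid

# CSP node from this page; {tenant_id} is the Azure AD Directory ID.
CSP_TEMPLATE = "./Device/Vendor/MSFT/PassportForWork/{tenant_id}/Policies/EnablePinRecovery"


def normalize_tenant_id(raw):
    """Return the Directory ID as a canonical lowercase GUID or raise ValueError."""
    candidate = raw.strip().strip("{}").lower()
    try:
        canonical = str(uuid.UUID(candidate))
    except ValueError:
        raise ValueError(f"not a Directory ID (GUID): {raw!r}") from None
    # uuid.UUID also accepts unhyphenated and urn: forms; require the portal's format.
    if canonical != candidate:
        raise ValueError(f"Directory ID must be a hyphenated GUID: {raw!r}")
    return canonical


def build_pin_recovery_policy(tenant_id, display_name="Enable PIN recovery"):
    """Build a Graph windows10CustomConfiguration body (creating it via Graph is an assumption)."""
    return {
        "@odata.type": "#microsoft.graph.windows10CustomConfiguration",
        "displayName": display_name,  # hypothetical profile name
        "omaSettings": [{
            "@odata.type": "#microsoft.graph.omaSettingBoolean",
            "displayName": "EnablePinRecovery",
            "omaUri": CSP_TEMPLATE.format(tenant_id=normalize_tenant_id(tenant_id)),
            "value": True,
        }],
    }


def audit_setting(setting, tenant_id):
    """List the problems in one existing OMA-URI setting; an empty list means it is correct."""
    problems = []
    expected = CSP_TEMPLATE.format(tenant_id=normalize_tenant_id(tenant_id))
    if setting.get("omaUri") != expected:
        problems.append("omaUri does not target this tenant's EnablePinRecovery node")
    if setting.get("value") is not True:
        problems.append("value must be the Boolean true, not a string or false")
    return problems


if __name__ == "__main__":
    tenant = "11111111-2222-3333-4444-555555555555"  # constructed sample Directory ID
    print(json.dumps(build_pin_recovery_policy(tenant), indent=2))
```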


After you create the policy, you assign (or deploy) it to a group. The policy can be assigned to user groups or device groups. If you assign it to a user group, then the group may include users who have other devices, such as iOS. Technically, the policy doesn't apply, but these devices are still included in the status details.

Reset the passcode

  1. Sign in to the Microsoft Endpoint Manager Admin Center.
  2. Select Devices, and then select All devices.
  3. Select the device whose passcode you want to reset. In the device properties, select Reset passcode.
  4. Select Yes to confirm. The passcode is generated, and is displayed in the portal for the next seven days.

Next step

If the passcode reset fails, the portal provides a link with more details.