Reset the passcode on Windows devices using Intune

Important

Windows 10 Mobile and Windows Phone 8.1 support has ended. Windows 10 Mobile and Windows Phone 8.1 enrollments will fail and related apps can no longer be added to Intune. These profile types are being removed from the Intune UI. Devices currently enrolled will stop syncing with the Intune service.

Existing policies and profiles on these platforms are becoming read-only, and can't be changed. You can remove assignments, and then delete the policies and profiles.

If Windows Phone 8.1 or Windows 10 Mobile are being used, we recommend moving to Windows 10 devices. Windows 10 has built-in security and device features that have first-class integration with Microsoft Intune.

You can reset the passcode for Windows devices. The reset passcode feature uses the Microsoft Pin Reset Service to generate a new passcode for devices that run Windows 10 Mobile.

Supported platforms

  • Windows 10 Mobile running Creators Update and later (Azure AD joined).

The following platforms are not supported:

  • Windows
  • iOS
  • macOS
  • Android

Authorize the PIN reset services

To reset the passcode on Windows devices, onboard the PIN reset service to your Intune tenant.

  1. Go to Microsoft PIN Reset Service production, and sign in using the tenant administrator account.

  2. After you have logged in, choose Accept to give consent for the PIN reset service to access your account.

  3. Go to the Microsoft PIN Reset Client production, and sign in using the tenant administrator account.

  4. After you have logged in, choose Accept to give consent for the PIN reset client to access your account.

  5. In the Azure portal, verify that the Microsoft PIN Reset Service and Microsoft PIN Reset Client are integrated from the Enterprise applications (All applications) blade. Filter the Application status drop-down to "Enabled", and confirm that both Microsoft Pin Reset Service Production and Microsoft Pin Reset Client Production are enabled in your tenant.

Note

After you have accepted the PIN reset service and client requests, you may get a "You do not have permission to view this directory or page." message, or it may appear as if nothing happens. This behavior is normal. Be sure to confirm that the two PIN Reset applications are listed for your tenant.

Configure Windows devices to use PIN reset

To configure the PIN reset on the Windows devices you manage, use an Intune Windows 10 custom device policy. Configure the policy using the following Windows policy configuration service provider (CSP):

Use the device policy - ./Device/Vendor/MSFT/PassportForWork/*tenant ID*/Policies/EnablePinRecovery

Replace tenant ID with your Azure AD Directory ID, which is listed in the Properties of Azure Active Directory in the Azure portal.

Set the value for this CSP to True.
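The custom policy above can be created and audited through the Microsoft Graph deviceConfigurations endpoint. The following added example (not code from the Intune documentation) builds the windows10CustomConfiguration body for the EnablePinRecovery OMA-URI, validates that the tenant ID is a directory ID (GUID), and audits an exported profile list for two common mistakes: a profile copied from another tenant (wrong tenant ID in the path) and a profile whose value is not True. The tenant ID and profile list are constructed placeholders.

```python
"""Build and audit the Intune custom profile that enables Windows Hello PIN recovery."""
import json
import urllib.request
from uuid import UUID

# Microsoft Graph v1.0 endpoint for Intune device configuration profiles.
GRAPH = "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations"
# The CSP path from the page; {tenant} is replaced with the Azure AD Directory ID.
OMA_URI = "./Device/Vendor/MSFT/PassportForWork/{tenant}/Policies/EnablePinRecovery"


def build_pin_recovery_profile(tenant_id: str, name: str = "Enable PIN recovery") -> dict:
    """Return the Graph request body for a custom OMA-URI profile setting EnablePinRecovery=True."""
    tenant = str(UUID(tenant_id))  # raises ValueError if this is not a GUID-shaped directory ID
    return {
        "@odata.type": "#microsoft.graph.windows10CustomConfiguration",
        "displayName": name,
        "omaSettings": [{
            "@odata.type": "#microsoft.graph.omaSettingBoolean",
            "displayName": "EnablePinRecovery",
            "omaUri": OMA_URI.format(tenant=tenant),
            "value": True,
        }],
    }


def create_profile(access_token: str, body: dict) -> dict:
    """POST the profile to Graph; the token needs DeviceManagementConfiguration.ReadWrite.All."""
    req = urllib.request.Request(GRAPH, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def audit_pin_recovery(profiles: list, tenant_id: str) -> dict:
    """Classify exported profiles: the CSP path must name this tenant and the value must be True."""
    want = OMA_URI.format(tenant=str(UUID(tenant_id)))
    result = {"ok": [], "wrong_tenant": [], "disabled": []}
    for profile in profiles:
        for setting in profile.get("omaSettings", []):
            uri = setting.get("omaUri", "")
            if not uri.endswith("/Policies/EnablePinRecovery"):
                continue  # unrelated OMA-URI setting
            if uri != want:
                result["wrong_tenant"].append(profile["displayName"])
            elif setting.get("value") is not True:
                result["disabled"].append(profile["displayName"])
            else:
                result["ok"].append(profile["displayName"])
    return result


TENANT = "11111111-2222-3333-4444-555555555555"  # constructed placeholder directory ID
SAMPLE_PROFILES = [  # constructed list shaped like Graph deviceConfigurations output
    build_pin_recovery_profile(TENANT, "PIN recovery - prod"),
    {"displayName": "PIN recovery - copied from lab", "omaSettings": [
        {"omaUri": OMA_URI.format(tenant="99999999-8888-7777-6666-555555555555"), "value": True}]},
    {"displayName": "PIN recovery - off", "omaSettings": [
        {"omaUri": OMA_URI.format(tenant=TENANT), "value": False}]},
]
```

Run the audit against the profiles returned by a GET on the same endpoint to catch a policy that silently never applies because its path names a different tenant.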

Tip

After you create the policy, you assign (or deploy) it to a group. The policy can be assigned to user groups or device groups. If you assign it to a user group, then the group may include users who have other devices, such as iOS/iPadOS. Technically, the policy doesn't apply to those devices, but they are still included in the status details.

Reset the passcode

  1. Sign in to the Microsoft Endpoint Manager admin center.
  2. Select Devices, and then select All devices.
  3. Select the device whose passcode you want to reset. In the device properties, select Reset passcode.
  4. Select Yes to confirm. The passcode is generated, and is displayed in the portal for the next seven days.

Next step

If the passcode reset fails, a link is provided in the portal that provides more details.