Windows-itpro-docs: Windows Hello, SCRIL and Pin Reset Issue

Created on 18 Oct 2019 · 7 Comments · Source: MicrosoftDocs/windows-itpro-docs

Hi

We are trialing Windows Hello for Business with the goal of disabling passwords completely, restricting users to logging in via Windows Hello (by enabling "Smart card is required for interactive logon") and removing the password credential provider.

One thing we are struggling with is how admins can reset the PIN if users forget their PIN. Right now, if we enable the PIN reset option for users and a user tries to reset the PIN, the reset screen asks for the user's password to verify their identity, but we have disabled the password credentials and, by enabling the "smart card is required" option in user profiles, Active Directory changes the affected user's password to a random 128 bits of data, so there is no password anymore.

In short, by enabling SCRIL and forcing users to log in via smart card/Windows Hello only, how can admins/users reset their PIN if forgotten?



All 7 comments

@officedocsbot assign @jvsam

Hi again @iffarrukh, this issue is a duplicate of #5211; however, this documentation is more relevant to your issue compared to the other one. Adding my reply here and closing #5211.


Hello @iffarrukh, have you tried the recommendation on the doc to generate a new random 128-bit password?

Although a SCRIL user's password never expires in early domains, you can toggle the SCRIL configuration on a user account (clear the check box, save the settings, select the check box and save the settings) to generate a new random 128-bit password.

As for the PIN Reset Service, there are some requirements that you need to meet for it to work correctly. Have you looked at the Windows Hello for Business deployment guide to re-check your implementation? If you are using Azure AD, please look at the Passwordless scenarios here, specifically the one where "User manages their Windows Hello for Business credentials."

For further troubleshooting, it will be best to open a service/support ticket. There are also other support resources that you can explore like the Microsoft Tech Community or the Technet forums where you can post your question and get help from the community.

Kindly keep us informed if you find any relevant information that can be incorporated into this documentation and we will submit it for review. We always strive to give users the best Windows 10 experience by ensuring that contents of the Microsoft Docs are useful, accurate and up-to-date.

Thank you.
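The SCRIL toggle described in the reply above (clear the check box, save, select it again, save), as an added PowerShell example that is not part of the thread or the Microsoft docs. It assumes the ActiveDirectory RSAT module, rights to modify the target account, and a placeholder account name; the function refuses to touch accounts that are not already SCRIL-enabled and reports whether PasswordLastSet moved, which is the evidence that a new random password was generated.

```powershell
# Added example: rotate the random SCRIL password of one AD user by clearing and
# re-setting "Smart card is required for interactive logon" via Set-ADUser.
# Assumes: ActiveDirectory module (RSAT), write rights on the account.
Import-Module ActiveDirectory

function Reset-ScrilPassword {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # sAMAccountName, distinguished name or objectGUID of the user (placeholder input)
        [Parameter(Mandatory)] [string] $Identity
    )

    $before = Get-ADUser -Identity $Identity -Properties SmartcardLogonRequired, PasswordLastSet
    if (-not $before.SmartcardLogonRequired) {
        # Only rotate accounts already locked to smart card / Windows Hello logon;
        # toggling a password-based account would silently invalidate its real password.
        throw "$Identity is not configured for SCRIL; nothing to rotate."
    }

    if ($PSCmdlet.ShouldProcess($Identity, 'Clear and re-set SCRIL to generate a new random password')) {
        # Clearing the flag briefly re-enables password logon; re-setting it makes the
        # domain controller replace the password with a new random 128-bit value.
        Set-ADUser -Identity $Identity -SmartcardLogonRequired $false
        Set-ADUser -Identity $Identity -SmartcardLogonRequired $true

        $after = Get-ADUser -Identity $Identity -Properties SmartcardLogonRequired, PasswordLastSet
        [pscustomobject]@{
            Identity        = $Identity
            ScrilStillSet   = $after.SmartcardLogonRequired          # must be $true afterwards
            PasswordLastSet = $after.PasswordLastSet
            PasswordRotated = $after.PasswordLastSet -gt $before.PasswordLastSet
        }
    }
}

# Usage with a placeholder account; -WhatIf previews the change without writing to AD.
Reset-ScrilPassword -Identity 'jdoe' -WhatIf
Reset-ScrilPassword -Identity 'jdoe'
```

Run both Set-ADUser calls against the same domain controller (add -Server to each if your session does not already pin one) so the flag transition is observed by a single DC.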

@iffarrukh : You may also want to check out external pages describing related scenarios, like this page:

Consider using web search to look for more SCRIL documentation like this, but please be aware that a small amount of search hits may be fake pages trying to trap any visitor, due to hidden security-related metadata text in those pages.

Hi

Thanks for the info, but I think I was not clear about the problem.

In my setup, Windows Hello for Business is working and PIN Reset is working as well.

My question was: if a user needs to reset their PIN, the user needs their password, while as per the article we do not want users to know/have their passwords (by using SCRIL etc.).

So how can users reset their PIN on their Windows 10 workstations without knowing their password?

Fair enough, thank you for clarifying your question.

I am not an expert on this topic, but from an IT support viewpoint, it looks like the user will be stuck in that situation, because if there was an easy reset method without using a known password login, it could too easily be exploited by anyone, making the security measures close to redundant. Furthermore, I would expect the user to get help from their IT department when that happens, because you should not be able to let anyone with a forgotten PIN and without any known login information be able to gain access to the device. From a security viewpoint, I don't see a need to make it easier to gain illegal access.

You may want more feedback from someone like the author of the documentation page or someone else with equal knowledge about this topic to have a definitive answer to your question.


edit: A possible workaround could be to use biometric devices (fingerprint reader, face recognition, eye scanner etc.) connected to Windows Hello for Business, but I presume that is one step beyond your scenario.

Thanks for the comments.

But I disagree, as today we can reset your on-premises Active Directory password (with Office 365 and SSPR) using secret questions and MFA. And I think that might be applicable to Windows 10 in future, but we will see.

Thanks for all your help.

Hi @iffarrukh, I also encourage you to submit this on UserVoice. This way, your feedback goes directly to the Microsoft product team and I assure you, they would love to hear what you think. If there's already a request, suggestion or feedback similar to yours, you can add your vote to the request. Thank you.
