Recently I have been troubleshooting a nasty Windows Hello for Business problem that prevented all users in a tenant from resetting their Windows Hello for Business PINs on Azure AD joined devices: every attempt ended with error CAA20004.
Issue
When clicking 'I forgot my PIN' on the sign-in screen:
After completing the account sign-in and the MFA challenge, error CAA20004 came up:
Troubleshooting
The Azure AD portal only shows 'Failure reason: other', which does not help at all.
Recording the HTTPS traffic to Microsoft's OAuth2 endpoint with Fiddler finally revealed something usable:
AADSTS65001: The user or administrator has not consented to use the application with ID '9115dd05-fad5-4f9c-acc7-305d08b1b04e' named 'Microsoft Pin Reset Client Production'. Send an interactive authorization request for this user and resource.
AADSTS65001 means that nobody in this tenant has consented to the application yet. Without consent Azure AD never creates the service principal for 'Microsoft Pin Reset Client Production', so the app does not appear under the tenant's enterprise applications and the PIN reset flow cannot obtain a token for it.
Solution
A short search turned up the matching Microsoft docs article. Instead of working through the whole article, the only thing I needed to do was to consent to the 'Microsoft PIN Reset Service production' application and to the 'Microsoft PIN Reset Client production' application
(just click the consent links in the article for both app registrations) as a tenant admin. In some tenants, however, I have only seen the 'Microsoft PIN Reset Service production' application, and PIN resets work there without the 'Microsoft PIN Reset Client production' one.
After consenting, the 'Microsoft Pin Reset Client Production' application shows up under the registered enterprise applications in Azure AD:
… and resetting Windows Hello for Business PINs is possible from now on and works like a charm.
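To check this from the admin side before sending users to the sign-in screen, the following script (an added example, not part of the original post or of Microsoft's documentation) lists the PIN reset service principals in the tenant and prints the tenant-wide admin consent URL for any that are missing. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account may read service principals. The client app ID is the one quoted in the AADSTS65001 error above; the service app ID is not on this page, so it is left as a parameter to be copied from the Microsoft docs article. The tenant name is a placeholder.

```powershell
# Added example (not from the original post): verify consent for the two
# Windows Hello for Business PIN reset applications via Microsoft Graph.
# Assumes the Microsoft.Graph PowerShell SDK and the Application.Read.All scope.
param(
    [string]$TenantId     = 'contoso.onmicrosoft.com',  # assumption: replace with your tenant ID or domain
    [string]$ServiceAppId = ''                           # assumption: fill in from the Microsoft docs article
)

# App IDs the PIN reset flow needs consent for. The client ID is taken from
# the AADSTS65001 error; the service ID must be supplied by the caller.
$expected = [ordered]@{
    'Microsoft PIN Reset Client Production'  = '9115dd05-fad5-4f9c-acc7-305d08b1b04e'
    'Microsoft PIN Reset Service Production' = $ServiceAppId
}

Connect-MgGraph -Scopes 'Application.Read.All'

# Consented applications exist as service principals (enterprise applications)
# in the tenant; an app without consent has no service principal at all.
$present = Get-MgServicePrincipal -Filter "startswith(displayName,'Microsoft Pin Reset')" -All
$present | Select-Object DisplayName, AppId, Id | Format-Table -AutoSize

foreach ($name in $expected.Keys) {
    $appId = $expected[$name]
    if (-not $appId) {
        Write-Warning "$name - no app ID configured, skipping the lookup"
        continue
    }
    if ($present.AppId -contains $appId) {
        Write-Host "OK       $name ($appId)"
    } else {
        # This is the admin-side view of AADSTS65001: no service principal, no consent.
        Write-Warning "MISSING  $name ($appId)"
        Write-Host   "Grant tenant-wide admin consent (as a Global Administrator) at:"
        Write-Host   "  https://login.microsoftonline.com/$TenantId/adminconsent?client_id=$appId"
    }
}
```

Run it once before and once after consenting; the second run should list both applications. Given the observation above that some tenants work with only the service application registered, treat a missing client application as the most likely cause of CAA20004 rather than a certain one, and confirm with a test PIN reset.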
Final words
Did you encounter the same difficulties? Or do you know why some tenants only have the 'Microsoft PIN Reset Service production' and not the 'Microsoft PIN Reset Client production' registered? I am curious to read your experiences in the comments.