Recently I have been troubleshooting a nasty Windows Hello for Business problem which prevented all users in a tenant from resetting their Windows Hello for Business PINs on Azure AD joined devices: every attempt failed with the error CAA20004.
In my setup, Windows Hello for Business is working and PIN Reset is working as well. My question was: if users need to reset their PIN, they need their password, while as per the article we do not want users to know/have their passwords (by using SCRIL etc.). I can't reset my Windows Hello PIN. I DO NOT have the option to 'Remove' the PIN in the 'Sign-in Options' settings. I have tried to reset the passcode on the lock screen, but it doesn't work either because my domain credentials aren't tied to the passcode portion. I have removed my fingerprint and the .DAT file associated with it.
When clicking on “I forgot my PIN”:
After completing the account sign-in and MFA challenge the Error CAA20004 came up:
The Azure AD Portal shows us “Failure reason: other”.
Recording all the HTTPS traffic to Microsoft's OAuth2 endpoint with Fiddler finally unveiled usable information:
AADSTS65001: The user or administrator has not consented to use the application with ID ‘ 9115dd05-fad5-4f9c-acc7-305d08b1b04e’ named ‘ Microsoft Pin Reset Client Production’. Send an interactive authorization request for this user and resource.
The error indicates that the application registration (service principal) for “Microsoft Pin Reset Client Production” is missing in the tenant, i.e. admin consent has never been granted for it.
After a short search I found a matching Microsoft docs article. Instead of reading through the whole article, the only thing I needed to do was to consent, as tenant admin, to the Microsoft PIN Reset Service production application and also to the Microsoft PIN Reset Client production application (just click on the links in the article in order to consent to the app registrations). Although in some tenants I have only seen the “Microsoft PIN Reset Service production” registered, and PIN resets are working there without the “Microsoft PIN Reset Client production”.
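Before clicking through consent links, it is useful to check which of the two PIN Reset service principals a tenant actually has. The script below is an added example, not code from the original post or from Microsoft; it uses the Microsoft Graph PowerShell SDK (`Connect-MgGraph`, `Get-MgServicePrincipal`). The application ID of the Client application is the one quoted in the AADSTS65001 error above; the Service application's ID is not on this page, so it is left as a placeholder to be filled in from the Microsoft docs article.

```powershell
# Added example: report whether the PIN Reset applications are consented in this tenant.
# Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph.Applications).

# Application (client) IDs to look for.
# - The Client ID is the one from the AADSTS65001 error message on this page.
# - The Service ID is NOT on this page: replace the placeholder with the value
#   from the Microsoft docs PIN reset article before running.
$pinResetApps = [ordered]@{
    'Microsoft Pin Reset Client Production'  = '9115dd05-fad5-4f9c-acc7-305d08b1b04e'
    'Microsoft PIN Reset Service Production' = '<APP-ID-FROM-MICROSOFT-DOCS>'
}

# A read-only scope is sufficient to enumerate service principals.
Connect-MgGraph -Scopes 'Application.Read.All'

$missing = @()
foreach ($entry in $pinResetApps.GetEnumerator()) {
    $name  = $entry.Key
    $appId = $entry.Value

    if ($appId -like '<*') {
        Write-Warning "Skipping '$name': fill in its application ID first."
        continue
    }

    # A service principal with this appId exists in the tenant only after
    # consent has been granted for the application.
    $sp = Get-MgServicePrincipal -Filter "appId eq '$appId'" -ErrorAction SilentlyContinue

    if ($sp) {
        Write-Host ("OK       {0}  (object id {1}, enabled: {2})" -f $name, $sp.Id, $sp.AccountEnabled)
    }
    else {
        Write-Host ("MISSING  {0}  ({1}) - consent not granted; PIN reset may fail with AADSTS65001 / CAA20004" -f $name, $appId)
        $missing += $name
    }
}

if ($missing.Count -eq 0) {
    Write-Host 'All checked PIN Reset applications are consented in this tenant.'
}
else {
    Write-Host 'Grant tenant-admin consent for the missing application(s) via the links in the Microsoft docs article, then re-run this check.'
}

Disconnect-MgGraph | Out-Null
```

Run it with a Global Administrator or Application Administrator account in the affected tenant; a `MISSING` line for the Client application matches the symptom described in this post, while an `OK` line with `enabled: False` points at a disabled service principal rather than a missing consent.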
After granting consent, the “Microsoft Pin Reset Client Production” application was visible among the registered enterprise applications in Azure AD:
… and resetting Windows Hello for Business PINs is possible from now on and works like a charm.
Did you encounter the same difficulties? Or do you know why some tenants only have the “Microsoft PIN Reset Service production” and not the “Microsoft PIN Reset Client production” registered? I am curious to read your experiences in the comments.