I replaced the computer with a newer generation, and since I wanted to wipe all the data on the drive like I usually do (I usually follow the steps blindly while resetting Windows by restarting the computer while holding the Shift key), but now after the reset of this laptop it rebooted and asked me to insert a bootable drive and to disconnect all unbootable drives/devices.
For information: I do not know whether the OS installed came from the upgrade from Windows 8.1 to Windows 10 or from a Windows 10 Pro product key, which would surprise me since we do not have Windows installation discs or devices.
Download the Media Creation Tool, create the media on a DVD or thumb drive, install the OS, click SKIP when asked for the key. It will automatically activate if Windows 10 was previously on that system.
When nondestructive PIN reset is enabled on a client, a 256-bit AES key is generated locally. The key is added to a user's Windows Hello for Business container and keys as the PIN reset protector. This PIN reset protector is encrypted using a public key retrieved from the Microsoft PIN reset service and then stored on the client for later use during PIN reset. After a user initiates a PIN reset, completes authentication and multifactor authentication to Microsoft Entra ID, the encrypted PIN reset protector is sent to the Microsoft PIN reset service, decrypted, and returned to the client. The decrypted PIN reset protector is used to change the PIN used to authorize Windows Hello for Business keys, and it's then cleared from memory.
Using Group Policy, Microsoft Intune or a compatible MDM solution, you can configure Windows devices to securely use the Microsoft PIN reset service, which enables users to reset their forgotten PIN without requiring re-enrollment.
You must replace TenantId with the identifier of your Microsoft Entra tenant. To look up your tenant ID, see How to find your Microsoft Entra tenant ID or try the following, ensuring that you sign in with your organization's account:
To configure a device with group policy, use the Local Group Policy Editor. To configure multiple devices joined to Active Directory, create or edit a group policy object (GPO) and use the following settings:
The PIN reset configuration can be viewed by running dsregcmd /status from the command line. This state can be found under the output in the user state section as the CanReset line item. If CanReset reports as DestructiveOnly, then only destructive PIN reset is enabled. If CanReset reports DestructiveAndNonDestructive, then nondestructive PIN reset is enabled.
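The check described above, as an added PowerShell example that is not part of the Microsoft documentation: it reads the CanReset line from dsregcmd /status and reports which PIN reset modes the device has. The sample output embedded in the block is constructed for offline use; calling the function without -StatusOutput runs the real tool on the device.

```powershell
# Added example (not from the documentation above): parse the CanReset line
# that dsregcmd /status prints in its "User State" section.

function Get-PinResetState {
    param(
        # Optional raw dsregcmd output (one string per line); when omitted,
        # dsregcmd.exe /status is run on the local device.
        [string[]]$StatusOutput
    )
    if (-not $StatusOutput) {
        $StatusOutput = & dsregcmd.exe /status 2>&1
    }

    # dsregcmd prints "CanReset : <value>" only when the user has a
    # Windows Hello for Business credential; treat a missing line as unknown.
    $line = $StatusOutput | Where-Object { $_ -match '^\s*CanReset\s*:' } | Select-Object -First 1
    $value = 'NotReported'
    if ($line -and ($line -match '^\s*CanReset\s*:\s*(\S+)')) {
        $value = $Matches[1]
    }

    switch ($value) {
        'DestructiveOnly'              { $destructive = $true;  $nonDestructive = $false }
        'DestructiveAndNonDestructive' { $destructive = $true;  $nonDestructive = $true }
        default                        { $destructive = $false; $nonDestructive = $false }
    }

    [pscustomobject]@{
        CanReset       = $value
        Destructive    = $destructive
        NonDestructive = $nonDestructive   # $true only when the PIN reset service is configured
    }
}

# Constructed sample of the relevant part of dsregcmd /status output.
$sample = @'
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                    NgcSet : YES
                  CanReset : DestructiveAndNonDestructive
'@ -split "`r?`n"

Get-PinResetState -StatusOutput $sample
# On a real device, run without arguments (as the signed-in user):
# Get-PinResetState
```

A NonDestructive value of $false on a device where you have deployed the PIN reset service policy usually means the policy has not applied yet or the user has not re-enrolled after it applied; re-run the check after a policy refresh and a sign-out/sign-in.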
PIN reset on Microsoft Entra joined devices uses a flow called web sign-in to authenticate users in the lock screen. Web sign-in only allows navigation to specific domains. If web sign-in attempts to navigate to a domain that isn't allowed, it displays a page with the error message: We can't open that page right now.
If you have a federated environment and authentication is handled using AD FS or a non-Microsoft identity provider, then you must configure your devices with a policy to allow a list of domains that can be reached during PIN reset flows. When set, it ensures that authentication pages from that identity provider can be used during Microsoft Entra joined PIN reset.
For Azure Government, there is a known issue with PIN reset on Microsoft Entra joined devices failing. When the user attempts to launch PIN reset, the PIN reset UI shows an error page that says, "We can't open that page right now". The ConfigureWebSignInAllowedUrls policy can be used to work around this issue. If you are experiencing this problem and you are using the Azure US Government cloud, set login.microsoftonline.us as the value for the ConfigureWebSignInAllowedUrls policy.
Destructive and nondestructive PIN reset scenarios use the same steps for initiating a PIN reset. If users have forgotten their PINs, but have an alternate sign-in method, they can navigate to Sign-in options in Settings and initiate a PIN reset from the PIN options. If users don't have an alternate way to sign into their devices, PIN reset can also be initiated from the Windows lock screen with the PIN credential provider. Users must authenticate and complete multifactor authentication to reset their PIN. After PIN reset is complete, users can sign in using their new PIN.
For Microsoft Entra hybrid joined devices, users must have corporate network connectivity to domain controllers to complete destructive PIN reset. If AD FS is being used for certificate trust or for on-premises only deployments, users must also have corporate network connectivity to federation services to reset their PIN.
Key trust on Microsoft Entra hybrid joined devices doesn't support destructive PIN reset from above the Lock Screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. For this deployment model, you must deploy non-destructive PIN reset for above lock PIN reset to work.
You may find that PIN reset from Settings only works post sign in. Also, the lock screen PIN reset function doesn't work if you have any matching limitation of self-service password reset from the lock screen. For more information, see Enable Microsoft Entra self-service password reset at the Windows sign-in screen.
Obviously the magic to this piece of hardware is what's contained on it, and if that is true, any usb key could be used to accomplish the same job. I know there are software like Katana and the like that can do similar things.
The password can be reset by booting to another operating system and editing the registry hive. This is trivial, and there are many tools which can do it, such as Trinity Recovery Kit. I suspect this USB stick just boots to a version of Linux and runs a few scripts.
However resetting a windows password denies access to EFS encrypted files and DPAPI encrypted data, since the keys for these are encrypted using a KEK derived from the password. When the user changes their password, they are re-encrypted with the new KEK. Access to EFS and DPAPI resources is lost even if the administrator resets the password.
To recover the password you need a tool like John the Ripper, L0phtCrack or Hashcat, which could also run off a USB stick. Extract the hashes from the SAM, feed them to a cracking program, then reboot and log in with the recovered passwords.
Basically you reboot the PC with a custom OS located on the USB flash drive itself; from that OS, the relevant files on the disk are modified. The USB device is nothing special: it is just a normal USB flash drive; the "added value" of this device is purely aesthetic. Downloadable boot images which can do the same thing from a "normal" USB flash drive can be obtained from various places, e.g. this one.
The boot-on-USB option was deactivated in the BIOS, and a BIOS password was set to prevent reactivation (of course, some BIOS accept "default passwords", and a BIOS password can be cleared by removing the CMOS battery, which is doable with physical access and a screwdriver).
There have been Windows password reset CDs for some years that let you do this. You can put a slightly modified image on a bootable USB stick. I presume this key simply packages existing software in a pre-packaged key.
Offline NT Password & Registry Editor - This is actually a bootable Linux system, which can read the Windows file system, and reset a password hash. It works most of the time, but the support for the Security Accounts Manager (SAM) - where Windows stores password hashes - is not perfect. So sometimes it just doesn't work, and risks corrupting the SAM. This is free.
Kon Boot - This boots the Windows system that is password protected, but hot patches it to disable asking you for a password - you just get logged in as administrator automatically. In my experience it is more reliable than the other tool. It is not free, but is quite cheap.
Password Reset Key seems to contain a modified Windows PE OS. I think it is something similar to the PCUnlocker Live CD/USB drive. It's not a completely new thing. There is a lot of freeware, such as Rufus and ISO2Disc, which allows you to install a Windows OS on a USB drive.
I bet they use "Ultimate Boot CD running BartPE". There was a live CD on the net some time ago that let you do all these operations. I am sure it will not decrypt the password hash on the fly; it will rather exchange that hash with one it generates itself, like a password reset, and will have the same effect. [image: German Police - Special Windows Boot CD] Similar to this one. This Windows live CD was also only some hundred MB, and you could start it while the PC was locked; it made a new Start button pop out and gave you access to everything through this.
Press Y to reset fTPM. If you have BitLocker or an encryption-enabled system, the system will not boot without a recovery key.
Press N to keep the previous fTPM record and continue system boot. fTPM will NOT be enabled with the new CPU unless fTPM is reset (reinitialized). You could swap back to the old CPU to recover TPM-related keys and data.
Disable the TPM module in BIOS or reset the TPM keys; either will do.
It's caused by installing a fresh BIOS on an install of Windows 10/11, which either invalidates existing keys or gives this warning if TPM was off before the upgrade and is now on.
Boot into the system and see if BitLocker is being used.
If it is, you will have to roll back to the old BIOS.
Then go to the TPM key in BIOS and write it down, all 48 digits of the key.
Reboot and see if BitLocker still works. (It should.)
When using BitLocker, do keep a backup of the BitLocker key. It also normally gets saved into the Microsoft account, but you will need another device to access the backup in case the original device decides to invalidate the TPM configuration.
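The precaution the fTPM prompt and the two posts above are circling around, as an added PowerShell example that is not taken from any of them: before a firmware update, CPU swap or TPM clear, confirm whether BitLocker protects the OS volume, make sure a 48-digit recovery password exists and is escrowed somewhere other than the device, and suspend BitLocker for one reboot so the changed TPM measurements re-seal instead of forcing recovery. The 48-digit key is the BitLocker recovery password, which Windows stores with the volume's key protectors, not in firmware. The block assumes the OS volume is C: and must run elevated on Windows 10/11 with the BitLocker and TrustedPlatformModule modules present.

```powershell
# Added example (not from the posts above): BitLocker pre-flight before a
# firmware/CPU change. Assumes C: is the OS volume and an elevated session.

$mountPoint = 'C:'   # assumed OS volume; adjust if Windows lives elsewhere

$tpm = Get-Tpm
Write-Host ("TPM present: {0}, ready: {1}" -f $tpm.TpmPresent, $tpm.TpmReady)

$vol = Get-BitLockerVolume -MountPoint $mountPoint
if ($vol.ProtectionStatus -ne 'On') {
    Write-Host "BitLocker is not protecting $mountPoint; a TPM reset cannot lock you out of it."
    return
}

$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    # No numeric recovery password at all: add one before touching firmware.
    Add-BitLockerKeyProtector -MountPoint $mountPoint -RecoveryPasswordProtector | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $mountPoint
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

foreach ($p in $recovery) {
    # This 48-digit value is what the fTPM prompt means by "recovery key".
    # Record it off-device (printout, password manager, another machine).
    Write-Host ("Recovery protector {0}: {1}" -f $p.KeyProtectorId, $p.RecoveryPassword)

    # Escrow to Microsoft Entra ID / the Microsoft account when the device is
    # joined; the cmdlet throws on an unjoined device, so treat that as a warning.
    try {
        BackupToAAD-BitLockerKeyProtector -MountPoint $mountPoint `
            -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
        Write-Host "  escrowed to Entra ID / Microsoft account"
    } catch {
        Write-Warning "  could not escrow to Entra ID: $($_.Exception.Message)"
    }
}

# Suspend protection for exactly one reboot: the firmware change alters the PCR
# values the TPM protector is sealed to, and a suspended volume re-seals against
# the new measurements on the next boot instead of prompting for the key.
Suspend-BitLocker -MountPoint $mountPoint -RebootCount 1 | Out-Null
Write-Host "BitLocker suspended for one reboot; apply the firmware/CPU change now."
```

After the new firmware boots, Get-BitLockerVolume should again show ProtectionStatus On; if it shows Off, run Resume-BitLocker -MountPoint C: before assuming the volume is protected.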
There is an AWS Systems Manager Automation document that automatically applies the manual steps necessary to reset the local administrator password. For more information, see Reset passwords and SSH keys on EC2 instances in the AWS Systems Manager User Guide.