IT-Admins

a website from a systems administrator for systems administrators

    Reset or Remove the Windows Hello PIN

    Windows 10 offers various ways to log on to your device, each with its pros and cons. One thing is for sure: Microsoft loves the Windows Hello PIN. Even on an Active Directory domain-joined system, if you want to set up, for example, a fingerprint login, you will be forced to create a Windows Hello PIN, at least by default.

    Oddly enough, it can happen that you don't even have the option to reset the PIN. What if the user forgot his PIN? No big deal? Well… it actually is a big deal. By default, Windows falls back to the PIN if the fingerprint reader does not work, which is especially common with the Microsoft Surface keyboards. Sure, you can detach and re-attach them to make the reader work again, but your user base / employee base will still say, "It asks for a PIN and I forgot it."

    Fingerprints and PINs are stored locally on the device, in a secured vault. You can’t really alter it, but you can remove it.

    In order to remove all locally stored PINs and possibly even Finger-Prints, you must delete all contents of %windir%\ServiceProfiles\LocalService\AppData\Local\Microsoft\NGC.

    The quickest way to accomplish this is using the two following commands in an elevated Command Prompt / CMD (run as administrator).

    Take ownership and grant rights

    takeown /f %windir%\ServiceProfiles\LocalService\AppData\Local\Microsoft\NGC /r /d y
    icacls %windir%\ServiceProfiles\LocalService\AppData\Local\Microsoft\NGC /grant administrators:F /t

    The first command takes ownership of the folder; the second then grants the Administrators group full control of it.

    Once this is done, delete all contents of the folder. If you are logged on as an administrator, you can just use Windows Explorer. If you are logged on as a regular user, you need to do it either more manually in CMD or with a tool such as 7-zip running in elevated mode. Be aware that 7-zip might not be able to handle %windir%; either navigate to the folder manually or use C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\NGC as the path. Delete all contents.

    Reboot.

    This sledgehammer method deletes all stored PINs and other information for all accounts known to the device. Users will need to log on with their Active Directory password and start from scratch. You might also need to click e.g. REMOVE in the fingerprint configuration to start over.
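
    The steps above, combined into one batch file for an elevated Command Prompt (an added example, not part of the original post). It quotes the path, grants rights by the well-known SID of the built-in Administrators group instead of the group name, and checks that the folder is actually empty before asking for the reboot.

```batch
@echo off
rem Added example: the NGC cleanup procedure as a single batch file.
setlocal
set "NGC=%windir%\ServiceProfiles\LocalService\AppData\Local\Microsoft\NGC"

rem "net session" only succeeds in an elevated session; stop early otherwise.
net session >nul 2>&1
if errorlevel 1 (
    echo Run this from an elevated Command Prompt.
    exit /b 1
)

if not exist "%NGC%\" (
    echo NGC folder not found: "%NGC%"
    exit /b 1
)

rem Same two commands as in the post, with the path quoted.
rem Assumption: on a non-English Windows the "/d y" answer letter may be
rem localized; adjust it there.
takeown /f "%NGC%" /r /d y >nul || exit /b 1

rem *S-1-5-32-544 is the built-in Administrators group, independent of its
rem localized display name.
icacls "%NGC%" /grant *S-1-5-32-544:F /t /q || exit /b 1

rem Delete the contents but keep the NGC folder itself.
for /d %%D in ("%NGC%\*") do rd /s /q "%%D"
del /f /q /a "%NGC%\*" 2>nul

rem Anything still listed here survived (hidden subfolders, files held open).
dir /b /a "%NGC%" 2>nul | findstr "^" >nul
if not errorlevel 1 (
    echo Some items could not be deleted. Reboot and run this again.
    exit /b 1
)

echo NGC folder emptied. Reboot to finish.
```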

     

    March 22, 2021 by Florian Rossmark
