
Reset or Remove the Windows Hello PIN

March 22, 2021 Florian Rossmark

Windows 10 offers various ways to log on to your device. All of them have their pros and cons. One thing is for sure, Microsoft loves the Windows Hello PIN. Even on an Active Directory domain-joined system, if you want to e.g. set up a fingerprint login, you will be forced to generate a Windows Hello PIN, at least by default.

Funnily enough, it can happen that you don’t even have the option to reset the PIN. What if the user forgot his PIN? No big deal? Well… it actually is a big deal. By default Windows falls back to the PIN if the fingerprint reader does not work, which is especially common with the Microsoft Surface keyboards. Sure, you can rip them off and re-attach them to make it work again, but your user base / employee base will still say “it asks for a PIN and I forgot it”.

Fingerprints and PINs are stored locally on the device, in a secured vault. You can’t really alter it, but you can remove it.

In order to remove all locally stored PINs and possibly even fingerprints, you must delete all contents of %windir%\ServiceProfiles\LocalService\AppData\Local\Microsoft\NGC.

The quickest way to accomplish this is to run the following two commands in an elevated Command Prompt / CMD (run as administrator).

Take ownership and grant rights
takeown /f %windir%\ServiceProfiles\LocalService\AppData\Local\Microsoft\NGC /r /d y
 
icacls %windir%\ServiceProfiles\LocalService\AppData\Local\Microsoft\NGC /grant administrators:F /t

The first command takes ownership of the folder and everything below it (/r); the second then grants the Administrators group full control (F) of the folder and its contents (/t).

Once this is done, you need to delete all contents of the folder. If you are logged on as an administrator, you can just use Windows Explorer. If you are logged on as a regular user, you need to either do it more manually in CMD or use a tool like 7-zip in elevated mode and navigate to the folder. Be aware that 7-zip might not be able to handle %windir%; either navigate manually to the folder or use C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\NGC to get to the path. Delete all contents.

Reboot.
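
The steps above combined into one batch file, including the manual CMD deletion that the post mentions but does not show. This is an added example, not part of the original post; the elevation check via whoami and the High Mandatory Level SID, and the final emptiness check, are choices made for this example.

```bat
@echo off
setlocal
set "NGC=%windir%\ServiceProfiles\LocalService\AppData\Local\Microsoft\NGC"

rem Assumption of this example: detect elevation by looking for the
rem High Mandatory Level SID (S-1-16-12288) in the current token.
whoami /groups | find "S-1-16-12288" >nul
if errorlevel 1 (
    echo Run this script from an elevated Command Prompt.
    exit /b 1
)

if not exist "%NGC%\" (
    echo NGC folder not found: %NGC%
    exit /b 1
)

rem Commands from the post: take ownership recursively, then grant
rem the Administrators group full control on the whole tree.
takeown /f "%NGC%" /r /d y >nul || exit /b 1
icacls "%NGC%" /grant administrators:F /t >nul || exit /b 1

rem Delete the contents but keep the NGC folder itself:
rem first every subfolder, then any files directly inside it.
for /d %%D in ("%NGC%\*") do rd /s /q "%%D"
del /f /q /a "%NGC%\*" 2>nul

rem Verify: dir /b prints nothing for an empty folder, so findstr
rem returns 0 only if something is still left behind.
dir /b /a "%NGC%" 2>nul | findstr "^" >nul
if not errorlevel 1 (
    echo Some items could not be removed. Check the folder and retry.
    exit /b 1
)

echo NGC folder emptied. Reboot to complete the reset.
endlocal
```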

This sledgehammer method will delete all stored PINs and other information for all accounts known by the device. Those users will need to log on with their Active Directory password and start from scratch. You might also need to click on e.g. REMOVE in the fingerprint configuration to start over.

 
