IT-Admins

a website from a systems administrator for systems administrators


    Reset or Remove the Windows Hello PIN

    Windows 10 offers various ways to log on to your device. All of them have their pros and cons. One thing is for sure: Microsoft loves the Windows Hello PIN. Even on an Active Directory domain-joined system, if you want to set up, e.g., a fingerprint login, you will be forced to generate a Windows Hello PIN, at least by default.

    Funnily enough, it can happen that you don't even have the option to reset the PIN. What if the user forgot his PIN? No big deal? Well… it actually is a big deal. By default, Windows falls back to the PIN if the fingerprint reader does not work, which is especially common with the Microsoft Surface keyboards. Sure, you can detach and re-attach them to make it work again, but your user base / employee base will still say, "It asks for a PIN and I forgot it."

    Fingerprints and PINs are stored locally on the device, in a secured vault. You can’t really alter it, but you can remove it.

    In order to remove all locally stored PINs and possibly even Finger-Prints, you must delete all contents of %windir%\ServiceProfiles\LocalService\AppData\Local\Microsoft\NGC.

    The quickest way to accomplish this is using the two following commands in an elevated Command Prompt / CMD (run as administrator).

    Take ownership and grant rights:

    takeown /f %windir%\ServiceProfiles\LocalService\AppData\Local\Microsoft\NGC /r /d y
    icacls %windir%\ServiceProfiles\LocalService\AppData\Local\Microsoft\NGC /grant administrators:F /t

    The first command takes ownership of the folder; the second then grants administrators rights to it.

    Once this is done, you need to delete all contents of the folder. If you are logged on as an administrator, you can just use Windows Explorer. If you are logged on as a regular user, you need to do it either more manually in CMD or with a tool such as 7-zip in elevated mode, navigating to the folder. Be aware that 7-zip might not be able to handle %windir%; either navigate manually to the folder or use C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\NGC to get to the path. Delete all contents.

    Reboot.

    This sledgehammer method will delete all stored PINs and other information for all accounts known by the device. The users will need to log on with their Active Directory password and start from scratch. You might also need to click on e.g. REMOVE in the fingerprint configuration to start over.
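
    The whole procedure above (take ownership, grant rights, delete the contents, reboot) as a single elevated PowerShell script. This is an added example, not the author's code; the -Reboot switch is a hypothetical convenience parameter, and the Administrators group is addressed by its well-known SID instead of by name so the grant also works on non-English Windows.

```powershell
#Requires -RunAsAdministrator
# Added example: resets Windows Hello data for ALL accounts on this device.
[CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
param(
    [switch]$Reboot   # hypothetical switch: restart automatically when done
)

$ngc = Join-Path $env:windir 'ServiceProfiles\LocalService\AppData\Local\Microsoft\NGC'

if (-not (Test-Path -LiteralPath $ngc)) {
    Write-Warning "NGC folder not found at $ngc; nothing to reset."
    return
}

# ConfirmImpact 'High' makes PowerShell ask before the destructive part runs.
if (-not $PSCmdlet.ShouldProcess($ngc, 'Delete Windows Hello PIN data for every account')) {
    return
}

# Step 1: take ownership recursively (same flags as in the article).
& takeown.exe /f $ngc /r /d y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "takeown failed with exit code $LASTEXITCODE" }

# Step 2: grant full control to BUILTIN\Administrators (S-1-5-32-544).
& icacls.exe $ngc /grant '*S-1-5-32-544:F' /t | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Step 3: delete the contents but keep the NGC folder itself.
$items = @(Get-ChildItem -LiteralPath $ngc -Force)
$items | Remove-Item -Recurse -Force -ErrorAction Stop

# Verify that nothing was left behind (e.g. a locked file).
$left = @(Get-ChildItem -LiteralPath $ngc -Force).Count
if ($left -gt 0) { throw "$left item(s) could not be removed from $ngc" }

Write-Output "Removed $($items.Count) top-level item(s) from $ngc."

# Step 4: reboot so Windows rebuilds the container on the next PIN setup.
if ($Reboot) {
    Restart-Computer -Force
} else {
    Write-Output 'Reboot the device to complete the reset.'
}
```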

     


    March 22, 2021 by Florian Rossmark configuration solutions windows
