Windows 10 offers various ways to log on to your device. All of them have their pros and cons. One thing is for sure: Microsoft loves the Windows Hello PIN. Even on an Active Directory domain-joined system, if you want to e.g. set up a fingerprint login, you will be forced to generate a Windows Hello PIN, at least by default.
Funnily enough, it can happen that you don’t even have the option to reset the PIN. What if the user forgot his PIN? No big deal? Well… it actually is a big deal. By default Windows falls back to the PIN if the fingerprint reader does not work, which is especially common with the Microsoft Surface keyboards. Sure, you can detach and re-attach them to make the reader work again, but your user base / employee base will still tell you: “it asks for a PIN and I forgot it.”
Fingerprints and PINs are stored locally on the device, in a secured vault. You can’t really alter it, but you can remove it.
In order to remove all locally stored PINs and possibly even fingerprints, you must delete all contents of %windir%\ServiceProfiles\LocalService\AppData\Local\Microsoft\NGC.
The quickest way to accomplish this is to run the following two commands in an elevated Command Prompt / CMD (run as administrator).
```cmd
takeown /f %windir%\ServiceProfiles\LocalService\AppData\Local\Microsoft\NGC /r /d y
icacls %windir%\ServiceProfiles\LocalService\AppData\Local\Microsoft\NGC /grant administrators:F /t
```
The first command takes ownership of the folder (recursively), the second one then grants the local Administrators group full control of it.
Once this is done, you need to delete all contents of the folder. If you are logged on as an administrator, you can simply use Windows Explorer. If you are logged on as a regular user, you need to do it manually in an elevated CMD, or use e.g. a tool like 7-Zip started in elevated mode and navigate to the folder. Be aware that 7-Zip might not be able to expand %windir%, so either navigate to the folder manually or use C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\NGC as the path. Delete all contents.
Reboot.
This sledgehammer method deletes all stored PINs and other Windows Hello information for all accounts known to the device. Those users will need to log on with their Active Directory password and start from scratch. You might also need to click e.g. REMOVE in the fingerprint configuration to start over.
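The whole procedure above (take ownership, grant Administrators full control, empty the NGC folder, reboot) as one elevated PowerShell script. This is an added example, not from the original post; it assumes the default NGC path given above and adds an elevation check and exit-code checks that the post does not mention.

```powershell
# Added example (not from the original post): runs the post's takeown / icacls steps
# and the manual deletion of the NGC folder contents in one elevated PowerShell session.
# Assumption: default Windows 10 path for the NGC vault, as named in the post.
$ngc = Join-Path $env:windir 'ServiceProfiles\LocalService\AppData\Local\Microsoft\NGC'

# Refuse to continue unless the session is elevated; takeown / icacls would just fail.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Run as administrator) PowerShell window.'
}

if (-not (Test-Path -LiteralPath $ngc)) {
    Write-Host "NGC folder not found at $ngc; nothing to do."
    return
}

# Step 1: take ownership of the folder and everything below it (same command as the post).
takeown /f $ngc /r /d y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "takeown failed with exit code $LASTEXITCODE" }

# Step 2: grant the local Administrators group full control, recursively.
icacls $ngc /grant 'administrators:F' /t | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Step 3: show what is about to go, then delete the contents (the folder itself stays).
$items = Get-ChildItem -LiteralPath $ngc -Force
Write-Host "Removing $($items.Count) top-level item(s) from $ngc"
$items | Remove-Item -Recurse -Force -ErrorAction Stop

# Step 4: reboot so Windows Hello starts from scratch; users then sign in with their AD password.
Write-Host 'NGC contents removed. Reboot to complete the reset.'
# Restart-Computer -Force   # uncomment to reboot immediately
```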