Reset the Hello PIN prompts “This device is not currently joined to your organization. Please contact your administrator”.

Today we had a problem where a user forgot his PIN for Windows 10.

At login screen when attempting to reset the pin it prompts  “This device is not currently joined to your organization. Please contact your administrator”.

Also at the Hello Pin settings there is no pin reset link.
settings->Accounts->Sign-in options, 

This procedure worked for me, I found it somewhere on the internet but don’t know exactly where.

So credits are not mine 🙂 

  1. Use your password to log in to Windows 10.
  2. If you have facial recognition enabled, go into sign-in options and remove it first.
  3. Next, open Control Panel
  4. In Control Panel open File Explorer Options.
  5. In the View tab under Advanced Settings, select Show hidden files and uncheck ‘Hide protected operating system files’.
  6. Open File Explorer and browse to this path: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft.
  7. Right click Ngc folder and choose Properties.
  8. Navigate to Security tab and click on Advanced button.
  9. Locate the Owner section at the top and click Change link.
  10. In the ‘From this location’ field, make sure it is the name of the computer. Click the Locations button to change if it is not.
  11. In the ‘Enter the object name to select’ field enter Administrators. Click on ‘Check Names’. It should auto fill the full path for the Administrators group. Now click OK.
  12. Check ‘Replace owner on subcontainers and objects’ and click Apply and OK. 
  13. The original post repeated these steps on subcontainers. Some folders cannot be deleted regardless of the owner. So what I found works better is to simply rename the Ngc folder to something else, like Old_Ngc.
  14. Once the folder is renamed, create a new folder named Ngc.
  15. Close all of the windows and reboot.

Once the system is rebooted, the sign-in options should now allow you ‘Add’ a PIN.

Some things I discovered : 

  • When nothing is configured Windows uses Hello insteaad of Hello for Business
  • Settings are stored in the Windows 10 folder at location 

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\NGC

  • Microsoft documentation :

Can’t configure a convenience PIN – Windows Client | Microsoft Docs

Pin Reset – Windows security | Microsoft Docs

https://docs.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-device-dsregcmd

  • Regkeys used by Hello.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Settings\AllowSignInOptions

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System

0 or (delete) = Disable ad 1 = Enable.

Windows Registry Editor Version 5.00
; Created on: Jan 2022

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"AllowDomainPINLogon"=1

Leave a Reply

Your email address will not be published.