With the latest Windows Hello for Business feature, you can now log in to your windows 10 and 11 just by entering the PIN code. This feature also allows alternate sign-in options such as Face ID and Fingerprint.

Unlike with Face ID or Fingerprint, there may be times you need to change or reset your PIN. You may have forgotten your PIN or just want to change your PIN for security reasons.

In this article, we have mentioned ways to reset or change the PIN in Windows. We have also included the fixes for issues that stop you from changing or resetting the PIN.

How to Change PIN

You can change your PIN from the Settings App using the following instructions:

Press Windows + I to launch Settings. Go to Accounts > Sign-in options. Click on Windows Hello PIN and select Change. For Windows 11, the options are PIN (Windows Hello) > Change PIN. Follow the on-screen instructions.

How to Reset PIN

Windows Hello also allows resetting your PIN in case you forget it. Please remember that you need to pass two authentication steps to reset your PIN.

There are two ways to reset the PIN: Destructive and Non-destructive. The Destructive PIN Reset removes any credentials added to the Windows Hello container and assigns you a new PIN. The Non-Destructive PIN Reset protects all those credentials but changes the PIN associated with them.

You need to enable PIN recovery mode for non-destructive reset. Other than that, all the steps are the same. Below, we have mentioned the methods you can use for both types of reset.

Destructive PIN Reset

Here are the methods to execute a destructive PIN reset in Windows:

Reset From Settings

The normal way to reset your PIN after you’ve logged in to your system is through the settings. Please follow the directions below:

Go to Settings > Accounts > Sign in options. Under Windows Hello PIN, click on I forgot my PIN. Follow the on-screen instructions.

Reset From Lock Screen

It is also possible to reset your PIN from the lock screen if you can’t log in. To do so, select I forgot my PIN from the lock screen and follow the on-screen instructions.

Delete Ngc Folder

Ngc is the folder where Windows stores all PIN-related settings. It is possible to remove your PIN by deleting the folder. Then, you can add a new PIN from the Account Settings.

You must have ownership of the folder before deleting its contents. Follow the steps below to take ownership of the Ngc folder and remove its contents:

Navigate to C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft . The AppData folder is hidden by default. Enable Hidden items option from View menu>Show/hide tab to make it visible. Right-click on the Ngc folder and select Properties. Go to the Security tab and select Advanced.

Click on the Change option for Owner. Here, click on Advanced, and then Find Now from the next window. Locate and select your account. Then, click Ok. Select Ok again. Check Replace owner on subcontainers and objects and click Ok to apply the changes. Delete the Ngc folder.

Now, you can go to Settings Accounts>Sign in options>Windows Hello PIN and choose Add a PIN to create a new PIN.

Note: You can use the Elevated Command Prompt to take ownership of the Ngc folder. The commands are: takeown /f C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\NGC icacls C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\NGC /grant administrators:f

Non-Destructive PIN Reset

The methods mentioned here only show how you can enable PIN Recovery. After turning on PIN recovery, reset your PIN from settings to execute a non-destructive reset.

Note: PIN recovery is only possible on a device registered with Azure Active Directory. Enabling the Microsoft PIN reset service on your Azure AD tenant is also a requirement.

Enable PIN Recovery With Microsoft Intune

Microsoft Intune allows remote configuration of your device. Follow the steps below to enable PIN Recovery with Intune.

Sign in to the Microsoft Endpoint Manager admin center as a Global administrator. Navigate to Endpoint Security > Account Protection > Properties. Look for Enable PIN recovery and set it to Yes. Sign in to the Azure portal with a Global admin account. Go to Intune > Device configuration > Profiles. Click the profile with PIN reset configuration and select Assignments. Set your user profile inside the Included group. Select Review + Save. Then, choose Save.

Enable PIN Recovery With Local Group Policy Editor

Local Group Policy Editor also allows configuring policies for the Windows Hello for Business feature. Please find below how you can enable the PIN recovery policy with this editor.

Open Run command and enter gpedit.msc. Go to Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business. Double-click on Use PIN Recovery. Select Enabled and click Ok. Close the Local Group Policy Editor.

Enable PIN Recovery With Registry Editor

It is also possible to enable PIN recovery by changing an entry in your registry. Here’s how you can do so:

Launch the run command and enter regedit. Go to: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork Locate EnablePinRecovery and double-click on it. Then, set its value to 1. If you can’t find this entry, right-click on an empty space and select New>DWORD (32-bit) Value. Set its name as EnablePinRecovery and value as 1.

Troubleshooting Can’t Change/Reset/Add/Enter PIN

The first thing to do in this situation is to restart your PC. Move on to the solutions if this proves ineffective.

Before trying any solutions, make sure to delete the Ngc folder if you haven’t already done so. It will solve this issue in most cases.

Disconnect From Work or School Account

Being connected with a work or school account may enforce some policy disabling you from changing your PIN.

Disconnecting the account from Settings>Accounts>Access work or school will likely fix this issue. You may have to sign out from all apps logged in with your school or work account as well.

Startup Repair

Repairing your PC may fix this problem. You can do it from the Windows Recovery Environment. Follow these instructions to perform a startup repair:

Press and hold Shift while clicking Restart on the login screen to access Advanced Startup Options. Then, go to Troubleshoot > Advanced options > Startup Repair.

System Restore

You may resolve this issue by restoring your system to an existing restore point. Here’s how you can do so.

Search for restore on the search bar and select Create a restore point. It’ll open the System Protection tab of System Properties. Here, click on System Restore.

Follow the on-screen instructions.

You can perform a system restore from the Windows Recovery Environment if you’re unable to log in to your account. Go to Troubleshoot>Advanced options>System Restore to access this option.

Related Question

How do I know if the PIN Recovery mode is enabled or not?

It is possible to check the status of devices joined with Azure AD using the dsregcmd command. With this command, you can check if a non-destructive reset is possible or not.

Enter the command dsregcmd /status in the elevated command prompt. In User State, check for the value of CanReset. If the value is DestructiveAndNonDestructive, your PIN Recovery mode is on.