Windows Hello PIN not working after update: causes and solutions

Sometimes, after a Windows update, you suddenly see the message “Your PIN is not available” or Windows Hello stops working (fingerprint, face, facial recognition…). Unfortunately, it's a fairly common problem. The PIN of Windows Hello It doesn't work after installing large patches for Windows 10, Windows 11, or even after updating servers and domains.

The good news is that it's a relatively easy situation to fix. In this article, you'll find a guide that explains how. Why does Windows Hello PIN stop working after updating? We include different methods to solve it: from the simplest (logging in with password and reconfiguring PIN) to advanced solutions with the Ngc folder, the registry, the domain or even system restore.

Why Windows Hello PIN isn't working after updating

Most of the time, the error appears right after installing a major update, changing versions (for example, to Windows 11 or version 24H2), or after modifying the domain infrastructure. The typical symptom is a message like this: “Your PIN is not available” or that Windows Hello is disabled by itself, asking you for the classic account password.

There are several common reasons behind this behavior, and it is important to understand them because each one points to a different or complementary solution.

One of the most frequently recurring factors is that The PIN's internal files are damaged or become inconsistent.All Windows Hello information (PIN, keys, settings) is saved in the protected folder Ngc within Windows. If an update fails partially, changes permissions, or incorrectly modifies that folder, the PIN becomes invalid and Windows blocks it for security reasons.

The operating system's internal permissions system also comes into play. Windows uses special accounts such as SYSTEM or LocalService with more privileges than a normal administrator. The Ngc folder belongs to one of these contexts. If, for any reason, the permissions or the owner of that folder become corrupted during the update, the system is unable to correctly read your PIN settings and, therefore, Windows Hello is no longer available.

We must not forget other factors that do not depend directly on the update but that can reveal the flaw immediately afterward: possible malware that interferes with the authentication systemThird-party security programs that access credentials, or even someone attempting too many failed logins with the PIN, causing Windows Hello credentials to be locked.

Relationship between Microsoft account, local account and Windows Hello

With Windows 11, Microsoft has significantly tightened the authentication system. On many computers, especially recent laptops, the system requires login with Windows Hello is linked to a Microsoft accountnot just to a local account, to ensure more security and advanced options (backup, synchronization, policies, etc.).

It is relatively common that, after updating to Windows 11, a notice like this appears in the login options “You must add a password before you can use this login option.” When you try to set up a PIN, facial recognition, or fingerprint, what it's actually telling you is that the system wants your user to sign in with a Microsoft account and have an active and associated password before allowing the use of Windows Hello.

In that situation, what you need to do is open the Settings app, go to Accounts > Your information and click on the option “Sign in with a Microsoft account instead”Once the device is successfully linked to your Microsoft account, you can return to the sign-in options and you'll see that facial recognition, fingerprint, and PIN options can now be configured without error messages.

If you already had your Microsoft account linked but have changed something important (for example, the main email address (associated with the account) it is possible that, for a few days, there will be a desynchronization between the device and the account. A major Windows update can trigger this mismatch, causing errors with Windows Hello or the system to malfunction. Ask for PIN and password again as a way to verify that it's still you.

Typical problems with Windows Hello after updating

Beyond the typical “Your PIN is not available”, there are several recurring failures that many users have reported after installing cumulative updates, security patches, or major new versions of Windows.

First, there are the specific error messages related to the PIN. For example, when you try to log in and see text like “Something went wrong (code: 0x8009002d). Restart your device to see if that fixes the problem.”or a generic “An error occurred. Please try again later.” when trying to add or change the PIN in the settings.

In other cases, upon entering Settings > Accounts > Sign-in optionsThe PIN (Windows Hello) section appears to be disabled; it does not display the button to add or change the PIN, or when pressed, it does not work. absolutely nothing happensThis usually means that the internal infrastructure of Windows Hello is not responding properly, typically due to corrupted permissions, damaged files, or services that are not in the correct state.

Situations have also been seen where, after a specific patch (for example, a cumulative update that introduces new features such as EU recallWindows Hello starts requiring a PIN instead of directly recognizing your face. The camera turns on, detects your face, and shows that it recognizes you, but The login process is not completed and it remains waiting for the PIN.In these cases, biometrics works at the hardware level, but something fails in the credential validation or in the association with the account.

Finally, in companies that use Windows Hello for Business With a focus on cloud-based authentication, after upgrading all domain controllers to Windows Server 2025 and raising the forest and domain levels, some administrators have found that fingerprint and PIN authentication suddenly become invalid. Employees can only log in with a password, and when attempting to use Google Hello, they receive a message stating that... The login information could not be verifiedeven after recreating the AzureADKerberos account.

Technical reasons: Ngc folder, permissions, and malware

The key to almost all of these problems lies in how Windows stores Windows Hello information. The system uses a special folder called Ngc located on the route C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\NgcIt stores everything related to your PIN and the keys that back it up.

This folder, for security reasons, has a very high level of protection: it belongs to the service account. LocalService And its permissions are designed so that not even a team administrator can gain direct access. It's an additional layer that prevents an attacker who gains administrator privileges from... read or manipulate PIN data easily.

The problem arises when an update modifies these permissions, changes the folder owner, or leaves files partially written. At that point, the Windows Hello authentication system loses its solid foundation and decides that the PIN is no longer trustworthy. Hence the typical message that The PIN is not available. or you may have to reconfigure your login method.

This is in addition to the possible presence of malicious software or conflicting applicationsThere is malicious code specifically designed to interfere with Windows authentication: it blocks normal access, modifies the registry, attempts to replace credentials, or disables Windows Hello components to force the user into less secure actions. Some third-party antivirus programs or overly aggressive security solutions can also cause conflicts with the Ngc folder or the Credential Service.

To make matters worse, if someone enters the PIN incorrectly several times (for example, a curious person in the office trying their luck), the system can temporarily block the authentication method and proceed directly to request the passwordIf this freeze coincides with an update or a configuration change, it may seem like the update is to blame when in reality it's due to several factors at once.

First steps: Log in with your password and reset your PIN

Before getting into advanced solutions, the first thing is to make sure you can Log in to the system using your passwordFrom the login screen, click on “Login options” and choose the password icon instead of the PIN or Windows Hello icon.

Enter your Microsoft account password or your local account password. If you can access the desktop without any problems, you're halfway there, because from there you'll be able to... delete and recreate the PIN from within Windows, without needing to touch advanced permissions yet.

Once in the system, open Configuration (Windows key + I), enter Accounts > Sign-in options and look for the section PIN (Windows Hello)If it's active, try tapping Remove, enter your password when prompted, and delete the current PIN. Then select the option to set a new PIN and the assistant continues by entering a code that you remember well.

In many cases, this resolves the problem: Windows recreates its internal structure coherently, and the PIN works again without error messages. If restarting the computer maintains correct behavior, the original failure was probably due to a minor synchronization problem or slight corruption from the Hello settings.

If, on the other hand, every time you update the system the PIN is deactivated again or asks you to configure it as if it were the first time, it is very possible that there is a deeper problem with the Ngc folder, with system policies or even with the Windows registry, and then you have to roll up your sleeves a little more.

Repair the PIN by deleting the Ngc folder

When the PIN cannot be cleared from settings, login options are unresponsive, or error messages keep appearing even after recreating the code, the most effective solution is usually completely reset the Ngc folderIt's a delicate process, but when done correctly, it leaves the system as if a PIN had never been configured and allows you to recreate it from scratch.

The most direct and automatic way to do this is by using the command prompt from the advanced boot environmentTo get there, restart your computer while holding down the key CAPS KEY (SHIFT)When you start up, instead of going directly into Windows, you will see the advanced options menu.

Within that menu, choose Solve problems and then go to Advanced options > Command PromptA console window with elevated privileges will open, allowing you to interact with the Ngc folder without the usual restrictions of a normal session.

In that console, the first step is to regain control of the folder. To do this, run a command that resets the permissions internally: icacls C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Ngc /T /Q /C /RESETThis resets the access control lists for everything within Ngc, preparing the way to rename it.

Next, run a second command to rename the folder: Ren C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Ngc Ngc.oldThis way, Windows will no longer find the original folder when it restarts and will generate a new, clean Ngc structure on the next startup.

Once these steps are completed, close the command prompt window and choose the option to continue with the normal startupThe computer will start Windows and you can log in with your usual password. Once you're back on the desktop, go to the login options and set up a new PIN in the Windows Hello section. All the data that was on the old Ngc card is now stored in the Ngc.old folder, which is no longer in use.

How to delete NGC from Explorer with advanced permissions

If you prefer not to touch the boot environment and can log in with your administrator user, it is also possible to reset Ngc from within Windows itself using File Explorer and the tab of Security from the folder properties, although this path involves more steps.

First, you'll need to open File Explorer and enable the display of hidden items. Then, navigate to the path C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft and locate the folder called Ngc. If you try to enter it, you'll see that you don't have permission, which is completely normal, since the owner is not you but a system service.

Right-click on the Ngc folder and select PropertiesIn the window that opens, go to the tab Security and press the button AdvancedAt the top you'll see a field called Owner. You'll need to click there. Change to take ownership of the folder.

In the dialog box that appears, type your username (the one you use to log in, which must have administrator privileges) and click on Check names for the system to validate it. Once it appears correctly, accept the change and check the box. “Replace owner on subcontainers and objects” so that the new owner also applies to everything within Ngc.

After applying and accepting the changes, you should now be able to access the Ngc folder without any problems. Open it by double-clicking, then select all files and subfolders Delete any files inside. You don't need to delete the Ngc folder itself; simply empty it completely so the system can recreate the correct structure the next time you set up a new PIN.

Once you have emptied Ngc, restart your computer and, after logging back in with your password, go back to Settings > Accounts > Sign-in options To add a new PIN in the Windows Hello section, the system will regenerate all the cryptographic data, and unless there's another conflict, you should be able to log in using your PIN without any issues.

Use Registry and policies to enable PINs on domains

On domain-joined computers, PIN usage may be blocked by group policies or registry settings. In these scenarios, even if you delete the Ngc folder, Windows will not allow you to proceed. Set up a Windows Hello PIN until politics allows it.

One way to force PIN entry on domain-joined computers is to modify a Windows registry key. However, this operation is intended for advanced users and administrators: an incorrect registry change can cause instability. Ideally, you should perform a previous backup of the registry before touching anything.

To begin, press Windows + R, type regedit and accept. Once inside the Registry Editor, go to File > ExportSelect "Everything" in the export range, choose a name, and save the .reg file as a backup in case you need to revert the change.

Then, navigate to the route HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SystemIn the right panel, if it doesn't exist, create a new value of type DWORD (32 bits) with the name AllowDomainPINLogonIf it's already created, simply edit it.

Double-click on AllowDomainPINLogon and change the value data to 1This tells the system that PIN usage is allowed on a domain-joined computer. Close Registry Editor, and then restart your computer for the change to take effect.

Once the changes have been applied and after restarting, check the Login optionsIf everything went well, you should now be able to add a PIN even on corporate computers where the option was previously disabled or invisible. Combining this change with a reset of the Ngc folder resolves most of the problems on domain-joined workstations.

Troubleshooting, uninstalling updates, and system restore

If you've tried the solutions above and are still experiencing strange issues with Windows Hello after a specific update, you can also try the following: diagnostic tools that comes with the operating system itself and, ultimately, in the mechanisms for reverting updates and restoring.

First, you can run the user account troubleshooterwhich in Windows 10 and 11 is part of the Troubleshooting Center. To access it, open Settings with Windows + I, then go to Updates and security (or in System > Troubleshooting in some versions) and click on Solve problems.

Inside, look for the section on Additional troubleshooters and select the option related to User accountsRun the wizard and follow the steps it indicates. This tool reviews various internal parameters of your profile, permissions, and credentials, and may detect and correct errors that affect the PIN and other login methods.

If the problem started right after a specific update (for example, a cumulative update like KBxxxxxxx), another recommended option is to uninstall only the latest update to check if it's directly responsible for the problem. To do this, go to Settings > Update & Security and enter View update history.

In the window that opens, locate the most recent update, note its identifier (it starts with KB followed by numbers) and press on Uninstall updatesThe classic panel will open, where you can double-click on the update in question and confirm that you want to remove it. After restarting, check if Windows Hello is working normally again.

If even uninstalling the update doesn't solve the problem, or if the fault dates back further but has been exacerbated by recent patches, there's always the option of restore system to a previous point where everything was working properly. To do this, open the Control Panel, change the view to small icons, and go to SystemFrom there, access Recovery and choose Open System Restore.

Select the option of choose a restoration point Prior to the date the PIN problems began, and let Windows complete the process. When finished, the system will revert to its previous state in terms of system files, drivers, and settings, which usually eliminates persistent Windows Hello errors. Keep in mind, however, that any system changes made after that point will be lost, although your personal documents should remain intact.

Security, antivirus, and programs that cause conflicts

When discussing authentication problems, the role of security cannot be overlooked. A persistent PIN failure after several updates can be a sign of a security issue. something else touching the system underneathsuch as malware, Trojans, or applications that interfere too much with credential handling.

The minimum recommendation is to take advantage the antivirus integrated into Windows, Microsoft DefenderRun a full system scan if you notice your PIN behaving strangely, not saving correctly, or suddenly disappearing. Quick scans don't always detect threats hiding in less obvious areas, so a thorough scan is recommended.

If the system is so unstable that you can't even run an antivirus scan from within Windows, a useful tactic is to boot with a antivirus in Live mode (using a USB drive or CD) to scan the hard drive without the operating system loaded. This greatly reduces the chances of malware hiding or blocking the scan, and can be key to Remove threats that affect the PIN.

You should also be careful with the third-party applications you install, especially additional security solutions, overly invasive password managers, or tools that promise to "optimize" Windows by modifying the registry or login settings. Some of these may be incompatible with Windows Hello, modifying permissions or introducing changes that result in PIN and biometric errors.

If you notice that the PIN problem started right after installing one of these programs, the wisest course of action is uninstall that application and check if the problem disappears. It's not uncommon for certain third-party antivirus programs or complex security suites to conflict with the Windows authentication system, so sometimes it's best to revert to simpler, more compatible solutions.

Other login and automatic startup options

While you're struggling with PINs and updates, you might consider using other login methods or even completely disable authentication on startup the equipment in very specific cases (for example, a desktop PC at home that only you use).

Windows Hello offers more than just PIN verification. If your computer has fingerprint reader or camera compatible with facial recognitionYou can configure them for faster and more convenient access. On many modern laptops, simply opening the lid and facing the webcam allows the system to recognize you and take you directly to the desktop.

You can also continue using the classic one Microsoft account password or from your local account, which always acts as a backup method. In fact, it's important that you remember that password because, without it, you won't be able to create or reset a new PIN if something goes wrong, or respond correctly to the account recovery wizard.

In very specific situations, you can configure the equipment to do automatic login without asking for a PIN or password. To do this, use the command netplwiz From the Run dialog box (Win + R). A User Accounts Management window will open where you can uncheck the box "Users must enter a user name and password to use this computer," then select which user will log on automatically.

When your Windows Hello PIN stops working after an update, there's almost always an explanation: corrupted files in the Ngc folder, changes in permissions, domain policies, issues with your Microsoft account, or even third-party programs causing problems. By following the steps to log in with a password, recreate the PIN, repair or clear Ngc, adjust policies, and using diagnostic tools, you should be able to resolve the issue. regain access Without having to go to the extreme of formatting the computer, and with a few good maintenance practices you will avoid the same headache from repeating itself over and over again.