Locked out! Windows 11 will not accept password login, but there is no option to enter Win Hello PIN instead

Win 11 will not allow me to do a password login into my local account. My Password is correct (I get an appropriate error message if I intentionally enter wrong password), but login is rejected as below, with no ability to enter my Windows Hello PIN instead. I know my PIN, but the login screen offers no option to enter it.

My sense is that if I could disable the setting that is making Windows obsess about using ONLY Windows Hello to log into any account then I could fix things up from there. But I have not been able to do this.



Here is what I have already tried...

SAFE MODE:
This is the ONLY way for me to log in... in Safe Mode the password is accepted with no PIN required. This is how I have tried all the other corrective steps listed below, but nothing has had any effect when I reboot normally. Hence this post asking for your help!

WINDOWS/SETTINGS/ACCOUNT:

Settings > Accounts > Additional Settings >
"For improved security, only allow Windows Hello sign-in for Microsoft accounts on this device" -- SET TO OFF

NEW ACCOUNT
Settings > Accounts > Create New Account

Created a new local admin account with a password. Rebooted. New account had the same login problem... unable to login because it wants a PIN but with no UI ability to enter it.

WINDOWS SERVICES:

Windows Biometric Service - DISABLED
Web Account Manager - DISABLED

NGC FILES:

Deleted all files in C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Ngc (in case they were corrupted) in case they were corrupted.

REGEDIT:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Settings\AllowSignInOptions set to 0

GPEDIT:

Local Computer Policy / Computer Configuration / Windows Components / Biometrics /
Allow domain users to login using biometrics - DISABLED
Allow the use of biometrics - DISABLED
Allow users to login using biometrics - DISABLED

Local Computer Policy / Computer Configuration / System / Logon /
Always use classic logon - ENABLED
Turn on convenience PIN sign in - DISABLED
Turn on security key sign in - DISABLED

Local Computer Policy / Computer Configuration / Windows Components / Windows Hello for Business
Use certificate for on-premises authentication - DISABLED
Use Windows Hello for Business - DISABLED
Use Windows Hello for Business cerificates as smart card certificates - DISABLED

User Computer Policy / User Configuration / Windows Components / Windows Hello for Business
Use Windows Hello for Busines - DISABLED
Use certificate for on-premises authentication - DISABLED

I also took the step of disabling the Group Policy Client Service entirely... this test was more involved but doable... as directed here Disabling the Group Policy Client Service in Windows

Any ideas?

I would like to have you run a Clean Boot.

A clean boot is a troubleshooting technique that allows you to get the computer up and running so that you can perform diagnostic tests to determine which elements of the normal boot process are causing problems.

How to perform a Clean Boot.

Warning: Disabling items in Services or Startup may leave your antivirus disabled until the process is ended. For this reason, I would suggest that you perform this process off-line.

Press the keys to open Run, then type msconfig in the search box. This will open System Configuration.

If you are prompted for an administrator password or for confirmation, you should enter the password or provide confirmation.

(1) Click/tap on the General tab.

(2) Click/tap on the Selective startup option.

(3) Remove the check mark in the Load startup items check box.



4. Click on the Services tab.

5. Place a check mark in the Hide all Microsoft services check box, this will remove the Microsoft Services from the list but will still be running.

6. Click Disable all, this will remove all of the check marks in the Services list.



7. Click on Apply then OK



Click on Restart in the window that opens.

When the computer is restarted, it will boot normally.

If the problem does not continue after the restart, please do the following.

8. Divide the number of these startup services and programs by two, and you place checks in the first half of these, then restart the computer.

9. If the problem doesn't return in those services and programs, remove the checks and place checks in the remaining services and programs and restart the computer.

10. When you find which half the service or program is in, go on to the next step.

11. The half which has the service causing this problem, remove half of the checks as you did previously to see which half has this service. Do the same for the programs. Restart the computer.

12. If it isn't in the first half of these services and programs, do the same with the last half of the services and programs.

13. Once you have narrowed it down to the last three or four services and programs, remove the checks one at a time till you find the service or program at fault.

Once you have found the service or program, post it in your topic. Do not take any action until I suggest the next step.

Several complaints about the same thing over on MS forum. Most of the folks found it was because of a VPN. Do you use a VPN? If so get rid of it.

I found a couple of other posts that solved it in the weirdest way I have ever heard of...turning on airplane mode. That makes absolutely no sense to me but it worked for quite a few people.

What would make sense to me is to disable your wireless (or ethernet adapter, whichever your use) Boot normally to see if your password will work.

Prove that your password is good by using another device. See if you can log in to your MS account Microsoft account | Sign In or Create Your Account Today – Microsoft
If you can, while you're there click on Security>Advanced Security options. Make sure you have multiple ways of account recovery. Another email account and your cell phone so they can send a security code.

If that or none of the suggestions already given by others do not work, backup your personal files using safe mode, Then do a system reset and remove everything or a clean install. Sorry, but a repair install will not work in safe mode.

If it asks for PIN, Windows Hello is clearly enabled. Using 11 and Hello with a local account is atrocity.

mackintg said:

Created a new local admin account with a password. Rebooted. New account had the same login problem... unable to login because it wants a PIN but with no UI ability to enter it.

Web Account Manager - DISABLED

Click to expand...

User Data services and Web Account Manager are required to be able to login.

Since you can boot to safe mode, do this:
That will give you CMD with SYSTEM rights at logon. You can use it to regedit, run services, change the password:

I've never been in this position but, since you can log in in Safe mode, can't you do that then use
Enable or Disable Passwordless Sign-in for Microsoft Accounts - ElevenForumTutorials
Option 2 .Reg file
to disable Windows Hello so you can then log in normally with your password?

I use this procedure even though I have a Local user account so that the checkbox appears in NetPlWiz so I can set up automatic login.
Enable or Disable Automatically Sign in Account at Startup - ElevenForumTutorials


Denis

Have you tried enabling the built in administrator account and then try logging in with that account?

net user administrator/active:yes

Thanks all to the suggestions above. I appreciate the help!

@FreeBooter - That took a while, but nothing lets me log in except safe mode. Anything else hits the same problem, even with all services disabled and no startup apps.

@TairikuOkami- I agree, using Windows Hello on a local account IS an atrocity! :) I have been trying to disable it for hours, including all the new suggestions from this post... but no luck, read below. If you have any other suggestions on how to disable it, that would be great so that I can log in with just my password, that would be great. I tried the net user password change you suggested but this did nothing. If I enter that new password, it continues to demand that I use Windows Hello.

@glasskuter - No, I am not using VPN. This problem occurs whether or not I am connected to a network. Yes, I can log into my Windows Account using that password, no problem. Also, if I type in a junk password when I am trying to log into my laptop, it will display an error saying the password is bad. I only get the "you must use Windows Hello" error when I enter the correct password. Also, this is the password that works OK in Safe Mode.

@Try3 ... Interesting suggestion to enable passwordless... just tried that, no effect. The "only allow Windows Hello" option in Settings/Sign-in-options have been turned off from the start. I booted in safe mode, made the regedit changes to [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PasswordLess\Device] "DevicePasswordLessBuildVersion"=dword:00000002 . In netplwiz, the checkbox option to control "must enter a password" was not displayed at all, because (as noted on that page) it will be hidden if Windows Hello is required. My system erroneously thinks that is the case. I tried the less secure "option 2" on that page using regedit... no effect at all. My system still demands a Windows Hello PIN but offers no UI to let me enter it.

@LesFerch ... yes, sorry I forgot to add that to the list of things I had already tried. No change. Neither my normal account (member of admin) nor the administrator account can log in with a password, even after net activate.

Today, I will demonstrate the automatic Login to Windows without selecting the user account and entering the password with this coded batch script. This method works for both local user account and Microsoft account.


After you login to your account, normally try in-place upgrade.

You can also perform in-place upgrade of Windows 11. In-place upgrade is to use to replace the current operating system files on your computer. Unlike a clean installation of Windows, you can start a Windows in-place upgrade when your OS is still running. And an in-place upgrade can keep your files, settings, & apps during the upgrade process. You can perform a Windows 11 in-place upgrade is to use the Windows 11 Media Creation Tool. Make sure to select Upgrade this PC now and click Next. Follow the on-screen guide to perform a Windows 11 in-place upgrade.

@FreeBooter An inplace upgrade will NOT work in safe mode so if he can not get into windows by any other method that won't work.
IMO I think the TPM's mind is scrambled. The TPM can be reset from both within Windows and in the UEFI bios. MS strongly advises it be done from within windows. I do not know if that can be done from safe mode or not either, but I doubt it.

Pay attention to the precautions listed in this tutorial and MS article and backup all personal data and all keys protected by the TPM. Even if you have to resort to clean install and have no other option except to reset the TPM from UEFI, clearing the tpm before installing would be appropriate in this case.

FreeBooter said:

After you login to your account, normally try in-place upgrade.

Click to expand...

I have asked the OP to perform in-place upgrade after user account normal login process happens. @glasskuter

mackintg said:

Interesting suggestion to enable passwordless

Click to expand...

Disable

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PasswordLess\Device]
"DevicePasswordLessBuildVersion"=dword:00000000

Do not bother with any other repairs until you have disabled Hello. It might be all you need.

mackintg said:

I tried the less secure "option 2" on that page using regedit

Click to expand...

I suspect that you meant Option 2 of the NetPlWiz tutorial [rather than the Hello tutorial].
I agree. I have never stored my user account password in that Registry key.


Denis

FreeBooter said:

have asked the OP to perform in-place upgrade after user account normal login process happens.

Click to expand...

I understand and I should have directed that post to the OP rather than you. Sorry. I just didn't want the OP to think if none of the other suggestions worked that he could do an in-place upgrade from within safe boot.

If you have a working Win10/11 system and a USB you can format, you can use this CMD script to quickly(on USB 3.0) create a bootable password reset disk

GitHub - illsk1lls/RescueMaker: Create and burn a simple rescue USB with any Win10/11 host OS.

@FreeBooter - At the suggestion of @Try3 , I already tried passwordless ENABLED and DISABLED, and automated login as possible solution (it didn't work). Watching your video, I think we can assume your script just does the reg DB edits that I went through manually as @Try3 shared here. Since this does not solve my problem, @glasskuter is correct... inplace upgrade does not work in safe mode, and safe boot is my only way past the Windows Hello barrier.

@glasskuter - I also suspected that my TPM was fried. I tried resetting while in Win Safe Mode using the TPM management console; the "Reset" action was offered, but upon normal reboot I got the same old login problem. I tried to use the alternative of the Windows Security app, but it just hung with a blank screen... either a symptom of being in Safe Mode, or evidence that my TPM is corrupt. I moved on to the TPM PowerShell cmdlets [clear-tpm] and [initialize-tpm], which seemed to function normally, but a reboot in normal mode showed no change. Lastly, I resorted to EUFI/BIOS... I reset the TPM chip, rebooted, entered the Bitlocker recovery key when prompted, and... no change Same problem.

@Try3 - Yes, I tried both DISABLING passwordless DevicePasswordLessBuildVersion=0 and ENABLING passwordless with DevicePasswordLessBuildVersion=2. Neither one had any effect on my login problem. I enabled passwordless hoping that I could also use the automatic login to bypass Windows Hello. (and yes, as you surmised, I had to use "option 2" here). None of these configurations made any difference.

@BobOmb - Resetting my password is not the problem. I know my password, and I have already changed it a few times to see if that helps to get me past the evil Windows Hello (it doesn't).

Thank you all for the suggestions! What an impass. I am starting to think that resetting to a clean wipe Win 11 reinstall is emerging as my only path forward.

Any other ideas?

Enable hidden administrator account from Windows 11 recovery environment and use the Admin account to reset user password, or you can use Kali Linux to reset user password to empty.

In this video, you will find detailed instructions on how to enable the hidden administrator account on Windows 11,10, 8, 7 or Vista based computers, by modifying the Windows Registry Offline in case you cannot login to Windows by using another account with admin rights.


In this guide, you’re going to learn how to reset a forgotten local user login password on any Windows computer using Kali Linux.

mackintg said:

@BobOmb - Resetting my password is not the problem.

Click to expand...

I thought you were stuck on an ms account, the reset wouldve converted it over to a local account and in the process removed windows hello… had it been an MS account this would have likely worked.. but I see now its local..

depending on the machine set up and how much different kinds of software I had installed (and what work was involved on rebuilding my machine) I might be inclined to make a new administrator profile and slide everything from the old profile over to the new profile with something like “Fabs auto back up”

That way you don’t lose any installed software and basically get to keep nearly everything from the old profile, and your system will be running again

If you have trouble making a new admin account you can use the bootable pw reset tool in the link i sent to create one as well

@BobOmb - thanks for the suggestion, but I have already tried that. While in Safe Mode, I created a new account, set type to Admin and tried logging into a normal boot with that new account. Same problem... will not allow login except through Windows Hello, but there is no UI enter PIN.

Was glancing through this. Wow. Very strange, indeed. Just a quick question: Have you tried to use the "smart card" methodology? (Lots of Google articles on this). Perhaps it will let you work around the problem? (Note: will only work with a local account - not a Microsoft account).

out of curiosity, do you have hibernate enabled? if so, try the below in safemode, in an admin cmd prompt


then reboot

It’s a longshot, but you may be having some squirrley issues with hiberfile.sys trying to load

@BobOmb - no, hibernate not enabled.

Thanks again, everyone, for your great advice. I gave up and did a Windows Reset. Got all my docs, just have to reinstall apps. Bummer, but could be worse. Good thing that Safe Mode got me in!