Accounts Remove PIN from Account in Windows 11

  • Staff

This tutorial will show you how to remove the Windows Hello PIN sign-in option from your account in Windows 11.

Windows Hello is a more personal, more secure way to get instant access to your Windows 11 devices using a PIN, facial recognition, or fingerprint. You'll need to set up a PIN as part of setting up fingerprint or facial recognition sign-in, but you can also sign in with just your PIN.

These options help make it easier and safer to sign into your PC because your PIN is only associated with one device and it's backed up for recovery with your Microsoft account.

How is a PIN different from (and better than) a password? On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like t758A! could be an account password or a complex Hello PIN. It isn't the structure of a PIN (length, complexity) that makes it better than a password, it's how it works.
  • PIN is tied to the device
    One important difference between a password and a Hello PIN is that the PIN is tied to the specific device on which it was set up. That PIN is useless to anyone without that specific hardware. Someone who steals your password can sign in to your account from anywhere, but if they steal your PIN, they'd have to steal your physical device too!

    Even you can't use that PIN anywhere except on that specific device. If you want to sign in on multiple devices, you have to set up Hello on each device.
  • PIN is local to the device
    A password is transmitted to the server -- it can be intercepted in transmission or stolen from a server. A PIN is local to the device -- it isn't transmitted anywhere and it isn't stored on the server. When the PIN is created, it establishes a trusted relationship with the identity provider and creates an asymmetric key pair that is used for authentication. When you enter your PIN, it unlocks the authentication key and uses the key to sign the request that is sent to the authenticating server.
  • PIN is backed by hardware
    The Hello PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. All Windows 10 Mobile phones and many modern laptops have TPM.

    User key material is generated and available within the Trusted Platform Module (TPM) of the user device, which protects it from attackers who want to capture the key material and reuse it. Because Hello uses asymmetric key pairs, users credentials can't be stolen in cases where the identity provider or websites the user accesses have been compromised.

    The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. After too many incorrect guesses, the device is locked.
  • PIN can be complex
    The Windows Hello for Business PIN is subject to the same set of IT management policies as a password, such as complexity, length, expiration, and history. Although we generally think of a PIN as a simple four-digit code, administrators can set policies for managed devices to require a PIN complexity similar to a password. You can require or block: special characters, uppercase characters, lowercase characters, and digits.
  • What if someone steals the laptop or phone?
    To compromise a Windows Hello credential that TPM protects, an attacker must have access to the physical device, and then must find a way to spoof the user's biometrics or guess his or her PIN—and all of this must be done before TPM anti-hammering protection locks the device. You can provide additional protection for laptops that don't have TPM by enabling BitLocker and setting a policy to limit failed sign-ins.
  • Why do you need a PIN to use biometrics?
    Windows Hello enables biometric sign-in for Windows 11: fingerprint, iris, or facial recognition. When you set up Windows Hello, you're asked to create a PIN first. This PIN enables you to sign in using the PIN when you can't use your preferred biometric because of an injury or because the sensor is unavailable or not working properly.

    If you only had a biometric sign-in configured and, for any reason, were unable to use that method to sign in, you would have to sign in using your account and password, which doesn't provide you the same level of protection as Hello.
See also:

You can remove the PIN sign-in option from your account if wanted.

If you remove the PIN from your account, it will also remove any added face or fingerprint sign-in option from your account since a PIN is required for all Windows Hello sign-in options.

Removing the PIN from a Microsoft account will also turn off Account protection in Windows Security.


EXAMPLE: PIN sign-in option on sign-in screen


Option One

Remove PIN for Current User in Settings

1 Open Settings (Win+I).

2 Click/tap on Accounts on the left side, and click/tap on Sign-in options on the right side. (see screenshot below)


3 Under Ways to sign in, click/tap on PIN (Windows Hello) to expand it open. (see screenshot below step 4)

4 Click/tap on the Remove button to the right of Remove this sign-in option. (see screenshot below)

The Remove button will be grayed out if For improved security, only allow Windows Hello sign-in for Microsoft accounts on this device is turned on.

This will not affect a local account.


5 Click/tap on Remove to confirm. (see screenshot below)


6 Enter your account's password (not PIN) to verify, and click/tap on OK. (see screenshot below)


7 You can now close Settings if you like.

Option Two

Remove PIN for All Users using BAT file

You must be signed in as an administrator to use this option.

This option can be helpful to fix when users are unable to add or use the PIN sign-in option.

When trying to change or add a PIN logon in Windows 11, you may encounter issues such as:

-Error Message Something went wrong (code: 0x8009002d). Restart your device to see if that fixes the problem. when trying to Sign-In using Pin.
-Error Message Something went wrong. Try again later when trying to Add / modify PIN.
-Unable to configure Windows Hello because of PIN related issues.
-Clicking on the Add PIN option does nothing.
-PIN incorrect error even as you verify that the correct PIN was entered.
-Add PIN option does not show under Sign-In options.

When this happens, it's usually caused by the C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\NGC folder getting corrupted. Emptying the NGC folder and resetting the ACLs (Access Control Lists) on the NGC folder should fix these issues.

1 Turn off For improved security, only allow Windows Hello sign-in for Microsoft accounts on this device.

2 Click/tap on the download button below to download the file below.


(Contents of .bat file for reference)
@echo off
powershell -windowstyle hidden -command "Start-Process cmd -ArgumentList '/s,/c,takeown /f C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\NGC /r /d y & icacls C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\NGC /grant administrators:F /t & RD /S /Q C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Ngc & MD C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Ngc & icacls C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Ngc /T /Q /C /RESET' -Verb runAs"

3 Save the .bat file to your desktop.

4 Unblock the .bat file, and run the .bat file.

5 When prompted by UAC, click/tap on Yes to approve running the .bat file elevated (aka: Run as administrator).

6 You will now notice a command prompt quickly opening and closing to run the commands in the .bat file.

That's it,
Shawn Brink



  • PIN.png
    340 bytes · Views: 124
  • Remove_PIN_for_all_users.bat
    694 bytes · Views: 310
Last edited:
Top Bottom