Quick fix: Clear the NGC folder once (which contains the PIN binding), re-create the PIN, and the new binding is stable. Run from Terminal (Admin): take ownership of C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Ngc, delete its contents, restart, set up a new PIN.
You set a PIN. A few days later — sometimes after a Windows Update, sometimes spontaneously — the PIN doesn’t work. You have to reset. Then it happens again. The TPM-bound PIN data in the NGC folder is getting corrupted. A clean wipe of NGC + fresh PIN setup creates a stable binding.
Affects: Windows 11 (and Windows 10) Windows Hello PIN.
Fix time: ~15 minutes.
What causes this
Windows Hello PIN is stored as cryptographic material in C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Ngc, bound to your TPM. Corruption in this folder — from interrupted updates, antivirus quarantine of NGC files, profile sync conflicts — produces unstable PIN behavior. A clean wipe + fresh setup re-establishes the TPM binding from scratch.
Method 1: Wipe NGC folder and re-create PIN
The reliable fix.
- Sign in to Windows via password (since PIN may be broken). At lock screen: Sign-in options → Password.
- Open Terminal (Admin).
- Take ownership of the NGC folder:
takeown /f C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Ngc /r /d y
icacls C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Ngc /grant administrators:F /t
- Clear NGC contents:
Remove-Item -Recurse -Force C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Ngc\* -ErrorAction SilentlyContinue
- Restore ownership to SYSTEM (otherwise future PIN operations may fail):
icacls C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Ngc /setowner "NT AUTHORITY\SYSTEM" /t
- Reboot.
- At sign-in, use password (PIN is gone). After desktop loads, go to Settings → Accounts → Sign-in options → PIN (Windows Hello) → Set up.
- Enter Microsoft account password to authorize. Create a new PIN.
- The new binding is fresh. Lock and test.
This handles the most common case of NGC corruption.
Method 2: Clear TPM and re-create PIN (if Method 1 doesn’t resolve)
Use when even fresh PIN setup is unstable.
- BitLocker first: if BitLocker is on, suspend it before clearing TPM (otherwise the drive gets locked).
- Open Manage BitLocker → Suspend protection → Yes (will resume on next reboot).
- Open tpm.msc.
- Verify TPM status. Click Clear TPM in the right pane.
- Confirm and reboot. Press the keyboard key shown at boot to confirm TPM clear (typically F12, F10, or Esc).
- After reboot, sign in via password. TPM is now in a fresh state.
- Resume BitLocker if you suspended it.
- Set up PIN again: Settings → Accounts → Sign-in options → PIN → Set up.
Clearing the TPM resets the underlying hardware binding. Use sparingly — affects BitLocker and other TPM-dependent features.
Method 3: Disable Microsoft account password sync to stop PIN conflicts
Some PIN reset cases trace to Microsoft account password sync — changing your password elsewhere triggers PIN re-bind.
- Open Settings → Accounts → Windows backup → Remember my preferences.
- Untick Passwords if it’s ticked.
- If you change your Microsoft account password (account.microsoft.com), don’t change it from another device — only from this PC. This prevents push-down sync from invalidating the local PIN.
- If you have multiple Windows devices signed in to the same Microsoft account, ensure PIN sync is off in each.
- Combined with Method 1’s NGC reset, this gives a stable PIN.
This is the right approach when PIN resets correlate with multi-device password changes.
How to verify the fix worked
- Sign in with the new PIN. Works.
- Reboot. PIN still works.
- Wait a week (or trigger a Windows Update). PIN still works.
- Open Settings → Accounts → Sign-in options → PIN section. Shows your PIN is active.
- Run Get-Service WbioSrvc, NgcCtnrSvc in PowerShell. Both Running.
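The checks above can be gathered into one read-only script. This is an added example, not part of the original guide: the function name Test-HelloPinHealth is hypothetical, it assumes an elevated PowerShell session, and it compares the folder owner against S-1-5-18 (the well-known SID of Local System) so the result does not depend on the display language.

```powershell
# Added example: read-only checks, run in Terminal (Admin). Changes nothing.
# Test-HelloPinHealth is a hypothetical name, not a built-in cmdlet.
function Test-HelloPinHealth {
    $ngc = 'C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Ngc'
    $out = [System.Collections.Generic.List[object]]::new()
    $add = { param($Check, $Ok, $Detail)
        $out.Add([pscustomobject]@{ Check = $Check; Ok = $Ok; Detail = $Detail }) }

    # 1. Owner must be SYSTEM again. Compare the SID (S-1-5-18) so the
    #    check also works on non-English Windows.
    try {
        $acl = Get-Acl -LiteralPath $ngc -ErrorAction Stop
        $sid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
        & $add 'NGC owner is SYSTEM' ($sid -eq 'S-1-5-18') "$($acl.Owner) ($sid)"
    } catch { & $add 'NGC owner is SYSTEM' $false $_.Exception.Message }

    # 2. After a new PIN is set up the folder should no longer be empty.
    try {
        $n = @(Get-ChildItem -LiteralPath $ngc -Force -ErrorAction Stop).Count
        & $add 'NGC folder populated' ($n -gt 0) "$n top-level item(s)"
    } catch { & $add 'NGC folder populated' $false $_.Exception.Message }

    # 3. The two services the guide checks.
    foreach ($name in 'WbioSrvc', 'NgcCtnrSvc') {
        try {
            $svc = Get-Service -Name $name -ErrorAction Stop
            & $add "Service $name" ($svc.Status -eq 'Running') "$($svc.Status)"
        } catch { & $add "Service $name" $false $_.Exception.Message }
    }

    # 4. TPM present and ready for use.
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        & $add 'TPM ready' ($tpm.TpmPresent -and $tpm.TpmReady) `
            "Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady)"
    } catch { & $add 'TPM ready' $false $_.Exception.Message }

    # 5. Informational: BitLocker state, relevant before Method 2.
    try {
        $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        & $add 'BitLocker (info)' $null "ProtectionStatus=$($bl.ProtectionStatus)"
    } catch { & $add 'BitLocker (info)' $null $_.Exception.Message }

    $out
}

Test-HelloPinHealth | Format-Table -AutoSize -Wrap
```

A row with Ok = False and an access-denied message on the NGC checks means the session cannot read the folder; that is a permissions result, not evidence of corruption.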
If none of these work
If PIN keeps failing despite NGC wipe and TPM clear, three causes apply.
- Failing TPM hardware: rare but possible. Check Event Viewer → Application → Source: TPM-WMI for errors.
- Corrupted user profile: create a new local user account, test if PIN works there. If yes, your original profile is damaged — migrate data and use the new profile.
- Corporate Intune policy: managed PCs may have policies that reset PIN binding on schedule. Contact IT.
For chronic PIN failures despite all measures, fall back to Microsoft account password as primary sign-in or use Windows Hello fingerprint/face exclusively.
Bottom line: NGC folder corruption causes PIN to keep resetting — clear the folder, restore SYSTEM ownership, set up PIN fresh. New binding is stable across reboots.