• Windows Hello PIN Permanently Locks PC when Booting in Safe Mode

    Home » Forums » AskWoody support » Windows » Windows 10 » Windows 10 versions – no longer supported » Windows 10 version 2004 – May 2020 Update » Windows Hello PIN Permanently Locks PC when Booting in Safe Mode

    Author
    Topic
    #2297007

    This just happened to me so I wanted to share my findings as a warning to others.

    If you use Windows Hello PIN to gain entry to your PC from the lock screen, be aware of an issue I encountered when using MSCONFIG to boot in safe mode (no networking) during a conventional round of debugging.

    Safe Mode launched, and presented the Lock Screen, but instead of an option to enter the PIN, you get a “something went wrong – pin unavailable” message, and a clickable option beneath that to “set up a new pin” which, of course, completely fails.

    I believe the issue relates to the system attempting to check your PIN externally, but not finding an internet connection. However, instead of offering the secondary option of logging in to the local account, you get nothing other than the error messages described above.

    This is a major problem. And here’s why :

    You cannot get out of this situation.

    When rebooting, windows still attempts to boot in safe mode, and the problem presents itself again.

    I tried the following to get out of this loop:

    a) Hit the tab key multiple times to try and cajole the account-password login to appear. It didn’t.

    b) SHIFT-CLICK the Restart option on the lock screen to open recovery console. This worked, but it didn’t help …

    c) Used the windows startup troubleshooter. It couldn’t find anything wrong.

    d) Opened an MSDOS prompt and set  <b>bcdedit /deletevalue {current} safeboot.</b>

    Upon rebooting, I could tell we weren’t going into safe mode anymore, but I still ended up at the same lock screen with the same problem – something wrong with pin. Click to setup a new one. Setup fails. No access to desktop.

    e) Used recovery console and command line to delete the contents of the NGC folder. This DID have an affect : Upon rebooting, there was just a lock screen but no Windows Hello prompt whatsoever, no response to clicking. Just a blurred (no doubt quite beautiful) bit of background scenery.

    f) In desperation, decided to wipe / reset windows, and use my backup from that morning to restore the o/s partition. I used my Veeam recovery disk and booted off that. Veeam let me down. Upon attempting to restore the volume, Veeam reported it was unable to do so due to a lack of permissions and a volume mismatch. So much for that (now looking for an alternative backup solution, too!).

    g) Back in the Windows recovery console next was a Windows Reset, keeping my files. This failed. After rebooting following the reset, the same problem occured and I couldn’t get into the o/s.

    g) Tries again – a windows reset, deleting my files. This DID get me back into the windows desktop via a new user account through the conventional setup process.

    At this point, I had no option but to throw in the towel, and just set up the o/s to my liking.

    I have now disabled Windows Hello PIN, and I recommend you do the same.

    Remember this happened just by using MSCONFIG from my ADMIN account, to go into safe boot without networking. From that little decision, an entire day was lost (several in fact). I find it unconscionable that this could happen, but there you go. Maybe I hit a combo that Microsoft hadn’t expected, but if anyone reading this can shed some light on the original issue or avoid themselves going down the same road to hell, then I’d be interested to hear!

    Thanks folks!

    Marc

     

    6 users thanked author for this post.
    Viewing 5 reply threads
    Author
    Replies
    • #2297014

      Ouch! how infuriating!
      So what prompted the action to access safemode in the first place?
      What patches were recently installed prior to the safemode/Hello PIN bootloop?
      This might narrow things down a bit (hopefully)
      Thanks for the report/ feedback and warning to all.

      Win8.1/R2 Hybrid lives on...
      2 users thanked author for this post.
    • #2297015

      I believe the issue relates to the system attempting to check your PIN externally, but not finding an internet connection.

      A Windows Hello PIN is never checked externally:

      PIN is local to the device
      A PIN is local to the device — it isn’t transmitted anywhere and it isn’t stored on the server.
      Why a PIN is better than a password

      A PIN in safe mode is valid after version 2004:

      Security
      Windows Hello

      Windows Hello PIN sign-in support is added to Safe mode.
      What’s new in Windows 10, version 2004 for IT Pros

      1 user thanked author for this post.
    • #2298400

      Thanks for those replies folks and sorry for the delay in responding, but I didn’t receive an email notification they were there.

       

      Microfix asked :

      “So what prompted the action to access safemode in the first place?”

      • All was well. The PC was freshly built. Windows 2004 was freshly installed. All patching was up to date. The software suite I rely on for production workflow was in place. But for one matter : I was seeing a small delay between launching a particular program via a DDE link, and returning control back to the UI so additional windows on the desktop could be interacted with. That short delay felt like a 3rd party software issue with something getting in the way of the dde channel, as it didn’t happen on my older PC (which also used Win2004). So … as I’ve done many times before, good practice involved a clean boot into safe mode to see if the problem happened there, and then I’d figure out which program was causing the delay.

      MSCONFIG was launched, safe mode (no networking) was chosen and … bang. Windows Hello Pin where art thou.

      “What patches were recently installed prior to the safemode/Hello PIN bootloop?”

      • I couldn’t say specifically, except that Win2004 was fully updated at that time as part of the general Microsoft install process, and me hitting the “check for updates” until no more showed up.

      Anonymous stated:

      “A Windows Hello PIN is never checked externally:”

      Fair enough – that blows my theory out of the water. Still, what happened was Windows Hello Pin didn’t even offer a dialog box where the pin could be typed in – it was just a message stating “something” went wrong, and I should click here to “setup new pin”. Clicking that link once did nothing. Clicking again brought up a dialog stating “this operation requires downloading a Windows application from the Microsoft Store. Do you want to do this?” And I answered “yes”. After that, nothing happened.

      Anonymous also stated :

      “A PIN in safe mode is valid after version 2004”

      Thanks Anonymous. No it ain’t. Or, more specifically in my case, no it weren’t.

      It is of course entirely possible I’m just unlucky and during the setup of the o/s originally, something didn’t get installed properly, but Windows Hello PIN was working fine up to that point for at least 2 days. Had I booted into my o/s with a normal boot, I’m sure it would still be waving hello to me even today, but regrettably, the safe-mode boot via msconfig totally knackered it.

      (And they want me to use Bitlocker! Ha!).

      1 user thanked author for this post.
      • #2298414

        I linked this topic to win10-version-2004-systemwide-password-amnesia as I thought they may have be related which veers towards a patch (if your then system OS was bang up to date)So, now that you are not using Hello PIN, is the system behaving itself?
        Just for timescales: when did this all happen? August/September post patch tuesday?

        Win8.1/R2 Hybrid lives on...
    • #2298416

      Hi Microfix … this happened in the first week of September. And yes … I am now 2 weeks password-free and doing fine! FYI I’m using a Windows Microsoft online account (ugh) but have disabled Hello, and have removed sign-in requirements for my account, which is (and always has been) administrator-level.

      1 user thanked author for this post.
    • #2594301

      I have the same problem, messing with mscoonfig after a bluetooth dissappearing from the menus episode. I followed a tutorial that recommended selective startup – load system services and load startup items and from the boot tab – safe boot with minimal. This has entered me in this loop of PIN isn’t available. No fix yet??

      • #2594308

        Did you have a password (MS password) before you set up a PIN? That password may be what you need to log in (before you set up the PIN in Windows Hello).

    • #2630411

      Set up a new Dell laptop with Windows 11 Pro.  After setup checked to make sure safe mode could be enabled.  And then.  Got the message, “something happened and …set up PIN…”.  Tried to set up PIN.  Then kept looping.  Reset the PC.  No help with safe mode issue.  Dell installed new drive with new Windows 11 OS loaded on it.  No help.  Finally did a clean install and it solved the problem.  Talked to a Microsoft tech and he was aware of this issue.  He also mentioned that a clean install should fix the accessing safe mode issue.  FYI.  I didn’t see where Windows 11 allows a password.  Only a numeric or alpha/numeric PIN.  By the way, I also got a Lenovo laptop that did the exact same thing.  So it’s not the manufacturer,

    Viewing 5 reply threads
    Reply To: Windows Hello PIN Permanently Locks PC when Booting in Safe Mode

    You can use BBCodes to format your content.
    Your account can't use all available BBCodes, they will be stripped before saving.

    Your information: