News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon
  • Windows Hello PIN Permanently Locks PC when Booting in Safe Mode

    Posted on MarcVRML Comment on the AskWoody Lounge

    Home Forums AskWoody support Windows Windows 10 Windows 10 version 2004 – May 2020 Update Windows Hello PIN Permanently Locks PC when Booting in Safe Mode

    Viewing 4 reply threads
    • Author
      Posts
      • #2297007 Reply
        MarcVRML
        AskWoody Lounger

        This just happened to me so I wanted to share my findings as a warning to others.

        If you use Windows Hello PIN to gain entry to your PC from the lock screen, be aware of an issue I encountered when using MSCONFIG to boot in safe mode (no networking) during a conventional round of debugging.

        Safe Mode launched, and presented the Lock Screen, but instead of an option to enter the PIN, you get a “something went wrong – pin unavailable” message, and a clickable option beneath that to “set up a new pin” which, of course, completely fails.

        I believe the issue relates to the system attempting to check your PIN externally, but not finding an internet connection. However, instead of offering the secondary option of logging in to the local account, you get nothing other than the error messages described above.

        This is a major problem. And here’s why :

        You cannot get out of this situation.

        When rebooting, windows still attempts to boot in safe mode, and the problem presents itself again.

        I tried the following to get out of this loop:

        a) Hit the tab key multiple times to try and cajole the account-password login to appear. It didn’t.

        b) SHIFT-CLICK the Restart option on the lock screen to open recovery console. This worked, but it didn’t help …

        c) Used the windows startup troubleshooter. It couldn’t find anything wrong.

        d) Opened an MSDOS prompt and set  <b>bcdedit /deletevalue {current} safeboot.</b>

        Upon rebooting, I could tell we weren’t going into safe mode anymore, but I still ended up at the same lock screen with the same problem – something wrong with pin. Click to setup a new one. Setup fails. No access to desktop.

        e) Used recovery console and command line to delete the contents of the NGC folder. This DID have an affect : Upon rebooting, there was just a lock screen but no Windows Hello prompt whatsoever, no response to clicking. Just a blurred (no doubt quite beautiful) bit of background scenery.

        f) In desperation, decided to wipe / reset windows, and use my backup from that morning to restore the o/s partition. I used my Veeam recovery disk and booted off that. Veeam let me down. Upon attempting to restore the volume, Veeam reported it was unable to do so due to a lack of permissions and a volume mismatch. So much for that (now looking for an alternative backup solution, too!).

        g) Back in the Windows recovery console next was a Windows Reset, keeping my files. This failed. After rebooting following the reset, the same problem occured and I couldn’t get into the o/s.

        g) Tries again – a windows reset, deleting my files. This DID get me back into the windows desktop via a new user account through the conventional setup process.

        At this point, I had no option but to throw in the towel, and just set up the o/s to my liking.

        I have now disabled Windows Hello PIN, and I recommend you do the same.

        Remember this happened just by using MSCONFIG from my ADMIN account, to go into safe boot without networking. From that little decision, an entire day was lost (several in fact). I find it unconscionable that this could happen, but there you go. Maybe I hit a combo that Microsoft hadn’t expected, but if anyone reading this can shed some light on the original issue or avoid themselves going down the same road to hell, then I’d be interested to hear!

        Thanks folks!

        Marc

         

        5 users thanked author for this post.
      • #2297014 Reply
        Microfix
        AskWoody MVP

        Ouch! how infuriating!
        So what prompted the action to access safemode in the first place?
        What patches were recently installed prior to the safemode/Hello PIN bootloop?
        This might narrow things down a bit (hopefully)
        Thanks for the report/ feedback and warning to all.

        Win8.1 Pro | Linux Hybrids | Win7 Pro O/L | WinXP O/L
        2 users thanked author for this post.
      • #2297015 Reply
        anonymous
        Guest

        I believe the issue relates to the system attempting to check your PIN externally, but not finding an internet connection.

        A Windows Hello PIN is never checked externally:

        PIN is local to the device
        A PIN is local to the device — it isn’t transmitted anywhere and it isn’t stored on the server.
        Why a PIN is better than a password

        A PIN in safe mode is valid after version 2004:

        Security
        Windows Hello

        Windows Hello PIN sign-in support is added to Safe mode.
        What’s new in Windows 10, version 2004 for IT Pros

        1 user thanked author for this post.
      • #2298400 Reply
        MarcVRML
        AskWoody Lounger

        Thanks for those replies folks and sorry for the delay in responding, but I didn’t receive an email notification they were there.

         

        Microfix asked :

        “So what prompted the action to access safemode in the first place?”

        • All was well. The PC was freshly built. Windows 2004 was freshly installed. All patching was up to date. The software suite I rely on for production workflow was in place. But for one matter : I was seeing a small delay between launching a particular program via a DDE link, and returning control back to the UI so additional windows on the desktop could be interacted with. That short delay felt like a 3rd party software issue with something getting in the way of the dde channel, as it didn’t happen on my older PC (which also used Win2004). So … as I’ve done many times before, good practice involved a clean boot into safe mode to see if the problem happened there, and then I’d figure out which program was causing the delay.

        MSCONFIG was launched, safe mode (no networking) was chosen and … bang. Windows Hello Pin where art thou.

        “What patches were recently installed prior to the safemode/Hello PIN bootloop?”

        • I couldn’t say specifically, except that Win2004 was fully updated at that time as part of the general Microsoft install process, and me hitting the “check for updates” until no more showed up.

        Anonymous stated:

        “A Windows Hello PIN is never checked externally:”

        Fair enough – that blows my theory out of the water. Still, what happened was Windows Hello Pin didn’t even offer a dialog box where the pin could be typed in – it was just a message stating “something” went wrong, and I should click here to “setup new pin”. Clicking that link once did nothing. Clicking again brought up a dialog stating “this operation requires downloading a Windows application from the Microsoft Store. Do you want to do this?” And I answered “yes”. After that, nothing happened.

        Anonymous also stated :

        “A PIN in safe mode is valid after version 2004”

        Thanks Anonymous. No it ain’t. Or, more specifically in my case, no it weren’t.

        It is of course entirely possible I’m just unlucky and during the setup of the o/s originally, something didn’t get installed properly, but Windows Hello PIN was working fine up to that point for at least 2 days. Had I booted into my o/s with a normal boot, I’m sure it would still be waving hello to me even today, but regrettably, the safe-mode boot via msconfig totally knackered it.

        (And they want me to use Bitlocker! Ha!).

        1 user thanked author for this post.
        • #2298414 Reply
          Microfix
          AskWoody MVP

          I linked this topic to win10-version-2004-systemwide-password-amnesia as I thought they may have be related which veers towards a patch (if your then system OS was bang up to date)So, now that you are not using Hello PIN, is the system behaving itself?
          Just for timescales: when did this all happen? August/September post patch tuesday?

          Win8.1 Pro | Linux Hybrids | Win7 Pro O/L | WinXP O/L
      • #2298416 Reply
        MarcVRML
        Guest

        Hi Microfix … this happened in the first week of September. And yes … I am now 2 weeks password-free and doing fine! FYI I’m using a Windows Microsoft online account (ugh) but have disabled Hello, and have removed sign-in requirements for my account, which is (and always has been) administrator-level.

        1 user thanked author for this post.
    Viewing 4 reply threads

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: Windows Hello PIN Permanently Locks PC when Booting in Safe Mode

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.