Windows 10 TPM issues after 1803 update

After upgrading HP Pro x2 612 G2 tablets (Surface-style devices) to the Windows 10 April 2018 Update (version 1803), Windows Defender reports a problem with the device's security processor and points to Microsoft article KB4096377.

[the problem]

After following the instructions in KB4096377, the system no longer allows signing in with biometrics, Windows Hello, or the existing user PIN. Users must sign in with their Microsoft account password, Azure AD password, or local account password. The following error is displayed at logon:

Your PIN is no longer available due to a change in the security settings on this device. You can set up your PIN again by going to Settings > Accounts > Sign-in options.

Unfortunately, once logged in, users cannot set a new PIN or change the existing one. Every attempt to change, remove or set a PIN fails with an unhelpful error: “Something went wrong. Try again later.” The PIN and biometric credentials live in a per-user Windows Hello container under the Ngc folder, protected by keys bound to the TPM. After the TPM change that container can no longer be opened, yet its presence stops Windows from creating a fresh one, which is why the fix below removes it and lets the device re-enrol from scratch.

[solution]

CAUTION: Following these steps without an administrative account on the computer whose password you know (the password, not a PIN or biometrics) can lock you out of your computer. The steps also delete the Windows Hello containers of every user on the device, so each user will have to set up their PIN, fingerprint and face recognition again.

  1. Click Settings->Accounts->Your info and ensure that the account is an Administrator account. Then click Sign in with a local account instead. NOTE: If you’re unsure of your local account password, you may want to create another local admin account on your computer to prevent getting locked out.
  2. Press Win + E to open File Explorer, then click View > Show/hide and tick Hidden items. Assuming Windows is installed on the C: drive, navigate to the C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft folder. Right-click the Ngc folder and select Properties.
  3. On the Security tab, click Advanced.
  4. Next to Owner: Unable to display current owner, click Change.
  5. Click Select a principal and select your username. Then click OK.
  6. Tick the box Full control and click OK.
  7. Tick the box Replace all child object permission entries… and click OK to all remaining properties dialogs.
  8. You’ve now taken ownership of the Ngc folder and should be able to view its contents. Open the folder and delete all files and folders inside it (copy them elsewhere first if you want a fallback).
  9. Re-open the security tab on the properties of the Ngc folder. Add the SYSTEM account with Full control permissions.
  10. Close Windows Explorer.
  11. Open a Command Prompt as administrator.
  12. Run: icacls C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Ngc /T /Q /C /RESET
  13. Reboot.
  14. Log in. Open Settings->Accounts->Sign-in options and set a new PIN; no error should appear now. Add the desired fingerprint and set up Windows Hello (if the device supports it). Optionally you can now switch back to signing in with your Microsoft account or Azure AD account.
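The following script is an added example, not part of the original post, that performs steps 8 to 12 from an elevated PowerShell session instead of clicking through the Security dialogs. It assumes Windows is installed on C:, that you have already switched to a local administrator account (step 1), and relies only on the built-in takeown, icacls and robocopy tools. The backup folder name is an arbitrary choice. Unlike the manual procedure, it also hands ownership of the Ngc folder back to SYSTEM once the default permissions have been restored.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): scripted version of steps 8-12.
# Assumptions: Windows lives on C:, the session is an elevated PowerShell run by a
# local administrator whose password you know, and $Backup is an arbitrary path.
$Ngc    = 'C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Ngc'
$Backup = "C:\NgcBackup-$(Get-Date -Format 'yyyyMMdd-HHmmss')"

# 1. Safety checks. Refuse to run unless elevated, and refuse to run under a
#    Microsoft account or Azure AD account: those show a different domain prefix
#    than COMPUTERNAME\user, and you need a local admin with a password to get
#    back in if Windows Hello cannot be re-enrolled afterwards.
$id        = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$id
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}
if ($id.Name -notlike "$env:COMPUTERNAME\*") {
    throw "Signed in as $($id.Name); switch to a local administrator account first (step 1)."
}
if (-not (Test-Path -LiteralPath $Ngc)) {
    throw "Ngc folder not found at $Ngc"
}

# 2. Take ownership recursively for the Administrators group (/A) and grant it
#    full control (steps 4-7). SIDs are used instead of names so the script works
#    on any display language: S-1-5-32-544 = BUILTIN\Administrators,
#    S-1-5-18 = NT AUTHORITY\SYSTEM.
& takeown.exe /F $Ngc /A /R /D Y | Out-Null
& icacls.exe $Ngc /grant '*S-1-5-32-544:(OI)(CI)F' /T /C /Q | Out-Null

# 3. Keep a copy of the stale containers before deleting anything. /B uses the
#    backup privilege so files are read even where the ACL would otherwise block it.
& robocopy.exe $Ngc $Backup /E /B /R:1 /W:1 /NFL /NDL /NJH /NJS | Out-Null
if ($LASTEXITCODE -ge 8) {
    throw "Backup to $Backup failed (robocopy exit code $LASTEXITCODE)"
}

# 4. Delete every container (step 8). Every user on this device loses their PIN
#    and biometric enrolment and must set them up again after the reboot.
Get-ChildItem -LiteralPath $Ngc -Force | Remove-Item -Recurse -Force

# 5. Restore the default inherited ACL, which gives SYSTEM full control (steps 9
#    and 12), then return ownership to SYSTEM rather than leaving it with your
#    account as the manual steps do.
& icacls.exe $Ngc /reset /T /C /Q | Out-Null
& icacls.exe $Ngc /setowner '*S-1-5-18' /T /C /Q | Out-Null

# 6. Show the resulting ACL for the record, then reboot (step 13).
& icacls.exe $Ngc
Write-Host "Stale Ngc contents backed up to $Backup"
Restart-Computer -Confirm
```

After the reboot, continue with step 14. If re-enrolment still fails, the backup folder holds the original container files so the state can be inspected, but restoring them is pointless since they are bound to the old TPM state.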