Reset Windows Hello Fingerprint

[Michelle Benitone]

Tofix this issue, you basically just need to the delete the existing files and re-register your face or fingerprint (it works the same for both). Please note, this will reset Windows Hello (face scan, fingerprint scan, and iris scan) for all users registered on the computer:

2. Create a backup. Create a new folder somewhere on your computer called WinBioBackup. Then, open Windows Explorer and go to C:\Windows\System32\WinBioDatabase. Back up the Dat files in this folder by copy and pasting the files into the new folder you created.

5. Register your face/fingerprint again. Go to your account settings, then Sign-in options and go through the registration process again to re-register your biometrics. If this machine has multiple users, everyone will need to re-register.

Have him do a PIN reset, it will re-initialize the whole process. There's a difference between On-Prem and Hybrid environment PIN resets though, as noted here: -us/windows/security/identity-protection/hello-for-business/hello-faq#w...

Windows Hello is an additional security feature available in Windows 10 and Windows 8.1 to protect your user account and all the sensitive data inside it. When enabled, it can be entered instead of the password. If you can no longer configure Windows Hello, e.g. to change your PIN, or have issues with sign-in options implemented by Windows Hello (see below), you might want to reset it.

Windows Hello is a more personal, more secure way to get instant access to your Windows 10 devices using fingerprint or facial recognition. Most PC's with fingerprint readers already work with Windows Hello, making it easier and safer to sign into your PC.

Windows Hello lets you sign in to your devices, apps, online services, and networks using your face, iris, fingerprint, or a PIN. Windows Hello does not replace the password. To set up its features, it is necessary to have a password set for your user account.

Tip: Winaero Twеaker is essential software for every Windows 10, Windows 8 and Windows 7 user. It allows you to customize the appearance and behavior of the operating system in a flexible way.

Try Winaero Twеaker now!

Windows Hello for Business replaces password sign-in with strong authentication, using an asymmetric key pair. This Frequently Asked Questions (FAQ) article is intended to help you learn more about Windows Hello for Business.

Windows Hello represents the biometric framework provided in Windows. Windows Hello lets users use biometrics to sign in to their devices by securely storing their user name and password and releasing it for authentication when the user successfully identifies themselves using biometrics. Windows Hello for Business uses asymmetric keys protected by the device's security module that requires a user gesture (PIN or biometrics) to authenticate.

The statement A PIN is stronger than a password is not directed at the strength of the entropy used by the PIN. It's about the difference between providing entropy versus continuing the use of a symmetric key (the password). The TPM has anti-hammering features that thwart brute-force PIN attacks (an attacker's continuous attempt to try all combination of PINs). Some organizations may worry about shoulder surfing. For those organizations, rather than increase the complexity of the PIN, implement the Multifactor Unlock feature.

To compromise a Windows Hello credential that TPM protects, an attacker must have access to the physical device. Then, the attacker must find a way to spoof the user's biometrics or guess the PIN. All these actions must be done before TPM anti-hammering protection locks the device.

Windows Hello enables biometric sign-in with fingerprint, iris, or facial recognition. When you set up Windows Hello, you're asked to create a PIN after the biometric setup. The PIN enables you to sign in when you can't use your preferred biometric because of an injury or because the sensor is unavailable or not working properly.If you only had a biometric sign-in configured and, for any reason, were unable to use that method to sign in, you would have to sign in using your account and password, which doesn't provide you with the same level of protection as Hello.

Anytime key material is generated, it must be protected against attack. The most robust way to do this is through specialized hardware. There's a long history of using hardware security modules (HSMs) to generate, store, and process keys for security-critical applications. Smart cards are a special type of HSM, as are devices that are compliant with the Trusted Computing Group TPM standard. Wherever possible, the Windows Hello for Business implementation takes advantage of onboard TPM hardware to generate and protect keys. Administrators can choose to allow key operations in software, but it's recommended the use of TPM hardware. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. The TPM provides an additional layer of protection after an account lockout, too. When the TPM has locked the key material, the user will have to reset the PIN (which means the user will have to use MFA to reauthenticate to the IdP before the IdP allows re-registration). Resetting the PIN means that all keys and certificates encrypted with the old key material will be removed.

Windows Hello for Business provides a PIN caching user experience by using a ticketing system. Rather than caching a PIN, processes cache a ticket they can use to request private key operations. Microsoft Entra ID and Active Directory sign-in keys are cached under lock. This means the keys remain available for use without prompting, as long as the user is interactively signed-in. Microsoft Account sign-in keys are transactional keys, which means the user is always prompted when accessing the key.

Windows Hello for Business used as a smart card (smart card emulation that is enabled by default) provides the same user experience of default smart card PIN caching. Each process requesting a private key operation prompts the user for the PIN on first use. Subsequent private key operations won't prompt the user for the PIN.

The smart card emulation feature of Windows Hello for Business verifies the PIN and then discards the PIN in exchange for a ticket. The process doesn't receive the PIN, but rather the ticket that grants them private key operations. There isn't a policy setting to adjust the caching.

When you enroll in Windows Hello, a representation of your biometrics, called an enrollment profile, is created. The enrollment profile biometrics data is device specific, is stored locally on the device, and does not leave the device or roam with the user. Some external fingerprint sensors store biometric data on the fingerprint module itself rather than on Windows device. Even in this case, the biometrics data is stored locally on those modules, is device specific, doesn't roam, never leaves the module, and is never sent to Microsoft cloud or external server. For more details, see Windows Hello biometrics in the enterprise and Windows Hello face authentication.

Windows Hello biometrics template database file is created on the device only when a user is enrolled into Windows Hello biometrics-based authentication. An IT administrator may configure policy settings, but it's always a user's choice if they want to use biometrics or PIN. Users can check their current enrollment into Windows Hello biometrics by going to sign-in options on their device. Go to Start > Settings > Accounts > Sign-in options. If you don't see Windows Hello in Sign-in options, then it may not be available for your device or blocked by admin via policy. Admins can request users to enroll into Windows Hello during Autopilot or during the initial setup of the device. Admins can disallow users to enroll into biometrics via Windows Hello for Business policy configurations. However, when allowed via policy configurations, enrollment into Windows Hello biometrics is always optional for users.

To remove Windows Hello and any associated biometric identification data from the device, open Start > Settings > Accounts > Sign-in options. Select the Windows Hello biometrics authentication method you want to remove, and then select Remove. The action unenrolls from Windows Hello biometrics authentication and deletes the associated biometrics template database file. For more details, see Windows sign-in options and account protection (microsoft.com).

If the user can sign in with a password, they can reset their PIN by selecting the I forgot my PIN link in the Settings app or from the lock screen, by selecting the I forgot my PIN link on the PIN credential provider.

For on-premises deployments, devices must be connected to their on-premises network (domain controllers and/or certificate authority) to reset their PINs. Hybrid deployments can onboard their Microsoft Entra tenant to use the Windows Hello for Business PIN reset service to reset their PINs. Non-destructive PIN reset works without access to the corporate network. Destructive PIN reset requires access to the corporate network. For more details about destructive and non-destructive PIN reset, see PIN reset.

Yes. Our simple PIN algorithm looks for and disallows any PIN that has a constant delta from one digit to the next. The algorithm counts the number of steps required to reach the next digit, overflowing at 10 ('zero').So, for example:

This check prevents repeating numbers, sequential numbers, and simple patterns. It always results in a list of 100 disallowed PINs (independent of the PIN length). This algorithm doesn't apply to alphanumeric PINs.

To help Microsoft keep things working properly, to help detecting and preventing fraud, and to continue improving Windows Hello, diagnostic data about how people use Windows Hello is collected. For example:

3a8082e126