Here is my summary of how to prevent this problem from happening, and what to do if you find yourself in the situation where you are unable to sign into Windows.
Summary of the Problem
You boot your computer and, on the screen where you would normally sign on, you are presented with a message that says "Something happened and your PIN isn't available". This message may vary for other means of logging in using Windows Hello (facial recognition, fingerprint sensor, etc). No option to enter a password is provided. As a result of this situation, you are unable to sign onto Windows.
Cause of the Issue
When you configure your computer in some specific ways, Windows Hello is unavailable when you perform certain actions, and you will not be given a choice to provide a password. As an example, if you perform a clean install of Windows and you sign on with a Microsoft account, Windows Setup will also ask you to create a PIN. Note that a PIN is a Windows Hello logon method. Now, assume that you run msconfig and you choose to perform a Diagnostic startup. This is a sure way to trigger this situation. When you then reboot you will encounter the problem noted above. It's possible that other things may trigger this, but this is one scenario that I am aware of that causes this issue.
We will now discuss ways to avoid this problem in the first place, followed by how to get yourself out of this situation if you encounter it.
Preventing the Issue Before it Happens
There are several ways to prevent this issue.
1) In Windows settings, disable the option that says "For improved security, only allow Windows Hello sign-in for Microsoft accounts on this device". Note that this option is enabled by default if you are signing in with a Microsoft account. If you disable this option, then you will be given an option to use a password to sign in.
2) Log on with a "hybrid" account. This will give you all of the benefits of signing in with a Microsoft account including syncing of settings, etc. but without several drawbacks. The first mention of a hybrid account came to my attention from a Tutorial by Kari, and ever since seeing that tutorial that is how I always sign in now. I highly suggest using this type of account. Personally, I refuse to use anything else now.
Here is Kari's tutorial on this topic:
A Microsoft account (MSA) is a good choice if a user wants to use the same account on multiple devices, or wants to make it easy to use all / any Microsoft services. Setting up a preinstalled Windows 10 on a new device, after a clean install, or creating a new user on existing Windows...
www.elevenforum.com
How to Resolve the Issue Once Encountered
1) From the screen where you are unable to sign on, if you have any other LOCAL Admin accounts available to sign in with, choose one of those accounts to sign in with, then run msconfig and change the startup back to normal.
2) If no other local account is available, we can enable the built-in Administrator account. Note that the Administrator account is a local user account but is disabled by default. To do this, follow these steps:
Boot into the Windows Recovery Environment. To do this, on the screen where you are unable to sign in, click on the power button. Then, while holding down the SHIFT key, click on Restart.
The Recovery Environment should start.
NOTE: If the Recovery Environment will not start for some reason, then follow these steps:
Boot from Windows installation media, for example, a Windows UFD (USB Flash Drive) or DVD. A recovery disk can also be used. On the first screen, select the appropriate options and then click on Next.
Select “Repair your computer”.
You should now be in the Recovery Environment. Select Troubleshoot > Advanced options > Command Prompt
From the command prompt, we will perform a change to the registry to enable the Administrator account.
From the command prompt, determine what drive letter your Windows installation is on. In the Recovery Environment this is not always C:. As an example, run these commands:
C:
DIR
Check to see if the Windows directory is present. If not, repeat with the next drive letter like this:
D:
DIR
Repeat until you find the drive that has Windows.
Now run this command from the command prompt:
regedit
Within the registry editor, perform these steps:
Select HKEY_LOCAL_MACHINE.
From the File menu, click Load Hive… and then select the following path:
NOTE: Replace the C: with the drive letter that you determined to have Windows.
C:\Windows\System32\Config\SAM
You will be asked to give this hive a name. I like to use TempHive but use whatever you like. In the instructions below, replace TempHive with the name you selected.
Go to this location within the registry editor:
HKEY_LOCAL_MACHINE\TempHive\SAM\Domains\Account\Users\000001F4
Double-click the value named F.
In the 8th row, 1st column, change the value from 11 to 10.
Changing this to 10 enables the Administrator account.
Click OK.
Select the TempHive hive within the registry editor, select File > Unload Hive..., and then close the registry editor.
At the command prompt, type Exit.
In Recovery Options, click on Continue (Exit and Continue to Windows).
The system will start Windows but now you should be able to select the Administrator account to sign on with.
Once signed on, run msconfig and set the startup back to normal.
Reboot
Sign on as normal.
Open an elevated command prompt and run this command to once again disable the Administrator account:
net user administrator /active:no
End of Recovery
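What the single-byte edit in the F value changes, as an added example that is not part of the original post: the registry editor shows 8 bytes per row, so "8th row, 1st column" is byte offset 0x38, and changing 11 to 10 clears one flag bit. The offsets and flag names are assumptions taken from the commonly published reverse-engineered layout of the SAM F value, and the sample bytes are constructed.

```python
import struct

# Assumed layout (reverse-engineered, not documented by Microsoft): in the
# fixed-size F value the RID is a little-endian uint32 at offset 0x30 and the
# account control flags are a little-endian uint16 at offset 0x38.
RID_OFFSET = 0x30
ACB_OFFSET = 0x38
ACB_DISABLED = 0x0001  # account is disabled
ACB_NORMAL = 0x0010    # normal user account
REGEDIT_BYTES_PER_ROW = 8  # the binary value editor shows 8 bytes per row


def regedit_cell(offset):
    """Return the 1-based (row, column) of a byte offset in the value editor."""
    return offset // REGEDIT_BYTES_PER_ROW + 1, offset % REGEDIT_BYTES_PER_ROW + 1


def describe_f(f_value):
    """Decode the RID and account control flags from an F value."""
    if len(f_value) < ACB_OFFSET + 2:
        raise ValueError("F value too short to contain the account flags")
    (rid,) = struct.unpack_from("<I", f_value, RID_OFFSET)
    (acb,) = struct.unpack_from("<H", f_value, ACB_OFFSET)
    return {
        "rid": rid, "acb": acb, "disabled": bool(acb & ACB_DISABLED),
    }


def set_disabled(f_value, disabled):
    """Return a copy of the F value with only the disabled bit changed."""
    acb = describe_f(f_value)["acb"]
    acb = acb | ACB_DISABLED if disabled else acb & ~ACB_DISABLED
    patched = bytearray(f_value)
    struct.pack_into("<H", patched, ACB_OFFSET, acb)
    return bytes(patched)


def make_sample_f(rid, acb):
    """Build a constructed 80-byte F value with all other fields zeroed."""
    sample = bytearray(0x50)
    struct.pack_into("<I", sample, RID_OFFSET, rid)
    struct.pack_into("<H", sample, ACB_OFFSET, acb)
    return bytes(sample)


if __name__ == "__main__":
    f = make_sample_f(0x1F4, 0x0211)  # constructed: RID 500, disabled account
    print(regedit_cell(ACB_OFFSET), describe_f(f))
    print(describe_f(set_disabled(f, False)))
```

The key name 000001F4 is the RID in hexadecimal (500, the built-in Administrator), which is why the edit is made under that key.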
Note: There is another way to accomplish this. I’m not going to go into as much detail as the above procedure because I consider this simply an emergency plan B, but the above procedure should really work for you.
Plan B
Get into the Recovery Environment using the same steps that were noted above.
Open a command prompt. Locate the Windows drive in the same way as the above procedure described.
Once you are on the Windows drive, you will change to the Windows\System32 folder and rename a couple of files.
Technical Note: When you encounter this issue, you will note that there is a power button and an accessibility icon at the lower right of the screen. What we are doing here is renaming files so that when you click on the accessibility icon it will end up actually running a command prompt. We do this because there is no other way to open a command prompt otherwise and we need this to recover.
Run these commands:
ren utilman.exe utilman1.exe
ren cmd.exe utilman.exe
Close all screens and reboot normally (not to the recovery tools).
When you get to the screen where you are unable to sign on, click the accessibility icon in the lower right. A command prompt will open.
In the command prompt, run this command:
start msconfig
In msconfig, choose to boot normally. Reboot. You should now be able to sign on properly once again, but we are not done yet. We now need to undo the renaming of files. The files in question are not allowed to be renamed or deleted while booted normally in Windows, so we need to do this in the Recovery Environment.
Boot back into the Windows Recovery Environment once more and open a command prompt as was noted in the procedure above.
Navigate to the Windows\System32 folder on your Windows drive.
Run these commands:
del cmd.exe
ren utilman.exe cmd.exe
ren utilman1.exe utilman.exe
At the command prompt, type Exit.
In Recovery Options, click on Continue (Exit and Continue to Windows).
End of Plan B