On Azure AD–joined Windows 10/11 devices, users can sign in offline using the Primary Refresh Token (PRT) that’s cached locally. If you’ve already revoked their PRT from the cloud, they may still be able to unlock the device with a cached password—or, if they use Windows Hello for Business (WHfB), with a PIN or biometric.
This guide shows you how to:
- Permanently remove the NGC folder so PIN/biometric sign-in no longer works.
- Toggle the availability of the Password credential provider so that, with no password tile, Windows cannot fall back to the cached PRT.
Both steps require Administrator (or SYSTEM) privileges and a reboot to take effect.
1. Remove Biometrics and NGC Folders
WHfB credentials live under the NGC folder and in the Windows Biometric Database. Deleting them forces WHfB to fail completely. You can script this in a batch file or PowerShell wrapper:
```bat
REM Remove Biometrics and NGC folders (run from an elevated command prompt;
REM cmd has no "#" comment syntax, so REM is used throughout)

REM Stop the Windows Biometric Service so its database files are not locked
net stop WbioSrvc

REM Take ownership of the biometric database, grant Administrators full control, delete it
takeown /f C:\Windows\System32\WinBioDatabase\* /a /r /d y
icacls C:\Windows\System32\WinBioDatabase\* /inheritance:r /grant Administrators:(F) /T
del /f /q C:\Windows\System32\WinBioDatabase\*

REM Same for the NGC folder that holds the WHfB key containers. Ownership and the
REM grant are applied to the folder itself (not only its contents) so rmdir can remove it
takeown /f C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\NGC /a /r /d y
icacls C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\NGC /grant Administrators:F /t
rmdir /s /q C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\NGC
```
How it works
- `net stop WbioSrvc` unloads the biometric service so its database files can be deleted.
- `takeown` and `icacls` give Administrators full control of the files.
- `del` and `rmdir` remove the database contents and the NGC folder.
- A reboot flushes any in-memory copies of the keys.
2. Disable/Enable Password-Based Sign-In via Registry
Once WHfB is gone, Windows will still present a Password tile and use the PRT for offline logons. To remove that tile, write the `ExcludedCredentialProviders` value under the local policy registry key and reboot:
```powershell
#Requires -RunAsAdministrator
# Disables or enables the Password credential provider, which prevents (or restores)
# sign-in with a password cached from Azure AD. Can run as its own script or be
# appended to the Section 1 script.

# Read the desired action from the environment
$action = $env:disableOrEnable

# Registry constants
$registryPath     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$valueName        = 'ExcludedCredentialProviders'
$passwordProvider = '{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}'   # Password credential provider CLSID

# Validate action (a missing variable also fails this check)
if ($action -notin 'Enable','Disable') {
    Write-Error "Invalid action: '${action}'. Please set `$env:disableOrEnable to 'Enable' or 'Disable'."
    exit 1
}

# Ensure the registry key exists
if (-not (Test-Path $registryPath)) {
    try {
        New-Item -Path $registryPath -Force | Out-Null
    } catch {
        Write-Error "❌ Failed to create registry path ${registryPath}: ${_}"
        exit 1
    }
}

if ($action -eq 'Disable') {
    # Block password sign-in: write the Multi-String registry value
    try {
        # Remove any old value first
        Remove-ItemProperty -Path $registryPath -Name $valueName -ErrorAction SilentlyContinue
        New-ItemProperty `
            -Path $registryPath `
            -Name $valueName `
            -PropertyType MultiString `
            -Value $passwordProvider `
            -Force | Out-Null
        Write-Host "✅ Password sign-in disabled (ExcludedCredentialProviders set)."
    } catch {
        Write-Error "❌ Failed to disable password sign-in: ${_}"
        exit 1
    }
}
else {
    # Enable password sign-in: remove the registry value if present
    try {
        if (Get-ItemProperty -Path $registryPath -Name $valueName -ErrorAction SilentlyContinue) {
            Remove-ItemProperty -Path $registryPath -Name $valueName -Force
            Write-Host "✅ Password sign-in enabled (ExcludedCredentialProviders removed)."
        }
        else {
            Write-Host "ℹ️ No ExcludedCredentialProviders value found; password sign-in already enabled."
        }
    } catch {
        Write-Error "❌ Failed to enable password sign-in: ${_}"
        exit 1
    }
}

# Reboot to apply the change (LogonUI reads the policy when it is rebuilt at startup)
Write-Host "Rebooting now to apply changes..."
Restart-Computer -Force
```
Key points
- The Password credential provider's CLSID is `{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}`.
- The MultiString value `ExcludedCredentialProviders` under `…\Policies\System` tells LogonUI which providers to exclude.
- A reboot rebuilds LogonUI without the password tile, so cached PRTs cannot be used.
Putting It All Together
- Deploy the batch script (Section 1) to remove WHfB credentials.
- Set the environment variable and run the PowerShell toggle (Section 2): `$env:disableOrEnable = 'Disable'` to block passwords, `$env:disableOrEnable = 'Enable'` to restore them.
- Reboot after each script.
After both scripts have run and the device has restarted:
- No NGC folder → PIN and biometrics are gone.
- No Password tile → no cached-password login path.
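As an added post-reboot check (not part of the original guide), the following PowerShell script reports whether each step is actually in effect, reusing the guide's paths, value name and CLSID; the RDP check reads the standard `fDenyTSConnections` value and is an assumption about how to surface the RDP caveat at the end of this guide.

```powershell
#Requires -RunAsAdministrator
# Verification script added here; not from the original guide.
# Reports the state of the Section 1 and Section 2 hardening steps.

$ngcPath          = 'C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\NGC'
$bioDbPath        = 'C:\Windows\System32\WinBioDatabase'
$registryPath     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$valueName        = 'ExcludedCredentialProviders'
$passwordProvider = '{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}'
$rdpKey           = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'   # assumption: standard RDP policy key

function Get-OfflineSignInState {
    # Section 1: NGC folder gone and biometric database empty?
    $ngcPresent = Test-Path -LiteralPath $ngcPath
    $bioFiles = 0
    if (Test-Path -LiteralPath $bioDbPath) {
        $bioFiles = @(Get-ChildItem -LiteralPath $bioDbPath -File -Force -ErrorAction SilentlyContinue).Count
    }

    # Section 2: is the Password provider CLSID listed in the multi-string value?
    $excluded = @()
    $item = Get-ItemProperty -Path $registryPath -Name $valueName -ErrorAction SilentlyContinue
    if ($item) { $excluded = @($item.$valueName) }
    $passwordTileBlocked = $excluded -contains $passwordProvider   # -contains is case-insensitive

    # Caveat from the guide: RDP may still offer a sign-in path (0 = connections allowed)
    $rdp = Get-ItemProperty -Path $rdpKey -Name fDenyTSConnections -ErrorAction SilentlyContinue
    $rdpEnabled = ($rdp -and $rdp.fDenyTSConnections -eq 0)

    [pscustomobject]@{
        NgcFolderPresent      = $ngcPresent
        BiometricDbFileCount  = $bioFiles
        ExcludedProviders     = $excluded
        PasswordTileBlocked   = $passwordTileBlocked
        WhfbSignInRemoved     = (-not $ngcPresent) -and ($bioFiles -eq 0)
        OfflineSignInHardened = (-not $ngcPresent) -and ($bioFiles -eq 0) -and $passwordTileBlocked
        RdpEnabled            = $rdpEnabled
    }
}

$state = Get-OfflineSignInState
$state | Format-List
# Non-zero exit lets a deployment tool flag devices where a step did not apply
if (-not $state.OfflineSignInHardened) { exit 1 }
```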
Users must now authenticate online via Azure AD or fail to sign in. This two-step method gives you on-device control to harden against offline access—even if their old PRT still exists in Azure AD.
The one thing this does not account for is RDP potentially being enabled on the computer, which may still allow the user to authenticate from another device on the local network (for example, using their personal laptop to RDP into the PC).