How to Fix Windows Sign-In Issues | PIN, Password, and Microsoft Account Diagnosis

When Windows won't let you sign in, it helps to know right away: forgetting your password and being unable to sign in despite knowing your credentials are two entirely different problems. If you can't remember your password, see How to Reset a Forgotten Windows Password | Microsoft Account, Local Account, and PIN. This article covers the other scenario — where your password or PIN should be correct but authentication keeps failing, you're stuck in a sign-in loop, Windows Hello (face or fingerprint) stops working, or a work account is blocked. All steps apply to both Windows 11 and Windows 10. For similar symptoms on Mac (rejected password, FileVault errors, Apple ID authentication failures), see How to Fix Mac Login Issues | Password, FileVault, and Apple ID Diagnosis.

Table of Contents

1. Forgot password vs. can't sign in — these are different problems
   1. Mapping the symptom patterns
2. Diagnose first: symptom patterns and their causes
   1. "Sign-in failed" message appears
   2. Sign-in loop (returns to the same screen)
   3. "User Profile Service failed the sign-in" error
   4. PIN rejected but password works fine
   5. Windows Hello not working
   6. "We can't sign you in because your credentials recently changed"
   7. Work or school account authentication error
   8. Quick-reference table by symptom
3. Switch to password sign-in to get in
   1. Switching to password via Sign-in options
   2. Once you're in, most issues can be fixed from Settings
4. Reset your PIN
   1. Delete and re-create the PIN from Settings
   2. PIN is stored locally and is independent of your Microsoft account
5. Microsoft account authentication issues
   1. Check account status from another device
   2. Not receiving the two-step verification prompt on your phone
   3. Check "Recent security activity"
6. Temporarily switch to a local account
   1. Steps to switch from Microsoft account to local account
   2. Switching back to your Microsoft account later
7. Repairing the User Profile Service error
   1. Boot into Safe Mode and sign in with a different account
   2. Inspect and repair the ProfileList registry key
   3. Create a new user profile and migrate your data
8. Windows Hello (face and fingerprint) not working
   1. Delete and re-enroll
   2. Check the TPM chip
   3. Update camera and sensor drivers
   4. Check whether Group Policy has disabled it
9. Automatic repair and Startup Repair
   1. Force three shutdowns to enter WinRE
   2. Run Startup Repair or System Restore
10. Work or school account errors (for B2B users)
    1. Microsoft 365 Business sign-in pitfalls
    2. Device blocked by a Conditional Access policy
    3. When to contact your IT administrator
    4. Notes on Intune / Autopilot resets
11. Sign-in issues on domain-joined PCs
    1. Active Directory Domain Controller connection failure
    2. Temporarily access using local logon
    3. Cached domain credentials
12. Last resort: reset or clean install
    1. Reset while keeping personal files
    2. Clean install from USB media
13. Summary: step-by-step checklist

Forgot password vs. can't sign in — these are different problems

"Can't sign in to Windows" actually covers two fundamentally different situations. Confusing them means you'll keep trying the wrong fixes.

Mapping the symptom patterns

If you have forgotten your password — meaning you genuinely don't know the correct credentials — the solutions involve resetting your Microsoft account online, using security questions for a local account, or advanced recovery with installation media. All of those are covered in detail at How to Reset a Forgotten Windows Password | Microsoft Account, Local Account, and PIN.

This article deals with a different problem: your password or PIN should be correct, but authentication still won't go through — or you sign in and get bounced back to the sign-in screen, Windows Hello stops responding, or a work account throws an error. In most of these cases, the credentials themselves are fine; the root cause lies in a Windows setting, a system service, the network, or a policy.

Diagnose first: symptom patterns and their causes

There are several common patterns for sign-in failures. Identifying your pattern before diving into fixes will get you to a solution much faster.

"Sign-in failed" message appears

You enter a password or PIN that should be correct, but Windows shows a sign-in failed message. The most common culprits are a sync problem with your Microsoft account, an account lockout, or a network issue that prevents online authentication from completing. Start by trying to switch to password sign-in from Sign-in options (covered below).

Sign-in loop (returns to the same screen)

You enter your credentials and Windows appears to accept them, then sends you right back to the sign-in screen. Although it looks like an authentication failure, the real cause in most cases is that Windows failed to load your user profile. A "User Profile Service failed the sign-in" error is occurring in the background.

"User Profile Service failed the sign-in" error

Windows explicitly shows the message "The User Profile Service failed the sign-in. User profile cannot be loaded." The profile path stored in the Windows registry is corrupt or missing. The repair steps are essentially the same as for a sign-in loop (covered later).

PIN rejected but password works fine

Password sign-in works without problems, but your PIN is repeatedly rejected. Because a PIN is stored locally on the device as part of Windows Hello, changes to the TPM chip or device configuration can render a previously working PIN unusable. The fix is to sign in with your password and then re-create the PIN.

Windows Hello not working

Face recognition or fingerprint authentication suddenly stops working. Possible causes include a driver update, a change in TPM state, a camera or fingerprint sensor hardware issue, or Windows Hello being disabled by Group Policy.

"We can't sign you in because your credentials recently changed"

Windows shows the message "We can't sign you in because your credentials recently changed. Please sign in on the sign-in screen." This means your Microsoft account password was changed from another device or the web, but this PC hasn't yet received that change. Entering the new password on the sign-in screen resolves it.

Work or school account authentication error

You can't sign in with an account provided by your company or school. Common causes include a Conditional Access policy set by your IT administrator that is blocking the device, an MFA prompt that isn't arriving on your phone, or an expired password.

Quick-reference table by symptom

Switch to password sign-in to get in

If PIN, face recognition, or fingerprint sign-in isn't working, switch to password authentication as your first move. Once you're inside Windows with a password, you can reconfigure PIN and Windows Hello from Settings — which resolves the majority of sign-in problems.

Switching to password via Sign-in options

1. Go to the Windows sign-in screen.
2. Below the PIN entry field or face recognition prompt, click Sign-in options.
3. A row of icons appears. Select the key icon (Password).
4. Enter your Microsoft account password and sign in.

If Sign-in options isn't visible, look for an "I forgot my PIN" link below the PIN field. Clicking it lets you reset the PIN using your Microsoft account password.

On Windows 10: "Sign-in options" appears as a text link below the input field. On Windows 11, it appears as icons in the same position.

Once you're in, most issues can be fixed from Settings

After signing in with your password, you can take the following actions:

• If your PIN wasn't working: go to Settings → Accounts → Sign-in options → Windows Hello PIN, click Remove, then set a new PIN.
• If Windows Hello (face or fingerprint) wasn't working: in the same Settings → Accounts → Sign-in options screen, click Remove on the face or fingerprint enrollment, then re-enroll.
• If the error was network-related: after signing in, check Windows Update and driver updates.

Reset your PIN

A PIN is authentication data stored in the device's local storage, completely separate from your Microsoft account password. If the device was reset, went through recovery, or the TPM chip changed, a previously working PIN may no longer be valid.

Delete and re-create the PIN from Settings

First sign in with your password, then follow these steps to reset the PIN.

1. Open Settings from the Start menu (or press Win + I).
2. Select Accounts.
3. Open Sign-in options.
4. Click PIN (Windows Hello) to expand it.
5. Windows 11: click Remove, confirm with your Microsoft account password, then set a new PIN.
6. Windows 10: click Remove, confirm the deletion, then click Add to create a new PIN.

If you want to reset the PIN from the sign-in screen before getting in, click "I forgot my PIN" below the PIN field. Verifying your identity with your Microsoft account password takes you directly to the PIN setup screen.

PIN is stored locally and is independent of your Microsoft account

A PIN and your Microsoft account password are entirely separate credentials. Changing your Microsoft account password does not change your PIN, and changing your PIN does not affect your Microsoft account password. However, setting or changing a PIN requires identity verification (password or MFA) with your Microsoft account. Because the PIN is managed under Windows Hello, it can become unusable if the TPM chip is disabled or its state changes.

Microsoft account authentication issues

When your Windows PC is linked to a Microsoft account, the state of that account directly affects whether you can sign in. The root cause is sometimes on the account side, not the PC itself.

Check account status from another device

Use a browser on a smartphone, tablet, or another computer to check your Microsoft account status.

1. Navigate to https://account.microsoft.com in a browser.
2. Sign in with your Microsoft account.
3. Go to the Security tab → Sign-in activity to see whether recent sign-ins are behaving normally.
4. Check Account info to confirm the account is in good standing — not suspended, deleted, or locked.

If your Microsoft account password was changed from another device, enter the new password on the Windows sign-in screen. This is also the fix for the "We can't sign you in because your credentials recently changed" message.

Not receiving the two-step verification prompt on your phone

When two-factor authentication (MFA) is enabled for Microsoft 365 or a work account, the approval notification on your phone can sometimes fail to arrive.

• Check the Microsoft Authenticator app: open the app and look for any pending push notifications. If nothing shows, force-quit the app and reopen it.
• Switch to another verification method: on the sign-in screen, click "Use a different verification option" or "I can't get the approval request" and authenticate via SMS or email instead.
• Check notification permissions: on iOS, go to Settings → Notifications → Microsoft Authenticator; on Android, go to Settings → Apps → Microsoft Authenticator → Notifications to confirm push notifications are allowed.
• Check time sync: TOTP codes are time-based and will be wrong if your phone's clock is off. Make sure your phone is set to automatic time synchronization.

Check "Recent security activity"

If Microsoft detects suspicious sign-in activity, your account may be locked as a security measure. From another device, visit https://account.microsoft.com/security and review "Recent activity." If your account is locked, follow the on-screen instructions to verify your identity and unlock it.

Temporarily switch to a local account

If Microsoft account sign-in keeps failing, you can switch to a local account as a workaround to bypass the problem. This is a temporary measure — you can switch back to your Microsoft account once the issue is resolved.

Steps to switch from Microsoft account to local account

You must already be signed in to Windows to perform this change.

1. Go to Settings → Accounts → Your info.
2. Click "Sign in with a local account instead."
3. Windows 11: a confirmation screen asks "Switch to a local account?" — click Next.
4. Enter your current Microsoft account password to confirm.
5. Set a new local account username, password, and password hint.
6. Click "Sign out and finish" to complete the switch.

After switching, sign in with the local account password you just created.

Switching back to your Microsoft account later

When you're ready to reconnect your Microsoft account, follow these steps.

1. While signed in with the local account, go to Settings → Accounts → Your info.
2. Click "Sign in with a Microsoft account instead."
3. Enter your Microsoft account email and password to sign in.
4. The account is now linked again.

If you rely on OneDrive or other Microsoft services, switch back as soon as the problem is resolved to avoid sync gaps.

Repairing the User Profile Service error

"The User Profile Service failed the sign-in. User profile cannot be loaded." — this error occurs when the profile information stored in the Windows registry is corrupt. Fixing it requires access through another administrator account or Safe Mode.

Boot into Safe Mode and sign in with a different account

First, boot into Safe Mode and sign in with a different administrator account. Detailed instructions for entering Safe Mode are at How to Boot Windows in Safe Mode | Shift+Restart, msconfig, and Command Methods.

Basic steps to enter Safe Mode:

1. While the Windows logo is on screen during boot, hold the power button to force a shutdown.
2. Repeat this three times. On the fourth boot, Windows shows "Preparing Automatic Repair."
3. Click Advanced options → Troubleshoot → Advanced options → Startup Settings → Restart.
4. After the restart, press F5 to select Safe Mode with Networking.

In Safe Mode, sign in with a different administrator account if one exists, or with the built-in Administrator account.

Inspect and repair the ProfileList registry key

Once signed in with another administrator account, open Registry Editor to check the profile information.

1. Press Win + R, type regedit, and press Enter (run as administrator).
2. Navigate to:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
3. Look at the subkeys under ProfileList. If you see two keys for the same SID — one with and one without a ".bak" suffix — this is a sign of a corrupt profile.
4. Right-click the key with ".bak" → Rename → remove the ".bak" to restore the original name.
5. If the original name (without ".bak") still exists, delete it first, then rename the ".bak" key.
6. Close Registry Editor and restart the PC.

After the repair, try signing in normally.

Create a new user profile and migrate your data

If the registry repair is too involved or the problem persists afterward, create a new user account and transfer your data there.

1. While signed in with another administrator account, go to Settings → Accounts → Family and other users.
2. Click "Add someone else to this PC" (Windows 10) or "Add account" (Windows 11).
3. Select "I don't have this person's sign-in information" → "Add a user without a Microsoft account" to create a local account.
4. Grant the new account administrator privileges by changing its account type in the same settings screen.
5. Sign out, sign in with the new account, then copy your data from C:\Users\OldAccountName to the new profile.

Windows Hello (face and fingerprint) not working

When face or fingerprint authentication through Windows Hello suddenly stops working, deleting the enrollment and re-registering it resolves the problem in most cases.

Delete and re-enroll

1. Sign in with your password and open Settings.
2. Go to Settings → Accounts → Sign-in options.
3. Expand Windows Hello Face or Windows Hello Fingerprint.
4. Click Remove to delete the current enrollment data.
5. After removing it, click Set up on the same screen to re-enroll your face or fingerprint.

During re-enrollment, follow the on-screen guidance — face the camera straight-on for face recognition, or scan your finger from multiple angles for fingerprint recognition.

Check the TPM chip

Windows Hello requires a TPM (Trusted Platform Module) chip. If the TPM is disabled or its state has changed, previously enrolled credentials may become invalid.

1. Press Win + R, type tpm.msc, and press Enter.
2. The TPM Management console opens. "The TPM is ready for use" indicates the TPM is healthy.
3. If the console shows "Compatible TPM cannot be found" or "TPM is not supported," the TPM may be disabled in the BIOS.
4. Restart the PC and enter the BIOS (press F2, Del, or the appropriate key immediately after powering on). Under the Security or Advanced tab, confirm that TPM Device or PTT (Intel Platform Trust Technology) is enabled.

Because TPM is a Windows 11 system requirement, it should already be enabled on any legitimate Windows 11 machine.

Update camera and sensor drivers

An outdated or corrupt driver for the IR camera or fingerprint sensor can prevent Windows Hello from working correctly.

1. Open Device Manager (right-click Start → Device Manager).
2. Expand Cameras or Biometric devices.
3. Right-click the relevant device → Update driver → Search automatically for drivers.
4. Restart after the update, then try re-enrolling.

Downloading the latest driver manually from the manufacturer's support site is often more reliable. Dell, HP, Lenovo, and Fujitsu all maintain well-stocked driver portals.

Check whether Group Policy has disabled it

On company or school PCs, Windows Hello may be disabled by an administrator via Group Policy. Modifying Group Policy yourself is not recommended in an enterprise environment — ask your IT administrator whether Windows Hello can be enabled for your account.

On a personally owned Windows 11 Pro machine, you can check the policy yourself: press Win + R, type gpedit.msc, then navigate to Computer Configuration → Administrative Templates → Windows Components → Windows Hello for Business to review policy states.

Automatic repair and Startup Repair

If you can reach the sign-in screen but Windows fails to load after authenticating — or you're stuck in a persistent sign-in loop — the Windows Recovery Environment (WinRE) offers repair tools that can help.

Force three shutdowns to enter WinRE

1. Boot the PC. While the Windows logo is on screen, hold the power button to force a shutdown.
2. Repeat this three times.
3. On the fourth boot, Windows shows "Preparing Automatic Repair."
4. Click Advanced options to enter the Windows Recovery Environment (WinRE).

You can also reach WinRE from the sign-in screen: click the power icon in the bottom-right corner, then hold Shift while clicking Restart.

Run Startup Repair or System Restore

From WinRE, go to Troubleshoot → Advanced options to access the following tools.

• Startup Repair: automatically diagnoses and fixes files or settings that prevent Windows from loading. This can take 10 to 30 minutes.
• System Restore: rolls Windows back to a restore point created before the problem started. Useful if sign-in broke after a recent update or software installation.
• Reset this PC: resets Windows while optionally keeping personal files. Covered in detail in the "Last resort" section below.

If Startup Repair doesn't help, try running the system file repair commands in Safe Mode from an elevated Command Prompt.

DISM /Online /Cleanup-Image /RestoreHealth
sfc /scannow

Run these commands from an administrator Command Prompt (right-click Start → Windows Terminal (Admin)).

Work or school account errors (for B2B users)

When you can't sign in to Windows with a company or school Microsoft 365 account (Azure AD / Microsoft Entra ID), the causes are different from the personal account scenarios above. This is a common pain point for business users.

Microsoft 365 Business sign-in pitfalls

If you're signing in with a Microsoft 365 Business account, watch out for the following:

• Password expiration: corporate policy may require regular password changes. An expired password will block authentication. Use your company's password reset portal or contact your IT helpdesk.
• License revocation: if an administrator removes your Microsoft 365 license, sign-in will stop working. Confirm with your IT team.
• Account disabled: the Azure AD account may have been disabled due to departure, role change, or other administrative action.

Device blocked by a Conditional Access policy

Conditional Access is a Microsoft Entra ID feature that blocks access from devices or locations that the organization hasn't approved. Sign-in can be blocked in the following situations:

• Non-compliant device: Intune's device compliance policy has flagged the PC as non-compliant — for example, because the OS is outdated, BitLocker is off, or antivirus is missing.
• Unregistered device: you're trying to sign in from a personal or new PC that hasn't been enrolled in the company's Intune instance.
• IP or location restriction: a policy allows access only from specific IP addresses or countries — this often catches people off guard while traveling abroad.
• MFA not completed: access is blocked because multi-factor authentication hasn't been finished.

If you see messages such as "Your device is not compliant" or "Access blocked by Conditional Access policy," there is little you can do on your own — you'll need to contact your IT administrator.

When to contact your IT administrator

Reach out to your company's IT helpdesk without delay in any of these situations:

• "Access has been blocked" or "Your device doesn't meet your organization's policy" is displayed.
• The MFA approval notification isn't arriving and no other authentication method is working.
• Your password has expired but you can't access the password reset portal either.
• You're signing in to a work account on a new PC for the first time and Intune enrollment may be required.
• A message like "This account has moved to a different organization" appears.

Notes on Intune / Autopilot resets

If you can't sign in after resetting or factory-resetting a company-issued PC, the device's Azure AD join via Intune may not have completed.

• PCs configured with Windows Autopilot are automatically enrolled in Intune during setup, but network issues can cause the enrollment to fail.
• On an Azure AD-joined PC, check the connection status at Settings → Accounts → Access work or school. If it shows as disconnected, reconnect.
• If Autopilot setup needs to run again after a reset, ask your IT administrator to reset the device's Intune enrollment on their end.

If you're also dealing with a license activation problem alongside the sign-in issue, see How to Fix Windows License Activation Errors | Error Codes, Product Keys, and Digital License Diagnosis.

Sign-in issues on domain-joined PCs

PCs joined to a corporate Active Directory (AD) domain normally communicate with a Domain Controller (DC) to process sign-ins. If the connection to the DC fails, you may not be able to sign in.

Active Directory Domain Controller connection failure

When you start a domain PC while working remotely or when a VPN connection has dropped, the DC may be unreachable, and Windows may display an error such as "The domain controller cannot be contacted."

• If you're physically on the corporate network: the issue may be with the network itself or a DC service outage — contact your IT administrator.
• If you're connecting via VPN: Windows may be trying to authenticate before the VPN tunnel is fully established. Let the network connection stabilize, then try signing in again.

Temporarily access using local logon

Even when the DC is unreachable, cached domain credentials may allow you to sign in temporarily. However, this only works if the PC has successfully signed in to the domain before and the credentials haven't changed since then. Long offline periods or recent password changes will break cached login.

To sign in explicitly as a local or cached domain user:

• Enter the username as .\username or COMPUTERNAME\username to target a local account.
• For a cached domain credential, use DOMAINNAME\username.

Cached domain credentials

Windows caches the last 10 successful domain sign-ins locally by default. Administrators can change this number via Group Policy ("Interactive logon: Number of previous logons to cache"). If the cache is set to zero, signing in is completely impossible when the DC is unavailable.

Domain PC sign-in problems usually cannot be resolved without IT department privileges. Note down the symptoms and contact your helpdesk promptly.

Last resort: reset or clean install

If none of the steps above have fixed the problem, resetting or clean installing Windows will resolve it at the root level.

Reset while keeping personal files

1. On the sign-in screen, click the power icon in the bottom-right corner, hold Shift, and click Restart.
2. From the options screen, choose Troubleshoot → Reset this PC.
3. Select "Keep my files" (documents, pictures, and other user data are preserved).
4. Choose "Cloud download" or "Local reinstall" (either works; cloud download installs the latest version).
5. On the confirmation screen, click Reset to begin. This takes 30 to 90 minutes.

After the reset, you'll be asked to sign in with your Microsoft account. If you've forgotten your password, refer to How to Reset a Forgotten Windows Password | Microsoft Account, Local Account, and PIN.

Clean install from USB media

If the PC reset also fails, or if you can't enter WinRE at all, a clean install from USB media is the final option.

1. On another PC, download the Media Creation Tool from the official Microsoft website and create installation media on a USB drive (8 GB or larger).
2. Plug the USB into the problem PC, power it on, and immediately press F2, F8, F12, or Del (varies by model) to open the boot menu.
3. Boot from the USB and proceed through "Install Windows." Select "Install now."
4. If prompted for a product key, select "I don't have a product key" — if you have a digital license, Windows will activate automatically once you connect to the internet.
5. When choosing a drive, select Custom, pick the target drive, format the partition, then install.

A clean install deletes all personal files. Be sure to back everything up to an external drive or cloud storage before proceeding.

Summary: step-by-step checklist

Here is the recommended sequence for resolving Windows sign-in problems. Start with the step that matches your symptom.

1. Identify the symptom: determine whether you're dealing with a sign-in loop, "sign-in failed" message, Windows Hello failure, profile error, or work account error.
2. Forgot your password? Go to the other article: see How to Reset a Forgotten Windows Password | Microsoft Account, Local Account, and PIN.
3. Try switching to password sign-in via Sign-in options — this is the first move for most PIN and Windows Hello errors.
4. If you get in with a password → go to Settings → Accounts → Sign-in options to remove and re-create the PIN or Hello enrollment.
5. "We can't sign you in because your credentials recently changed": check your Microsoft account password from another device and enter the new password.
6. Microsoft account issue: from another device, visit account.microsoft.com and check account status and security notifications.
7. MFA prompt not arriving: check Authenticator app notification settings, verify time sync, or switch to an alternative authentication method.
8. Sign-in loop or User Profile Service error: boot into Safe Mode and repair the ProfileList registry key.
9. Windows Hello (face/fingerprint) not working: check TPM status with tpm.msc, update drivers, then delete and re-enroll.
10. Work account error: Conditional Access, Intune enrollment, and MFA configuration require your IT administrator.
11. Domain PC error: try cached credential sign-in for temporary access, then contact your IT helpdesk.
12. Automatic repair: from the sign-in screen power icon, hold Shift and click Restart to enter WinRE, then run the repair tools.
13. All else fails: go to Settings → System → Recovery → Reset this PC (keep files) or perform a clean install from USB.

The majority of cases are resolved at steps 3 through 6. Correctly identifying the cause of the sign-in failure is the fastest path to a fix. For other Windows issues, see the Windows Troubleshooting Guide | Solutions by Symptom.