If creating a policy package for SCCM: Compile to EXE, add the EXE you just created to SCCM as a package: Create Package > Environment > Program can run: Only when user is logged on > Run with administrator rights.
REG ADD “HKLM\SOFTWARE\Policies\Microsoft\PassportForWork” /v Enabled /t REG_DWORD /d 0 /f /reg:64
REG ADD “HKLM\SOFTWARE\Microsoft\PolicyManager\default\Settings\AllowSignInOptions” /v value /t REG_DWORD /d 0 /f /reg:64
Rename folder to something else (using SYSTEM account; if not using SYSTEM account, take ownership, first)
ren C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\NGC NGC_
Notes
REG ADD “HKLM\SOFTWARE\Policies\Microsoft\Windows\System” /v AllowDomainPINLogon /t REG_DWORD /d 0 /f
REG ADD “HKLM\SOFTWARE\Policies\Microsoft\PassportForWork” /v DisablePostLogonProvisioning /t REG_DWORD /d 1 /f