https://community.spiceworks.com/how_to/125369-how-to-reset-local-admin-password-on-uefi-boot-protected-pc-win8-and-newer

Step 1: Create (or locate) a bootable Linux USB key/CD or Hiren's boot disk.

You need direct access to the file system of the locked PC. A flash drive with a bootable Linux "live" OS or Hiren's will accomplish this.

Step 2: Boot to the machine's BIOS, disable UEFI boot and change boot type to CSM

If the F2 key doesn't get you into the BIOS, it's usually F1, F10, DEL or ESC. Check your machine's manual or simply Google "how to boot <make> to BIOS."

Disable UEFI "Secure Boot" (the location of this setting in the BIOS varies by manufacturer; it is typically under Security or Advanced settings).

Change boot mode from UEFI to CSM.

Save changes and exit BIOS.

Step 3: Boot to Linux USB/CD or Hiren's

Tapping F12 at boot typically displays a boot select menu. Again, this varies by manufacturer.

Step 4: Temporarily replace UtilMan.exe with a copied and renamed CMD.exe

This is the "hack" that makes all of this possible. UtilMan.exe provides "Ease of Access" (AKA universal access) on the login screen, but with physical access to the machine it can be abused as a backdoor.

Once in Linux or Hiren's, open C:\Windows\System32 on the hard drive of the locked-out PC.

*IMPORTANT* Locate utilman.exe and temporarily rename it to utilman.exe.BAK

Copy CMD.exe and paste it into the same directory: C:\Windows\System32

Temporarily rename "CMD - Copy.exe" to UtilMan.exe (this is what we will use to reset the local admin password).

At this point we are done in Linux/Hiren's. Exit and boot to BIOS.

Step 5: Boot to BIOS and re-enable UEFI boot

On the system I tried, Windows would not boot without UEFI enabled in BIOS (this may not be the case on all machines, however). Reverse your earlier step in BIOS and set the boot type back from CSM to UEFI. It's a good idea not to re-enable Secure Boot just yet, in case you have to boot back into Linux to retry earlier steps, but that's at your own discretion.

Step 6: Use forged "Ease of Access" (CMD.exe) to reset local admin password

At the Windows login screen, click the "Ease of Access" icon in the bottom left corner. If the earlier steps were done properly, this will launch the forged "UtilMan.exe", which is actually CMD.exe. Type these two commands to enable the local administrator account and reset its password (the second command prompts you for the new password):

net user administrator /active:yes
net user administrator *

After resetting the password, you should be able to log in as the local administrator.

Step 7: Set UtilMan.exe back to normal and delete duplicate CMD.exe

Boot back into BIOS and re-enable CSM boot, then boot to Linux/Hiren's and delete the duplicate CMD.exe (the one named "UtilMan.exe"), then rename UtilMan.exe.BAK back to its original, correct name: utilman.exe

It's a good idea to check Ease of Access to be sure it's working again and also re-enable UEFI secure boot.
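The trick only works because an unencrypted System32 can be edited offline, so full-disk encryption (BitLocker) and a firmware password protecting the Secure Boot setting are the real mitigations. The PowerShell check below is an added example, not part of the original how-to; run from an elevated prompt on the Windows install itself, it flags the swap described in Steps 4 and 7 and assumes the default %SystemRoot%\System32 layout.

```powershell
# Added example, not part of the original how-to: detect the utilman.exe
# swap from Step 4. Run from an elevated PowerShell prompt on the Windows
# install being checked. Assumes the default %SystemRoot%\System32 layout.

$system32 = Join-Path $env:SystemRoot 'System32'
$utilman  = Join-Path $system32 'utilman.exe'
$cmd      = Join-Path $system32 'cmd.exe'
$findings = @()

# 1. The backup left by "rename to utilman.exe.BAK" is an indicator by itself.
foreach ($bak in Get-ChildItem -Path $system32 -File | Where-Object { $_.Name -like 'utilman.exe.*' }) {
    $findings += "Renamed copy present: $($bak.FullName)"
}

# 2. The swapped-in file is a byte-for-byte copy of cmd.exe, so the hashes match.
$utilHash = (Get-FileHash -Path $utilman -Algorithm SHA256).Hash
$cmdHash  = (Get-FileHash -Path $cmd     -Algorithm SHA256).Hash
if ($utilHash -eq $cmdHash) {
    $findings += 'utilman.exe has the same SHA-256 as cmd.exe'
}

# 3. The version resource travels with the copy: a renamed cmd.exe still
#    reports cmd.exe's OriginalFilename, whatever the file is now called.
$utilOrig = (Get-Item $utilman).VersionInfo.OriginalFilename
$cmdOrig  = (Get-Item $cmd).VersionInfo.OriginalFilename
if ($utilOrig -eq $cmdOrig) {
    $findings += "utilman.exe version resource reports OriginalFilename '$utilOrig'"
}

# 4. A genuine utilman.exe is Microsoft-signed. A renamed cmd.exe still
#    passes (it is Microsoft's own binary), but any other substitute does not.
$sig = Get-AuthenticodeSignature -FilePath $utilman
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    $findings += "utilman.exe signature status: $($sig.Status)"
}

# 5. Heuristic: stock System32 binaries are owned by TrustedInstaller; a file
#    created from a live Linux session usually is not.
$owner = (Get-Acl -Path $utilman).Owner
if ($owner -ne 'NT SERVICE\TrustedInstaller') {
    $findings += "utilman.exe owner is '$owner' (expected NT SERVICE\TrustedInstaller)"
}

if ($findings.Count -eq 0) {
    Write-Output 'utilman.exe looks unmodified.'
} else {
    Write-Warning 'Possible Ease of Access backdoor:'
    $findings | ForEach-Object { Write-Warning "  $_" }
}
```

If the check fires on a machine you did not intend to modify, Windows Resource Protection (sfc /scannow) restores the genuine utilman.exe from the component store.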