PIN and Fingerprint Sign-in options unavailable (greyed out) in Windows 10 1607 Enterprise

    Question

  • I have tested this on a Lenovo Yoga 260 laptop and a Lenovo M93P desktop (with attached external fingerprint reader). After installing Windows 10 Enterprise (whether via an in-place upgrade or fresh install), the PIN and Fingerprint Sign-in options are unavailable as the buttons are disabled/greyed out. TPM is enabled and functioning properly and is working with BitLocker. These options were there on 1511. The option for Picture password is still there.

    Group policies for the new Windows Hello for Business, and also the legacy convenience PIN etc. are not present/not configured.

    Anyone know what the requirements are to get this working again, or is this a bug?

    Friday, August 5, 2016 9:52 PM

Answers

  • See this post for the resolution to the issue. This fixed it on my Yoga and M93P.

    https://social.technet.microsoft.com/Forums/en-US/b975932a-b50b-4759-b43a-c94854c6da83/cant-enable-windows-hello-with-fresh-install-of-anniversity-upgrade-on-domain-account?forum=win10itprosetup

    Apparently 1607 requires this registry key setting to enable PIN login on domain joined machines:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
    "AllowDomainPINLogon"=dword:00000001

    • Marked as answer by Todd Walker Monday, August 8, 2016 1:57 PM
    Monday, August 8, 2016 1:57 PM

All replies

  • I can confirm the same issue.  I performed a fresh install of 1607 Enterprise on my Surface Book and no longer have the ability to set a PIN or use Windows Hello.

    Machine is domain joined and has no GPO settings configured for the old PIN settings, nor the new Windows Hello for Business settings.

    Hope it is something stupid I may be missing but can't seem to figure out what.  Not having a PIN/facial recognition sucks after having it for so long.  :-|

    Friday, August 5, 2016 10:54 PM
  • Hi

    Same strange symptom here with a Surface Pro 4 joined to an on-prem domain

    But according to this post, https://technet.microsoft.com/en-us/itpro/windows/keep-secure/implement-microsoft-passport-in-your-organization?f=255&MSPPError=-2147217396

    Hello for Business (which replaces Windows Hello on 1607) needs 2016 server??


    Saturday, August 6, 2016 7:06 AM
  • I think the problems might be related to the TPM, the Trusted Platform Module.

    My laptop is in a domain. After upgrading to the anniversary build (and after installing some updates) I had some problems starting up.

    I managed to repair some things, but both Windows Hello (PIN and fingerprint login) and BitLocker stopped working.

    Saturday, August 6, 2016 8:16 PM
  • I have a new Dell Latitude e7270 that was Win10 1507 OEM out of the box and then immediately upgraded to 1607. TPM is set at 2.0 and is clear from the factory. Options to setup Windows Hello (PIN, fingerprint) were all available prior to the 1607 upgrade. Post 1607 the only option enabled is Picture Password. The machine was not joined to a domain yet when the functionality was lost.

    I also have a Dell Precision 7510 that was Win10 Pro 1507 OEM and went through 1511 and 1607 upgrades after the Windows Hello options were initially populated and the options are not grayed out after upgrading to 1607. Machine has been in use prior to 1511 and is a domain member.

    Not sure if having Hello already configured in this case had any bearing on why one lost the options and the other didn't but installing the drivers over the top of 1607 on the e7270 has done nothing to enable the grayed out options.

    Saturday, August 6, 2016 9:54 PM
  • Lenovo P50 here and trying to figure it out myself. I have even set a GPO to force enable all the Windows Hello for Business and the sort and am still getting grayed out options. If imaged with a previous version, no issues adding them then running an update. If they are already present and set up, no issues with it keeping them, only setting it up new post update.
    Monday, August 8, 2016 12:41 PM
  • See this post for the resolution to the issue. This fixed it on my Yoga and M93P.

    https://social.technet.microsoft.com/Forums/en-US/b975932a-b50b-4759-b43a-c94854c6da83/cant-enable-windows-hello-with-fresh-install-of-anniversity-upgrade-on-domain-account?forum=win10itprosetup

    Apparently 1607 requires this registry key setting to enable PIN login on domain joined machines:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
    "AllowDomainPINLogon"=dword:00000001

    • Marked as answer by Todd Walker Monday, August 8, 2016 1:57 PM
    Monday, August 8, 2016 1:57 PM
  • This did not fix the issue on my Surface Book. Still unable to change the options.  That key btw gets set by the new GPO setting for Windows 10..
    Monday, August 8, 2016 8:02 PM
  • Success!  What I did to get this to work is ensure that NONE of the following policies are enabled via local or domain GPO:

    Computer>Administrative Templates>System>Logon>Turn on convenience PIN sign-in

    Computer>Administrative Templates>Windows Components>Windows Hello for Business>Use Biometrics

    Computer>Administrative Templates>Windows Components>Windows Hello for Business>Use Windows Hello for Business

    THEN, add the reg key mentioned above manually:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
    "AllowDomainPINLogon"=dword:00000001

    This unlocked the option for me on my Surface Book.  


    Tuesday, August 9, 2016 1:31 PM
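
Added example (not code from any poster in this thread or from Microsoft): a read-only PowerShell audit that reports the state of `AllowDomainPINLogon` and of the Windows Hello for Business and Biometrics policies that replies in this thread report as changing the outcome. Only the `...\Windows\System` key and the `AllowDomainPINLogon` value come from the thread; the `PassportForWork` and `Biometrics` registry paths are assumed ADMX-to-registry mappings and should be checked against your own templates.

```powershell
# Added example: read-only audit, nothing is written to the registry.
# From the thread: the Windows\System key path and AllowDomainPINLogon.
# Assumed mappings (verify against your ADMX templates): every
# PassportForWork and Biometrics path listed below.

$PolicyChecks = @(
    @{ Group = 'ConveniencePIN';   Policy = 'Turn on convenience PIN sign-in'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
       Name  = 'AllowDomainPINLogon' },
    @{ Group = 'HelloForBusiness'; Policy = 'Use Windows Hello for Business'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
       Name  = 'Enabled' },
    @{ Group = 'HelloForBusiness'; Policy = 'Use a hardware security device'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
       Name  = 'RequireSecurityDevice' },
    @{ Group = 'HelloForBusiness'; Policy = 'Use biometrics'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\Biometrics'
       Name  = 'Enabled' },
    @{ Group = 'Biometrics';       Policy = 'Allow the use of biometrics'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics'
       Name  = 'Enabled' },
    @{ Group = 'Biometrics';       Policy = 'Allow users to log on using biometrics'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider'
       Name  = 'Enabled' },
    @{ Group = 'Biometrics';       Policy = 'Allow domain users to log on using biometrics'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider'
       Name  = 'Domain Accounts' }
)

function Get-PolicyValue {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Name
    )
    # A missing key and a missing value both mean "Not configured": return $null.
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-SignInPolicyReport {
    foreach ($check in $PolicyChecks) {
        $value = Get-PolicyValue -Path $check.Path -Name $check.Name
        if     ($null -eq $value) { $state = 'Not configured' }
        elseif ($value -eq 1)     { $state = 'Enabled (1)' }
        elseif ($value -eq 0)     { $state = 'Disabled (0)' }
        else                      { $state = "Unexpected value: $value" }

        [pscustomobject]@{
            Group  = $check.Group
            Policy = $check.Policy
            State  = $state
            Key    = "$($check.Path)\$($check.Name)"
        }
    }
}

$report = @(Get-SignInPolicyReport)
$report | Format-Table Group, Policy, State -AutoSize

# The thread concerns domain-joined machines, so record that as well.
$domainJoined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
"Domain joined: $domainJoined"

$pin    = $report | Where-Object { $_.Group -eq 'ConveniencePIN' }
$others = $report | Where-Object {
    $_.Group -ne 'ConveniencePIN' -and $_.State -ne 'Not configured'
}

if ($pin.State -ne 'Enabled (1)') {
    "AllowDomainPINLogon is '$($pin.State)'; the accepted answer sets it to 1."
}
if ($others) {
    'Other sign-in policies are configured (replies disagree on their effect):'
    $others | ForEach-Object { "  $($_.Policy): $($_.State)  [$($_.Key)]" }
}
```

Running it before and after `gpupdate /force` shows whether a domain GPO re-applies a value that was changed locally.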
  • Success!  What I did to get this to work is ensure that NONE of the following policies are enabled via local or domain GPO:

    Computer>Administrative Templates>System>Logon>Turn on convenience PIN sign-in

    Computer>Administrative Templates>Windows Components>Windows Hello for Business>Use Biometrics

    Computer>Administrative Templates>Windows Components>Windows Hello for Business>Use Windows Hello for Business

    THEN, add the reg key mentioned above manually:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
    "AllowDomainPINLogon"=dword:00000001

    This unlocked the option for me on my Surface Book.  


    Nice catch... This was the problem I still had on my Dell...
    Just compared the SP4 settings with my laptop and I enabled Windows Hello for Business on it lol...

    Gérald

    Tuesday, August 9, 2016 2:36 PM
  • Just to clarify, AllowDomainPINLogon registry key is the same as the Turn on convenience PIN sign-in policy.  From an Enterprise standpoint, it's better to configure using the GPO rather than the GPP.  As long as you set the below policy to enabled the PIN option will be available and will allow the configuration of Hello.

    Computer\Policies\Administrative Templates\System\Logon\Turn on convenience PIN sign-in (set to enable)

    If you leave the Windows Hello for Business policies unconfigured the user can choose to configure Hello as they please.  You can force or disable it using the policies found under the following location:

    Computer\Policies\Administrative Templates\Windows Components\Windows Hello for Business 

    • Proposed as answer by Natealus Wednesday, October 5, 2016 2:28 AM
    Thursday, August 11, 2016 11:47 AM
  • Lee, although I completely agree it should be the same as enabling the GPO, it doesn't work in my testing.  In fact that GPO setting is supposed to be deprecated for 1607, and to use the Windows Hello for Business GPO's instead.  I can tell you with 100% certainty that with no GPO settings configured (old or new) that the Windows Hello feature remains disabled.

    The notes about the GPO are exactly what you are stating but in my domain it just simply doesn't work.  Have you verified yourself that you do see this behavior working as the documentation states, again on fresh builds on 1607, not upgrades (which Windows Hello remains enabled if it was already)?

    Thanks!

    Thursday, August 11, 2016 1:47 PM
  • I don't think that "Turn on convenience PIN sign-in" is deprecated... It's just that this setting targets a Windows 8.x/2012/2012R2 OS only so it is ignored because the running OS is Windows 10 and the key is not created.

    Gerald


    Thursday, August 11, 2016 2:34 PM
  • Right Gerald, that's what I actually meant.  Deprecated from a Windows 10 1607 standpoint..
    Thursday, August 11, 2016 7:54 PM
  • I have found something official after some googling, finally: https://blogs.technet.microsoft.com/ash/2016/08/13/changes-to-convenience-pin-and-thus-windows-hello-behaviour-in-windows-10-version-1607/

    But still, as long as the "Turn on convenience PIN sign-in" policy states "Windows 8.x/2012/2012R2 OS only" ... it is a bug (even if it is only buggy "targeting").

    I'm glad that I have found this policy .... pffff. Now it is enabled in our Group Policy (Win2008R2 server) and Win10 1607 is happy and allows using fingerprints again !!!

    • Proposed as answer by Monsen Thursday, November 17, 2016 5:08 PM
    Wednesday, September 7, 2016 5:31 PM
  • Success! THE Trick was:

    The policies are defined as follows:

    Computer>Administrative Templates>System>Logon>Turn on convenience PIN sign-in

    enabled in GPO (local or domain)

    Computer>Administrative Templates>Windows Components>Windows Hello for Business>Use Windows Hello for Business

    Not defined in GPO (local and domain)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System] "AllowDomainPINLogon"=dword:00000001

    is the same as GPO in 1st point.

    • Proposed as answer by cjg_716 Wednesday, July 5, 2017 5:39 PM
    Monday, September 12, 2016 9:41 PM
  • Computer>Administrative Templates>System>Logon>Turn on convenience PIN sign-in

    Computer>Administrative Templates>Windows Components>Windows Hello for Business>Use Biometrics

    Computer>Administrative Templates>Windows Components>Windows Hello for Business>Use Windows Hello for Business

    THEN, add the reg key mentioned above manually:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
    "AllowDomainPINLogon"=dword:00000001


    Nice, got this working! I also had Windows Hello for Business disabled, so that must be enabled too. With those old Biometric GPO settings I tried to make Fingerprint work in Windows 7 few years back and I left those settings enabled, so now I had to disable them.
    Tuesday, September 20, 2016 12:49 PM
  • I've tried all suggestions but it did not solve my problem.

    I already had a policy with Turn on convenience PIN sign-in and some settings for PIN complexity, and a setting in the registry. But after a fresh install of Win10 1607 the PIN option was greyed out.

    I removed my policy for PIN settings and added it again with the same settings. And after gpupdate /force I can now set up a PIN again in Win10 1607 Enterprise


    Thursday, September 22, 2016 10:15 AM
  • Hi, William,

    When you say "NONE", do you mean "Not Configured" for all the three GPO settings?

    Thanks,

    Success!  What I did to get this to work is ensure that NONE of the following policies are enabled via local or domain GPO:

    Computer>Administrative Templates>System>Logon>Turn on convenience PIN sign-in

    Computer>Administrative Templates>Windows Components>Windows Hello for Business>Use Biometrics

    Computer>Administrative Templates>Windows Components>Windows Hello for Business>Use Windows Hello for Business

    THEN, add the reg key mentioned above manually:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
    "AllowDomainPINLogon"=dword:00000001

    This unlocked the option for me on my Surface Book.  




    learning....

    Sunday, October 16, 2016 8:27 PM
  • Hi, William,

    When you say "NONE", do you mean "Not Configured" for all the three GPO settings?

    Thanks,


    Yes :)
    Monday, October 17, 2016 5:28 AM
  • That's correct.
    Tuesday, October 18, 2016 2:24 PM
  • See this post for the resolution to the issue. This fixed it on my Yoga and M93P.

    https://social.technet.microsoft.com/Forums/en-US/b975932a-b50b-4759-b43a-c94854c6da83/cant-enable-windows-hello-with-fresh-install-of-anniversity-upgrade-on-domain-account?forum=win10itprosetup

    Apparently 1607 requires this registry key setting to enable PIN login on domain joined machines:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
    "AllowDomainPINLogon"=dword:00000001

    This worked perfectly.  Thank you.

    -T

    Wednesday, November 30, 2016 11:36 PM
  • Has anyone accomplished this in 1607 by GPO, not GPP/regs? Apparently, SCM security templates broke my Fingerprint functionality, because there are Biometric settings there...
    Friday, December 23, 2016 9:28 AM
  • any more suggestions. can't get this working on a Surface 4.

    Have tried with the settings enabled and also not configured but no luck.

    Wednesday, January 4, 2017 1:53 PM
  • any more suggestions. can't get this working on a Surface 4.

    Have tried with the settings enabled and also not configured but no luck.

    Do you have an AD environment? Do you use Group Policies? Do your other models work with Fingerprint?

    I currently have an interesting challenge here. My Lenovo and Fujitsu laptops enroll fingerprints fine, but not HP. The fingerprint driver manufacturer is different. As a next step I'm going to test different drivers.

    A very important key here is to read what the error message is - is Windows Hello disabled (GPO issue), or didn't it find a suitable device for itself (driver issue).


    • Edited by yannara Wednesday, January 4, 2017 4:09 PM
    Wednesday, January 4, 2017 4:09 PM
  • Yes, we have a 2012R2 AD environment and we are using GP. Not really trying to use the fingerprint logon but the face recognition logon, but it seems that it also needs the PIN logon and we can't get it enabled when the computer is connected to the domain
    Tuesday, January 10, 2017 9:51 AM
  • Yes, we have a 2012R2 AD environment and we are using GP. Not really trying to use the fingerprint logon but the face recognition logon, but it seems that it also needs the PIN logon and we can't get it enabled when the computer is connected to the domain

    - Make sure you do not have any Biometric settings configured in GPO
    - Make sure you do not have any Windows Hello settings configured in GPO
    - Configure only this: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System] "AllowDomainPINLogon"=dword:00000001
    - To make things easier, would you be able to spare any laptop with a fingerprint device first? Make sure the Fingerprint option is available there. -> then you're okay.

    If your fingerprint works, but face recognition does not, I suggest you open another thread.

    • Proposed as answer by yannara Tuesday, January 10, 2017 3:45 PM
    Tuesday, January 10, 2017 3:45 PM
  • I noticed that MS has released new GPO templates for 1607 this year (2017), maybe something has changed. I wonder, should I try using traditional GPO settings with the latest 1607 CU installed. I would like to avoid using that registry setting and be able to configure other Biometric and Windows Hello settings...

    Please remember to mark my post as an answer, if I really helped you out, or vote if useful. Thank you!

    Wednesday, January 11, 2017 12:38 PM
  • Yannara, if you test this please post back your results. :-)
    Thursday, January 19, 2017 6:06 PM
  • Yannara, if you test this please post back your results. :-)

    Cumulative Updates and new GPO templates have nothing new around this, but I opened a case with MS, and I learned that enabling Convenience PIN in System\Logon will allow you to use Fingerprint, and that you don't have to use that registry setting. (I guess it is the same thing). This is by design, and the difference is whether you will use Windows Hello or Windows Hello for Business.

    Old, traditional Biometric settings or some Windows Hello settings will still mess up Fingerprint showing, and that is by design too.



    • Proposed as answer by yannara Thursday, January 19, 2017 6:12 PM
    Thursday, January 19, 2017 6:12 PM
  • Hello team!

    Thanks for solution.

    It also works for me! I had a problem after hot-swapping my laptop, and after that I was not able to use the old fingerprint and add a new one.

    I followed your instructions and now it is working! Thanks!

    Saturday, January 21, 2017 9:01 AM
  • Success!  What I did to get this to work is ensure that NONE of the following policies are enabled via local or domain GPO:

    Computer>Administrative Templates>System>Logon>Turn on convenience PIN sign-in

    Computer>Administrative Templates>Windows Components>Windows Hello for Business>Use Biometrics

    Computer>Administrative Templates>Windows Components>Windows Hello for Business>Use Windows Hello for Business

    THEN, add the reg key mentioned above manually:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
    "AllowDomainPINLogon"=dword:00000001

    This unlocked the option for me on my Surface Book.  


    Doesn't work for me.
    Wednesday, February 8, 2017 5:24 AM
  • I have Windows Server 2008 and 1 Win 10 Pro with a fingerprint reader.

    I can't find these objects/names:

    Computer>Administrative Templates>System>Logon>Turn on convenience PIN sign-in
    Computer>Administrative Templates>Windows Components>Windows Hello for Business>Use Biometrics
    Computer>Administrative Templates>Windows Components>Windows Hello for Business>Use Windows Hello for Business

    I can only find
    -Allow the use of Biometrics
    -Allow users to log on using biometrics
    -Allow domain users to log on using biometrics
    I enabled all three, and added the reg key

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
    "AllowDomainPINLogon"=dword:00000001

    Still have no luck. (fingerprint option is GREYED out)
    Please help!

    Friday, February 17, 2017 1:46 AM
  • I have Windows Server 2008 and 1 Win 10 Pro with a fingerprint reader.

    I can't find these objects/names:

    Computer>Administrative Templates>System>Logon>Turn on convenience PIN sign-in
    Computer>Administrative Templates>Windows Components>Windows Hello for Business>Use Biometrics
    Computer>Administrative Templates>Windows Components>Windows Hello for Business>Use Windows Hello for Business

    I can only find
    -Allow the use of Biometrics
    -Allow users to log on using biometrics
    -Allow domain users to log on using biometrics
    I enabled all three, and added the reg key

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
    "AllowDomainPINLogon"=dword:00000001

    Still have no luck. (fingerprint option is GREYED out)
    Please help!

    Add GPO templates for 1607 into your AD. https://www.microsoft.com/en-us/download/details.aspx?id=53430

    Also, enable Convenience PIN in System\Logon





    • Edited by yannara Friday, February 17, 2017 4:51 PM
    Friday, February 17, 2017 4:50 PM
  • FYI - I could enable PIN by making sure the 3 policies above were not enabled, and adding the registry key. 

    When I enabled the Convenience PIN it would not work with or without the registry key.

    Thanks.

    Friday, March 17, 2017 9:21 PM
  • Urgh... I had 1607 with fine working Fingerprint, I upgraded it with 1703... Fingerprint function lost, and cannot enable it. Nice :D


    Thursday, April 13, 2017 2:39 PM
  • Can confirm the same issue with Windows Hello no longer working in 1703. Regedit fixed it under 1607 and key is untouched in the upgrade to 1703. Something else is breaking it this time. 
    Tuesday, April 18, 2017 10:28 PM
  • Thanks, this fixed it on an HP Spectre x360 that had been added to the domain. Now to get the camera to recognise me consistently...
    Thursday, May 4, 2017 7:57 AM
  • Can confirm the same issue with Windows Hello no longer working in 1703. Regedit fixed it under 1607 and key is untouched in the upgrade to 1703. Something else is breaking it this time. 
    Hey yannara, just to add info here, I did a clean install of 1703 and the same reg changes are working for me.  Have you tried removing the key, reboot and then set it back?
    Wednesday, May 24, 2017 3:34 PM
  • Hey yannara, just to add info here, I did a clean install of 1703 and the same reg changes are working for me.  Have you tried removing the key, reboot and then set it back?

    No, this was with inplace-upgrade. I never bothered to do wipe and load with 1703 yet, since it has some other issues as well. I´m waiting for CBB in August :)


    Wednesday, May 24, 2017 9:10 PM
  • Has anyone figured this out with 1703? I just got the new Surface Pro and it has 1703 loaded, and I'm running into this problem. The old registry trick, or enabling the Convenience PIN GP entry no longer works.

    Guh.

    --Hans

    Friday, June 16, 2017 3:05 AM
  • So maybe I just figured it out?

    I had to do a "clean installation of windows" to reset everything. (settings>recovery>More recovery options...)

    Then, I logged in with a local admin account to put the registry entry to allow PIN in. 

    THEN I joined the domain and added my domain user as a local admin to the computer.

    Then I reboot to get the computer on the domain.

    Then I logged in as my domain user and...the PIN option is there! WTF.

    Whatever...it works now.


    • Edited by dyndragon Friday, June 16, 2017 3:24 AM added detail
    Friday, June 16, 2017 3:23 AM
  • I just got the new Surface Pro today. Had the same issue with build 1703.

    I installed 2 reg files from the page below. Now my domain users can setup PIN and fingerprints.

    https://www.bleepingcomputer.com/tutorials/enable-pin-sign-in-for-domain-users/ 

    Hint: No need to change anything on the server GPO.

    Thanks a bunch to Bleeping Computers I can sleep a little better tonight :)

    Monday, June 19, 2017 1:54 PM
  • I went around and around on this too with a new Surface Pro (1703). My error was changing the local group policy to enable the Biometrics and Windows Hello for Business that was described in an MS article.  After enabling those the registry entry does not work (on one iteration an error above was displayed over the Add PIN button).  When I finally set those back on unconfigured the registry entry (only used AllowDomainPINLogon=1) worked.
    • Edited by PhotoTed Wednesday, June 28, 2017 12:07 PM
    Wednesday, June 28, 2017 12:06 PM
  • Hi There,

    Currently I have upgraded our on-prem DC to 2016 and I want to use the functionality of Windows Hello for our Windows 10 clients (Surface and HPs, Dell etc). But I can't see the right GPO for it, or is it called "Microsoft Passport for Work", or is this the right one?

    I enabled the "Use Microsoft Passport for Work" but still I can't use Windows Hello, even the use of PIN is greyed out.. When I look at the Local GPO I can switch on the "use the concentional PIN" but can't find this one on my GPO server side? Is this correct? I'm convinced I got the latest templates...

    My devices (build 1703) are domain joined and when I'm logging in as admin (no settings or GPOs on) I am able to configure Windows Hello... but domain users are not?!

    Can someone push me in the right direction, thanks!



    • Edited by Spoiler83 Thursday, July 6, 2017 10:18 AM
    Thursday, July 6, 2017 10:04 AM
  • This solution does not work for me; when I set the GPO, in the registry I had that key. I still cannot enable PIN, it only shows me red text "Something went wrong. Try again later"
    When I did not have a domain account all worked fine; when I added the notebook to the domain all was disabled.
    Sync not working
    Fingerprint not working
    PIN not working
    Hello not working
    I have a Lenovo L460, Windows 10 1703 Enterprise and the DC is W2012R2

    Martin Hubka network admin

    Wednesday, July 12, 2017 12:37 PM
  • Folks, wait for CBB being released in August. I feel it is waste of time to attempt solving this issue today. Just putting my 5 cents in the game ;)


    Wednesday, July 12, 2017 1:45 PM
  • Is it right that I can't find the GPO "Turn on convenience PIN sign-in"?! It's not in the Logon folder.. Again, my DCs are upgraded to 2016 with equal domain and forest level. Replaced the admx files with the newest out there...

    • Edited by Spoiler83 Tuesday, July 18, 2017 2:34 PM
    Tuesday, July 18, 2017 10:11 AM
  • Is it right that I can't find the GPO "Turn on convenience PIN sign-in"?! It's not in the Logon folder.. Again, my DCs are upgraded to 2016 with equal domain and forest level. Replaced the admx files with the newest out there...

    Use filters and seek the setting inside all folders.

    In 1703 July release, my Fingerprint works fine as in 1607, no problem anymore.



    Friday, August 4, 2017 5:49 AM
  • Success!  What I did to get this to work is ensure that NONE of the following policies are enabled via local or domain GPO:

    Computer>Administrative Templates>System>Logon>Turn on convenience PIN sign-in

    Computer>Administrative Templates>Windows Components>Windows Hello for Business>Use Biometrics

    Computer>Administrative Templates>Windows Components>Windows Hello for Business>Use Windows Hello for Business

    THEN, add the reg key mentioned above manually:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
    "AllowDomainPINLogon"=dword:00000001

    This unlocked the option for me on my Surface Book.  


    Hi! I run into this issue with a Lenovo L570 running Windows 10 Pro.

    I tried the above solution but could not get the fingerprint option enabled (or the PIN). I fixed this by ONLY enabling the following:

    Computer>Administrative Templates>System>Logon>Turn on convenience PIN sign-in

    The other 2 GPO options are on 'not configured'. The registry key is default enabled.


    Monday, September 25, 2017 1:30 PM
  • Looks like it's very messy. I had to enable all of these policies and set the regkey manually to enable the fingerprint logon feature.

    • Computer Configuration\Administrative Templates
      • \System\Logon
        • Turn on convenience PIN sign-in (Enable)
      • \Biometrics
        • Allow the use of biometrics (Enable)
        • Allow users to log on using biometrics (Enable)
        • Allow domain users to log on using biometrics (Enable)
      • \Windows Hello for Business
        • Use a hardware security device (Enable)
        • Use biometrics (Enabled)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
    "AllowDomainPINLogon"=dword:00000001 


    • Edited by aaaaasd Tuesday, October 17, 2017 2:38 PM formatting
    • Proposed as answer by aaaaasd Tuesday, November 21, 2017 1:22 PM
    • Unproposed as answer by aaaaasd Tuesday, November 21, 2017 1:22 PM
    Tuesday, October 17, 2017 2:38 PM
  • Changing GP settings and adding the reg key enabled the option.
    Wednesday, November 1, 2017 11:18 AM
  • Surface Pro (5) none of this works. (Nov 2017) Windows 10 version 1709

    I have corrected many Surface Pro 4 with this same solution.

    Newest Surface Pro (5) I have found no solution so far.

    Plan to reset the device and enable \ apply settings THEN join the domain.

    Thursday, November 2, 2017 10:48 PM
  • I am also not able to fix this issue on a newly purchased Surface Pro (5) with 1709.  Any updates on this?

    Thank you, Ibrahim Benna MCSA+Messaging, MCSE+Messaging,MCITP, MCT, MVP "Did you backup your Information Store Today?!" ***Don't forget to mark helpful or answer***

    Monday, November 13, 2017 7:29 PM
  • Thanks a lot. It's Worked.
    Saturday, November 18, 2017 7:00 AM
  • Hi

    I have the same issue with a desktop build with 1709.

    The above fixes worked for me on 1703 when using the registry key "AllowDomainPINLogon" and enabling the "Allow the use of biometrics", "Allow users to log on using biometrics" and "Allow domain users to log on using biometrics" settings on the local group policy of the PC.

    Tried various combinations of the above fixes but none seems to work on 1709. So frustrating...

    Thursday, November 23, 2017 8:43 AM
  • I have the same issue with 1709, spent ages trying all the options but nothing works :(
    Thursday, November 23, 2017 5:40 PM
  • We do encounter the same issue on 1709 build.

    None of the above is working as desired.
    In build 1703 and previous ones it was working well.

    Does anyone have positive results to share for build 1709? Probably MS is working on new GPO templates for this build.

    piccolodiavolo

    Thursday, November 30, 2017 5:06 PM
  • Implemented on Win10 1709 build via GPO; fingerprint setup button under Windows Hello no longer greyed out:

    computer\policies\administrative templates\system\logon:

    "Turn on convenience PIN sign-in" ENABLED

    computer\policies\administrative templates\administrative templates\windows components\biometrics:

    "Allow domain users to log on using biometrics": ENABLED

    "Allow the use of biometrics": ENABLED

    No further need for registry key; the regkey "AllowDomainPINLogon" is identical to GPO setting "Turn on convenience PIN sign-in".



    • Edited by T. Fieg Tuesday, December 5, 2017 12:58 PM
    • Proposed as answer by Marlana80 Tuesday, July 3, 2018 7:14 PM
    Tuesday, December 5, 2017 12:49 PM
  • Implemented on Win10 1709 build via GPO; fingerprint setup button under Windows Hello no longer greyed out:

    computer\policies\administrative templates\system\logon:

    "Turn on convenience PIN sign-in" ENABLED

    computer\policies\administrative templates\administrative templates\windows components\biometrics:

    "Allow domain users to log on using biometrics": ENABLED

    "Allow the use of biometrics": ENABLED

    No further need for registry key; the regkey "AllowDomainPINLogon" is identical to GPO setting "Turn on convenience PIN sign-in".



    NB:Surface Pro(5) 1703 or 1709 with same issue.

    AD:Windows Server 2012 R2

    Any update?

    Saturday, December 23, 2017 10:17 AM
  • Hi,

    It works when you configure the following settings:

    - Upgrade AD schema to Windows Server 2016 (version 87)
    - Configure "Turn on convenience PIN sign-in" (System/Logon) to 'Enabled'
    - Configure "Allow domain users to log on using biometrics" (Windows Components/Biometrics) to 'Enabled'
    - Configure "Allow users to log on using biometrics" (Windows Components/Biometrics) to 'Enabled'
    - Configure "Use a hardware security device" (Windows Components/Windows Hello for Business) to 'Enabled'

    I'm running on Microsoft Windows 10 Enterprise Insider Preview build 17063, using a Microsoft Surface Book 2 device.

    BR - Frank

    • Edited by F. Keunen Monday, December 25, 2017 8:56 PM
    Monday, December 25, 2017 8:51 PM
  • Thanks, this worked for me also. Fresh install of Win 1709 on an HP Spectre x360 with face sign-in via Windows Hello, option to setup was greyed out. Checked Group Policy, enabled the Windows Hello policies, no different. Created the registry entry. Fixed!

    Come on MS, you need to fix this.

    Friday, January 19, 2018 12:50 PM
  • On all of the following 3 laptops fingerprint was grayed-out. All were already joined to our edu AD. Did only:

    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
    "AllowDomainPINLogon"=dword:00000001

    That is, after doing *only* the above registry-hack and changing nothing in group-policy, all AD users could now add fingerprint and pin (had to add pin for fingerprint to work).  You may also need to update driver, or remove and let it re-add itself.

    (1.)  windows 10-64-ent 1703 Dell Latitude E5440 windows 10-65-ent 1703

    (2.) windows 10-64-ent 1703 Lenovo Carbon X5 Model 20HQS23W00 

    (3.) windows 10-64-ent 1709 Lenovo Carbon X5 Model 20HQS23W00  (fresh install of 1709)

    For another laptop identical to 3 I'm still having problems: fp ok for local user, but not ad user. However, it may have been updated from 1703 to 1709 instead of a fresh install. I'll post back if I get it fixed. Problem is we had tried all the group-policy crap first, and I'm not sure I cleaned it all out. BTW will gpupdate /force return most values to the AD defaults, or do the defaults vary with the version, 1609, 1703, 1709, etc?


    • Edited by evileye2 Friday, February 2, 2018 9:46 PM
    Friday, February 2, 2018 9:45 PM
  • Windows server 2016, windows 10 pro 1709, fixed by only turning on GPO with 
    Computer>Administrative Templates>System>Logon>Turn on convenience PIN sign-in

    all others not configured

    • Proposed as answer by Marlana80 Tuesday, July 3, 2018 7:15 PM
    Friday, March 9, 2018 4:44 PM
  • I have gg and tried these steps with my Dell Vostro - using Wins 10 pro - configured by a Domain in my company

    1. Set 3 policy: Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business in "not configured"

    Run - gpedit.msc - Administrative Templates - Windows Component - Windows hello for business

    2. In gpedit: Administrative Templates - System - Logon - Enable "Turn on convenience PIN sign in" 

    3. Run - regedit - [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System] - create a Dword32 key - AllowDomainPINLogon - set value = 1

    Restart and then fingerprint setup is available!

    That's mine, try yours!


    Tuesday, March 20, 2018 9:16 AM
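
The policy state that the posts above change by hand can be read in one pass. The following PowerShell is an added example, not code from any poster or from Microsoft: only `AllowDomainPINLogon` and its key appear in the thread, and the other registry locations are assumed to be the values behind the named policies, to be confirmed against the ADMX templates of the build in use.

```powershell
# Added example: read-only audit of the policy values this thread keeps toggling.
# Only AllowDomainPINLogon and its key path come from the thread; the other
# key/value names are assumptions to verify against the .admx files of your build.
$checks = @(
    @{ Policy = 'Turn on convenience PIN sign-in'
       Path   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
       Name   = 'AllowDomainPINLogon' },
    @{ Policy = 'Use Windows Hello for Business'
       Path   = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
       Name   = 'Enabled' },
    @{ Policy = 'Allow the use of biometrics'
       Path   = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics'
       Name   = 'Enabled' },
    @{ Policy = 'Allow domain users to log on using biometrics'
       Path   = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider'
       Name   = 'Domain Accounts' }
)

function Get-PolicyState {
    param([string]$Path, [string]$Name)
    # A missing key or value is what the policy editor shows as "Not configured".
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Not configured' }
    switch ($item.$Name) {
        1       { 'Enabled' }
        0       { 'Disabled' }
        default { "Unexpected value: $_" }
    }
}

$report = foreach ($c in $checks) {
    [pscustomobject]@{
        Policy = $c.Policy
        State  = Get-PolicyState -Path $c.Path -Name $c.Name
        Value  = "$($c.Path)\$($c.Name)"
    }
}
$report | Format-Table -AutoSize -Wrap

# Flag the two states posters in this thread reported alongside greyed-out buttons.
$pin  = ($report | Where-Object Policy -eq 'Turn on convenience PIN sign-in').State
$whfb = ($report | Where-Object Policy -eq 'Use Windows Hello for Business').State
if ($pin -ne 'Enabled') {
    Write-Warning "Convenience PIN sign-in is '$pin'; the thread's fix is Enabled (AllowDomainPINLogon = 1)."
}
if ($whfb -eq 'Enabled') {
    Write-Warning "Windows Hello for Business is Enabled; several posters had to set it to Not configured."
}
```

Run it from an elevated or normal prompt on the affected machine after `gpupdate /force`, so the output reflects the policy actually applied rather than what was edited in the console.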
  • I have gg and tried these steps with my Dell Vostro - using Wins 10 pro - configured by a Domain in my company

    1. Set 3 policy: Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business in "not configured"

    Run - gpedit.msc - Administrative Templates - Windows Component - Windows hello for business

    2. In gpedit: Administrative Templates - System - Logon - Enable "Turn on convenience PIN sign in" 

    3. Run - regedit - [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System] - create a Dword32 key - AllowDomainPINLogon - set value = 1

    Restart and then fingerprint setup is available!

    That's mine, try yours!


    Thank you for the solution. It worked for me too. The restart is mandatory.

    For step 3: I already had that key defined, but I've deleted it and added it again.

    Also, I had the following settings enabled: "Administrative Templates - Windows Components - Biometrics - Allow the use of biometrics" and "Administrative Templates - Windows Components - Biometrics - Allow domain users to log on using biometrics". Don't know if they make a difference or not though.


    Thursday, April 5, 2018 10:26 AM
  • Not defined in GPO was 'Enabled', when set as proposed it worked like a charm... (Lenovo Yoga)
    • Edited by Vidoje.V Thursday, May 3, 2018 12:45 PM
    Thursday, May 3, 2018 12:44 PM
  • I have gg and tried these steps with my Dell Vostro - using Wins 10 pro - configured by a Domain in my company

    1. Set 3 policy: Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business in "not configured"

    Run - gpedit.msc - Administrative Templates - Windows Component - Windows hello for business

    2. In gpedit: Administrative Templates - System - Logon - Enable "Turn on convenience PIN sign in" 

    3. Run - regedit - [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System] - create a Dword32 key - AllowDomainPINLogon - set value = 1

    Restart and then fingerprint setup is available!

    That's mine, try yours!


    It works. Only be sure to make sure Windows Hello for Business is NOT configured.

    JEFFDEG

    Thursday, May 24, 2018 7:03 AM
  • See this post for the resolution to the issue. This fixed it on my Yoga and M93P.

    https://social.technet.microsoft.com/Forums/en-US/b975932a-b50b-4759-b43a-c94854c6da83/cant-enable-windows-hello-with-fresh-install-of-anniversity-upgrade-on-domain-account?forum=win10itprosetup

    Apparently 1607 requires this registry key setting to enable PIN login on domain joined machines:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
    "AllowDomainPINLogon"=dword:00000001

    On top of this, I recently discovered that Lenovo has got a Yoga X380 laptop that has Windows 10 specific drivers. Such specific drivers do not install correctly with the Lenovo System Update tool. The auto-installed driver for the biometrics device is the generic Windows 10 driver - but if Windows is version 1703, then you need the biometrics driver that is tailored (!!!) for Windows 10 version 1703.

    I reckon you should check the manufacturer driver listing for a laptop that has persistent problems with biometric login - whether there is some Windows 10 version-specific driver for the biometric device. Nasty surprise, but found it.


    (edit: this discovery of mine was written in May 2018, whereas the original solution - that is still needed - was written in August 2016. My discovery is only to bring the latest update for this matter. Thus Win 10 1703 is old at this point.)
    • Edited by IT-Multitool Monday, June 4, 2018 4:50 AM more detail to answer.
    Monday, June 4, 2018 4:48 AM
  • I'm on build 1709 still, going to update to 18xx pretty soon. However, I wanted to try setting up my fingerprint again prior to updating. I had given up on using FP's a couple months ago because I can't figure out which setting it is that is defeating me.

    Today, my Fingerprint "add another" button was grayed out. I found this thread and then set the "use Windows Hello for Business" policy to "not configured" because it was set to "enabled". This fixed it for me. However, I now have a more difficult problem to fix that I had fixed previously somehow, but something changed and it's broken again.

    What happens is: I click on Add Fingerprint, a "Windows Hello setup" box pops up for a second then disappears.

    I have found people talking about UAC and "admin approval" mode, but this is not the problem in my case because I am an admin locally and my policy is set to "elevate without prompting". And the policy "UAC: Run all admins in Admin Approval mode" is disabled. Basically, I am a true admin and never get a UAC prompt, kind of like Windows used to be before UAC.

    If I edit my local policy to enable "use Windows Hello for business", the "add another" button grays out, just like when setting it with GPO (as expected). The "use biometrics" setting has no effect.

    This kind of seems like an issue with the Windows Store, like the Windows Hello app is trying to use the Store and gets denied since the Store is completely broken by GP. I am going to update my build and then pursue this further. Any ideas or clues would be greatly appreciated. Thanks!

    FYI, our AD schema is probably 2012 R2, not 2016 yet.

    Monday, July 9, 2018 4:53 PM

  • Today, my Fingerprint "add another" button was grayed out. I found this thread and then set the "use Windows Hello for Business" policy to "not configured" 

    Success! Thank you very much. This is the solution! "use Windows Hello for Business" has to be set to "not configured". When you set it to "enabled" it doesn't work... irrational... but it works :)
    Wednesday, July 11, 2018 8:45 AM
  • Thank you!  This took care of not being able to add a fingerprint scanner to a Windows 10 Pro Desktop PC.  We have a domain login and I had set the GP on the DC to allow Biometrics, and set the local GP to allow, but Fingerprint Setup and PIN setup were still greyed out, even after logouts and reboots.  

    Adding this 32-bit DWORD Reg hack did the trick.  Muchas gracias!

    Thursday, September 13, 2018 1:00 AM
  • Worked Perfectly after creating a key as explained here.

    thank you

    Monday, October 1, 2018 8:30 AM
  • Can this be set in Group Policy? 

    Can the complexity of the PIN that it requires after setting up also be set (length, expiration, etc.)?

    Thursday, November 8, 2018 9:02 PM