none
Windows Hello for Business on a domain joined PC RRS feed

All replies

  • Hi,

    New features in Windows Hello enable a better device lock experience, using multifactor unlock with new location and user proximity signals. For general information, see Windows Hello for Business.

    According to your description, make sure your account belongs to Administrator group, then refer to this case to enable PIN login, if your accounts are not an administrator account, you need to contact system admin for support.

    For domain user, you need to enable the GPO below.

    Computer>Administrative Templates>System>Logon>Turn on convenience PIN sign-in

    All 3 Policies under Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business\ must be in the state "Not configured" or “Enable”.

    Hope it will be helpful to you


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by R.a.lf Friday, October 27, 2017 10:18 AM
    Friday, October 27, 2017 8:39 AM
    Moderator
  • Hi Carl,

    Your answer helped me out a lot!
    I stumbled on this thread after updating to 1709.

    I enabled:

    Computer>Administrative Templates>System>Logon>Turn on convenience PIN sign-in

    And I enabled this one :

    Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business\Use biometrics

    After a reboot, the PIN wasn't grayed out anymore and it worked as it did before the upgrade to 1709
    Thanks!

    Friday, October 27, 2017 10:18 AM
  • Hi,

    I'm glad to be of help to you.

    If any further help needed, please feel free to post back.

    Best regards,

    Carl


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Saturday, October 28, 2017 9:24 AM
    Moderator
  • Thanks for your suggestions. Unfortunately that does not work for me. :-( It is still grayed out.

    Anything else I could check?

    Sunday, October 29, 2017 9:11 AM
  • Hi,

    Thank you for your update.

    I find you said “Our domain controller is currently still running Windows Server 2008.” Based on my check again, Windows Hello for business has some required. Windows Server 2008 Domain control does not seem to meet the requirements.

    Windows Hello for Business

    https://docs.microsoft.com/en-us/windows/access-protection/hello-for-business/hello-identity-verification

    Two similar cases in the link below.

    https://social.technet.microsoft.com/Forums/windows/en-US/dcd14acd-54c8-4cfb-b64b-2c65a6d6b85b/windows-hello-for-business-biometric-requires-2016-domain?forum=ws2016

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/1f9931f4-b029-40c3-9d6f-08982d5a28fd/windows-hello-for-business-with-on-premise-active-directory?forum=win10itprosecurity

    Best regards,

    Carl


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, October 31, 2017 9:59 AM
    Moderator
  • Finally I decided to do an Windows inplace upgrade with the Media creation tool. It went through without any issues and Windows Hello with PIN is working now! As I am on Windows 10 Pro I needed to insert the following regkey

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
    "AllowDomainPINLogon"=dword:00000001

    Unfortunately I am still unable to use my IR camera with Hello. In EventLog there is the following output everytime I start Facial recognition

    "Das Paket „Microsoft.BioEnrollment_10.0.16299.15_neutral__cw5n1h2txyewy+App“ wurde beendet, da das Anhalten zu lange dauerte." BioEnrollment has stopped working due to a timeout.

    I already tried to repair AppX packages with powershell, but no difference.

    Any ideas?

    Tuesday, November 7, 2017 3:42 PM