Enable Windows Hello on a domain joined PC

  • Question

  • I have a Windows 10 Pro PC with Fall Creators Update installed. It is joined to our domain and I want to add a USB fingerprint reader. However, I am unable to enable Windows Hello. I have enabled Windows Hello for Business and PIN sign-in in Group policy. However, the options to configure Windows Hello are still greyed out. Any idea why this might be?

    Daryl Sensenig Tents For Rent

    Monday, March 12, 2018 8:59 PM

Answers

  • Here is the solution. Thank you.

    https://social.technet.microsoft.com/Forums/en-US/15d0a491-feed-49fe-811d-8d8248bf9e15/pin-and-fingerprint-signin-options-unavailable-greyed-out-in-windows-10-1709-enterprise?forum=win10itprogeneral


    Daryl Sensenig Tents For Rent

    Friday, January 18, 2019 5:39 PM

All replies

  • Hi Daryl,

    Try setting this registry key and reboot

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
    "AllowDomainPINLogon"=dword:00000001


    Regards, Simon

    • Proposed as answer by Afsar Aram Sunday, June 24, 2018 5:52 AM
    Monday, March 12, 2018 9:42 PM
  • Thanks, but I did check and that registry key is already set.

    The other thing is this: it works on another PC with the same Group Policy applied.


    Daryl Sensenig Tents For Rent

    Tuesday, March 13, 2018 12:30 PM
  • Hi Daryl,

    Try to reboot your computer after configuring Windows Hello for Business and PIN sign-in in Group Policy.

    If the issue persists, please try to not configure Windows Hello for Business in Group Policy and check the issue again to narrow down the issue.

    Bests,


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, April 9, 2018 11:25 AM
    Moderator
  • Try to reboot your computer after configuring Windows Hello for Business and PIN sign-in in Group Policy.

    I have rebooted many times during this process with no effect.

    I set the domain policy on Windows Hello for Business to "not configured". I ran Gpupdate /force and rebooted again. This is the screen I get in settings.

    [Image: Windows Hello settings screen]


    Daryl Sensenig Tents For Rent

    Monday, April 9, 2018 12:47 PM
  • Hi Daryl,

    What's your OS build version? (Type "winver" in the Windows search box)

    Please try to log in with another user account, such as a local account, and check the issue again.

    Please export the applied group policy with the command line "gpresult /h C:\gp.html", then upload the file to OneDrive and paste the link here for analysis.

    Bests,



    Tuesday, April 10, 2018 11:00 AM
    Moderator
  • Version 1709 Build 16299.309

    I'll try your suggestions soon.


    Daryl Sensenig Tents For Rent

    Thursday, April 12, 2018 5:58 PM
  • I can set up Windows Hello on a local user account but not another domain user account.

    Here is a link to the gpresults: https://1drv.ms/u/s!Am1v8TglKk1RiI1cqrmRsKidr72rNg 


    Daryl Sensenig Tents For Rent

    Thursday, April 12, 2018 7:10 PM
  • Hi Daryl,

    I apologize for my late reply.

    According to your uploaded GP result, I noticed the related group policy for PIN configuration is enabled on this device.

    As you said before, the symptom does not occur on the other domain-joined PC and does not occur on a local account. So I recommend leaving the domain and rejoining it to check the issue.

    By the way, is it a VM machine or physical device?

    Bests,



    Saturday, April 21, 2018 9:35 AM
    Moderator
  • Physical device.

    Daryl Sensenig Tents For Rent

    Monday, April 23, 2018 5:31 PM
  • Hi Daryl,

    Please see the official suggestion:

    And the reason is:

    Windows 10 Version 1607 and later includes new functionality that differentiates Windows Hello for Business from a convenience sign-in PIN. 

    Windows Hello for Business has strong user authentication properties that are frequently and mistakenly assumed to be functioning when the Windows Hello for Business infrastructure is not in place and when a user is using a convenience PIN. This change prevents the creation of a PIN in Windows 10 and later version without Windows Hello for Business.

    Additionally, a user cannot create a convenience PIN in Windows 10 Version 1607 and later version when the Use Convenience PIN and Use Windows Hello for Business policies are both enabled unless the device is joined to Azure Active Directory in some way (for example, it is either Azure AD-joined or has the Computer Configuration\Administrative Templates\Windows Components\device registration\Register domain joined computers as devices policy enabled).

    To allow convenience PINs to be created on devices that are not joined to Azure AD, make sure that the following conditions are true:
    • The Use Windows Hello for Business policy is not enabled.
    • The Turn on convenience PIN sign-in policy is enabled.

    For more information, please see: Can't configure a PIN when Convenience PIN and Hello for Business policies are enabled in Windows 10



    Wednesday, April 25, 2018 11:08 AM
    Moderator
  • Most of the group policy settings were as you recommended, but I did update what wasn't. I ran gpupdate /force. I rebooted the computer, but I'm still having the same issues.

    I'm about ready to give up on the idea of fingerprint login on this PC.


    Daryl Sensenig Tents For Rent

    Friday, April 27, 2018 8:05 PM
  • Hi Daryl,

    Did you ever get this working?

    Thanks, Tony

    Tuesday, December 4, 2018 1:31 PM
  • Nope, never could get it to work.

    Daryl Sensenig Tents For Rent

    Friday, December 7, 2018 2:19 PM
  • Momominta, thank you, had some of it figured out (don't configure "Windows Hello for Business" as an example) but your advice  to enable all of these (regardless of Microsoft's documentation / advice that it wasn't required) "Use BioMetrics",  "Use a hardware security device", "Turn on convenience PIN sign-in", "Allow domain users to log on using biometrics" on a Windows 10 1803 machine that is joined to the domain worked (instantaneously as soon as I applied the Group Policy).

    Take care,

    Friday, January 4, 2019 6:02 PM
  • I've been fighting this for a looong time. I've tried all these group policy settings: turn on convenience PIN login, enable windows hello for business, enable biometrics, etc. etc. etc.  I finally found the solution.

    The PCs in my company are Windows 10 build 1809. Mostly Lenovo X1 Yogas and P330s and some Surface Pros. They are domain-joined to a 2012 R2 domain and they are subscribed to Office 365 for email and Office Pro Plus. We have an E3 license in Office 365. When a user registers the Office apps using their own O365 license, it connects Windows to their work account. Disconnecting that allowed me to set up PIN and Fingerprint. Here's how to do it:

    1. Go to Windows Settings -> Accounts -> Access Work or School.  The key setting is the "Work or School Account" with the colorful windows logo by it. Disconnect that. Don't touch the "Connected to whatever domain" setting.

    2. Then click on "Sign-in Options".  Fingerprint and PIN are no longer greyed out. If it's still greyed out, then make sure "convenience PIN sign-in" is enabled.

    3. Add the PIN, then the Fingerprint.

    4. Go back to "Access Work or School" in Settings -> Accounts.

    5. Click Connect and Enter the user's email address and password.

    The only group policy currently in effect is the "Turn on Convenience PIN sign-in" setting under Policies, Administrative Templates, System, Logon. Note that this is NOT Windows Hello for Business. This is still just password stuffing. Some day, convenience PIN sign-in will be deprecated and we'll have to do it the secure way.
    • Proposed as answer by DarthDew Thursday, May 23, 2019 4:52 PM
    Thursday, May 23, 2019 4:52 PM
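
Added example, not part of any post in this thread: a read-only PowerShell check that gathers the conditions discussed above (the policy combination from the moderator's quoted guidance and the work-account state from the steps just given). The `AllowDomainPINLogon` path comes from the thread; the other policy registry locations are the standard ones for those settings, and treating `WorkplaceJoined : YES` from `dsregcmd /status` as the "Work or School Account" connection is an assumption.

```powershell
# Added example: read-only diagnostic for greyed-out PIN/fingerprint sign-in options.
function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the value is absent, i.e. the policy is not configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

# Machine-scope policy values (user-scope policy under HKCU is not checked here).
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft'
$policies = [ordered]@{
    'Turn on convenience PIN sign-in' = Get-PolicyValue "$pol\Windows\System" 'AllowDomainPINLogon'
    'Use Windows Hello for Business'  = Get-PolicyValue "$pol\PassportForWork" 'Enabled'
    'Allow the use of biometrics'     = Get-PolicyValue "$pol\Biometrics" 'Enabled'
    'Allow domain users to log on using biometrics' = Get-PolicyValue "$pol\Biometrics\Credential Provider" 'Domain Accounts'
}

# Parse "Name : Value" lines from dsregcmd /status into a lookup table.
$state = @{}
foreach ($line in (dsregcmd.exe /status)) {
    if ($line -match '^\s*(\w+)\s*:\s*(\S.*?)\s*$') { $state[$Matches[1]] = $Matches[2] }
}

$pinOn     = $policies['Turn on convenience PIN sign-in'] -eq 1
$whfbOn    = $policies['Use Windows Hello for Business'] -eq 1
$aadJoined = $state['AzureAdJoined'] -eq 'YES'

$findings = @()
if (-not $pinOn) {
    $findings += 'Convenience PIN sign-in policy is not enabled.'
}
if ($pinOn -and $whfbOn -and -not $aadJoined) {
    # Combination described in the guidance quoted earlier in the thread.
    $findings += 'Convenience PIN and Hello for Business are both enabled and the device is not Azure AD joined.'
}
if ($state['WorkplaceJoined'] -eq 'YES') {
    # Assumption: this corresponds to the "Work or School Account" entry in Settings.
    $findings += 'A work or school account is registered on this profile.'
}
if (-not $findings) { $findings += 'None of the conditions from this thread were detected.' }

$policies.GetEnumerator() | Format-Table Key, Value -AutoSize
$state.GetEnumerator() |
    Where-Object Key -in 'DomainJoined', 'AzureAdJoined', 'WorkplaceJoined' |
    Format-Table Key, Value -AutoSize
$findings
```

Run it as the affected domain user, since `WorkplaceJoined` is per-user state; compare the output with a PC where the options are not greyed out.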
  • Please refer to the requirements.

    https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-deployment-guide

    Thursday, November 7, 2019 1:54 PM