Enable Windows Hello on a domain joined PC

All replies

• 

  

  16

  Sign in to vote

  Hi Daryl,

  Try setting this registry key and reboot

  [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
  "AllowDomainPINLogon"=dword:00000001

  ---

  If you find that my post has answered your question, please mark it as the answer. If you find my post to be helpful in anyway, please click vote as helpful. Regards Simon Disclaimer: This posting is provided AS IS with no warranties or guarantees, and confers no rights.

  • Proposed as answer by Afsar Aram Sunday, June 24, 2018 5:52 AM

  Monday, March 12, 2018 9:42 PM
• 

  

  0

  Sign in to vote

  Thanks, but I did check and that registry key is already set.

  The other thing is this: it works on another PC with the same Group Policy applied.

  ---

  Daryl Sensenig Tents For Rent

  Tuesday, March 13, 2018 12:30 PM
• 

  

  0

  Sign in to vote

  Hi Daryl,

  Try to reboot your computer after configured Windows Hello for Business and PIN sign-in in Group Policy.

  If the issue persists, please try to not configure Windows Hello for Business in Group Policy and check the issue again to narrow down the issue.

  Bests,

  ---

  Please remember to mark the replies as answers if they help.
  If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

  Monday, April 9, 2018 11:25 AM
• 

  

  0

  Sign in to vote

  Try to reboot your computer after configured Windows Hello for Business and PIN sign-in in Group Policy.

  I have rebooted many times during this process with no effect.

  I set the domain policy on Windows Hello for Business to "not configured". I ran Gpupdate /force and rebooted again. This is the screen I get in settings.

  

  ---

  Daryl Sensenig Tents For Rent

  Monday, April 9, 2018 12:47 PM
• 

  

  0

  Sign in to vote

  Hi Daryl,

  What's your OS build version? (Press "winver" in Windows search box)

  Please try to login with other user account such as local account and check the issue again. 

  Please export the applied group police with command line "gpresult /h C:\gp.html", then upload the file to One Drive and paste link here for analyses.

  Bests,

  ---

  Please remember to mark the replies as answers if they help.
  If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

  Tuesday, April 10, 2018 11:00 AM
• 

  

  0

  Sign in to vote

  Version 1709 Build 16299.309

  I'll try your suggestions soon.

  ---

  Daryl Sensenig Tents For Rent

  Thursday, April 12, 2018 5:58 PM
• 

  

  0

  Sign in to vote

  I can setup Windows Hello on a local user account but not another domain user account.

  Here is a link to the gpresults: https://1drv.ms/u/s!Am1v8TglKk1RiI1cqrmRsKidr72rNg 

  ---

  Daryl Sensenig Tents For Rent

  Thursday, April 12, 2018 7:10 PM
• 

  

  0

  Sign in to vote

  Hi Daryl,

  I would apologize for my late reply.

  According to your uploaded GP result, I noticed the related group policy for PIN configuration is enabled on this device. 

  As you said before, the symptom not occur on other domain joined PC, not occur on local account. So I recommend to exit from domain and re-join domain again to check the issue.

  By the way, is it a VM machine or physical device?

  Bests,

  ---

  Please remember to mark the replies as answers if they help.
  If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

  Saturday, April 21, 2018 9:35 AM
• 

  

  0

  Sign in to vote

  Physical device.

  ---

  Daryl Sensenig Tents For Rent

  Monday, April 23, 2018 5:31 PM
• 

  

  2

  Sign in to vote

  Hi Daryl,

  Please see the official suggestion:

  

  And the reason is:

  Windows 10 Version 1607 and later includes new functionality that differentiates Windows Hello for Business from a convenience sign-in PIN. 
  
  Windows Hello for Business has strong user authentication properties that are frequently and mistakenly assumed to be functioning when the Windows Hello for Business infrastructure is not in place and when a user is using a convenience PIN. This change prevents the creation of a PIN in Windows 10 and later version without Windows Hello for Business.
  
  Additionally, a user cannot create a convenience PIN in Windows 10 Version 1607 and later version when the Use Convenience PIN and Use Windows Hello for Business policies are both enabled unless the device is joined to Azure Active Directory in some way (for example, it is either Azure AD-joined or has the Computer Configuration\Administrative Templates\Windows Components\device registration\Register domain joined computers as devices policy enabled).
  
  To allow convenience PINs to be created on devices that are not joined to Azure AD, make sure that the following conditions are true:

  • The Use Windows Hello for Business policy is not enabled.
  • The Turn on convenience PIN sign-in policy is enabled.                                                                                                                                                                                          For more information, please see: Can't configure a PIN when Convenience PIN and Hello for Business policies are enabled in Windows 10 

  ---

  Please remember to mark the replies as answers if they help.
  If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

  • Edited by Joy-Qiao Thursday, April 26, 2018 1:37 AM

  Wednesday, April 25, 2018 11:08 AM
• 

  

  0

  Sign in to vote

  Most of the group policy settings were as you recommended, but I did update what wasn't. I ran gpupdate /force. I rebooted the computer, but I'm still having the same issues.

  I'm about ready to give up on the idea of fingerprint login on this PC.

  ---

  Daryl Sensenig Tents For Rent

  Friday, April 27, 2018 8:05 PM
• 

  

  0

  Sign in to vote

  hi daryl

  did you ever get this working ? 

  thanks tony

  Tuesday, December 4, 2018 1:31 PM
• 

  

  0

  Sign in to vote

  Nope, never could get it to work.

  ---

  Daryl Sensenig Tents For Rent

  Friday, December 7, 2018 2:19 PM
• 

  

  0

  Sign in to vote

  Momominta, thank you, had some of it figured out (don't configure "Windows Hello for Business" as an example) but your advice  to enable all of these (regardless of Microsoft's documentation / advice that it wasn't required) "Use BioMetrics",  "Use a hardware security device", "Turn on convenience PIN sign-in", "Allow domain users to log on using biometrics" on a Windows 10 1803 machine that is joined to the domain worked (instantaneously as soon as I applied the Group Policy).

  Take care,

  Friday, January 4, 2019 6:02 PM
• 

  

  2

  Sign in to vote

  Here is the solution. Thank you.

  https://social.technet.microsoft.com/Forums/en-US/15d0a491-feed-49fe-811d-8d8248bf9e15/pin-and-fingerprint-signin-options-unavailable-greyed-out-in-windows-10-1709-enterprise?forum=win10itprogeneral
  

  ---

  Daryl Sensenig Tents For Rent

  • Marked as answer by Daryl Sensenig Friday, January 18, 2019 5:39 PM

  Friday, January 18, 2019 5:39 PM
• 

  

  0

  Sign in to vote

  I've been fighting this for a looong time. I've tried all these group policy settings: turn on convenience PIN login, enable windows hello for business, enable biometrics, etc. etc. etc.  I finally found the solution.
  
  The PCs in my company are Windows 10 build 1809. Mostly Lenovo X1 Yogas and P330s and some Surface Pros. They are domain-joined to a 2012 R2 domain and they are subscribed to Office 365 for email and Office Pro Plus. We have an E3 license in Office 365.  When a user registers the Office apps using their own O365 license, it connects Windows to their work account.  Disconnecting that allowed me to setup PIN and Fingerprint.  Here's how to do it:
  
  1. Go to Windows Settings -> Accounts -> Access Work or School.  The key setting is the "Work or School Account" with the colorful windows logo by it. Disconnect that. Don't touch the "Connected to whatever domain" setting.
  
  2. Then click on "Sign-in Options".  Fingerprint and PIN are no longer greyed out. If it's still greyed out, then make sure "convenience PIN sign-in" is enabled.
  
  3. Add the PIN, then the Fingerprint.
  
  4. Go back to "Access Work or School" in Settings -> Accounts.
  
  5. Click Connect and Enter the user's email address and password.
  
  The only group policy currently in effect is the "Turn on Convenience PIN sign-in" setting under Policies, Administrative Templates, System, Logon.  Note that this is NOT Windows Hello for Business. This is still just password stuffing. Some day, convenience PIN sign-in will be depracated and we'll have to do it the secure way.

  • Proposed as answer by DarthDew Thursday, May 23, 2019 4:52 PM

  Thursday, May 23, 2019 4:52 PM
• 

  

  0

  Sign in to vote

  Please refer to the requirements.

  https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-deployment-guide

  Thursday, November 7, 2019 1:54 PM
• 

  

  0

  Sign in to vote

  This worked great for my new HP laptop.  Thank you!

  Wednesday, November 27, 2019 6:32 PM
• 

  

  0

  Sign in to vote

  I resolved used this link
  https://youtu.be/T8txjqEIy2I
  

  Thursday, July 9, 2020 1:42 AM