none
Enabling Face Recognition on a Domain connected Surface

    Question

  • I hope everyone had a nice christmas,

    I'm trying to get my new Surface Pro 4 to login to the domain with Face Recognition but something isen't correct.

    Domain: DC: Windows 2012 R2, Domain and Forest level: Windows Server 2012

    Surface: OS Version_ 10.0.14393, Build 14393

    I modified a Group Policy with the following settings, also enforced it. (Only Computer Configuration)

    Under System/Logon:
    Allow users to select when a password is required when resuming from connected standby Disabled 
    Show first sign-in animation  Disabled 
    Turn off picture password sign-in Enabled 
    Turn on convenience PIN sign-in Enabled

    Windows Components/Biometrics:

    Allow domain users to log on using biometrics Enabled 
    Allow the use of biometrics Enabled 
    Allow users to log on using biometrics Enabled

    The Group Policy also contains the following settings that probable is irrelevant:

    Local Policies/Security Options

    User Account Control: Only elevate UIAccess applications that are installed in secure locations Enabled
    User Account Control: Run all administrators in Admin Approval Mode Enabled

    Control Panel/Personalization

    Force a specific default lock screen and logon image Enabled

    I have run GPupdate /force on the surface multiple times and also restarted but no luck.

    On the surface I still can't enable the setting, I attaced a image from the surface, I now it's in Swedish but I still think you can understand,

    Monday, December 26, 2016 9:03 AM

All replies

  • Hi,
    Have you tried to check if the GPO is applied to machines successfully? You could run gpresult /h command to view the details.
    In addition, please confirm that the following registry is located correctly on the surface machine:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
    "AllowDomainPINLogon"=dword:00000001
    If not, please have a try to add it and then see if it works.
    In addition, please make sure to back up the registry before you modify it and know how to restore the registry if a problem occurs.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Tuesday, December 27, 2016 2:43 AM
    Moderator
  • Yes, I can see that the GPO is applied with GPRESULT /R /SCOPE:COMPUTER and with no errors

    I also see that AllowDomainPINLogin is set to 1

    Tuesday, December 27, 2016 7:17 AM
  • Hi,

    Please check if “Interactive logon: Do not display last user name” policy is enabled under Computer Configuration / Local Policies / Security Options. If yes, please disable it and try again to see if it helps, please see: https://support.microsoft.com/en-us/kb/3169080

    Best regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Thursday, December 29, 2016 7:18 AM
    Moderator
  • yes I will try this but are running the latest release of windows 10, I will get back to you
    Thursday, December 29, 2016 7:54 AM
  • Still nothing

    anymore suggestions?

    Thursday, December 29, 2016 1:04 PM
  • Hi,
    Do you have another machine which has a different OS version? You could test if same configuration is working on that machine.
    For me, group policy seems to be working, but it just did not work the machine, so it will figure out if the problem is related to OS version.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, January 02, 2017 2:14 AM
    Moderator
  • No I haven't all our 4 Surface Pro 4 machines are running Windows 10.0.14393, and we don't have anything else that has the supported hardware for face recognition.
    Monday, January 02, 2017 8:24 AM
  • Hi,

    Here is a thread which discussed a similar question, you could refer to it and check if the solution suggested by others would fix for you:

    https://social.technet.microsoft.com/Forums/windows/en-US/84a0bd50-1360-4a94-bfb3-b049ecace521/pin-and-fingerprint-signin-options-unavailable-greyed-out-in-windows-10-1607-enterprise?forum=win10itprogeneral

    If it doesn’t help, due to the lack of test machine regarding this issue, I would suggest you open up a case with Microsoft Technical Support: https://support.microsoft.com/en-us/contactus/?ws=support

    Best regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, January 04, 2017 8:50 AM
    Moderator
  • no luck, I posted on that tread to see if I get any other suggestions, probable need to open a case with MS
    Wednesday, January 04, 2017 1:54 PM
  • Is all settings below configured ? 

    Success!  What I did to get this to work is ensure that NONE of the following policies are enabled via local or domain GPO:

    Computer>Administrative Templates>System>Logon>Turn on convenience PIN sign-in

    Computer>Administrative Templates>Windows Components>Windows Hello for Business>Use Biometrics

    Computer>Administrative Templates>Windows Components>Windows Hello for Business>Use Windows Hello for Business

    THEN, add the reg key mentioned above manually:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
    "AllowDomainPINLogon"=dword:00000001

    This unlocked the option for me on my Surface Book.  

    Cred to William Bracken

    URL


    Please Mark This As Answer if it solved your issue Please Vote This As Helpful if it helps to solve your issue /Sebastian Norén

    Wednesday, January 04, 2017 2:02 PM
  • Hi,

    I am checking how the issue going, if you still have any questions, please feel free to contact us.

    And if the replies as above are helpful, we would appreciate you to mark them as answers, and if you resolve it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    Appreciate for your feedback.

    Best regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Tuesday, January 10, 2017 7:57 AM
    Moderator
  • no didn't got it working, I will try again but do you need the local policys settings on the machine and not only GP?
    Tuesday, January 10, 2017 9:58 AM
  • still haven't got it working
    Tuesday, January 10, 2017 9:59 AM
  • Have you tried imported the ADMX files for Windows 10?

    https://www.microsoft.com/en-us/download/details.aspx?id=48257

    After adding the ADMX files from Windows 10 I changed the following to Enabled.
    Computer\Policies\Administrative Templates\System\Logon\Turn on convenience PIN sign-in
    This resolved the issue of the PIN being greyed out.


    Please Mark This As Answer if it solved your issue Please Vote This As Helpful if it helps to solve your issue /Sebastian Norén


    Tuesday, January 10, 2017 10:46 AM
  • yes I'm using them already. Thanks for the tips anyway
    Tuesday, January 10, 2017 12:18 PM
  • Has there been an update to this? I just ran into the problem and have not found any solutions either.
    Tuesday, September 26, 2017 7:00 PM
  • This method mentioned by Sebastian Noren works for my new surface pro. many many thanks!!!
    Thursday, March 01, 2018 3:49 PM