How to enable fingerprint biometrics on a Windows 10 (v1709) PC on a domain?


  • Hi,

I'm running an on-site domain (schema level 87) with two DCs (Server 2012 and Server 2016).  There is a central store of Fall Creators Update ADMX/ADML files in SYSVOL, and I have a group policy set up as follows:

    Computer Config > Policies > Administrative Templates

    System > Logon

    - Turn on convenience PIN sign-in (Enabled)

    Windows Components > Biometrics 

    - Allow domain users to log on using biometrics (Enabled)

    - Allow the use of biometrics (Enabled)

    - Allow users to log on using biometrics (Enabled)

    Windows Components > Windows Hello for Business

    - Use a hardware security device (Enabled)

    -- Do not use the following security devices: TPM 1.2 (Disabled)

    - Use biometrics (Enabled)


    The device in question is a brand new Lenovo X1 Carbon (fully patched Windows Update and Lenovo drivers/firmware) with Fall Creators Update.  Even before this policy was built and deployed, no other GPOs were managing account logon as related to biometrics, but there's a notice at the top under Accounts > Sign-in options that "Some settings are hidden or managed by your organization" and Fingerprint, Password, and PIN were all disabled.

    After this GPO was enabled, PIN is enabled, but even after setting one, I still can't get fingerprint to enable.

    I *really* don't want to have to deploy Windows Hello for Business.  Is there a way to get Windows Hello working on this domain-joined laptop for fingerprint authentication to sign-on to a local profile associated with a domain account, like how Windows 7 works: just enable biometrics in the Control Panel for a domain account?

    I've also seen a number of posts regarding earlier versions of Win10, and it seems incredibly frustrating that this seems to change with every new release.  Does Microsoft have any plans to stabilize this setup process for simple usage?


    1) I removed it from the domain to see how it behaves: The fingerprint option is enabled.

    2) I re-joined to the domain, blocked all GPO inheritance, ran a gpupdate /force in command prompt, and restarted the laptop, but fingerprint is still disabled with the "Some settings are hidden or managed by your organization" despite no policies being applied!

    • Edited by RickP784 Wednesday, January 10, 2018 7:54 PM added further info
    Wednesday, January 10, 2018 5:44 PM

All replies

  • It turns out this is some kind of security block on the domain administrator account, like preventing the Edge browser from launching.  When I logged in with a different domain user, the fingerprint option was enabled.

    Thursday, January 11, 2018 2:54 PM
  • Would love to know how to get this working on a domain admin account. I have tried everything.
    Friday, February 23, 2018 9:52 PM
    Had the same issue; for me, running gpupdate /force as Administrator in the user profile that worked incorrectly helped.
    Wednesday, May 23, 2018 2:47 PM
  • Go to the path in registry editor:


    Add a new registry value if it does not exist:

    Type: DWORD(32 bit)

    Name: AllowDomainPINLogon

    Value: 1

    And then restart your machine.

    • Edited by Burak Yakup Thursday, October 25, 2018 1:16 PM
    Thursday, October 25, 2018 1:15 PM
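The question lists the GPO settings that were applied and then finds Sign-in options still "managed by your organization" even with GPO inheritance blocked, and the last reply points at a single registry value (AllowDomainPINLogon) without giving its key. The script below is an added example, not code from this thread or from Microsoft: a read-only PowerShell audit that walks the machine policy hives and reports any value that could be holding the biometric or PIN options down, plus whether the current logon token holds Domain Admins (the account difference the first reply noticed). Only AllowDomainPINLogon comes from the thread; the other value names and the key-name pattern are my assumptions about what the listed Biometrics and Windows Hello for Business settings write, so check them against the ADMX files in your central store.

```powershell
# Added example (not from the thread or from Microsoft): a read-only audit of the
# machine policy hives for values that commonly back the biometric / PIN sign-in
# policies. Run from an elevated PowerShell prompt; nothing is written.

# Policy hives that Group Policy Administrative Templates write into.
$policyRoots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft',
    'HKLM:\SOFTWARE\Microsoft\Policies'
)

# Value names to report. AllowDomainPINLogon is named in the thread; the rest are
# my assumptions about what the listed Biometrics / Windows Hello for Business
# settings write, so verify them against the ADMX files in your central store.
$namesOfInterest = @(
    'AllowDomainPINLogon',
    'Enabled',
    'Domain Accounts',
    'UseBiometrics',
    'RequireSecurityDevice'
)

# Only keys whose path matches this pattern are reported, so that generic
# 'Enabled' values from unrelated policies do not drown the output.
# The fragments are assumptions (key names I expect for these policies).
$keyPattern = 'Biometrics|PassportForWork|Windows\\System'

function Get-SignInPolicyValues {
    [CmdletBinding()]
    param(
        [string[]]$Roots = $policyRoots,
        [string[]]$Names = $namesOfInterest,
        [string]$KeyPattern = $keyPattern
    )
    foreach ($root in $Roots) {
        if (-not (Test-Path -Path $root)) { continue }
        # The root key itself plus every key beneath it.
        $keys = @(Get-Item -Path $root) + @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            if ($key.Name -notmatch $KeyPattern) { continue }
            foreach ($valueName in $key.GetValueNames()) {
                # -contains compares value names case-insensitively.
                if ($Names -contains $valueName) {
                    [pscustomobject]@{
                        Key   = $key.Name
                        Name  = $valueName
                        Type  = $key.GetValueKind($valueName)
                        Value = $key.GetValue($valueName)
                    }
                }
            }
        }
    }
}

# The first reply saw the block on a domain admin account but not on another domain
# user, so record that too. Domain Admins is RID 512 in the domain SID; matching on
# the SID avoids depending on a localized group name.
function Test-CurrentUserIsDomainAdmin {
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    [bool]($identity.Groups | Where-Object { $_.Value -match '^S-1-5-21-\d+-\d+-\d+-512$' })
}

$found = @(Get-SignInPolicyValues)
if ($found.Count -eq 0) {
    Write-Output 'No matching policy values found under the policy hives.'
} else {
    $found | Format-Table -AutoSize
}
Write-Output ("Current user holds Domain Admins (RID 512): {0}" -f (Test-CurrentUserIsDomainAdmin))
```

Run it once on the affected account and once on a user that shows the Fingerprint option: if the policy values listed are identical in both runs, the difference is in the account (as the first reply found) rather than in the GPO, and that is where to keep looking. Comparing the output before and after gpupdate /force with inheritance blocked also shows whether a value is being re-applied or was simply never removed.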