Can't enable Windows Hello with fresh install of Anniversary upgrade on domain account

    Question

  • Hello,

    as the title said.

    It was working fine with earlier versions of Windows 10, but with the new upgrade it's not possible.

    A local account works fine.

    What I tested:

    Copied the new admx from the Win 10 Anniversary upgrade install to the GPO policy store.

    Enabled the following GPOs for my computer + user account:


    Policy                                                                                   Setting    Comment
    Allow users to select when a password is required when resuming from connected standby   Disabled
    Show first sign-in animation                                                             Disabled
    Turn off picture password sign-in                                                        Enabled
    Turn on convenience PIN sign-in                                                          Enabled

    Windows Components/Biometrics
    Policy                                           Setting    Comment
    Allow domain users to log on using biometrics    Enabled
    Allow the use of biometrics                      Enabled
    Allow users to log on using biometrics           Enabled

    Windows Components/Windows Hello for Business
    Policy                            Setting    Comment
    Use a hardware security device    Enabled
    Use biometrics                    Enabled
    Use Windows Hello for Business    Enabled

    But still, it's like the GPO isn't even applied: picture login is enabled, the rest is disabled.

    Am I missing something? Or is there an issue with the admx file?

    Thanks

    Thursday, August 04, 2016 11:35 AM

Answers

  • I reported the problem for at least 5 Insider releases on Pro and Enterprise...

    It seems that using PIN Logon for a Domain User is back to the way it was in Windows 8 which requires to be authorized or you can't use it.

    On our Surface Pro 4, I can enable it by inserting this key in the registry:

    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
    "AllowDomainPINLogon"=dword:00000001

    On my Dell M4700, it doesn't work.
    Looks like Microsoft is not testing Insider releases joined to a domain.

    Gerald



    Thursday, August 04, 2016 11:41 AM

All replies

  • Perfect, that actually fixed it for me.

    It seems the group policy doesn't apply for some reason. (The rest of the settings inside are OK though, but for example I disabled picture login, and the option is still there.)

    thanks

    Thursday, August 04, 2016 12:16 PM
  • 

    This isn't, and still wasn't, working without editing the registry. (If I remember right, for Windows Hello you need a PIN, and PIN was greyed out, even though enabled here.)

    Friday, August 05, 2016 7:33 AM
  • All alternative logon needs the PIN as a fallback (fingerprint, face recognition, ...).
    The screen I posted shows the corresponding GPO for the missing registry entry that seems to be required in 1607. It was not in 1507 and 1511 and is probably not created because the GPO setting is restricted to Windows 8 systems.

    For your GPO, the corresponding registry entry is:

    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WinBio\Credential Provider]
    "Domain Accounts"=dword:00000001
    
    

    Gérald

    • Proposed as answer by MurrayW1 Friday, March 17, 2017 1:05 AM
    Friday, August 05, 2016 8:08 AM
  • This registry setting "AllowDomainPINLogon" turned the PIN option back on for me on my Lenovo Yoga 260. And I was then subsequently able to set up the fingerprint login as before. So much for backwards compatibility...

    Thanks Gerald.

    • Edited by Todd Walker Saturday, August 06, 2016 8:16 PM
    Saturday, August 06, 2016 8:13 PM
  • Hi,

    unfortunately even enabling both registry-options AllowDomainPINLogon and "Domain Accounts" didn't solve the problem on my Build 14393.10 (Pro in Win 2012 Domain).

    It works neither for my domain user nor for a local user; both PIN and fingerprint are just greyed out :-(

    BR
    Johannes

    Monday, August 08, 2016 7:59 PM
  • You probably need to configure more GPO settings...

    As I've said in my first post, I'm able to configure it on my client's SP4 in his Active Directory.

    On my Dell, joined to my own company's AD, it still doesn't work.
    Trying to find what I'm missing actually. Will post the solution when I find it ^^

    Gerald

    Monday, August 08, 2016 8:07 PM
  • Hi,

    Well, I found the problem in my case. You must not set Use Windows Hello for Business if you have a Win 2012 Domain server. When activating that option it is required to use certificates; only when setting it to non-configured can you use "local" settings.

    BR
    Johannes

    Monday, August 08, 2016 8:25 PM
  • I believe I saw the same thing when configuring the local policies. If you enabled any of the Windows Hello for Business policies, then AllowDomainPINLogon seemed to be ignored.
    Monday, August 08, 2016 8:36 PM
  • This worked for me on a Surface Pro 4 running Windows 10 Ent 1607.  I was not able to use biometrics with my domain account until I set this registry key.  Note that a Microsoft account logon on the same machine had full access to Windows Hello biometrics. 

    The odd thing is that a colleague running Win10 PRO 1607 did not have this problem with his domain account, so I wonder if it's an Enterprise SKU issue?

    Tuesday, August 09, 2016 3:46 PM
  • This was very helpful. Our Domain Server is on 2008 R2, but I had configured the Windows Hello for Business prior to learning about the AllowforDomainPin registry entry. Once I set the GP to not configured, everything worked. Thanks again.
    Tuesday, August 09, 2016 6:34 PM
  • Thanks Gerald, I've been looking for a solution to this. It is so much handier to use a PIN on my Surface Pro 4.

    My situation was the same. Same machine on version 1511 allowed me use a PIN and Hello features, but after a fresh install of version 1607 on the same machine, part of the same domain, with the same GPOs, PIN sign-in and subsequent biometric features were all locked out. I was hoping either the new GP Administrative Templates for 1607, or the cumulative update that was out this week would resolve it, but neither did.

    Hopefully Microsoft will address this soon with a GPO update, but at least your registry entry allows it to function again for domain accounts. Thanks for sharing.

    Aaron

    Thursday, August 11, 2016 6:01 PM
  • Thank you for the solution. I've been working on this since I upgraded my work laptop to 1607 from 1511 yesterday afternoon.  After adding the key I can now add a PIN and register fingerprints for biometric logon.

    Local policy changes had no effect on the machine.


    Frank Miranda Florida Hospital MIS

    Thursday, August 11, 2016 7:20 PM
  • Hello, I have the same problems as the fellas above.

    Unfortunately the registry setting did not solve my problem with the fingerprint; it only activated the PIN function.

    What more can I do?

    Does anybody have an idea?


    • Edited by dezyre13 Tuesday, August 16, 2016 9:16 AM
    Tuesday, August 16, 2016 9:08 AM
  • Drivers not being properly installed was the problem for me; now everything works fine.
    Friday, August 19, 2016 11:51 AM
  • Hi,

    well I found the problem in my case. You must not set Use Windows Hello for business if you have a Win 2012 Domain server. When activating that option it is required to use certificates, only when setting it to non-configured you can use "local" settings,

    BR
    Johannes

    How do you turn off Windows Hello for Business?
    Friday, September 02, 2016 7:37 PM
  • Policy                                                                                   Setting    Comment
    Allow users to select when a password is required when resuming from connected standby   Disabled
    Show first sign-in animation                                                             Disabled
    Turn off picture password sign-in                                                        Enabled
    Turn on convenience PIN sign-in                                                          Enabled

    Windows Components/Biometrics
    Policy                                           Setting    Comment
    Allow domain users to log on using biometrics    Enabled
    Allow the use of biometrics                      Enabled
    Allow users to log on using biometrics           Enabled

    Windows Components/Windows Hello for Business
    Policy                            Setting                      Comment
    Use a hardware security device    Enabled -> Not Configured
                                      ~~~~~~~~~~~~~~~~~~~~
    Use biometrics                    Enabled -> Not Configured
                                      ~~~~~~~~~~~~~~~~~~~~
    Use Windows Hello for Business    Enabled -> Not Configured
                                      ~~~~~~~~~~~~~~~~~~~~
    Thursday, November 10, 2016 5:30 AM
  • Hi,

    I just made a clean Win10 install and faced this same situation; see below my solution (actually, a summary of what was already stated above).

    Anyway, now I have a PIN code that is undesired; how to get rid of it? I don't know...


    My situation:

    Windows 10 Pro, 1607 version, build 14393.479

    Windows Server 2012 r2

    Steps to make fingerprint available (with admin account):

    1. Windows Registry:

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System "AllowDomainPINLogon"=dword:00000001

    (I created it manually)

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WinBio\Credential Provider
    "Domain Accounts"=dword:00000001

    (in my case it already existed)

    2. Control Panel -> Group Policy

    Computer configuration > Adm templates > Windows Components > Biometric

    Allow domain logon: Enabled

    Computer configuration > Adm templates > Windows Components > Windows Hello

    (all three options: not configured)

    3. Windows Server

    (no changes made)

    4. Reboot and start using.

    Regards


    • Edited by Fabr83 Saturday, December 10, 2016 9:40 PM Mistyping
    • Proposed as answer by DJOFSV Thursday, January 12, 2017 7:38 PM
    Saturday, December 10, 2016 9:39 PM
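
A read-only PowerShell check for the settings this thread converges on, added here as an example and not posted by any participant. The two registry values are the ones quoted above; the `PassportForWork` policy key is an assumption that does not appear in the thread.

```powershell
# Added example: read-only audit, changes nothing on the machine.
# The two values below are the ones quoted in the thread.
$values = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
       Name = 'AllowDomainPINLogon' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WinBio\Credential Provider'
       Name = 'Domain Accounts' }
)

foreach ($v in $values) {
    # A missing key or missing value both end up reported as "<not set>".
    $prop = Get-ItemProperty -Path $v.Path -Name $v.Name -ErrorAction SilentlyContinue
    $data = if ($null -ne $prop) { $prop.($v.Name) } else { '<not set>' }
    '{0}\{1} = {2}' -f $v.Path, $v.Name, $data
}

# Assumption (not quoted in the thread): the "Windows Hello for Business"
# policies are stored under this key. Several posters report that PIN and
# fingerprint stayed greyed out until those policies were Not Configured.
$whfb = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
$keys = @()
if (Test-Path $whfb) {
    $keys = @(Get-Item $whfb) + @(Get-ChildItem $whfb -Recurse)
}

# List every policy value found under the key and its subkeys.
$configured = foreach ($k in $keys) {
    foreach ($name in $k.Property) {
        '{0}\{1} = {2}' -f $k.Name, $name, $k.GetValue($name)
    }
}

if ($configured) {
    'Windows Hello for Business policy values are set:'
    $configured
} else {
    'No Windows Hello for Business policy values are set (Not Configured).'
}
```

Running it before and after `gpupdate /force` shows whether a domain GPO is writing the values back.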
  • Perfect, thank you Gerald for the registry solution.  It worked perfectly on our Surface 4 Pros running 1607.

    Wednesday, January 11, 2017 2:18 PM
  • Fabr83, after struggling to find the way to make this work, your solution was the fix for my Domain computer. Thank you so much!

    Doug

    Thursday, January 12, 2017 7:40 PM
  • Hi,

    I just made a clean Win10 install and faced this same situation; see below my solution (actually, a summary of what was already stated above).

    Anyway, now I have a PIN code that is undesired; how to get rid of it? I don't know...


    My situation:

    Windows 10 Pro, 1607 version, build 14393.479

    Windows Server 2012 r2

    Steps to make fingerprint available (with admin account):

    1. Windows Registry:

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System "AllowDomainPINLogon"=dword:00000001

    (I created it manually)

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WinBio\Credential Provider
    "Domain Accounts"=dword:00000001

    (in my case it already existed)

    2. Control Panel -> Goup Policy

    Computer configuration > Adm templates > Windows Components > Biometric

    Allow domain logon: Enabled

    Computer configuration > Adm templates > Windows Components > Windows Hello

    (all three options: not configurated)

    3. Windows Server

    (no changes made)

    4. Reboot and start using.

    Regards


    Doesn't work for me.
    Wednesday, February 08, 2017 5:06 AM
  • Thanks for this. It worked on my W10 and a Verifi 5100 desktop fingerprint reader.
    Saturday, February 25, 2017 1:35 AM
  • I reported the problem for at least 5 Insider releases on Pro and Enterprise...

    It seems that using PIN Logon for a Domain User is back to the way it was in Windows 8 which requires to be authorized or you can't use it.

    On our Surface Pro 4, I can enable it by inserting this key in the registry:

    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
    "AllowDomainPINLogon"=dword:00000001

    On my Dell M4700, it doesn't work.
    Look like Microsoft is not testing Insider releases joined to a domain.

    Gerald



    Hi Gerald,

    I have had an issue on my second Surface Pro 4 for weeks and couldn't use HELLO. Thanks to your comment I can now use as intended. Thank you

    Tuesday, February 28, 2017 10:49 AM
  • I reported the problem for at least 5 Insider releases on Pro and Enterprise...

    It seems that using PIN Logon for a Domain User is back to the way it was in Windows 8 which requires to be authorized or you can't use it.

    On our Surface Pro 4, I can enable it by inserting this key in the registry:

    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
    "AllowDomainPINLogon"=dword:00000001

    On my Dell M4700, it doesn't work.
    Look like Microsoft is not testing Insider releases joined to a domain.

    Gerald



    This works for me on a Lenovo T460 with Windows 10 Enterprise
    Friday, March 10, 2017 11:38 PM
  • I reported the problem for at least 5 Insider releases on Pro and Enterprise...

    It seems that using PIN Logon for a Domain User is back to the way it was in Windows 8 which requires to be authorized or you can't use it.

    On our Surface Pro 4, I can enable it by inserting this key in the registry:

    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
    "AllowDomainPINLogon"=dword:00000001

    On my Dell M4700, it doesn't work.
    Look like Microsoft is not testing Insider releases joined to a domain.

    Gerald



    It works for me too on Windows 10 1703 Enterprise x64,

    and I had to set a 6 digit PIN compared to the 4 digit PIN in the previous build.

    Do you think it will be fixed soon?

    Monday, May 08, 2017 9:30 AM
  • Is there any way to reduce the PIN from 6 digits down to 4 digits as we had in previous builds?
    Thursday, July 06, 2017 3:56 AM
  • None of these solutions work for me; when I set the GPO, I had that key in the registry. I still cannot get the PIN enabled; it only shows me the red text "Something went wrong. Try again later"

    When I did not have a domain account, all worked fine; when I added the notebook to the domain, all was disabled.

    Sync not working
    Fingerprint not working
    PIN not working
    Hello not working

    I have a Lenovo L460, Windows 10 1703 Enterprise, and the DC is W2012R2


    Martin Hubka network admin

    Wednesday, July 12, 2017 12:35 PM