32

I did a clean install of Windows 10 Anniversary Edition. Now I can't enable Windows Hello with my domain joined Surface Pro 4, logged in as an AD user. When I log in with my Msft account, I can turn Windows Hello on, though.

I tried "Some settings are managed by your organization" while not on domain? (increasing telemetry via settings app) and also this: resetting telemetry via gp.

This shows that this problem is different than the others here. This is also in fact domain joined, not like the most other questions here.

This is what the settings look like; enter image description here

With the old version of Windows 10 the same device could enable Windows Hello while domain joined with the domain user. That's why I rule out GPO as the source of the problem. GPO even explicitly allows Biometrics for domain users. What can I do?

Windows 10 Professional, Cortana is enabled. No Insiders Edition. I have administrative access to the domain.

Community
  • 1
zuckerthoben
  • 801

9 Answers9

38

I found the solution. The reason is that Windows Hello is managed differently on domain joined computers, starting with the anniversary update. To get it to work you have to follow these steps:

1) Setup a Group Policy Central Store (you should already have that)

2) Get Windows 10 Anniversary Update Group Policy Templates. You can do so by copying your files from PolicyDefinitions (in windir on a Win10 Anniversary Update machine) into the PolicyDefinitions of the central store. You might copy those files first to a file share, because of permissions your regular user should not have on the central store.

3) Setup a new GPO or add to an existing the following settings to enable Windows Hello:

  • Computer Configuration/Policies/Administrative Templates

.../Windows Components/Windows Hello For Business/ Use biometrics => Enabled

.../Windows Components/Windows Hello for Business/ Use a hardware security device => Enabled (if you want to use TPM instead of key or certificate based activation for Windows Hello). Note that in general all business computers should have TPM

.../System/Logon/ Turn on convenience PIN sign-in => Enabled (This is the key. This enables PIN sign-in which in turn will enable Hello, together with the other settings.)

.../Windows Components/Biometrics/ Allow domain users to log on using biometrics => Enabled (I think this is enabled by default, but being explicit makes GP management a lot easier.)

You will find more optional configuration possibilities in System/Logon and Windows Components/Biometrics and Windows Components/Windows Hello for Business.

You will find more background here: https://blogs.technet.microsoft.com/ash/2016/08/13/changes-to-convenience-pin-and-thus-windows-hello-behaviour-in-windows-10-version-1607/

and here

https://technet.microsoft.com/en-us/itpro/windows/keep-secure/implement-microsoft-passport-in-your-organization

Most important excerpt:

Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting Turn on convenience PIN sign-in. Use Windows Hello for Business policy settings to manage PINs for Windows Hello for Business.

If you want to use key or certificate based Windows Hello you can follow the guides in the links. Don't get confused though. You can still use regular TPM for normal Windows Hello.

zuckerthoben
  • 801
8

I've been fighting this for a looong time. I've tried all these group policy settings: turn on convenience PIN login, enable windows hello for business, enable biometrics, etc. etc. etc. I finally found the solution.

The PCs in my company are Windows 10 build 1809. Mostly Lenovo X1 Yogas and P330s and some Surface Pros. They are domain-joined to a 2012 R2 domain and they are subscribed to Office 365 for email and Office Pro Plus. We have an E3 license in Office 365. When a user registers the Office apps using their own O365 license, it connects Windows to their work account. Disconnecting that allowed me to setup PIN and Fingerprint. Here's how to do it:

  1. Go to Windows Settings -> Accounts -> Access Work or School. The key setting is the "Work or School Account" with the colorful windows logo by it. Disconnect that. Don't touch the "Connected to whatever domain" setting.

  2. Then click on "Sign-in Options". Fingerprint and PIN are no longer greyed out. If it's still greyed out, then make sure "convenience PIN sign-in" is enabled.

  3. Add the PIN, then the Fingerprint.

  4. Go back to "Access Work or School" in Settings -> Accounts.

  5. Click Connect and Enter the user's email address and password.

The only group policy currently in effect is the "Turn on Convenience PIN sign-in" setting under Policies, Administrative Templates, System, Logon. Note that this is NOT Windows Hello for Business. This is still just password stuffing. Some day, convenience PIN sign-in will be depracated and we'll have to do it the secure way.

CParker
  • 81
7

Setting the following registry key works for me:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"AllowDomainPINLogon"=dword:00000001

Reference: https://social.technet.microsoft.com/Forums/en-US/b975932a-b50b-4759-b43a-c94854c6da83/cant-enable-windows-hello-with-fresh-install-of-anniversity-upgrade-on-domain-account?forum=win10itprosetup

Stephen Quan
  • 746
7

All I had to do is:

  1. Windows KEY + R to open Run
  2. Enter: 
    gpedit.msc
  3. [Local Computer Policy] > [Computer Configuration] > [Administrative Templates] > [System] > [Logon] > [Turn on convenience PIN sign-in] : ENABLED

This enabled Windows Hello on Surface Pro 4 with Windows 10 Pro.

juFo
  • 400
0

There is one thing you must not configure unless you have the valid certificates (this is on server 2016).

Make sure "Computer conf/policies/Admin temp/Windows comp/Windows Hello for Business/Use Windows Hello for Business" is set to NOT CONFIGURED.

This was the one thing I had set (from another blog) and it had prevented windows hello from working, windows hello wouldn't even start. But as long as it's not configured it should be ok.

user780692
  • 1
0

Setting the following registry

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"AllowDomainPINLogon"=dword:00000001

then enable UAC and restart PC.

mtak
  • 17,262
user863516
  • 1
0

This worked for me:

Go to the path in registry editor

"Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System"

Add a new registry if it does not exist

Type: DWORD(32 bit)

Name: AllowDomainPINLogon

Value: 1

And then restart your machine.

Shane Madigan
  • 1
-1

After trying so many things (including all the other answers here to date), I finally fixed the problem for myself with a workaround. Note that this is workaround, not a real solution:

To recap, the problem is that something in my organization's domain account disabled the option to enter fingerprints. In my case, even my IT group in my local office branch couldn't figure out what was blocking it.

So I ended up creating a new local user account on my work computer with full local administrative rights. For that new account, I used my personal Microsoft account to connect (though I probably could have used a local account). When I logged in to the new account, there was no problem with fingerprints and I could easily configure the fingerprints.

Potential downsides to this workaround:

  • Since it is a new user account, it might require reinstalling and reconfiguring many computer programs and settings. It is basically like setting up a brand new Windows computer. In my case, I did this when I got a new work computer, so I had to do the reconfiguration anyway.
  • In som organizational setups, non-domain accounts might not have proper access to some organizational resources. This was not a problem in my case. If it is a problem with you, perhaps you could connect with the organizational VPN to access these special resources, perhaps even permanently on this workaround account.

These workarounds might not be worth it for you just to get fingerprint sign-in, but they work excellent in my organizational context.

Tripartio
  • 650
-2

I am on a domain joined Dell 7280. Adding the registry key below along with rebooting has allowed me to add a 6 digit pin.

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System] "AllowDomainPINLogon"=dword:00000001

joe
  • 1