
I want to enable fingerprint login with GPO. I installed the Windows 10 1703 (Creators) ADMX files.

First, I read that "Turn on convenience PIN sign-in" from "Computer/policies/admin templates/system/logon" is REQUIRED... Is this true? If so, this seems ridiculous... I understand the user's domain password would have to be encrypted locally for a fingerprint to be translated to the password, however, I don't want to allow pins for login. If a user's fingerprint login doesn't work, I'd prefer to revert to password login rather than a very hackable pin.

Second, I read that some users are suggesting setting PIN complexity requirements very high to remediate the idiocy of 4- or 6-digit PIN access. These settings used to exist under "Computer/policies/admin templates/windows components/Windows Hello for Business", but the Windows 10 Creators ADMX files have this option removed??!?!?!


Update: It looks like "PIN Complexity" was moved under System... Still, why MUST a PIN be enabled for biometrics to work, when hand-typing one's password is ALWAYS available?

Novox

1 Answer


I got this working by changing the following in GPO:

  1. I enabled "Turn on convenience PIN sign-in"
  2. I set ridiculous complexity requirements for PINs
  3. I randomly generated a 20-character PIN for each fingerprint user and had them set the PIN to that, immediately forgetting the PIN and not distributing it.

I still don't understand why any PIN is necessary because even in the above scenario, where Microsoft indicates PIN is required in case one's finger becomes damaged... YOU CAN STILL TYPE IN YOUR PASSWORD...

This continues to seem like a major security hole, requiring a PIN front door/back door ONLY to use biometrics...

Novox
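The steps in the answer above, as an added PowerShell example that is not code from the original question or answer. The answer does not say how the 20-character PIN was generated, so this script draws it from a cryptographic RNG and guarantees one character from each class so it satisfies a strict "all four classes" complexity policy. The two registry locations read by `Get-HelloPinPolicy` are assumptions about where the ADMX settings "Turn on convenience PIN sign-in" and the Windows Hello for Business PIN complexity policies land; confirm them against the ADMX/ADML files you imported before relying on the audit output. Function names are the example's own.

```powershell
# Added example (not from the original post): generate a throwaway
# high-entropy Windows Hello PIN and audit the related local policy values.
# Registry paths in Get-HelloPinPolicy are ASSUMED; verify against your ADMX.

Set-StrictMode -Version Latest

# Uniform random integer in [0, $Max) from a CSPRNG, with rejection sampling
# so "$value % $Max" does not bias the result toward small values.
function Get-RandomInt {
    param(
        [System.Security.Cryptography.RandomNumberGenerator]$Rng,
        [int]$Max
    )
    $bytes = New-Object byte[] 4
    $limit = [uint32]::MaxValue - ([uint32]::MaxValue % [uint32]$Max)
    do {
        $Rng.GetBytes($bytes)
        $value = [System.BitConverter]::ToUInt32($bytes, 0)
    } while ($value -ge $limit)
    return [int]($value % [uint32]$Max)
}

function New-HelloPin {
    param([int]$Length = 20)

    # Ambiguous glyphs (0/O, 1/l/I) are left out so the PIN can be read to the
    # user once, at enrolment, without transcription errors.
    $classes = @(
        'ABCDEFGHJKLMNPQRSTUVWXYZ',
        'abcdefghijkmnopqrstuvwxyz',
        '23456789',
        '!@#$%^&*()-_=+[]{}:;,.?'
    )
    if ($Length -lt $classes.Count) { throw "Length must be at least $($classes.Count)" }

    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $chars = New-Object System.Collections.Generic.List[char]

    # One character from every class: the PIN passes each complexity rule...
    foreach ($set in $classes) {
        $chars.Add($set[(Get-RandomInt -Rng $rng -Max $set.Length)])
    }
    # ...and the remainder is drawn from the union of all classes.
    $all = -join $classes
    while ($chars.Count -lt $Length) {
        $chars.Add($all[(Get-RandomInt -Rng $rng -Max $all.Length)])
    }

    # Fisher-Yates shuffle so the class-guaranteed characters are not always first.
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = Get-RandomInt -Rng $rng -Max ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    return -join $chars
}

# Mirrors a strict policy: minimum length plus all four character classes.
function Test-HelloPinComplexity {
    param([string]$Pin, [int]$MinLength = 20)
    $checks = [ordered]@{
        Length    = $Pin.Length -ge $MinLength
        Uppercase = $Pin -cmatch '[A-Z]'
        Lowercase = $Pin -cmatch '[a-z]'
        Digit     = $Pin -cmatch '[0-9]'
        Special   = $Pin -cmatch '[^A-Za-z0-9]'
    }
    $checks['Passes'] = @($checks.Values | Where-Object { -not $_ }).Count -eq 0
    return [pscustomobject]$checks
}

# ASSUMED locations (verify against the imported ADMX):
#   "Turn on convenience PIN sign-in"         -> ...\Windows\System\AllowDomainPINLogon
#   Windows Hello for Business PIN complexity -> ...\PassportForWork\PINComplexity\*
function Get-HelloPinPolicy {
    $targets = @(
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
           Names = @('AllowDomainPINLogon') }
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity'
           Names = @('MinimumPINLength', 'MaximumPINLength', 'UppercaseLetters',
                     'LowercaseLetters', 'Digits', 'SpecialCharacters') }
    )
    foreach ($t in $targets) {
        $item = Get-ItemProperty -Path $t.Path -ErrorAction SilentlyContinue
        foreach ($n in $t.Names) {
            $v = '<not set>'
            if ($item -and $item.PSObject.Properties[$n]) { $v = $item.$n }
            [pscustomobject]@{ Path = $t.Path; Name = $n; Value = $v }
        }
    }
}

# Usage: generate one PIN per fingerprint user, show it once, then discard it.
$pin = New-HelloPin -Length 20
"One-time PIN for enrolment: $pin"
Test-HelloPinComplexity -Pin $pin | Format-List
Get-HelloPinPolicy | Format-Table -AutoSize
```

Run `gpupdate /force` on the client before the audit so the values reflect the freshly applied GPO; the complexity policy is enforced at the moment the user sets the PIN, so the `Passes` column tells you in advance whether the generated value will be accepted. The PIN shown is meant to live only in the enrolment dialog: do not write it to a file, ticket, or transcript.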