Can't enable Windows Hello - Some settings are managed by your organization

21

16

I did a clean install of Windows 10 Anniversary Edition. Now I can't enable Windows Hello with my domain joined Surface Pro 4, logged in as an AD user. When I log in with my Msft account, I can turn Windows Hello on, though.

I tried "Some settings are managed by your organization" while not on domain? (increasing telemetry via settings app) and also this: resetting telemetry via gp.

This shows that this problem is different from the others here. This machine is also in fact domain joined, unlike most other questions here.

This is what the settings look like (screenshot omitted).

With the old version of Windows 10 the same device could enable Windows Hello while domain joined with the domain user. That's why I rule out GPO as the source of the problem. GPO even explicitly allows Biometrics for domain users. What can I do?

Windows 10 Professional, Cortana is enabled. No Insiders Edition. I have administrative access to the domain.

zuckerthoben

Posted 2016-08-15T08:15:59.887

Reputation: 601

Did you ever find a solution? I have the same problem :( – MojoDK – 2016-10-04T08:05:03.967

yes I did! I will write the answer now @MojoDK :) – zuckerthoben – 2016-10-05T06:22:33.317

Answers

29

I found the solution. The reason is that Windows Hello is managed differently on domain joined computers, starting with the anniversary update. To get it to work you have to follow these steps:

1) Setup a Group Policy Central Store (you should already have that)

2) Get Windows 10 Anniversary Update Group Policy Templates. You can do so by copying your files from PolicyDefinitions (in windir on a Win10 Anniversary Update machine) into the PolicyDefinitions of the central store. You might copy those files first to a file share, because of permissions your regular user should not have on the central store.

3) Set up a new GPO or add to an existing one the following settings to enable Windows Hello:

  • Computer Configuration/Policies/Administrative Templates
    • .../Windows Components/Windows Hello for Business/ Use biometrics => Enabled
    • .../Windows Components/Windows Hello for Business/ Use a hardware security device => Enabled (if you want to use TPM instead of key or certificate based activation for Windows Hello). Note that in general all business computers should have a TPM.
    • .../System/Logon/ Turn on convenience PIN sign-in => Enabled (This is the key. This enables PIN sign-in which in turn will enable Hello, together with the other settings.)
    • .../Windows Components/Biometrics/ Allow domain users to log on using biometrics => Enabled (I think this is enabled by default, but being explicit makes GP management a lot easier.)

You will find more optional configuration possibilities in System/Logon and Windows Components/Biometrics and Windows Components/Windows Hello for Business.

You will find more background here: https://blogs.technet.microsoft.com/ash/2016/08/13/changes-to-convenience-pin-and-thus-windows-hello-behaviour-in-windows-10-version-1607/

and here

https://technet.microsoft.com/en-us/itpro/windows/keep-secure/implement-microsoft-passport-in-your-organization

Most important excerpt:

Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting Turn on convenience PIN sign-in. Use Windows Hello for Business policy settings to manage PINs for Windows Hello for Business.

If you want to use key or certificate based Windows Hello you can follow the guides in the links. Don't get confused though. You can still use regular TPM for normal Windows Hello.

zuckerthoben

Posted 2016-08-15T08:15:59.887

Reputation: 601

1

It is important to note that according to the link you cite, "Turn on convenience PIN sign-in" is NOT required to use Windows Hello. The convenience PIN is the old-style PIN which is not as secure as the Windows Hello PIN. ("if you are looking to deploy Windows Hello for Business ... then this might be the perfect opportunity to move to that more secure credential and not ... convenience PIN sign in.") Actually configuring Windows Hello for Business involves more than just GPO - see https://docs.microsoft.com/en-us/azure/active-directory/active-directory-azureadjoin-passport-deployment

– Speedbird186 – 2017-04-07T21:21:42.467

Good catch, but SCCM can not be the only solution to enable Windows Hello on domain joined devices. There has to be another way that is secure. – zuckerthoben – 2017-04-10T09:18:46.050

Just wanted to point out that I was able to simply edit the local policy (Run > GPedit.msc) on a domain joined laptop to get this working. Good info, thanks. – SamAndrew81 – 2018-02-26T18:46:35.520

Sadly all of this didn't help for me :/ I can login with a local account but Windows Hello is still greyed out for my AD Account. – Dominik – 2018-08-09T08:32:19.603

I don't understand the first step "1) Setup a Group Policy Central Store (you should already have that)". I have local admin rights to my domain-joined business computer, but no network admin rights. Could you please (or someone else) give step-by-step sub-steps for this first point, and also for the second point? The other points are clear, but without the first two, I can't really try this solution. – Ochado – 2019-09-27T10:04:31.597

I just ignored step 1) and 2) @Ochado and went straight to running gpedit.msc as SamAndrew81 did. That allowed me to register my fingerprints. – Mark Booth – 2020-01-20T14:22:47.843

5

Setting the following registry key works for me:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"AllowDomainPINLogon"=dword:00000001

Reference: https://social.technet.microsoft.com/Forums/en-US/b975932a-b50b-4759-b43a-c94854c6da83/cant-enable-windows-hello-with-fresh-install-of-anniversity-upgrade-on-domain-account?forum=win10itprosetup

Stephen Quan

Posted 2016-08-15T08:15:59.887

Reputation: 226

My PC is joined to a domain, but I do not have admin access to it. This solution solved the problem for me. – Nikola Malešević – 2017-03-06T14:57:44.490

This allowed me (as the end user) to enable Windows Hello on my Surface Book without needing to involve corporate IT. – Holistic Developer – 2017-04-19T06:41:34.003

This doesn't work for me – Ahmed Hamdy – 2017-06-18T12:51:30.823

I'm running Windows Server 2016 Build 1607 as a Member Server in an existing domain and this registry key is already set but I cannot use Windows Hello. – Dai – 2017-07-11T17:09:59.693
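An added audit script (not from any poster in this thread) that reports, on the local machine, the registry values behind the policy settings named in zuckerthoben's and Stephen Quan's answers above, and optionally sets them. Only AllowDomainPINLogon is quoted on this page; the Biometrics and PassportForWork paths are my assumption of the registry backing for the named GPO settings.

```powershell
# Added example, not code from the thread. Audits the policy-backed registry values that the answers
# above say gate Windows Hello / convenience PIN on a domain-joined Windows 10 1607+ machine.
# Only AllowDomainPINLogon is quoted on this page; the other two paths are assumed mappings of the
# named GPO settings. Run elevated; nothing is written unless -Fix is passed.
[CmdletBinding()]
param([switch]$Fix)

$checks = @(
    @{ Name  = 'System/Logon: Turn on convenience PIN sign-in'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
       Value = 'AllowDomainPINLogon'; Want = 1 },
    @{ Name  = 'Biometrics: Allow domain users to log on using biometrics (assumed path)'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider'
       Value = 'Domain Accounts'; Want = 1 },
    @{ Name  = 'Windows Hello for Business: Use biometrics (assumed path)'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
       Value = 'UseBiometrics'; Want = 1 }
)

# Returns the DWORD value, or $null when the key or value is absent (i.e. "Not Configured").
function Get-PolicyValue($Path, $Value) {
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Value -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Value
}

foreach ($c in $checks) {
    $have  = Get-PolicyValue $c.Path $c.Value
    $state = if ($null -eq $have) { 'Not Configured' }
             elseif ($have -eq $c.Want) { 'OK' }
             else { "set to $have" }
    '{0,-75} {1}' -f $c.Name, $state
    if ($Fix -and $have -ne $c.Want) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        New-ItemProperty -Path $c.Path -Name $c.Value -PropertyType DWord -Value $c.Want -Force | Out-Null
    }
}

# Report-only: 'Use Windows Hello for Business' enabled without a key/certificate trust deployment
# blocks Hello outright (see the thread). Assumed path; deliberately never changed by this script.
$whfb = Get-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork' 'Enabled'
if ($whfb -eq 1) {
    'WARNING: Use Windows Hello for Business is Enabled; leave it Not Configured unless WHfB is fully deployed.'
}
```

On a domain-joined machine a domain GPO refresh will overwrite any local value the script sets, so the durable fix is the GPO change described in the first answer; run gpupdate /force and sign out to see the effect.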

5

All I had to do is:

  1. Windows KEY + R to open Run
  2. Enter:
    gpedit.msc
  3. [Local Computer Policy] > [Computer Configuration] > [Administrative Templates] > [System] > [Logon] > [Turn on convenience PIN sign-in] : ENABLED

This enabled Windows Hello on Surface Pro 4 with Windows 10 Pro.

juFo

Posted 2016-08-15T08:15:59.887

Reputation: 318

Yes, that is pretty much equivalent to my answer, but for a single local user. A domain approach is better for enterprise use cases. – zuckerthoben – 2017-02-21T11:44:33.777

I don't know what a "Group Policy Central Store" is, and you don't say where you apply the policy: on a central AD server or on the local PC... – juFo – 2017-02-21T13:09:22.390

From the context you can safely assume that I am creating a group policy on AD. Explaining how to set up a Group Policy central store is far beyond the scope of my answer. Guides and explanations can be found all over the web. – zuckerthoben – 2017-02-21T15:27:27.817

I have 10 pro but I don't see these options – Crash893 – 2017-08-01T02:07:52.380

There is an issue in the description. For a 4 digit PIN you need to set Minimum PIN length to Enabled with value 4 – sofsntp – 2019-01-03T16:41:02.443

4

I've been fighting this for a looong time. I've tried all these group policy settings: turn on convenience PIN login, enable windows hello for business, enable biometrics, etc. etc. etc. I finally found the solution.

The PCs in my company are Windows 10 build 1809. Mostly Lenovo X1 Yogas and P330s and some Surface Pros. They are domain-joined to a 2012 R2 domain and they are subscribed to Office 365 for email and Office Pro Plus. We have an E3 license in Office 365. When a user registers the Office apps using their own O365 license, it connects Windows to their work account. Disconnecting that allowed me to setup PIN and Fingerprint. Here's how to do it:

  1. Go to Windows Settings -> Accounts -> Access Work or School. The key setting is the "Work or School Account" with the colorful windows logo by it. Disconnect that. Don't touch the "Connected to whatever domain" setting.

  2. Then click on "Sign-in Options". Fingerprint and PIN are no longer greyed out. If it's still greyed out, then make sure "convenience PIN sign-in" is enabled.

  3. Add the PIN, then the Fingerprint.

  4. Go back to "Access Work or School" in Settings -> Accounts.

  5. Click Connect and Enter the user's email address and password.

The only group policy currently in effect is the "Turn on convenience PIN sign-in" setting under Policies, Administrative Templates, System, Logon. Note that this is NOT Windows Hello for Business. This is still just password stuffing. Some day, convenience PIN sign-in will be deprecated and we'll have to do it the secure way.

CParker

Posted 2016-08-15T08:15:59.887

Reputation: 41

0

There is one thing you must not configure unless you have the valid certificates (this is on server 2016).

Make sure "Computer conf/policies/Admin temp/Windows comp/Windows Hello for Business/Use Windows Hello for Business" is set to NOT CONFIGURED.

This was the one thing I had set (from another blog) and it had prevented windows hello from working, windows hello wouldn't even start. But as long as it's not configured it should be ok.

user780692

Posted 2016-08-15T08:15:59.887

Reputation: 1

Read over "Why do I need 50 reputation to comment" to ensure you understand how you can start commenting.

– Pimp Juice IT – 2017-10-15T23:06:20.750

0

Setting the following registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"AllowDomainPINLogon"=dword:00000001

then enable UAC and restart PC.

user863516

Posted 2016-08-15T08:15:59.887

Reputation: 1

-1

After trying so many things (including all the other answers here to date), I finally fixed the problem for myself with a workaround. Note that this is workaround, not a real solution:

To recap, the problem is that something in my organization's domain account disabled the option to enter fingerprints. In my case, even my IT group in my local office branch couldn't figure out what was blocking it.

So I ended up creating a new local user account on my work computer with full local administrative rights. For that new account, I used my personal Microsoft account to connect (though I probably could have used a local account). When I logged in to the new account, there was no problem with fingerprints and I could easily configure the fingerprints.

Potential downsides to this workaround:

  • Since it is a new user account, it might require reinstalling and reconfiguring many computer programs and settings. It is basically like setting up a brand new Windows computer. In my case, I did this when I got a new work computer, so I had to do the reconfiguration anyway.
  • In some organizational setups, non-domain accounts might not have proper access to some organizational resources. This was not a problem in my case. If it is a problem for you, perhaps you could connect with the organizational VPN to access these special resources, perhaps even permanently on this workaround account.

These workarounds might not be worth it for you just to get fingerprint sign-in, but they work excellently in my organizational context.

Ochado

Posted 2016-08-15T08:15:59.887

Reputation: 522

-2

I am on a domain joined Dell 7280. Adding the registry key below along with rebooting has allowed me to add a 6 digit pin.

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"AllowDomainPINLogon"=dword:00000001

joe

Posted 2016-08-15T08:15:59.887

Reputation: 1