How to enable PIN login for domain-joined Windows 10 Pro via Group Policy


Solution 1

Just installed a new Windows 10 Enterprise 1809 Feb 2019 update machine from ISO.

All Hello buttons and options were grayed out. I thrashed around for a while. Most web sites only address the various group policy changes that are required for Biometrics and Windows Hello.

In addition to the various Biometrics and Windows Hello GPO, we found it was also necessary to create a single registry key.

We created a User Configuration (rather than a Computer Configuration, which didn't work for us) GPO that set the following registry entry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"AllowDomainPINLogon"=dword:00000001

Here's a thread with more info: https://social.technet.microsoft.com/Forums/en-US/84a0bd50-1360-4a94-bfb3-b049ecace521/pin-and-fingerprint-signin-options-unavailable-greyed-out-in-windows-10-1607-enterprise?forum=win10itprogeneral

Solution 2

I got PIN working. I went through and removed any domain GPO I had created relating to this issue.

I manually ran gpedit.msc and set anything under Windows Hello for Business to not configured. I then went to system/Logon and set 'use convenience pin' to enabled. I swear I did this earlier and it didn't work, but this time, my PIN button became available once I did so (no reboot/log required). While PIN is working, the machine does still tell me that Windows Hello isn't available (even though I have used the facial recognition login on this very machine in the past).

Solution 3

Starting with build 1607, Windows 10 does not allow the "convenience pin" for domain-joined logons by default, out of the box. Users who are running Windows 10 Version 1511 or earlier can do so without issue. Note that if you had Windows 10 configured to use a pin or fingerprint sign-in prior to installing the 1607 build, that convenience sign-in method will continue to work after the update is installed. This has the effect of obfuscating the issue, and frustrated my efforts to find the resolution.

Thankfully, it's easy to enable the "convenience pin" functionality, which as a side-effect also enables Windows Hello Fingerprint sign-in and Windows Hello Face sign-in.

Using the Group Policy Editor for the entire domain will allow this setting to automatically be applied to future installations of Windows 10; however, you don't necessarily need to enable this at the domain level. Simply run the gpedit.msc utility on the workstation where you want to enable pin or fingerprint sign-in.

The group policy setting you need to change can be found in the following folder:

Computer Configuration\Administrative Templates\System\Logon

The setting you need to enable is:

Turn on convenience PIN sign-in

Once you enable the setting, run gpupdate.exe from the command line to refresh the policy, then log out and back in, and you should be able to configure a sign-in PIN or fingerprint via Windows Hello.

The Group Policy Editor included in Windows 10 Professional version 2004 includes this in the description for the above policy:

This policy setting allows you to control whether a domain user can sign 
in using a convenience PIN.

If you enable this policy setting, a domain user can set up and sign in with a 
convenience PIN.

If you disable or don't configure this policy setting, a domain user can't set 
up and use a convenience PIN.

Note: The user's domain password will be cached in the system vault when using 
this feature.

To configure Windows Hello for Business, use the Administrative Template policies 
under Windows Hello for Business.

Microsoft Docs has a good article on the issue here.
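
An added example (not code from any of the answers above): a PowerShell check that reads the registry values behind the policies discussed on this page and reports what they imply for a machine. The function names are hypothetical, and the `Enabled` value under `PassportForWork` is an assumption about where the "Use Windows Hello for Business" policy is stored; the other key and value names are the ones quoted on this page.

```powershell
function Get-PolicyDword {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the policy is Not Configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-PinPolicyState {
    $sys  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $whfb = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        AllowDomainPINLogon = Get-PolicyDword $sys 'AllowDomainPINLogon'
        # Assumption: 'Enabled' is the value behind "Use Windows Hello for Business".
        WHfBEnabled         = Get-PolicyDword $whfb 'Enabled'
        MinimumPINLength    = Get-PolicyDword "$whfb\PINComplexity" 'MinimumPINLength'
    }
}

function Get-PinPolicyFinding {
    param([Parameter(Mandatory)]$State)
    if ($State.AllowDomainPINLogon -eq 1) {
        'Convenience PIN enabled: the domain password is cached in the system vault.'
    } else {
        'Convenience PIN disabled or not configured: domain users cannot set one up.'
    }
    if ($State.AllowDomainPINLogon -eq 1 -and $State.WHfBEnabled -eq 1) {
        'Both convenience PIN and Windows Hello for Business are enabled: ' +
        'the combination reported on this page as leaving the PIN option greyed out.'
    }
    # Guard against $null, which PowerShell would otherwise compare as 0.
    if ($null -ne $State.MinimumPINLength -and $State.MinimumPINLength -lt 4) {
        "MinimumPINLength is $($State.MinimumPINLength), below the 4 suggested in the comments."
    }
}

$state = Get-PinPolicyState
$state | Format-List
Get-PinPolicyFinding -State $state
```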


Author: Schneider

Updated on September 18, 2022

Comments

  • Schneider
    Schneider over 1 year

    First I tried enabling PIN using Computer Configuration/Administrative Templates/System/Logon/Turn on convenience PIN sign-in.

    This did allow me to set a PIN on the client PC (previously this option was greyed out). But after logging off, and even restarting, it kept asking for a password not PIN.

    So, following the help provided on that setting:

    "In Windows 10, convenience PIN was replaced with Windows Hello PIN, which has stronger security properties. To configure Windows Hello for Business, use the policies under Computer configuration\Administrative Templates\Windows Components\Windows Hello for Business.

    If you enable this policy setting, a domain user can set up and sign in with a convenience PIN. "

    So I went ahead and enabled Windows Hello for Business as well. After restarting client I still was not able to login with PIN, and on top of that the PIN setting within Settings was now greyed out. Under the Windows Hello section it states

    "Windows Hello isn't available on this device"

    This same device was connected at one point to Azure AD and it worked fine with a PIN so it seems the hardware is perfectly capable of using the PIN.

    But I am now stuck as to what settings I need to change to enable the PIN for this local domain-joined device.

    Using: Windows 10 Pro 14393.726 and Server 2016 14393.693

  • Schneider
    Schneider about 7 years
    But the PIN works just fine when it was Azure AD joined...
  • music2myear
    music2myear about 7 years
    This is for the end-user version of Windows Hello. Windows Hello for Business is a (very) different beast. Also, the requirements for face and fingerprint sign-in are different from the requirements for PIN sign-in.
  • Schneider
    Schneider almost 7 years
    With "convenience PIN : enabled" and "Use Windows Hello for Business: enabled" I still am not able to set up a PIN even with Creators update :-/
  • AcePL
    AcePL about 6 years
    Just to confirm this is working. I had set up fingerprint on my 7677 for local account no problem, but domain login refused to budge. So as above - set all Windows Hello for Business to not configured and System -> Logon -> "use convenience pin" to enabled. It works now. Fun Fact - this login is set up to middle finger... In all honesty - I was thinking about Microsoft when I did it, but clearly it was my subconsciousness which drew correct conclusions.
  • bers
    bers over 2 years
    This is what the OP refers to in the first sentence of the question, right? The one that starts "First I tried ..."
  • Admin
    Admin about 2 years
    Additionally, to reduce the Minimum Length, add/set a DWORD value called MinimumPINLength to: HKLM\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity and set it to 4 or more. See this article.