There have been various blogs, MSDN pages, posts, etc. about Windows 7 and Windows 2008 R2 supporting biometric authentication built-in (or so it seems). (http://technet.microsoft.com/en-us/library/dd759228.aspx) In Windows 7 and Windows 2008 R2 it includes some group policy settings for it also.
Anyone know how to enable it to work with Active Directory? So that it shows up on the logon screen or UAC prompt?
Windows 7 provides a device abstraction layer such that, assuming your fingerprint reader's manufacturer has written the appropriate driver software, the reader itself will "just work" with Windows. Microsoft's goal in doing this was to provide a consistent user experience re: enrolling biometric data. (The "provider" functionality in Windows 7 supports only fingerprints. The framework is extensible, by Microsoft, to support other types of biometric data, but only fingerprint UI has been added in Windows 7. No retinal scanners for you... >smile<)
From the scant articles that I'm finding, it appears that the biometric-based logon becomes available after at least one user has "enrolled" their fingerprints, and will work for both local user accounts and domain user accounts.
It's unclear to me where Microsoft is actually storing the biometric data and the user's password. Since it has to be accessible prior to logon, my guess is that they're encrypting it with some machine-specific key and packing it away in the computer's registry somewhere. (Yeah-- per this article that appears to be what's happening...)
It certainly looks like Microsoft hasn't thought at all about how to deploy this functionality across groups of computers. I see no method for "pre-loading" biometric data into groups of machines. My guess is that if, for example, you wanted "enterprise-wide" biometric logon capability you'd need each employee to "enroll" their fingerprints on each computer they were going to logon to.
If, indeed, centralized biometric credential distribution (which, arguably, presents a lot of fun security challenges) isn't a part of the biometric authentication functionality in Windows 7 then, arguably, it's of little use.
You can allow domain credential logon with Biometrics in win7/server2K8R2+ with a group policy setting. Those credentials will require enrollment, but they should roam from workstation to workstation. As far as programmatic enrollment goes...obviously you would need the fingerprint data to start with...It's something that I'm researching at the moment.
The post above is incorrect about how biometric data is stored, and the need to enroll on each workstation that will be used. Since this question was answered the WBF has been completely documented.
It does NOT "pack the data away in the registry".
Active Directory is the mechanism that's used for Enterprise Wide solutions. It's enabled with a GPO. It also works for UAC elevation. I've been using this with Windows 8 and it's really nice.
These links might help:
http://technet.microsoft.com/en-us/library/dd759228.aspx
http://msdn.microsoft.com/en-us/library/windows/desktop/dd401509%28v=vs.85%29.aspx
The API is really very easy to understand and very well documented with source code that builds easily.
EDIT: The fingerprint data does NOT roam. That was a side effect of my lab being very well used. :)
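Two of the answers above say the domain-logon behaviour is switched on with a group policy setting. The following PowerShell audit script is an added example (not code from this thread or from Microsoft) for confirming, on a single workstation, what that policy actually resolved to and whether the Windows Biometric Service is running. It assumes the policy registry path `HKLM\SOFTWARE\Policies\Microsoft\Biometrics` and the value names `Enabled` ("Allow the use of biometrics") and `Domain Accounts` ("Allow domain users to log on using biometrics") as they appear in the Biometrics ADMX template; check those names against the ADMX copy in your own central store before relying on them.

```powershell
# Added example: audit biometric logon policy state on the local machine.
# Registry path and value names are assumptions taken from the Biometrics ADMX;
# a missing value means the policy is "Not Configured" and the OS default applies.
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics'

function Get-BiometricPolicyState {
    $result = [ordered]@{
        BiometricsAllowed  = $null   # "Allow the use of biometrics"
        DomainLogonAllowed = $null   # "Allow domain users to log on using biometrics"
        ServiceStatus      = $null   # Windows Biometric Service (WbioSrvc) state
        ServiceStartMode   = $null
    }

    if (Test-Path $policyPath) {
        $key = Get-ItemProperty -Path $policyPath
        # Assumed DWORD values: 1 = enabled, 0 = disabled, absent = not configured.
        if ($null -ne $key.PSObject.Properties['Enabled']) {
            $result.BiometricsAllowed = [bool]$key.Enabled
        }
        if ($null -ne $key.PSObject.Properties['Domain Accounts']) {
            $result.DomainLogonAllowed = [bool]$key.'Domain Accounts'
        }
    }

    # Get-WmiObject is used rather than Get-CimInstance so this also runs on
    # the PowerShell 2.0 that ships with Windows 7 / Server 2008 R2.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='WbioSrvc'" -ErrorAction SilentlyContinue
    if ($svc) {
        $result.ServiceStatus    = $svc.State
        $result.ServiceStartMode = $svc.StartMode
    }

    [pscustomobject]$result
}

$state = Get-BiometricPolicyState
$state | Format-List

# Report the conditions under which the logon tile / UAC prompt will not offer
# a fingerprint option for domain accounts, so an admin can tell policy
# problems apart from driver or enrollment problems.
if ($state.BiometricsAllowed -eq $false) {
    Write-Warning 'Biometrics are explicitly disabled by policy on this host.'
}
if ($state.DomainLogonAllowed -ne $true) {
    Write-Warning 'Domain-account biometric logon is not explicitly enabled by policy on this host.'
}
if ($state.ServiceStatus -ne 'Running') {
    Write-Warning "WbioSrvc is not running (state: $($state.ServiceStatus), start mode: $($state.ServiceStartMode))."
}
```

Run it in an elevated prompt after a `gpupdate /force` on a test workstation: a `$null` in either policy field means the GPO did not apply (wrong OU, filtering, or the setting left Not Configured), which is a different failure from a reader whose driver has not registered with the Windows Biometric Framework, where the service is running and the policy is set but no sensor is enumerated.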
It may be easier to come at this from the opposite direction. Find a device that fits your needs and ask them about their level of support for AD and group policy. Something like this randomly selected search result.