Home / server / Questions / 830772
In Process
Schneider
Asked: 2017-02-06 16:24:59 +0800 CST

How to enable PIN login for domain-joined Windows 10 Pro via Group Policy

  • 772

First I tried enabling PIN using Computer Configuration/Administrative Templates/System/Logon/Turn on convenience PIN sign-in.

This did allow me to set a PIN on the client PC (previously this option was greyed out). But after logging off, and even restarting, it kept asking for a password not PIN.

So, following the help provided on that setting:

"In Windows 10, convenience PIN was replaced with Windows Hello PIN, which has stronger security properties. To configure Windows Hello for Business, use the policies under Computer configuration\Administrative Templates\Windows Components\Windows Hello for Business.

If you enable this policy setting, a domain user can set up and sign in with a convenience PIN. "

So I went ahead and enabled Windows Hello for Business as well. After restarting client I still was not able to login with PIN, and on top of that the PIN setting within Settings was now greyed out. Under the Windows Hello section it states

"Windows Hello isn't available on this device"

This same device was connected at one point to Azure AD and it worked fine with a PIN so it seems the hardware is perfectly capable of using the PIN.

But I am now stuck as to what settings I need to change to enable to PIN for this local domain-joined device.

Using: Windows 10 Pro 14393.726 and Server 2016 14393.693

group-policy windows-10 windows-server-2016

5 Answers

  1. Just installed a new Windows 10 Enterprise 1809 Feb 2019 update machine from ISO.

    All Hello buttons and options were grayed out. I thrashed around for a while. Most web sites only address the various group policy changes that are required for Biometrics and Windows Hello.

    In addition to the various Biometrics and Windows Hello GPO, we found it was also necessary to create a single registry key.

    We created a User Configuration (rather than a Computer Configuration, which didn't work for us) GPO that set the following registry entry:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"AllowDomainPINLogon"=dword:00000001

    Here's a thread with more info: https://social.technet.microsoft.com/Forums/en-US/84a0bd50-1360-4a94-bfb3-b049ecace521/pin-and-fingerprint-signin-options-unavailable-greyed-out-in-windows-10-1607-enterprise?forum=win10itprogeneral

    • 3

  2. I got PIN working. I went through and removed any domain GPO I had created relating to this issue.

    I manually ran gpedit.msc and set anything under Windows Hello for Business to not configured, I then went to system/Logon and set 'use convenience pin' to enabled. I swear I did this earlier and it didn't work, but this time, my PIN button became available once I did so (no reboot/log required). While PIN is working, the machine does still tell me that Windows Hello isn't available (even though I have used the facial recognition login on this very machine in the past).

    • 2

  3. Starting with build 1607, Windows 10 does not allow the "convenience pin" for domain-joined logons by default, out-of-the box. Users who are running Windows 10 Version 1511 or earlier can do so without issue. Note that if you had Windows 10 configured to use a pin or fingerprint sign-in prior to installing the 1607 build, that convenience sign-in method will continue to work after the update is installed. This has the effect of obfuscating the issue, and frustrated my efforts to find the resolution.

    Thankfully, it's easy to enable the "convenience pin" functionality, which as a side-effect also enables Windows Hello Fingerprint sign-in and Windows Hello Face sign-in.

    Using the Group Policy Editor for the entire domain will allow this setting to automatically be applied to future installations of Windows 10, however you don't necessarily need to enable this at the domain level. Simply run the gpedit.msc utility on the Workstation where you want to enable pin or fingerprint sign-in.

    The group policy setting you need to change can be found in the following folder:

    Computer Configuration\Administrative Templates\System\Logon

    The setting you need to enable is:

    Turn on convenience PIN sign-in

    Once you enable the setting, run gpupdate.exe from the command-line to refresh your the policy, then log out, and back in, and you should be able to configure a sign-in Pin or fingerprint via Windows Hello.

    The Group Policy Editor included in Windows 10 Professional version 2004 includes this in the description for the above policy:

    This policy setting allows you to control whether a domain user can sign 
in using a convenience PIN.

If you enable this policy setting, a domain user can set up and sign in with a 
convenience PIN.

If you disable or don't configure this policy setting, a domain user can't set 
up and use a convenience PIN.

Note: The user's domain password will be cached in the system vault when using 
this feature.

To configure Windows Hello for Business, use the Administrative Template policies 
under Windows Hello for Business.

    Microsoft Docs has a good article on the issue here.

    • 1

  4. It seems this feature may have become available in Windows 10 "Creators Update":

    Windows Hello for Active Directory: Organizations that use an on-premises Active Directory will now be able to use Windows Hello to unlock their PCs, if they like.

    See: https://www.howtogeek.com/278132/whats-new-in-windows-10s-creators-update/

    • 0

  5. It looks like your windows device isn't Windows Hello capable. Check: http://www.windowscentral.com/complete-list-laptops-support-windows-hello

    • -1