Can't enable Windows Hello - Some settings are managed by your organization
Votes: 14
I did a clean install of Windows 10 Anniversary Edition. Now I can't enable Windows Hello with my domain joined Surface Pro 4, logged in as an AD user. When I log in with my Msft account, I can turn Windows Hello on, though.
I tried "Some settings are managed by your organization" while not on domain? (increasing telemetry via settings app) and also this: resetting telemetry via gp.
This shows that this problem is different from the others here. This machine is also in fact domain joined, unlike most other questions here.
This is what the settings look like:

With the old version of Windows 10 the same device could enable Windows Hello while domain joined with the domain user. That's why I rule out GPO as the source of the problem. GPO even explicitly allows Biometrics for domain users. What can I do?
Windows 10 Professional, Cortana is enabled. No Insiders Edition. I have administrative access to the domain.
windows-10 windows-hello
Did you ever find a solution? I have the same problem :(
– MojoDK
Oct 4 '16 at 8:05
Yes, I did! I will write the answer now @MojoDK :)
– zuckerthoben
Oct 5 '16 at 6:22
edited Mar 20 '17 at 10:17 by Community♦
asked Aug 15 '16 at 8:15 by zuckerthoben
6 Answers
Votes: 17 (accepted answer)
I found the solution. The reason is that Windows Hello is managed differently on domain-joined computers, starting with the Anniversary Update.
To get it to work you have to follow these steps:
1) Set up a Group Policy Central Store (you should already have that).
2) Get the Windows 10 Anniversary Update Group Policy templates. You can do so by copying your files from PolicyDefinitions (in windir on a Win10 Anniversary Update machine) into the PolicyDefinitions of the central store. You might copy those files first to a file share, because of permissions your regular user should not have on the central store.
3) Set up a new GPO, or add the following settings to an existing one, to enable Windows Hello:
- Computer Configuration/Policies/Administrative Templates
.../Windows Components/Windows Hello for Business/Use biometrics => Enabled
.../Windows Components/Windows Hello for Business/Use a hardware security device => Enabled (if you want to use TPM instead of key or certificate based activation for Windows Hello). Note that in general all business computers should have TPM.
.../System/Logon/Turn on convenience PIN sign-in => Enabled (This is the key. This enables PIN sign-in which in turn will enable Hello, together with the other settings.)
.../Windows Components/Biometrics/Allow domain users to log on using biometrics => Enabled (I think this is enabled by default, but being explicit makes GP management a lot easier.)
You will find more optional configuration possibilities in System/Logon and Windows Components/Biometrics and Windows Components/Windows Hello for Business.
You will find more background here:
https://blogs.technet.microsoft.com/ash/2016/08/13/changes-to-convenience-pin-and-thus-windows-hello-behaviour-in-windows-10-version-1607/
and here:
https://technet.microsoft.com/en-us/itpro/windows/keep-secure/implement-microsoft-passport-in-your-organization
Most important excerpt:
"Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting Turn on convenience PIN sign-in. Use Windows Hello for Business policy settings to manage PINs for Windows Hello for Business."
If you want to use key or certificate based Windows Hello you can follow the guides in the links. Don't get confused though. You can still use regular TPM for normal Windows Hello.
It is important to note that according to the link you cite, "Turn on convenience PIN sign-in" is NOT required to use Windows Hello. The convenience PIN is the old-style PIN which is not as secure as the Windows Hello PIN. ("if you are looking to deploy Windows Hello for Business ... then this might be the perfect opportunity to move to that more secure credential and not ... convenience PIN sign in.") Actually configuring Windows Hello for Business involves more than just GPO - see docs.microsoft.com/en-us/azure/active-directory/…
– Speedbird186
Apr 7 '17 at 21:21
Good catch, but SCCM can not be the only solution to enable Windows Hello on domain joined devices. There has to be another way that is secure.
– zuckerthoben
Apr 10 '17 at 9:18
Just wanted to point out that I was able to simply edit the local policy (Run > GPedit.msc) on a domain joined laptop to get this working. Good info, thanks.
– SamAndrew81
Feb 26 at 18:46
Sadly all of this didn't help for me :/ I can login with a local account but Windows Hello is still greyed out for my AD Account.
– Dominik
Aug 9 at 8:32
Votes: 4
Setting the following registry key works for me:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"AllowDomainPINLogon"=dword:00000001
Reference: https://social.technet.microsoft.com/Forums/en-US/b975932a-b50b-4759-b43a-c94854c6da83/cant-enable-windows-hello-with-fresh-install-of-anniversity-upgrade-on-domain-account?forum=win10itprosetup
My PC is joined to a domain, but I do not have admin access to it. This solution solved the problem for me.
– Nikola Malešević
Mar 6 '17 at 14:57
This allowed me (as the end user) to enable Windows Hello on my Surface Book without needing to involve corporate IT.
– Holistic Developer
Apr 19 '17 at 6:41
This doesn't work with me
– Ahmed Hamdy
Jun 18 '17 at 12:51
I'm running Windows Server 2016 Build 1607 as a Member Server in an existing domain and this registry key is already set but I cannot use Windows Hello.
– Dai
Jul 11 '17 at 17:09
Votes: 4
All I had to do is:
Press Windows key + R to open Run, then enter:
gpedit.msc
[Local Computer Policy] > [Computer Configuration] > [Administrative Templates] > [System] > [Logon] > [Turn on convenience PIN sign-in]: ENABLED
This enabled Windows Hello on Surface Pro 4 with Windows 10 Pro.
Yes, that is pretty much equivalent to my answer, but for a single local user. A domain approach is better for enterprise use cases.
– zuckerthoben
Feb 21 '17 at 11:44
I don't know what "Group Policy Central Store" is, and you don't say where you apply the policy. On a central AD server or on the local PC...
– juFo
Feb 21 '17 at 13:09
From the context you can safely assume that I am creating a group policy on AD. Explaining how to set up a Group Policy central store is far beyond the scope of my answer. Guides and explanations can be found all over the web.
– zuckerthoben
Feb 21 '17 at 15:27
I have 10 pro but I don't see these options
– Crash893
Aug 1 '17 at 2:07
Votes: 0
There is one thing you must not configure unless you have the valid certificates (this is on server 2016).
Make sure "Computer conf/policies/Admin temp/Windows comp/Windows Hello for Business/Use Windows Hello for Business" is set to NOT CONFIGURED.
This was the one thing I had set (from another blog) and it had prevented windows hello from working, windows hello wouldn't even start. But as long as it's not configured it should be ok.
Read over "Why do I need 50 reputation to comment" to ensure you understand how you can start commenting.
– Pimp Juice IT
Oct 15 '17 at 23:06
Votes: 0
Setting the following registry
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"AllowDomainPINLogon"=dword:00000001
then enable UAC and restart PC.
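A read-only audit of the policy values behind the answers above (the convenience PIN value, and the Windows Hello for Business policy that one answer says to leave unconfigured), added here as an example and not code from any poster. The function names are hypothetical, and the PassportForWork registry values are the editor's knowledge of where those policies are stored, not something stated on the page.

```powershell
# Added example, not from the page's answers. Reads policy values only.
#   AllowDomainPINLogon    : registry value quoted in the answers above
#   PassportForWork\Enabled, PassportForWork\RequireSecurityDevice :
#       values written by "Use Windows Hello for Business" and
#       "Use a hardware security device" (editor's knowledge, not on the page)

$SystemKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$PassportKey = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'

function Get-PolicyDword {
    param([string]$Path, [string]$Name)
    # $null means the value is absent, which is how "Not Configured" appears.
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-HelloPolicyState {
    # Snapshot of the three values from the live registry.
    [pscustomobject]@{
        AllowDomainPINLogon   = Get-PolicyDword $SystemKey   'AllowDomainPINLogon'
        WhfbEnabled           = Get-PolicyDword $PassportKey 'Enabled'
        RequireSecurityDevice = Get-PolicyDword $PassportKey 'RequireSecurityDevice'
    }
}

function Get-HelloPolicyAssessment {
    param([Parameter(Mandatory)] $State)

    $notes = New-Object System.Collections.Generic.List[string]

    if ($State.WhfbEnabled -eq 1) {
        $mode = 'WindowsHelloForBusiness'
        $notes.Add('Key or certificate based credential; needs the setup described in the linked guides.')
        $notes.Add('One answer on this page reports Hello failing to start with this policy enabled and no valid certificates.')
        if ($State.RequireSecurityDevice -ne 1) {
            $notes.Add('Hardware security device not required: keys can fall back to software protection when no usable TPM is present.')
        }
    }
    elseif ($State.AllowDomainPINLogon -eq 1) {
        $mode = 'ConveniencePIN'
        $notes.Add('Older-style PIN; a comment on the accepted answer, citing the linked Microsoft post, calls it less secure than the Windows Hello for Business PIN.')
    }
    else {
        $mode = 'HelloDisabledForDomainUsers'
        $notes.Add('From version 1607 the convenience PIN is off by default on domain-joined machines, so the Hello options stay greyed out.')
    }

    [pscustomobject]@{ Mode = $mode; Notes = $notes.ToArray() }
}

# Constructed sample states, so the classification can be checked without
# touching a real machine's registry.
$samples = [ordered]@{
    'Clean 1607 install, domain joined' = [pscustomobject]@{
        AllowDomainPINLogon = $null; WhfbEnabled = $null; RequireSecurityDevice = $null }
    'Registry value from the answers'   = [pscustomobject]@{
        AllowDomainPINLogon = 1;     WhfbEnabled = $null; RequireSecurityDevice = $null }
    'WHfB policy on, TPM not required'  = [pscustomobject]@{
        AllowDomainPINLogon = 1;     WhfbEnabled = 1;     RequireSecurityDevice = 0 }
}

foreach ($name in $samples.Keys) {
    $result = Get-HelloPolicyAssessment -State $samples[$name]
    '{0,-36} {1}' -f $name, $result.Mode
}

# Assessment of the machine the script runs on.
Get-HelloPolicyAssessment -State (Get-HelloPolicyState) | Format-List
```

Values under HKLM\SOFTWARE\Policies can be written by any local administrator, as two commenters on this page did, so a fleet audit should compare this result with what the domain GPO is meant to deliver.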
Votes: -2
I am on a domain joined Dell 7280. Adding the registry key below along with rebooting has allowed me to add a 6 digit pin.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"AllowDomainPINLogon"=dword:00000001
Accepted answer: answered Oct 5 '16 at 6:44 by zuckerthoben
Registry key answer ("Setting the following registry key works for me"): answered Jan 19 '17 at 0:04, edited Jan 19 '17 at 0:10, by Stephen Quan
My PC is joined to a domain, but I do not have admin access to it. This solution solved the problem for me.
– Nikola Malešević
Mar 6 '17 at 14:57
This allowed me (as the end user) to enable Windows Hello on my Surface Book without needing to involve corporate IT.
– Holistic Developer
Apr 19 '17 at 6:41
This doesn't work with me
– Ahmed Hamdy
Jun 18 '17 at 12:51
I'm running Windows Server 2016 Build 1607 as a Member Server in an existing domain and this registry key is already set but I cannot use Windows Hello.
– Dai
Jul 11 '17 at 17:09
up vote
4
down vote
All I had to do is:
- Windows KEY + R to open Run
- Enter: gpedit.msc
- [Local Computer Policy] > [Computer Configuration] > [Administrative Templates] > [System] > [Logon] > [Turn on convenience PIN sign-in] : ENABLED
This enabled Windows Hello on Surface Pro 4 with Windows 10 Pro.
answered Feb 21 '17 at 9:04
juFo
16431020
Yes, that is pretty much equivalent to my answer, but for a single local user. A domain approach is better for enterprise use cases.
– zuckerthoben
Feb 21 '17 at 11:44
1
I don't know what "Group Policy Central Store" is and you don't say where you apply the policy. On a central AD server or on the local PC...
– juFo
Feb 21 '17 at 13:09
1
From the context you can safely assume that I am creating a group policy on AD. Explaining how to set up a Group Policy central store is far beyond the scope of my answer. Guides and explanations can be found all over the web.
– zuckerthoben
Feb 21 '17 at 15:27
I have 10 pro but I don't see these options
– Crash893
Aug 1 '17 at 2:07
up vote
0
down vote
There is one thing you must not configure unless you have the valid certificates (this is on Server 2016).
Make sure "Computer conf/policies/Admin temp/Windows comp/Windows Hello for Business/Use Windows Hello for Business" is set to NOT CONFIGURED.
This was the one thing I had set (from another blog) and it had prevented Windows Hello from working; Windows Hello wouldn't even start. But as long as it's not configured it should be OK.
answered Oct 15 '17 at 20:47
user780692
1
Read over "Why do I need 50 reputation to comment" to ensure you understand how you can start commenting.
– Pimp Juice IT
Oct 15 '17 at 23:06
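The two settings named in the answers above (the AllowDomainPINLogon value and the "Use Windows Hello for Business" policy), checked together in a read-only PowerShell report. This is an added example, not code from any post in the thread; the PassportForWork registry path and its Enabled value are the registry location behind that policy and are not stated on the page.

```powershell
# Added example: read-only report of the two policy settings discussed in the answers.
# The PassportForWork path backs the "Use Windows Hello for Business" policy;
# it does not appear in the thread.
$checks = @(
    @{ Name  = 'Turn on convenience PIN sign-in'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
       Value = 'AllowDomainPINLogon' },
    @{ Name  = 'Use Windows Hello for Business'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
       Value = 'Enabled' }
)

function Get-PolicyState {
    param([string]$Path, [string]$Value)
    # A missing key or value means the policy is Not Configured.
    $item = Get-ItemProperty -Path $Path -Name $Value -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Not Configured' }
    switch ([int]$item.$Value) {
        1       { 'Enabled' }
        0       { 'Disabled' }
        default { "Unexpected data: $($item.$Value)" }
    }
}

$report = foreach ($c in $checks) {
    [pscustomobject]@{
        Policy = $c.Name
        State  = Get-PolicyState -Path $c.Path -Value $c.Value
        Source = "$($c.Path)\$($c.Value)"
    }
}
$report | Format-Table -AutoSize

$pin  = ($report | Where-Object Policy -like '*convenience PIN*').State
$whfb = ($report | Where-Object Policy -like '*Hello for Business*').State

if ($pin -ne 'Enabled') {
    Write-Output 'Convenience PIN sign-in is not enabled by policy for domain accounts.'
}
if ($whfb -ne 'Not Configured') {
    Write-Output "Windows Hello for Business policy is '$whfb'; the answer above reports that configuring it without valid certificates kept Windows Hello from starting."
}
# Values written by hand under HKLM:\SOFTWARE\Policies can be overwritten when
# domain Group Policy sets the same policy; compare with: gpresult /r /scope computer
```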
up vote
0
down vote
Setting the following registry
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"AllowDomainPINLogon"=dword:00000001
then enable UAC and restart PC.
edited Jan 18 at 8:17
mtak
10.9k23153
answered Jan 18 at 7:14
user863516
1
up vote
-2
down vote
I am on a domain-joined Dell 7280. Adding the registry key below along with rebooting has allowed me to add a 6-digit PIN.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"AllowDomainPINLogon"=dword:00000001
answered May 23 at 0:38
joe
1
Did you ever find a solution? I have the same problem :(
– MojoDK
Oct 4 '16 at 8:05
Yes I did! I will write the answer now @MojoDK :)
– zuckerthoben
Oct 5 '16 at 6:22