Can't enable Windows Hello - Some settings are managed by your organization
I found the solution. The reason is that Windows Hello is managed differently on domain joined computers, starting with the anniversary update. To get it to work you have to follow these steps:
1) Setup a Group Policy Central Store (you should already have that)
2) Get Windows 10 Anniversary Update Group Policy Templates. You can do so by copying your files from PolicyDefinitions (in windir on a Win10 Anniversary Update machine) into the PolicyDefinitions of the central store. You might copy those files first to a file share, because of permissions your regular user should not have on the central store.
3) Setup a new GPO or add to an existing the following settings to enable Windows Hello:
- Computer Configuration/Policies/Administrative Templates
.../Windows Components/Windows Hello For Business/ Use biometrics => Enabled
.../Windows Components/Windows Hello for Business/ Use a hardware security device => Enabled (if you want to use TPM instead of key or certificate based activation for Windows Hello). Note that in general all business computers should have TPM
.../System/Logon/ Turn on convenience PIN sign-in => Enabled (This is the key. This enables PIN sign-in which in turn will enable Hello, together with the other settings.)
.../Windows Components/Biometrics/ Allow domain users to log on using biometrics => Enabled (I think this is enabled by default, but being explicit makes GP management a lot easier.)
You will find more optional configuration possibilities in System/Logon and Windows Components/Biometrics and Windows Components/Windows Hello for Business.
You will find more background here: https://blogs.technet.microsoft.com/ash/2016/08/13/changes-to-convenience-pin-and-thus-windows-hello-behaviour-in-windows-10-version-1607/
and here
https://technet.microsoft.com/en-us/itpro/windows/keep-secure/implement-microsoft-passport-in-your-organization
Most important excerpt:
Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting Turn on convenience PIN sign-in. Use Windows Hello for Business policy settings to manage PINs for Windows Hello for Business.
If you want to use key or certificate based Windows Hello you can follow the guides in the links. Don't get confused though. You can still use regular TPM for normal Windows Hello.
Setting the following registry key works for me:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"AllowDomainPINLogon"=dword:00000001
Reference: https://social.technet.microsoft.com/Forums/en-US/b975932a-b50b-4759-b43a-c94854c6da83/cant-enable-windows-hello-with-fresh-install-of-anniversity-upgrade-on-domain-account?forum=win10itprosetup
I've been fighting this for a looong time. I've tried all these group policy settings: turn on convenience PIN login, enable windows hello for business, enable biometrics, etc. etc. etc. I finally found the solution.
The PCs in my company are Windows 10 build 1809. Mostly Lenovo X1 Yogas and P330s and some Surface Pros. They are domain-joined to a 2012 R2 domain and they are subscribed to Office 365 for email and Office Pro Plus. We have an E3 license in Office 365. When a user registers the Office apps using their own O365 license, it connects Windows to their work account. Disconnecting that allowed me to setup PIN and Fingerprint. Here's how to do it:
Go to Windows Settings -> Accounts -> Access Work or School. The key setting is the "Work or School Account" with the colorful windows logo by it. Disconnect that. Don't touch the "Connected to whatever domain" setting.
Then click on "Sign-in Options". Fingerprint and PIN are no longer greyed out. If it's still greyed out, then make sure "convenience PIN sign-in" is enabled.
Add the PIN, then the Fingerprint.
Go back to "Access Work or School" in Settings -> Accounts.
Click Connect and Enter the user's email address and password.
The only group policy currently in effect is the "Turn on Convenience PIN sign-in" setting under Policies, Administrative Templates, System, Logon. Note that this is NOT Windows Hello for Business. This is still just password stuffing. Some day, convenience PIN sign-in will be depracated and we'll have to do it the secure way.