I am in a similar situation and just working through it. They have made some changes in sign in and lock security.
For example, disabling the lock screen password request seems to only be partially available through GPOs, the same "Some settings are managed by your organization" gets an additional "Authentication is not required when this PC wakes from sleep. Sign in as an administrator to change this setting." Which of course works but is hardly scalable. Other pressing issues are on the plate so I have not finished this, but it looks like a combination of GPO policy and GPO reg entries are required for that one. I have found a few articles indicating changes such as https://blogs.technet.microsoft.com/ash/2016/08/13/changes-to-convenience-pin-and-thus-windows-hello-behaviour-in-windows-10-version-1607/ where the policies now depend on additional criteria... jlc From: [email protected] [mailto:[email protected]] On Behalf Of Kish N Kepi Sent: Tuesday, August 30, 2016 3:12 AM To: [email protected] Subject: [NTSysADM] Biometrics on Windows 10 1607 Fresh install of Windows 10 build 14393. Domain-joined. Windows Hello, PIN and Fingerprint are all greyed out Default Domain Policy includes all 3 Biometrics lines: Allow domain users to log on using biometrics: Enabled Allow the use of biometrics: Enabled Allow users to log on using biometrics: Enabled With no WMI Filtering I ran gpedit.msc locally on his laptop, and it shows the same 3 lines configured as enabled. After googling, I added this registry entry: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider] "Domain Accounts"=dword:00000001 On my laptop, the fingerprint works fine, but on the COO's, Windows Hello is greyed out and at the top it says: some settings are managed by your organization. But as I said, my organization allows it and it works for me and several other Win 10 laptops. COO will not accept his new laptop without a fingerprint. I tried logging in with a different domain user on that laptop and it is grey there too. However, a non-domain, local account has access to Hello/Pin/Finger Any ideas? Kish
