RE: [NTSysADM] Biometrics on Windows 10 1607

[Kish N Kepi]

This was useful - thanks. I added Convenience PIN setting for now, while I
get to work on Hello for Business.
 
KnK
 
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com]
On Behalf Of Joseph L. Casale
Sent: Tuesday, August 30, 2016 3:26 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] Biometrics on Windows 10 1607
 
I am in a similar situation and just working through it. They have made some
changes in sign in and lock security.
 
For example, disabling the lock screen password request seems to only be
partially available through GPOs, the same "Some settings are managed by
your organization" gets an additional "Authentication is not required when
this PC wakes from sleep. Sign in as an administrator to change this
setting." Which of course works but is hardly scalable. Other pressing
issues are on the plate so I have not finished this, but it looks like a
combination of GPO policy and GPO reg entries are required for that one.
 
I have found a few articles indicating changes such as
https://blogs.technet.microsoft.com/ash/2016/08/13/changes-to-convenience-pi
n-and-thus-windows-hello-behaviour-in-windows-10-version-1607/ where the
policies now depend on additional criteria.
 
jlc
 
From: listsad...@lists.myitforum.com <mailto:listsad...@lists.myitforum.com>
[mailto:listsad...@lists.myitforum.com] On Behalf Of Kish N Kepi
Sent: Tuesday, August 30, 2016 3:12 AM
To: ntsysadm@lists.myitforum.com <mailto:ntsysadm@lists.myitforum.com> 
Subject: [NTSysADM] Biometrics on Windows 10 1607
 
Fresh install of Windows 10 build 14393. Domain-joined. Windows Hello, PIN
and Fingerprint are all greyed out
 
Default Domain Policy includes all 3 Biometrics lines:
                Allow domain users to log on using biometrics: Enabled  
Allow the use of biometrics: Enabled  
Allow users to log on using biometrics: Enabled
With no WMI Filtering
I ran gpedit.msc locally on his laptop, and it shows the same 3 lines
configured as enabled.
After googling, I added this registry entry:
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\Credential
Provider]
"Domain Accounts"=dword:00000001
 
On my laptop, the fingerprint works fine, but on the COO's, Windows Hello is
greyed out and at the top it says: some settings are managed by your
organization. But as I said, my organization allows it and it works for me
and several other Win 10 laptops. 
COO will not accept his new laptop without a fingerprint. I tried logging in
with a different domain user on that laptop and it is grey there too.
However, a non-domain, local account has access to Hello/Pin/Finger
 
Any ideas?
 
Kish