I ran into an interesting issue this week where I could not set a PIN for accessing Windows 10 domain-joined devices. The setup with interesting, so I thought I would document it. First, domain bound devices, by default, cannot be accessed using a PIN. You must allow your users to set one. Doing this is not straightforward.
Registry Value
You must a set a registry value. This can be using Group Policy preferences. The key you need to define is:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System
AllowDomainPINLogon=dword:00000001
GPO registry item:
This can also be item-level targeted at just Windows 10 devices if you like. That’s it – that’s all you need to do to enable PIN sign in for domain-bound devices.
This is the same registry value set by the GPO setting “Turn on convenience PIN sign-in” located at Computer Configuration > Administrative Templates> System > Logon. This GPO setting, however, will not apply to a Windows 10 or Server 2016 system. If you open the setting, you’ll notice that it will only run on Windows 8/8.1 or Server 2012/2012 R2. Therefore we must apply the registry value that this setting configures.
Considerations
There are a few other considerations, however. First, the setting controlling Windows Hello for Business must be left as “Not Configured”. Enabling or disabling this setting makes PIN inaccessible again. This is the policy setting that should remain not configured:
For the record, this setting is at Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business.
The second thing to know is that the PIN complexity settings within this same Windows Hello for Business (WHfB) policy set still function. You can still use all of the complexity settings, such as minimum length, upper and lower case characters, digits, history, etc.
Finally, some people may want to disable the biometric function of WHfB. This will disable fingerprint readers and facial recognition. The setting “Use biometrics” that is in the screenshot above will not do this. In order to disable biometrics, set the policy “Allow the use of biometrics” setting located at Computer Configuration > Administrative Templates > Windows Components > Biometrics to disabled.
Disclaimer
All content provided on this blog is for information purposes only. Windows Management Experts, Inc makes no representation as to accuracy or completeness of any information on this site. Windows Management Experts, Inc will not be liable for any errors or omission in this information nor for the availability of this information. It is highly recommended that you consult one of our technical consultants, should you need any further assistance.
