I did a clean install of Windows 10 Anniversary Edition. Now I can't enable Windows Hello with my domain joined Surface Pro 4, logged in as an AD user. When I log in with my Msft account, I can turn Windows Hello on, though.
I tried "Some settings are managed by your organization" while not on domain? (increasing telemetry via settings app) and also this: resetting telemetry via gp.
This shows that this problem is different than the others here. This is also in fact domain joined, not like the most other questions here.
This is what the settings look like;
With the old version of Windows 10 the same device could enable Windows Hello while domain joined with the domain user. That's why I rule out GPO as the source of the problem. GPO even explicitly allows Biometrics for domain users. What can I do?
Windows 10 Professional, Cortana is enabled. No Insiders Edition. I have administrative access to the domain.
Answer
I found the solution. The reason is that Windows Hello is managed differently on domain joined computers, starting with the anniversary update.
To get it to work you have to follow these steps:
1) Setup a Group Policy Central Store (you should already have that)
2) Get Windows 10 Anniversary Update Group Policy Templates. You can do so by copying your files from PolicyDefinitions (in windir on a Win10 Anniversary Update machine) into the PolicyDefinitions of the central store. You might copy those files first to a file share, because of permissions your regular user should not have on the central store.
3) Setup a new GPO or add to an existing the following settings to enable Windows Hello:
- Computer Configuration/Policies/Administrative Templates
.../Windows Components/Windows Hello For Business/ Use biometrics => Enabled
.../Windows Components/Windows Hello for Business/ Use a hardware security device => Enabled (if you want to use TPM instead of key or certificate based activation for Windows Hello). Note that in general all business computers should have TPM
.../System/Logon/ Turn on convenience PIN sign-in => Enabled (This is the key. This enables PIN sign-in which in turn will enable Hello, together with the other settings.)
.../Windows Components/Biometrics/ Allow domain users to log on using biometrics => Enabled (I think this is enabled by default, but being explicit makes GP management a lot easier.)
You will find more optional configuration possibilities in System/Logon and Windows Components/Biometrics and Windows Components/Windows Hello for Business.
You will find more background here:
https://blogs.technet.microsoft.com/ash/2016/08/13/changes-to-convenience-pin-and-thus-windows-hello-behaviour-in-windows-10-version-1607/
and here
Most important excerpt:
Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a
convenience PIN for Windows 10, version 1607, enable the Group Policy
setting Turn on convenience PIN sign-in. Use Windows Hello for
Business policy settings to manage PINs for Windows Hello for
Business.
If you want to use key or certificate based Windows Hello you can follow the guides in the links. Don't get confused though. You can still use regular TPM for normal Windows Hello.
No comments:
Post a Comment