Windows Hello PIN/Fingerprint "This option is currently unavailable"

I am having trouble trying to use Windows Hello. I cannot enable any of its features.

My computer (Windows 10 1903 18362.239) is connected to a domain hosted on my local network (Server 2016). I have not modified any group policy settings to mess with login options.

I have tried many options on the internet like enabling "Windows Hello for Business" in GP and the settings in "Biometrics" in GP and even adding a registry key to enable it but NOTHING has worked! I also have tried using a non-admin account but still no success.

I can use fingerprint and PIN on a local account but not a domain account.

I want to give up on this but I have decided to see if any of you know...


Solution 1:

I had the same problem, here is what worked for me:

Found a solution finally at the following location:

https://social.technet.microsoft.com/Forums/en-US/84a0bd50-1360-4a94-bfb3-b049ecace521/pin-and-fingerprint-signin-options-unavailable-greyed-out-in-windows-10-1607-enterprise?forum=win10itprogeneral

  1. "Turn on Convenience PIN sign-in" policy (as above) must be enabled

  2. All 3 Policies under Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business\ must be in the state "Not configured". This was the piece that was missing, and not documented properly on Technet.

After the policy changes and a restart, PIN and fingerprint options were available.

Source: Windows 10 Fingerprint - "Some settings are managed by your organization"

Solution 2:

Starting with build 1607, a fresh Windows 10 installation does not allow the "convenience PIN" for domain-joined logons by default, out of the box. Users who are running Windows 10 Version 1511 or earlier can do so without issue. Note that if you had Windows 10 configured to use a PIN or fingerprint sign-in prior to installing the 1607 build, that convenience sign-in method will continue to work after the update is installed. This had the effect of obfuscating the issue, and frustrated my efforts to find the resolution.

Thankfully, it's easy to enable the "convenience pin" functionality, which as a side-effect also enables Windows Hello Fingerprint sign-in and Windows Hello Face sign-in.

Using the Group Policy Editor for the entire domain will allow this setting to automatically be applied to future installations of Windows 10; however, you don't necessarily need to enable this at the domain level. Simply run the gpedit.msc utility on the workstation where you want to enable PIN or fingerprint sign-in.

The group policy setting you need to change can be found in the following folder:

Computer Configuration\Administrative Templates\System\Logon

The setting you need to enable is:

Turn on convenience PIN sign-in

Once you enable the setting, run gpupdate.exe from the command line to refresh the policy, then log out and back in, and you should be able to configure a sign-in PIN or fingerprint via Windows Hello.

The Group Policy Editor included in Windows 10 Professional version 2004 includes this in the description for the above policy:

This policy setting allows you to control whether a domain user can sign 
in using a convenience PIN.

If you enable this policy setting, a domain user can set up and sign in with a 
convenience PIN.

If you disable or don't configure this policy setting, a domain user can't set 
up and use a convenience PIN.

Note: The user's domain password will be cached in the system vault when using 
this feature.

To configure Windows Hello for Business, use the Administrative Template policies 
under Windows Hello for Business.

Microsoft Docs has a good article on the issue here.
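
A read-only check of the two conditions the answers above describe, as an added example that is not part of either answer. The registry paths and value names are assumed ADMX mappings for these policies (they are not stated on the page), and the function name is hypothetical.

```powershell
# Added example: read-only check of the two policy conditions from the answers above.
# Assumed ADMX registry mappings (not stated on the page):
#   "Turn on convenience PIN sign-in" -> Policies\Microsoft\Windows\System : AllowDomainPINLogon (1 = Enabled)
#   Windows Hello for Business policies -> values/subkeys under Policies\Microsoft\PassportForWork
$SystemKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$WhfbKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'

function Get-ConveniencePinPolicyState {
    # $null when the value is absent, i.e. the policy is "Not configured"
    $pin = (Get-ItemProperty -Path $SystemKey -Name 'AllowDomainPINLogon' `
            -ErrorAction SilentlyContinue).AllowDomainPINLogon

    if ($null -eq $pin)  { $pinState = 'Not configured' }
    elseif ($pin -eq 1)  { $pinState = 'Enabled' }
    else                 { $pinState = 'Disabled' }

    # Any value under the Windows Hello for Business key (or its subkeys)
    # means one of those policies is configured rather than "Not configured".
    $whfb = @()
    if (Test-Path -Path $WhfbKey) {
        $keys = @(Get-Item -Path $WhfbKey) +
                @(Get-ChildItem -Path $WhfbKey -Recurse -ErrorAction SilentlyContinue)
        foreach ($k in $keys) {
            foreach ($name in $k.GetValueNames()) {
                $whfb += '{0}\{1} = {2}' -f $k.PSChildName, $name, $k.GetValue($name)
            }
        }
    }

    [pscustomobject]@{
        DomainJoined         = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
        ConveniencePinPolicy = $pinState
        WhfbPoliciesSet      = $whfb
        # True only when the PIN policy is enabled and no WHfB policy is configured
        MatchesAnswers       = ($pin -eq 1) -and ($whfb.Count -eq 0)
    }
}

Get-ConveniencePinPolicyState | Format-List
```

Because the policy description quoted above notes that the user's domain password is cached in the system vault, the same check can be used to inventory which workstations have the convenience PIN enabled.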