How to enable PIN login for domain-joined Windows 10 Pro via Group Policy

Solution 1:

Just installed a new Windows 10 Enterprise 1809 Feb 2019 update machine from ISO.

All Hello buttons and options were grayed out. I thrashed around for a while. Most web sites only address the various group policy changes that are required for Biometrics and Windows Hello.

In addition to the various Biometrics and Windows Hello GPO, we found it was also necessary to create a single registry key.

We created a User Configuration (rather than a Computer Configuration, which didn't work for us) GPO that set the following registry entry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"AllowDomainPINLogon"=dword:00000001

Here's a thread with more info: https://social.technet.microsoft.com/Forums/en-US/84a0bd50-1360-4a94-bfb3-b049ecace521/pin-and-fingerprint-signin-options-unavailable-greyed-out-in-windows-10-1607-enterprise?forum=win10itprogeneral

Solution 2:

I got PIN working. I went through and removed any domain GPO I had created relating to this issue.

I manually ran gpedit.msc and set anything under Windows Hello for Business to not configured. I then went to System/Logon and set 'use convenience pin' to enabled. I swear I did this earlier and it didn't work, but this time, my PIN button became available once I did so (no reboot/log required). While PIN is working, the machine does still tell me that Windows Hello isn't available (even though I have used the facial recognition login on this very machine in the past).

Solution 3:

Starting with build 1607, Windows 10 does not allow the "convenience pin" for domain-joined logons by default, out of the box. Users who are running Windows 10 Version 1511 or earlier can do so without issue. Note that if you had Windows 10 configured to use a PIN or fingerprint sign-in prior to installing the 1607 build, that convenience sign-in method will continue to work after the update is installed. This has the effect of obfuscating the issue, and frustrated my efforts to find the resolution.

Thankfully, it's easy to enable the "convenience pin" functionality, which as a side-effect also enables Windows Hello Fingerprint sign-in and Windows Hello Face sign-in.

Using the Group Policy Editor for the entire domain will allow this setting to automatically be applied to future installations of Windows 10; however, you don't necessarily need to enable this at the domain level. Simply run the gpedit.msc utility on the workstation where you want to enable PIN or fingerprint sign-in.

The group policy setting you need to change can be found in the following folder:

Computer Configuration\Administrative Templates\System\Logon

The setting you need to enable is:

Turn on convenience PIN sign-in

Once you enable the setting, run gpupdate.exe from the command line to refresh the policy, then log out and back in, and you should be able to configure a sign-in PIN or fingerprint via Windows Hello.

The Group Policy Editor included in Windows 10 Professional version 2004 includes this in the description for the above policy:

This policy setting allows you to control whether a domain user can sign 
in using a convenience PIN.

If you enable this policy setting, a domain user can set up and sign in with a 
convenience PIN.

If you disable or don't configure this policy setting, a domain user can't set 
up and use a convenience PIN.

Note: The user's domain password will be cached in the system vault when using 
this feature.

To configure Windows Hello for Business, use the Administrative Template policies 
under Windows Hello for Business.

Microsoft Docs has a good article on the issue here.
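
An added example, not part of any of the answers above: a PowerShell sketch that reports the state of the AllowDomainPINLogon value from Solution 1 and can set it with -WhatIf support, so machines where the vault caching noted in the policy description becomes possible can be inventoried. The function names are hypothetical, and it assumes, as Solution 1 reports, that this registry value is what controls convenience PIN sign-in.

```powershell
# Added example; function names are hypothetical. Run elevated to change the value.
$script:PinKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'   # path from Solution 1
$script:PinName = 'AllowDomainPINLogon'                                # value from Solution 1

function Get-ConveniencePinPolicy {
    [CmdletBinding()]
    param()
    # A missing key or a missing value both mean the policy is not configured.
    $raw = $null
    if (Test-Path -Path $script:PinKey) {
        $raw = (Get-ItemProperty -Path $script:PinKey -Name $script:PinName `
                    -ErrorAction SilentlyContinue).$($script:PinName)
    }
    if ($null -eq $raw)      { $state = 'NotConfigured' }
    elseif ([int]$raw -eq 1) { $state = 'Enabled' }
    else                     { $state = 'Disabled' }

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        DomainJoined         = [bool]$cs.PartOfDomain
        PolicyState          = $state
        # Per the policy description, enabling this lets the domain password
        # be cached in the system vault once a user sets up a PIN.
        VaultCachingPossible = ($state -eq 'Enabled')
    }
}

function Set-ConveniencePinPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet('Enabled', 'Disabled')][string]$State
    )
    $value = if ($State -eq 'Enabled') { 1 } else { 0 }
    # A domain GPO that configures this setting overwrites a local change
    # at the next policy refresh.
    if ($PSCmdlet.ShouldProcess("$script:PinKey\$script:PinName", "Set DWORD to $value")) {
        if (-not (Test-Path -Path $script:PinKey)) {
            New-Item -Path $script:PinKey -Force | Out-Null
        }
        New-ItemProperty -Path $script:PinKey -Name $script:PinName `
            -PropertyType DWord -Value $value -Force | Out-Null
    }
}

Get-ConveniencePinPolicy | Format-List
# Preview a change without writing: Set-ConveniencePinPolicy -State Disabled -WhatIf
```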