
Windows Hello on corporate Domain

sepf42

New Member
I have a Surface Laptop 2 but thought this probably belongs in the general discussion as I believe it to not be hardware specific.

I cannot get Windows Hello, fingerprint, or PIN logon authentication to function at all once the laptop is added to the domain. It did work fine prior to joining the domain. The message I get from the "Sign-in Options" for each of those is "Something went wrong. Try again later." I've been able to get it working at a previous organization via some registry manipulation that allowed these greyed-out options to function. Looking those up again, I've made some of those changes; this time they did not work out. This is the favorite one.

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"AllowDomainPINLogon"=dword:00000001


I do have the authority to make Active Directory and GPO changes, so I could fix this if I knew what needed to be set. Is there an official list of settings/requirements that need to be set in order for this to function? I cannot find it anywhere. And I think even Google is getting frustrated with me at this point.

Computer is running Windows 10 version 1903 with an enterprise license.

Also a side note, to whoever runs this site: "Thank you for running the site, great service, it is however 2019, and I recommend buying a certificate"
 

jnjroach

Administrator
Staff member
Have you configured Windows Hello for Business? There was a fundamental change in Windows 10 starting with 1607. This article should help: https://support.microsoft.com/en-us/help/3201940/can-t-configure-a-pin-when-convenience-pin-and-hello-for-business-poli
 