Forum Discussion
Enable domain users sign in to Windows client using biometrics
Hi everyone.
I've read some posts on this topic, like this one:
https://www.makeuseof.com/allow-block-biometrics-windows-11/
I selected (via gpedit) the domain users sign-in feature on one client machine, but its fingerprint still remains disabled.
So I guess that it's necessary to operate on AD (server). Can you explain to me how to do it?
Many thanks.
Open Group Policy Management on the domain controller.
Create a new Group Policy Object (GPO) or edit an existing GPO that targets the organizational units (OUs) containing the Windows clients.
Computer Configuration -> Administrative Templates -> Windows Components -> Windows Hello for Business
The following policies need to be enabled:
Use Windows Hello for Business: Set this to Enabled.
Use biometrics: Ensure this is set to Enabled.
-----------------------------------
On client machine:
Open Local Group Policy Editor (gpedit.msc)
then go to: Computer Configuration -> Administrative Templates -> Windows Components -> Biometrics
Allow the use of biometrics: Set to Enabled.
Allow users to log on using biometrics: Set to Enabled.
Note: Ensure fingerprint sensor driver is properly installed and working.
Enable Credential Provider for Biometrics
(gpedit.msc) on the client
Computer Configuration -> Administrative Templates -> System -> Logon
Enable "Turn on convenience PIN sign-in"
----------------------------------
Open Active Directory Users and Computers
Find the user account that you want to enable biometrics for and double-click it.
Go to the Account tab.
Ensure that there are no restrictions on the account that might prevent Windows Hello from working (e.g., "Smart card is required for interactive logon" should not be checked)
Please ensure client machine can communicate with the domain controller
Also make sure that Windows Hello for Business and related services are allowed through the firewall on both the client and the server
After the above configuration, please restart both the domain controller (if possible) and the client machine.
Now try logging in as a domain user on the client machine and navigate to Settings -> Accounts -> Sign-in options.
You should now see the option to Set up fingerprint or Windows Hello PIN
- Mks_1973 Iron Contributor
- sistoiv Copper Contributor
Many thanks, that's effectively the correct setup.
But in my system there is probably something (what? the firewall is correct) that still blocks the client's biometrics under Windows Hello settings.
I am going to open a ticket with my service support.
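A read-only check of the policy values discussed in this thread, to run in an elevated PowerShell session on the client. This is an added example, not part of any post above. The registry locations are the ones the standard Administrative Templates write to and are an assumption here, since the thread names only the policy titles; `$checks` and `$results` are illustrative names.

```powershell
# Added example: report the effective value of each policy named in the thread.
# Registry paths are assumed from the standard ADMX templates, not taken from the thread.
$checks = @(
    @{ Policy = 'Use Windows Hello for Business'
       Path   = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork';          Name = 'Enabled' },
    @{ Policy = 'Use biometrics (Windows Hello for Business)'
       Path   = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\Biometrics'; Name = 'Enabled' },
    @{ Policy = 'Allow the use of biometrics'
       Path   = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics';               Name = 'Enabled' },
    @{ Policy = 'Allow users to log on using biometrics'
       Path   = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider'; Name = 'Enabled' },
    @{ Policy = 'Allow domain users to log on using biometrics'
       Path   = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider'; Name = 'Domain Accounts' },
    @{ Policy = 'Turn on convenience PIN sign-in'
       Path   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System';           Name = 'AllowDomainPINLogon' }
)

$results = foreach ($c in $checks) {
    # Get-ItemProperty returns nothing when the key or value is absent (policy not configured).
    $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { $item.($c.Name) } else { $null }

    [pscustomobject]@{
        Policy = $c.Policy
        State  = if ($null -eq $value) { 'Not configured' }
                 elseif ($value -eq 1)  { 'Enabled' }
                 else                   { 'Disabled' }
        Raw    = $value
    }
}
$results | Format-Table -AutoSize

# The Windows Biometric Service must be able to start for any sensor to be offered at sign-in.
Get-Service -Name WbioSrvc | Select-Object Name, Status, StartType

# Lists biometric devices known to Plug and Play; an empty result points to a driver problem.
Get-PnpDevice -Class Biometric -ErrorAction SilentlyContinue |
    Select-Object FriendlyName, Status
```

A domain GPO that sets the same value overrides a setting made locally with gpedit, so a value showing 'Disabled' here despite a local change is worth tracing with `gpresult /h report.html`, which shows which GPO supplied each setting.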