Forum Discussion

sistoiv
Copper Contributor
Oct 31, 2024

Enable domain users sign in to Windows client using biometrics

Hi everyone.

I've read some posts on this topic, like this one:

https://www.makeuseof.com/allow-block-biometrics-windows-11/

I selected (via gpedit) the domain users sign-in feature on one client machine, but its fingerprint option still remains disabled.

So I guess that it's necessary to operate on AD (the server). Can you explain to me how to do this?

Many thanks.

  • Mks_1973
    Iron Contributor

    Open Group Policy Management on the domain controller.
    Create a new Group Policy Object (GPO) or edit an existing GPO that targets the organizational units (OUs) containing the Windows clients.
    Computer Configuration -> Administrative Templates -> Windows Components -> Windows Hello for Business

    The following policies need to be enabled:
    Use Windows Hello for Business: Set this to Enabled.
    Use biometrics: Ensure this is set to Enabled.

    -----------------------------------
    On the client machine:
    Open the Local Group Policy Editor (gpedit.msc),
    then go to: Computer Configuration -> Administrative Templates -> Windows Components -> Biometrics
    Allow the use of biometrics: Set to Enabled.
    Allow users to log on using biometrics: Set to Enabled.

    Note: Ensure the fingerprint sensor driver is properly installed and working.

    Enable the Credential Provider for Biometrics (gpedit.msc) on the client:

    Computer Configuration -> Administrative Templates -> System -> Logon
    Enable "Turn on convenience PIN sign-in"

    ----------------------------------
    Open Active Directory Users and Computers.
    Find the user account that you want to enable biometrics for and double-click it.
    Go to the Account tab.
    Ensure that there are no restrictions on the account that might prevent Windows Hello from working (e.g., "Smart card is required for interactive logon" should not be checked).

    Please ensure the client machine can communicate with the domain controller.
    Also make sure that Windows Hello for Business and related services are allowed through the firewall on both the client and the server.

    After the above configuration, please restart both the domain controller (if possible) and the client machine.

    Now try logging in as a domain user on the client machine and navigate to Settings -> Accounts -> Sign-in options.
    You should now see the option to set up a fingerprint or a Windows Hello PIN.
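An added PowerShell audit for the checklist above (my own script, not Mks_1973's and not Microsoft tooling). It reads the registry values that the listed GPO settings write on the client, including the "Allow domain users to log on using biometrics" value that the original question refers to, then checks the fingerprint sensor, the Windows Biometric Service, the secure channel to the domain controller, and the "Smart card is required for interactive logon" flag on the AD account. The registry paths and value names are my own mapping of the policy names (verify them against your ADMX files), the account name is a constructed placeholder, and the last section assumes the ActiveDirectory RSAT module is installed.

```powershell
# Added example, not from the thread: audit the client-side state behind the
# steps above. Run in an elevated PowerShell on the domain-joined client.
# Registry paths are my mapping of the GPO setting names to the policy keys
# they write; "Domain Accounts" backs "Allow domain users to log on using
# biometrics", the setting the original question is about.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # key or value absent: not configured
    return $item.$Name
}

# Label, registry key, value name, expected DWORD when the policy is Enabled
$checks = @(
    @{ Label = 'WHfB: Use Windows Hello for Business'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
       Name  = 'Enabled';             Expect = 1 },
    @{ Label = 'WHfB: Use biometrics'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\Biometrics'
       Name  = 'UseBiometrics';       Expect = 1 },
    @{ Label = 'Biometrics: Allow the use of biometrics'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics'
       Name  = 'Enabled';             Expect = 1 },
    @{ Label = 'Biometrics: Allow users to log on using biometrics'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider'
       Name  = 'Enabled';             Expect = 1 },
    @{ Label = 'Biometrics: Allow domain users to log on using biometrics'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider'
       Name  = 'Domain Accounts';     Expect = 1 },
    @{ Label = 'Logon: Turn on convenience PIN sign-in'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
       Name  = 'AllowDomainPINLogon'; Expect = 1 }
)

"== Policy values (<not set> = not configured, so the OS default applies) =="
foreach ($c in $checks) {
    $actual = Get-PolicyValue -Path $c.Path -Name $c.Name
    $shown  = if ($null -eq $actual) { '<not set>' } else { $actual }
    $state  = if ($actual -eq $c.Expect) { 'OK' } else { 'CHECK' }
    '{0,-5} {1,-60} = {2}' -f $state, $c.Label, $shown
}

"`n== Biometric hardware and service =="
# The sensor must enumerate under the Biometric device class with status OK;
# a Problem code here means the driver step above is not actually done.
Get-PnpDevice -Class Biometric -ErrorAction SilentlyContinue |
    Select-Object FriendlyName, Status, Problem | Format-Table -AutoSize
# WbioSrvc is the Windows Biometric Service; stopped or disabled means no
# fingerprint enrollment regardless of policy.
Get-Service -Name WbioSrvc | Select-Object Name, Status, StartType | Format-Table -AutoSize

"`n== Domain connectivity =="
# Verifies the machine's secure channel to a DC before blaming policy or hardware.
Test-ComputerSecureChannel -Verbose

"`n== AD account restriction (needs the ActiveDirectory RSAT module) =="
# userAccountControl bit 0x40000 is SMARTCARD_REQUIRED, the attribute behind
# the "Smart card is required for interactive logon" checkbox on the Account tab.
$sam = 'jdoe'   # constructed placeholder, replace with the real sAMAccountName
$u = Get-ADUser -Identity $sam -Properties userAccountControl -ErrorAction SilentlyContinue
if ($u) {
    $scRequired = ($u.userAccountControl -band 0x40000) -ne 0
    'User {0}: SmartcardLogonRequired = {1}' -f $sam, $scRequired
}
```

Anything reported as CHECK or `<not set>` in the first section points at a policy that has not reached the client, so run `gpupdate /force` and `gpresult /h report.html` on the client to confirm which GPO (domain or local) is actually winning; a sensor with a Problem code or a stopped WbioSrvc explains a greyed-out fingerprint option even when every policy is correct.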



  • sistoiv
    Copper Contributor

    Many thanks, that's effectively the correct setup.
    But in my system there is probably still something (what? the firewall is correct) that blocks the client's biometrics under the Windows Hello settings.
    I am going to open a ticket with my service support.
