How to Enable or Disable Domain Users to Sign in to Windows 10 using Biometrics
Windows Hello biometrics lets you sign in to your devices, apps, online services, and networks using your face, iris, or fingerprint.
For more information about Windows Hello, see:
- Windows Hello and privacy | Microsoft privacy
- Windows Hello | Microsoft Docs
- Windows Hello biometric requirements | Microsoft Docs
- Windows Hello - UWP app developer | Microsoft Docs
- Making Windows 10 More Personal and More Secure with Windows Hello - Windows Experience Blog
- Windows Hello biometrics in the enterprise (Windows 10) | Microsoft Docs
By default, users with a domain account can sign in to Windows 10 and elevate UAC permissions using biometrics unless disabled via policy.
This tutorial will show you how to enable or disable allowing domain users to sign in to Windows 10 using biometrics.
This policy will not affect local users signing in using biometrics.
You must be signed in as an administrator to enable or disable allowing domain users to sign in using biometrics.
- Option One: Enable or Disable Domain Users to Sign in to Windows 10 using Biometrics in Local Group Policy Editor
- Option Two: Enable or Disable Domain Users to Sign in to Windows 10 using Biometrics using a REG file
The Local Group Policy Editor is only available in the Windows 10 Pro, Enterprise, and Education editions.
All editions can use Option Two below.
1. Open the Local Group Policy Editor.
2. In the left pane of Local Group Policy Editor, navigate to the location below. (see screenshot below)
Computer Configuration\Administrative Templates\Windows Components\Biometrics
3. In the right pane of Biometrics in Local Group Policy Editor, double click/tap on the Allow domain users to log on using biometrics policy to edit it. (see screenshot above)
4. Do step 5 (enable) or step 6 (disable) below for what you would like to do.
A) Select (dot) Not Configured or Enabled, click/tap on OK, and go to step 7 below. (see screenshot below)
Not Configured is the default setting.
7. When finished, you can close the Local Group Policy Editor.
The downloadable .reg files below will add and modify the DWORD value in the registry key below.
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider
Domain Accounts DWORD
0 = Disable
1 = Enable
1. Do step 2 (enable) or step 3 (disable) below for what you would like to do.
This is the default setting.
A) Click/tap on the Download button below to download the file below, and go to step 4 below.
Enable_domain_users_to_sign_in_using_biometrics.reg
A) Click/tap on the Download button below to download the file below, and go to step 4 below.
Disable_domain_users_to_sign_in_using_biometrics.reg
4. Save the .reg file to your desktop.
5. Double click/tap on the downloaded .reg file to merge it.
6. When prompted, click/tap on Run, OK (UAC), Yes, and OK to approve the merge.
That's it,
Shawn
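The registry value from Option Two can also be checked and set from an elevated PowerShell prompt, which is useful when you need to confirm the setting on several PCs. This is an added example, not part of the original tutorial or its .reg files; the function names are hypothetical, and treating a missing value as Not Configured is an assumption based on the default described above.

```powershell
# Added example, not from the original tutorial. Run from an elevated PowerShell session.
# Key path and value name are the ones given on this page; function names are hypothetical.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider'
$ValueName = 'Domain Accounts'

function Get-DomainBiometricPolicy {
    # Read the DWORD if present; $null means the key or the value does not exist.
    $raw = $null
    if (Test-Path -LiteralPath $PolicyKey) {
        $item = Get-ItemProperty -LiteralPath $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -ne $item) { $raw = $item.$ValueName }
    }
    # Assumption: an absent value corresponds to Not Configured (the default, sign-in allowed).
    if     ($null -eq $raw) { $state = 'NotConfigured' }
    elseif ($raw -eq 0)     { $state = 'Disabled' }
    elseif ($raw -eq 1)     { $state = 'Enabled' }
    else                    { $state = "Unexpected ($raw)" }
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; RawValue = $raw; State = $state }
}

function Set-DomainBiometricPolicy {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Enabled', 'Disabled', 'NotConfigured')]
        [string]$State
    )
    if ($State -eq 'NotConfigured') {
        # Remove only the value; other settings under the key are left alone.
        if (Test-Path -LiteralPath $PolicyKey) {
            Remove-ItemProperty -LiteralPath $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
        }
    }
    else {
        # Create the key only when missing: New-Item -Force on an existing
        # registry key would recreate it and drop its other values.
        if (-not (Test-Path -LiteralPath $PolicyKey)) {
            New-Item -Path $PolicyKey -Force | Out-Null
        }
        $dword = if ($State -eq 'Enabled') { 1 } else { 0 }
        New-ItemProperty -LiteralPath $PolicyKey -Name $ValueName -PropertyType DWord -Value $dword -Force | Out-Null
    }
    Get-DomainBiometricPolicy   # read back what is actually stored
}

# Report only:                    Get-DomainBiometricPolicy
# Block biometric domain sign-in: Set-DomainBiometricPolicy -State Disabled
```

On a domain-joined PC, a domain Group Policy that sets the same policy will overwrite a locally written value at the next policy refresh.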
Related Tutorials
- How to Enable or Disable Windows Hello Biometrics in Windows 10
- How to Enable or Disable Users to Sign in to Windows 10 using Biometrics
- How to Join a Windows 10 PC to a Local Active Directory Domain
- How to Remove a Windows 10 PC from a Local Active Directory Domain
- How to Enable or Disable Domain Users to Sign in with PIN to Windows 10
- How to Enable or Disable Domain Users to Sign in with Picture Password to Windows 10
- How to Enable or Disable Users to use Companion Device to Sign in to Windows 10
- How to Add or Remove a Fingerprint for your Account in Windows 10
- How to Set Up Windows Hello Face Recognition in Windows 10
- Enable Enhanced Anti-Spoofing for Windows Hello Face Authentification in Windows 10
- How to Remove Your Face from Windows Hello in Windows 10
- How to Improve Windows Hello Face Recognition in Windows 10
- How to Turn On or Off Automatically Dismiss Lock Screen for Windows Hello Face in Windows 10
- How to Enable or Disable Show Local Users on Sign-in Screen on Domain Joined Windows 10 PC