How to Enable or Disable Domain Users to Sign in with PIN to Windows 10


Windows Hello in Windows 10 enables users to sign in to their device using a PIN (Personal Identification Number). You can use this PIN to sign in to Windows, apps, and services.

One important difference between a password and a Hello PIN is that the PIN is tied to the specific device on which it was set up. That PIN is useless to anyone without that specific hardware. Someone who steals your password can sign in to your account from anywhere, but if they steal your PIN, they'd have to steal your physical device too!

Even you can't use that PIN anywhere except on that specific device. If you want to sign in on multiple devices, you have to set up Hello on each device.

By default, PCs joined to a domain cannot sign in using a PIN unless enabled via policy.

This tutorial will show you how to enable or disable allowing domain users to set up and sign in to Windows 10 using a PIN.

You must be signed in as an administrator to enable or disable PIN for domain users.



Contents

  • Option One: To Enable or Disable Domain Users Sign-in using PIN in Group Policy
  • Option Two: To Enable or Disable Domain Users Sign-in using PIN using a REG file






OPTION ONE

To Enable or Disable Domain Users Sign-in using PIN in Group Policy


Local Group Policy Editor is only available in the Windows 10 Pro, Enterprise, and Education editions.

All editions can use Option TWO below.


1 Open the Local Group Policy Editor.

2 In the left pane of Local Group Policy Editor, navigate to the location below.

Computer Configuration\Administrative Templates\System\Logon


3 In the right pane of Logon in Local Group Policy Editor, double click/tap on the Turn on convenience PIN sign-in policy to edit it.

4 Do step 5 (enable) or step 6 (disable) below for what you would like to do.


5 To Enable Domain Users Sign-in using PIN

A) Select (dot) Enabled, click/tap on OK, and go to step 7 below.


6 To Disable Domain Users Sign-in using PIN

A) Select (dot) Not Configured or Disabled, click/tap on OK, and go to step 7 below.

Not Configured is the default setting.


7 When finished, you can close the Local Group Policy Editor, and restart the computer to apply.





OPTION TWO

To Enable or Disable Domain Users Sign-in using PIN using a REG file


The downloadable .reg files below will add and modify the DWORD value in the registry key below.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System

AllowDomainPINLogon DWORD

0 or (delete) = Disable
1 = Enable


1 Do step 2 (enable) or step 3 (disable) below for what you would like to do.


2 To Enable Domain Users Sign-in using PIN

A) Click/tap on the Download button below to download the file below, and go to step 4 below.

Enable_Domain_users_PIN_Sign-in.reg

Download


3 To Disable Domain Users Sign-in using PIN

This is the default setting.

A) Click/tap on the Download button below to download the file below, and go to step 4 below.

Disable_Domain_users_PIN_Sign-in.reg

Download


4 Save the .reg file to your desktop.

5 Double click/tap on the downloaded .reg file to merge it.

6 When prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve the merge.

7 Restart the computer to apply.

8 If you like, you can now delete the downloaded .reg file.


That's it,
Shawn
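
The registry change from Option Two, as an added PowerShell example that is not one of the tutorial's downloadable .reg files: it reports the current AllowDomainPINLogon state and enables or disables it, treating a missing value as disabled. The function names are hypothetical; the key path and value name are the ones listed under Option Two, and an elevated PowerShell prompt is assumed.

```powershell
# Added example, not the tutorial's .reg files. Run from an elevated PowerShell prompt.
# Key path and value name come from Option Two; the function names are hypothetical.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$ValueName = 'AllowDomainPINLogon'

function Get-DomainPinPolicy {
    # 1 = Enabled; 0 or a missing value = Disabled (the default).
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Disabled' }
    if ($item.$ValueName -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Set-DomainPinPolicy {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Enabled', 'Disabled')]
        [string]$State
    )
    $before = Get-DomainPinPolicy
    if ($State -eq 'Enabled') {
        if ($PSCmdlet.ShouldProcess("$PolicyKey\$ValueName", 'Set DWORD to 1')) {
            # The policy key may not exist yet on a machine with no policy applied.
            if (-not (Test-Path -Path $PolicyKey)) {
                New-Item -Path $PolicyKey -Force | Out-Null
            }
            New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
    else {
        if ($PSCmdlet.ShouldProcess("$PolicyKey\$ValueName", 'Delete value')) {
            # Deleting the value returns the machine to the default (disabled).
            Remove-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
        }
    }
    # Report the state before and after so the change can be logged.
    [pscustomobject]@{ Before = $before; After = Get-DomainPinPolicy }
}

# Report the current state without changing anything.
Get-DomainPinPolicy
# Preview a change first; drop -WhatIf to apply it, then restart the computer.
Set-DomainPinPolicy -State Disabled -WhatIf
```

With `-WhatIf` the registry is left untouched, so `Before` and `After` report the same state.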