I'm trying to help someone with a Surface Pro running v1909. It's joined to a local AD domain at his office. He's logging in with a domain user account but he would like to also setup a PIN. There are no group policies setup to have anything to do with PINs and I'm not even sure that it could be done. Other domain joined computers have a PIN set so I'm sure it's just something with this Surface.

The problem is that when he goes to Settings > Accounts > Sign-in options and clicks on Windows Hello PIN to expand that section, instead of seeing a Change button or I forgot my PIN link, there is a message that says "This option is currently unavailable-click to learn more" and "Sorry, this PIN isn't working for your organization's resources. Tap or click here to fix it."

It doesn't matter what he clicks on, it doesn't help. I've tried deleting the NGC folder and having him reboot but the same messages appear in the Windows Hello PIN section. So far I haven't found anything else to do. I'm hoping someone here can help.