2

In my office we have a Linux based server (nethserver) which handles stuff like samba share, DHCP, and newly added: active directory (for our Windows clients) etc.

Now because of the lack of security I decided to use the server as AD controller to enable domain user login on the Windows clients.

So now I really want to use a fingerprint sensor for the colleagues to log in, but it is greyed out in the account settings.

So what is working:

  • Active Directory on Server
  • adding Windows PC to domain
  • login as a domain user on Windows machine

What I need to work:

  • fingerprint sensor login (Windows Hello maybe?)
  • I think PIN login is required for fingerprint login (?)

What I have already tried:

  • in GPO allowed fingerprint sensor login (computer config AND user config, just to be sure) and Windows Hello, PIN login.

I think I read somewhere that I HAVE TO use a Windows Server domain to enable Windows Hello for Business and so the PIN login or fingerprint sensor.

Does anyone know if there is a workaround to enable fingerprint reader for Windows clients in a domain?

Mokubai
Sethologik
  • Have you made any progress on this? I have the same issue. What samba version are you using? – jan Aug 13 '19 at 07:50
  • I found a solution for this. First edit Registry: HKLM\SOFTWARE\Policies\Microsoft\Windows\System DWORD32: AllowDomainPINLogon = 1. After that, edit GPO: Computer-config -> Admin -> Windows components -> biometric -> allow domain user to login via biometric (roughly translated from German, sorry for that) – Sethologik Aug 21 '19 at 06:35

2 Answers

1

I found a solution for this. First edit Registry: HKLM\SOFTWARE\Policies\Microsoft\Windows\System DWORD32: AllowDomainPINLogon = 1. After that, edit GPO: Computer-config -> Admin -> Windows components -> biometric -> allow domain user to login via biometric (roughly translated from German, sorry for that)

Sethologik
0

I know I came late to this, but this solution works, even for Win11.

Open Group Policy Editor: Navigate to the following setting: Computer Configuration > Administrative Templates > System > Logon. Enable “Turn on the convenience PIN Sign-in”.

Add Reg Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System] – "AllowDomainPINLogon"=dword:00000001

Jobst
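The registry step that both answers describe, as an added example that is not part of either answer: a PowerShell sketch that sets the value idempotently and reports the state before and after. The function names are hypothetical; the key path and value name are the ones given in the answers.

```powershell
#Requires -RunAsAdministrator
# Added example. Function names are hypothetical; the key path and
# value name are taken from the answers above.
$KeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$ValueName = 'AllowDomainPINLogon'

function Get-DomainPinLogonPolicy {
    # Returns the current DWORD, or $null when the key or value is absent.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-DomainPinLogonPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateSet(0, 1)][int]$Value = 1)

    $current = Get-DomainPinLogonPolicy
    if ($current -eq $Value) {
        Write-Verbose "$ValueName is already $Value; nothing to change."
        return
    }
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", "Set DWORD to $Value")) {
        # Create the policy key only when it is missing, so existing
        # values under it are left untouched.
        if (-not (Test-Path -Path $KeyPath)) {
            New-Item -Path $KeyPath -Force | Out-Null
        }
        New-ItemProperty -Path $KeyPath -Name $ValueName `
            -PropertyType DWord -Value $Value -Force | Out-Null
    }
}

# Record the state before the change, apply it, then read it back.
$before = Get-DomainPinLogonPolicy
Set-DomainPinLogonPolicy -Value 1 -Verbose
[pscustomobject]@{
    Computer = $env:COMPUTERNAME
    Before   = if ($null -eq $before) { 'not set' } else { $before }
    After    = Get-DomainPinLogonPolicy
}
```

Run it from an elevated PowerShell session; calling `Set-DomainPinLogonPolicy -WhatIf` previews the change without writing to the registry.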