Enable Windows Hello Feature


If you are trying to use Windows Hello to use your face to login to a domain connected device (like a Surface Pro 4 for example) then you may find that the option to set it up is greyed out and not available to you.

This seems to be some sort of Microsoft bug and we have never found any definitive reason for why this happens, but we have found the fix for it.

You need to make a small registry edit on your device. You can do this manually, download and run a .reg file from us or you can always use Group Policy.

Method 1 – Edit the registry manually

So, you go into regedit by clicking the Start button and typing regedit and press the Enter key. Then browse to the following location:

You then need to create a DWORD with the following values:

  • DWORD Name = AllowDomainPINLogon
  • Value = 1

Reboot your device and you should notice that you can now set your Windows Hello feature up.

Method 2 – Download a reg file

You can download a .reg file from us using the button below:

Download Windows Hello Registry Fix

Then, just unzip the package and double click the .reg file. Allow it to make the change to your device and reboot. Again, you should now see that this Windows Hello feature is now available for you.

Method 3 – Group Policy

If your device is on a domain then you can create a Group Policy to apply this fix to multiple devices. Open up Group Policy and create a new Group Policy Object (or edit an existing one if you wish).

Then, go to the following location in the GPO:

Then set the following  settings:

  • Allow domain users to log on using biometrics: Enabled

Then browse to this location in the GPO:

You should check that none of the settings are amended in this part of the GPO and all are set to Not configured:

Deploy the GPO to where you need to and this should enable Windows Hello.


If you have any questions or feedback on this guide, please feel free to leave us a message below.

Leave us a message...