Enable Windows Hello Feature


If you are trying to use Windows Hello to use your face to login to a domain connected device (like a Surface Pro 4 for example) then you may find that the option to set it up is greyed out and not available to you.

This seems to be some sort of Microsoft bug and we have never found any definitive reason for why this happens, but we have found the fix for it.

You need to make a small registry edit on your device. You can do this manually, download and run a .reg file from us or you can always use Group Policy.

Method 1 – Edit the registry manually

So, you go into regedit by clicking the Start button and typing regedit and press the Enter key. Then browse to the following location:


You then need to create a DWORD with the following values:

  • DWORD Name = AllowDomainPINLogon
  • Value = 1

Reboot your device and you should notice that you can now set your Windows Hello feature up.

Method 2 – Download a reg file

You can download a .reg file from us using the button below:

Download Windows Hello Registry Fix

Then, just unzip the package and double click the .reg file. Allow it to make the change to your device and reboot. Again, you should now see that this Windows Hello feature is now available for you.

Method 3 – Group Policy

If your device is on a domain then you can create a Group Policy to apply this fix to multiple devices. Open up Group Policy and create a new Group Policy Object (or edit an existing one if you wish).

Then, go to the following location in the GPO:

Computer configuration > Administrative templates > Windows Components > Biometric

Then set the following  settings:

  • Allow domain users to log on using biometrics: Enabled

Then browse to this location in the GPO:

Computer configuration > Administrative templates > Windows Components > Windows Hello for Business

You should check that none of the settings are amended in this part of the GPO and all are set to Not configured:

Deploy the GPO to where you need to and this should enable Windows Hello.


If you have any questions or feedback on this guide, please feel free to leave us a message below.

You might also like...

3 Responses

  1. There is also the regkey way of doing it – method 1 in our guide above. Should be able to use Group Policy Preferences to push/update the regkey then.

  2. You should be able to download a Group Policy template (admx) for it. I’ve had this working on a Windows 2008 domain so it can be done. You could install RSAT tools for Windows 10 and then run the Group Policy console from a Windows 10 machine and find it in there.

  3. Jay says:

    Hi I’m running Windows Server 2008r2 Domain Level 2008r2, we dont have the “Windows Hello for Business” option in the GPo, i’m guessing we have to upgrade out domain level? is there a way to do this by Regkey?

Leave us a message...

This site uses Akismet to reduce spam. Learn how your comment data is processed.