This article explains how to enable or disable domain users from using Windows Hello Biometrics to log on to Windows 11.
Windows 11 has a Windows Hello feature that provides a more personal and secure way to sign into Windows. With Windows Hello, one can use a PIN, facial recognition, or fingerprint to sign into their devices securely.
Most new Windows devices you purchase today come with biometrics features. In addition, Windows will prompt you to set up a biometrics feature to protect your device and enhance your data security.
However, Windows Hello Biometrics may not be compatible with a domain environment where user management is centralized.
Here’s how to allow or disallow domain users from using Windows Hello Biometrics to log on to Windows 11.
Turn on or off the use of Windows Hello Biometrics for domain users via the Local Group Policy Editor
As described above, Windows Hello Biometrics features enhance security and data protection. However, users cannot use Windows biometrics features in every case.
Here’s how to enable or disable it.
First, open the Local Group Policy Editor.
Then expand the following folders:
Computer Configuration -> Administrative Templates -> Windows Components -> Biometrics
Next, click the Biometrics folder in the left panel, then double-click the setting on the right called “Allow domain users to log on using biometrics” to open it.

When the setting window opens, select one of the options:
- Not Configured – Same as enabled. The Biometrics service is available.
- Enabled – Windows Hello Biometrics service is available to use.
- Disabled – Windows Hello Biometrics service is unavailable, and users cannot use Biometrics.

Save your settings and restart your computer for the changes to apply.
Enable or disable Windows Hello Biometrics for domain users via the Windows Registry Editor
Yet another way to turn on or off Windows Hello Biometrics in Windows is to use the Windows Registry Editor.
If you can’t open the Local Group Policy Editor, use the Windows Registry editor instead.
Open the Windows Registry, and navigate to the folder key path below.
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft
If you don’t see the Biometrics folder key, right-click the Microsoft key and create a subkey named Biometrics.

Select the Biometrics folder key, right-click in its right pane, and select New -> DWORD (32-bit) Value. Name the new value Enabled.
Double-click the new key item name (Enabled) and make sure the Base option is Decimal, and then update the Value data, making sure you keep your existing value:
- To turn this feature on, type 1.
- To turn this feature off, type 0.

Save your changes and restart your computer.
That should do it!
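The registry steps above as a script, useful when the value has to be applied or audited on more than one machine. This is an added example, not part of the original article: the key path and value name are the ones given in the steps above, and the function names Set-BiometricsPolicy and Get-BiometricsPolicy are hypothetical. Run it from an elevated PowerShell session.

```powershell
# Added example. Key path and value name are the ones given in the steps above;
# the function names are hypothetical. Run from an elevated PowerShell session.
$KeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics'
$ValueName = 'Enabled'

function Set-BiometricsPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet(0, 1)]
        [int]$Enabled
    )
    # Create the Biometrics subkey only if it is missing.
    if (-not (Test-Path -Path $KeyPath)) {
        if ($PSCmdlet.ShouldProcess($KeyPath, 'Create registry key')) {
            New-Item -Path $KeyPath -Force | Out-Null
        }
    }
    # -Force overwrites an existing value, including one created with the wrong type.
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", "Set DWORD to $Enabled")) {
        New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
            -Value $Enabled -Force | Out-Null
    }
}

function Get-BiometricsPolicy {
    # Report the states separately: value absent, wrong type, 0, or 1.
    $key = Get-Item -Path $KeyPath -ErrorAction SilentlyContinue
    if ($null -eq $key -or $ValueName -notin $key.GetValueNames()) {
        return [pscustomobject]@{ State = 'NotConfigured'; Value = $null; Kind = $null }
    }
    $kind  = $key.GetValueKind($ValueName)
    $value = $key.GetValue($ValueName)
    if ($kind -ne 'DWord')  { $state = 'WrongType' }
    elseif ($value -eq 1)   { $state = 'On' }
    elseif ($value -eq 0)   { $state = 'Off' }
    else                    { $state = 'Unexpected' }
    [pscustomobject]@{ State = $state; Value = $value; Kind = $kind }
}

Set-BiometricsPolicy -Enabled 0 -WhatIf   # preview only; drop -WhatIf to apply
Get-BiometricsPolicy
```

A restart is still required after applying the value, as in the manual steps.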
Conclusion:
- Enabling or disabling Windows Hello Biometrics for domain users is crucial for organizations with centralized user management.
- The process can be accomplished through the Local Group Policy Editor or the Windows Registry Editor.
- By following these steps, users can control the availability of Windows Hello Biometrics, enhancing security and data protection within their domain environment.