
Active Directory Pin Login



Active Directory and domain controller configuration:

  • Required: Active Directory must have the third-party issuing CA in the NTAuth store to authenticate users to Active Directory.
  • Required: Domain controllers must be configured with a domain controller certificate to authenticate smartcard users.

Deploying Duo Authentication for Windows Logon to clients using Active Directory: Duo Authentication for Windows Logon may be deployed via a Group Policy software installation package. Use the MSI installers included in the zip file you downloaded earlier. We provide both 32-bit and 64-bit MSI files. Do not rename the MSI install files!


This article provides a resolution to make sure you can configure a PIN when Convenience PIN and Hello for Business policies are enabled in Windows 10.

Original product version: Windows 10 - all editions
Original KB number: 3201940

Symptoms

Users who are running Windows 10 Version 1607 or a later version of Windows 10 and who are joined to an Active Directory domain cannot create a convenience PIN, whereas users who are running Windows 10 Version 1511 or earlier can do so without a problem.


When users navigate to Settings > Accounts > Sign-in options, the option to set a PIN is unavailable (appears dimmed), and therefore it can't be configured.

Additionally, if a user has already configured a convenience PIN in an earlier version of Windows 10 and then upgrades to Windows 10 Version 1607 or later, the PIN works until the user navigates to Settings > Accounts > Sign-in options > I forgot my PIN. In this situation, the option to create a PIN is unavailable (appears dimmed). This issue also does not affect Windows 10 Version 1511 and earlier.

Cause

Windows 10 Version 1607 and later includes new functionality that differentiates Windows Hello for Business from a convenience sign-in PIN.

Windows Hello for Business has strong user authentication properties that are frequently and mistakenly assumed to be functioning when the Windows Hello for Business infrastructure is not in place and when a user is using a convenience PIN. This change prevents the creation of a PIN in Windows 10 and later versions without Windows Hello for Business.

Additionally, a user cannot create a convenience PIN in Windows 10 Version 1607 and later versions when the Use Convenience PIN and Use Windows Hello for Business policies are both enabled unless the device is joined to Azure Active Directory in some way (for example, it is either Azure AD-joined or has the Computer Configuration\Administrative Templates\Windows Components\device registration\Register domain joined computers as devices policy enabled).

To allow convenience PINs to be created on devices that are not joined to Azure AD, make sure that the following conditions are true:

  • The Use Windows Hello for Business policy is not enabled.
  • The Turn on convenience PIN sign-in policy is enabled.

Resolution

To use a convenience PIN in Windows 10 Version 1607 or later, the following Group Policy setting must be configured:

  • Policy: Turn on convenience PIN sign-in
  • Category: Path Computer Configuration\Administrative Templates\System\Logon

Note

  • The GPO specifies Windows Server 2012, Windows 8, Windows RT, Windows Server 2012 R2, Windows 8.1, and Windows RT 8.1 only. This is incorrect and will be updated at a later date. This policy does apply to Windows 10 and lets the user set a convenience PIN.
  • Enabling a PIN in this manner does not provide the same level of security as using a PIN with the Windows Hello for Business infrastructure configured.

PIN complexity: Manage PIN complexity in the standard way by using policies that are found in the following location:

Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business\PIN Complexity

Do not configure settings other than PIN complexity if you want to use a convenience PIN. Having both the Use Windows Hello for Business and Turn on convenience PIN sign-in policies enabled prevents you from setting a PIN.
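The following PowerShell audit is an added example, not part of the original article or Microsoft's code: it reads the two policies on the local machine and applies the rules from the Cause and Resolution sections. The registry paths and value names, the `dsregcmd` output pattern, and the function names are assumptions to confirm against the ADMX templates in your domain.

```powershell
# Added example. Assumption: these registry values back the two Group Policy
# settings discussed above; confirm against your deployed ADMX templates.
$PinKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'    # AllowDomainPINLogon
$WhfbKey = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'   # Enabled

function Get-PolicyDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the value is absent, i.e. the policy is Not Configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Resolve-PinCreationState {
    # Pure decision logic following the Cause and Resolution sections.
    param($ConveniencePin, $HelloForBusiness, [bool]$AzureAdJoined)
    $pinOn  = ($ConveniencePin -eq 1)
    $whfbOn = ($HelloForBusiness -eq 1)
    if (-not $pinOn) {
        return 'No convenience PIN: Turn on convenience PIN sign-in is not enabled'
    }
    if ($whfbOn -and -not $AzureAdJoined) {
        return 'Blocked: both policies enabled on a device not joined to Azure AD'
    }
    if ($whfbOn) {
        return 'Not blocked: both policies enabled, device is joined to Azure AD'
    }
    return 'Convenience PIN allowed (weaker than Windows Hello for Business)'
}

$pin  = Get-PolicyDword -Path $PinKey  -Name 'AllowDomainPINLogon'
$whfb = Get-PolicyDword -Path $WhfbKey -Name 'Enabled'
# Assumption: dsregcmd prints "AzureAdJoined : YES" for Azure AD joined and
# hybrid joined devices; an empty match list casts to $false.
$joined = [bool]((& dsregcmd.exe /status) -match 'AzureAdJoined\s*:\s*YES')

[pscustomobject]@{
    ConveniencePinPolicy   = $pin
    HelloForBusinessPolicy = $whfb
    AzureAdJoined          = $joined
    Verdict                = Resolve-PinCreationState $pin $whfb $joined
}
```

Run it in an elevated or standard session on the affected client; a blank policy column means the setting is Not Configured on that machine.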

More information

When Windows Hello for Business is not in place and a user has a convenience PIN configured, the user is using a password stuffer, which does not have any of the security qualities of Windows Hello for Business. Password stuffers are convenience sign-in PINs and are controlled by the Turn on convenience PIN sign-in Group Policy setting.


Microsoft has made this the default behavior since Windows 10 Version 1607. The security offered by this default behavior can be decreased at the user's own discretion by enabling a convenience PIN.


For more information, see Windows Hello for Business.




