PIN’s used to work in Windows 10 with no changes to GPO’s but at some point in recent Win 10 ADMX templates, Microsoft added an odd setting. They turned off PIN’s by default and you have to turn them on in via GPO if you want to use them on a domain connected user account.
This means that there is not a GPO that is blocking your use of PINs and the message “THIS SETTING IS MANAGED BY YOUR ORGANIZATION” is very misleading.
The solution to using PIN’s on a domain is quite easy:
- Open Group Policy Editor and either create a new policy or edit an existing one
- Expand Computer Configuration > Administrative Templates > System > Logon
- Double click on Turn on convenience PIN sign-in
- Select ENABLED
- Wait for your PC to sync with the domain or run a GPUPDATE /FORCE
- Have a nice day
Notice in the Settings app you’re experiencing this issue, that “Some settings are managed by your organization.” If your Windows 10 PC belongs only to you. Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesUser Rights Assignment. By default, members of the Administrators and Local Service groups have this right on workstations and servers. Members of the Administrators, Server Operators, and Local Service groups have this right on domain controllers. I've removed a computer from our domain and placed it in a workgroup. Some settings, like Windows Update are still showing as 'managed by your system administrator'. Any idea how to clear this out? I intend for this to be a truly stand-alone system. Computer Configuration Windows Settings Security Settings Local Policies User Rights Assignment. By default, members of the Administrators and Local Service groups have this right on workstations and servers. Members of the Administrators, Server Operators, and Local Service groups have this right on domain controllers.
This makes WINDOWS HELLO PINS optional, if you want to require a PIN go to USER > Administrative Templates > Windows Component, and select Windows Hello for Business
Also note that if you are a local administrator (i.e. on your corporate PC), you can also make this change in the LOCAL GROUP POLICY EDITOR by clicking START, typing GPEDIT.MSC .
Some Settings Are Managed By Administrator
This has been a up my butt for months now. I could not find the GPO that was blocking the use of PIN’s no matter how many GPRESULT -R’s I ran, so I hope this helps your frustration level.