PINs used to work in Windows 10 with no changes to GPOs, but at some point in recent Win 10 ADMX templates Microsoft added an odd setting. They turned off PINs by default, and you have to turn them on via GPO if you want to use them on a domain-connected user account.
This means that there is not a GPO that is blocking your use of PINs and the message “THIS SETTING IS MANAGED BY YOUR ORGANIZATION” is very misleading.
The solution to using PINs on a domain is quite easy:
- Open Group Policy Editor and either create a new policy or edit an existing one
- Expand Computer Configuration > Administrative Templates > System > Logon
- Double-click on Turn on convenience PIN sign-in
- Select ENABLED
- Wait for your PC to sync with the domain or run GPUPDATE /FORCE
- Have a nice day
This makes WINDOWS HELLO PINS optional. If you want to require a PIN, go to User Configuration > Administrative Templates > Windows Components and select Windows Hello for Business.
Also note that if you are a local administrator (i.e. on your corporate PC), you can also make this change in the LOCAL GROUP POLICY EDITOR by clicking START and typing GPEDIT.MSC.
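To confirm the setting has actually reached a machine after GPUPDATE, you can read the registry values behind these policies. The script below is an added example, not part of the original post; the function names are hypothetical, and it assumes the policy is stored as `AllowDomainPINLogon` under the `Policies\Microsoft\Windows\System` key and that Windows Hello for Business uses `Enabled` under `Policies\Microsoft\PassportForWork`.

```powershell
# Added example: report whether the convenience PIN policy has been applied here.
# Function names are hypothetical; reading these keys does not require elevation.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # A missing key or value means the policy is "Not Configured".
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function ConvertTo-PolicyState {
    param($Value)
    if ($null -eq $Value) { return 'Not configured' }
    if ($Value -eq 1)     { return 'Enabled' }
    return 'Disabled'
}

function Get-ConveniencePinStatus {
    $joined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain

    # "Turn on convenience PIN sign-in" (Computer Configuration > ... > System > Logon)
    $pin  = Get-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' 'AllowDomainPINLogon'
    # "Windows Hello for Business" policy, computer scope and user scope
    $whfbMachine = Get-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork' 'Enabled'
    $whfbUser    = Get-PolicyValue 'HKCU:\SOFTWARE\Policies\Microsoft\PassportForWork' 'Enabled'

    $verdict = if (-not $joined) {
        'Not domain-joined: the domain PIN default described above is not in play.'
    } elseif ($pin -eq 1) {
        'Convenience PIN policy is applied; PIN sign-in should be offered.'
    } else {
        'Convenience PIN is not enabled by policy; enable the GPO, then run GPUPDATE /FORCE.'
    }

    [pscustomobject]@{
        DomainJoined          = $joined
        ConveniencePinPolicy  = ConvertTo-PolicyState $pin
        HelloForBusinessHKLM  = ConvertTo-PolicyState $whfbMachine
        HelloForBusinessHKCU  = ConvertTo-PolicyState $whfbUser
        Verdict               = $verdict
    }
}

Get-ConveniencePinStatus | Format-List
```

A "Not configured" result on a domain-joined machine matches the situation described above: no GPO is blocking PINs, the setting has simply never been turned on.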
This has been up my butt for months now. I could not find the GPO that was blocking the use of PINs no matter how many GPRESULT -R’s I ran, so I hope this helps your frustration level.