This article covers how to enable Windows Hello mechanisms so that users get prompted to set them up in Windows Hello when enrolling in Okta Verify.
- Okta Identity Engine (OIE)
- Windows operating systems: 10, 11
- Okta Verify
- The question of how to enable Windows Hello has come up in regard to User Verification (UV) being disabled.
- Windows Hello is the mechanism Windows uses to implement UV solutions (PIN, Biometrics). When it is disabled, some admins ask how to "turn it on" or "enable" it so that Windows does prompt. Because the mechanism that provides UV is OS-specific, this is more of a question about how to manage Windows 10 and 11 operating systems.
- There is an Okta Solution for enabling User Verification globally.
- Also, there is a Microsoft solution. Consult Microsoft before implementation; the admin assumes all responsibility for vetting the following information for specific functionality in their OS before implementing it.
- The OS options include a Group Policy modification or a Registry modification, as per the Microsoft Answers question on the subject.
Method 1: Using Group policy settings
If using Windows 10 Pro edition, it is possible to change the group policy settings to enable the PIN sign-in option for all users.
- Open the Run dialog box by pressing the Windows key and the R key together.
- Type GPEDIT.MSC and hit the Enter key.
- Go to Computer Configuration > Administrative Templates > System > Logon.
- On the right side, double-click on Turn on convenience PIN sign-in and select Enabled.
- Similarly, enable the other Windows Hello options, if any.
- Exit the Group Policy Editor and reboot the computer.
If Biometrics are NOT available on the system, enabling them will also effectively "enable" the Windows Hello Prompt on OV enrollment.
- Open the Run dialog box by pressing the Windows key and the R key together.
- Type GPEDIT.MSC and hit the Enter key.
- Go to Computer Configuration > Administrative Templates > Windows Components > Biometrics.
- On the right side, double-click on Allow the use of Biometrics and select Enabled.
- Similarly, enable any other Windows Hello options.
- Exit the Group policy editor and reboot the computer.
Method 2: Enabling Windows Hello in Registry
If setting Group policy does not work, sign-in options can be enabled, which should activate Windows Hello options for all user accounts.
Disclaimer: The registry is a database in Windows that contains important information about system hardware, installed programs and settings, and the profiles of each user account on the computer. Windows often reads and updates the information in the registry.
Normally, software programs make registry changes automatically. Unnecessary changes to the registry should be avoided. Changing registry files incorrectly can cause Windows to stop working or make Windows report the wrong information.
Back up the registry before making any changes. Follow the steps in "How to back up and restore the registry in Windows" (listed under Related References), then proceed as follows:
- Open the Run dialog box by pressing the Windows key and the R key together.
- Type Regedit and hit the Enter key.
- When the Registry Editor opens, navigate to the following location:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Settings\AllowSignInOptions
- In the right pane, double-click on the DWORD entry named value and set it to 1. The above method will enable Windows Hello for all user accounts.
NOTE: To disable it, change the DWORD entry value back to 0
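A scripted form of Method 2, as an added example that is not from the original article, Okta, or Microsoft: it exports the key as a backup, sets the DWORD named value only if it differs, and verifies the result. The parameter names and the backup directory are assumptions; run it from an elevated PowerShell session, and use -WhatIf to preview the change.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): back up, change, and verify AllowSignInOptions.
[CmdletBinding(SupportsShouldProcess)]
param(
    [ValidateSet(0, 1)]
    [int]$Desired = 1,                                  # 1 = enable, 0 = disable (see NOTE above)
    [string]$BackupDir = "$env:ProgramData\RegBackup"   # assumed backup location
)

# Key and value name as given in Method 2 of this article.
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Settings\AllowSignInOptions'
$RegExeKey = 'HKLM\SOFTWARE\Microsoft\PolicyManager\default\Settings\AllowSignInOptions'
$ValueName = 'value'

# Do not create the key if it is missing; that points to a different build or edition.
if (-not (Test-Path -LiteralPath $KeyPath)) {
    throw "Key not found: $KeyPath. No change made."
}

$props   = Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
$current = if ($props) { $props.$ValueName } else { $null }
$shown   = if ($null -eq $current) { '<not set>' } else { $current }
Write-Output ('Current {0} = {1}' -f $ValueName, $shown)

# Idempotent: leave the registry alone when the value is already correct.
if ($current -eq $Desired) {
    Write-Output 'Already at the desired setting; nothing to change.'
    return
}

if ($PSCmdlet.ShouldProcess($KeyPath, "Set $ValueName to $Desired")) {
    # Export the key first so the change can be rolled back with reg.exe import.
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $backup = Join-Path $BackupDir ('AllowSignInOptions-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    & reg.exe export $RegExeKey $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "Backup failed (reg.exe exit code $LASTEXITCODE). No change made."
    }

    Set-ItemProperty -LiteralPath $KeyPath -Name $ValueName -Value $Desired -Type DWord

    # Read the value back instead of trusting the write.
    $after = (Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName).$ValueName
    if ($after -ne $Desired) {
        throw "Verification failed: $ValueName is $after, expected $Desired."
    }
    Write-Output ('Set {0} = {1}. Backup saved to {2}' -f $ValueName, $after, $backup)
}
```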
Related References
- Disabling Windows Hello Setup Prompt when Registering Okta Verify
- Microsoft Answers question on the subject
- How to back up and restore the registry in Windows
