Question:

How to fix the disappearing convenience PIN issue caused by a GPO?

We have applied a Group Policy Object (GPO) that allows users to set up a convenience PIN for authentication. However, the PIN disappears after running gpupdate or restarting the device. What could be the reason and the solution for this problem?

Answer:

A convenience PIN is a four-digit code that can be used to sign in to Windows 10 devices instead of a password. It is designed to be easier and faster to enter, especially on touch-screen devices. However, some users may encounter a problem where the convenience PIN disappears after running gpupdate or restarting the device. This means that they have to enter their password again to sign in, which defeats the purpose of having a PIN.

This issue may be caused by a Group Policy Object (GPO) that is applied to the device or the domain. A GPO is a set of rules and settings that can be used to configure and manage multiple devices and users in a network. For example, a GPO can enable or disable certain features, enforce security policies, or install software updates.

One of the settings that can be controlled by a GPO is the convenience PIN. There are two main GPOs that affect the convenience PIN: the Turn on convenience PIN sign-in policy and the Turn on PIN sign-in policy. The former is located under Computer Configuration > Administrative Templates > System > Logon, and the latter is located under Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business > PIN Complexity.

The Turn on convenience PIN sign-in policy allows users to set up and use a convenience PIN for authentication. If this policy is enabled, users can create a PIN from the Settings app or the sign-in screen. If this policy is disabled or not configured, users cannot use a convenience PIN.

The Turn on PIN sign-in policy allows users to sign in with a PIN when using a smart card. A smart card is a physical device that contains a chip and a certificate that can be used to verify the user’s identity. If this policy is enabled, users can use a PIN instead of a smart card to sign in. If this policy is disabled, users have to use a smart card to sign in.

The problem arises when the Turn on PIN sign-in policy is enabled, but the Turn on convenience PIN sign-in policy is disabled or not configured. This creates a conflict between the two policies, as the former allows PIN sign-in, but the latter does not. As a result, the convenience PIN is not recognized by the system and disappears after running gpupdate or restarting the device.

The solution is to either disable the Turn on PIN sign-in policy or enable the Turn on convenience PIN sign-in policy. This will resolve the conflict and allow the convenience PIN to work properly. To do this, follow these steps:

1. Open the Group Policy Management Console (GPMC) on the domain controller or the device that has the GPO applied.

2. Navigate to the GPO that contains the PIN policies. You can find the GPO by using the Group Policy Results wizard or the Group Policy Modeling wizard in the GPMC.

3. Right-click on the GPO and select Edit.

4. To disable the Turn on PIN sign-in policy, go to Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business > PIN Complexity and double-click on the policy. Select Disabled and click OK.

5. To enable the Turn on convenience PIN sign-in policy, go to Computer Configuration > Administrative Templates > System > Logon and double-click on the policy. Select Enabled and click OK.

6. Close the GPO editor and the GPMC.

7. Run gpupdate /force on the affected devices or restart them to apply the changes.

After doing this, the convenience PIN should be restored and function normally. Users can set up and use a convenience PIN for authentication without losing it after running gpupdate or restarting the device.

—

I hope this article helps you. Please let me know if you have any feedback or questions. 😊