Allow UAC to require fingerprint but disable it on login

TheWinAdmin 96 Reputation points
2021-10-29T10:50:43.46+00:00

Is there a way to disable fingerprint login for the administrator but leave this possibility enabled in a UAC prompt in Windows 10? After reading this topic, I've set a value of 1 in the appropriate registry entry, so now it always requires a fingerprint or a PIN/password in the UAC prompt.

However, I don't want to allow the fingerprint login, but using gpedit

Computer Configuration -> Administrative Templates -> Windows Components -> Biometrics -> Allow users to log on using biometrics  

disables it everywhere, including the UAC prompt.

Is it possible to disable fingerprint only on login?


Accepted answer
  1. TheWinAdmin 96 Reputation points
    2021-10-30T10:08:53.54+00:00

    Since there is only one account on my computer, I used an option of changing the GPO "Allow users to log on using biometrics" on logon and logoff. This flag can be found in the registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider.

    To enable biometrics on logon I've created a .reg file with the following code:

    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider]
    "Enabled"=dword:00000001
    

    Also, I've created a .bat file with a script:

    @echo off
    
    regedit /s C:\<Path>\<name>.reg
    

    To disable biometrics I've created similar files with a DWORD value of 0. Finally, I've used gpedit.msc and Task Manager to assign the .bat scripts to logon and logoff. That worked perfectly fine! Now, I can't sign in using a fingerprint, but I can't do it in UAC windows.

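An added example, not part of the original answer: one PowerShell script that does the work of the paired .reg and .bat files above, writing the same Enabled DWORD under the policy key the answer names and reading it back. The script name Set-BiometricLogon.ps1, the -Action parameter and the function names are assumptions made for this example.

```powershell
#Requires -Version 5.1
# Added example (hypothetical Set-BiometricLogon.ps1): toggles the policy value
# named in the answer above. Key path and value name are taken from that answer.
param(
    [Parameter(Mandatory)]
    [ValidateSet('Enable', 'Disable', 'Status')]
    [string]$Action
)

$KeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider'
$ValueName = 'Enabled'

function Test-Elevated {
    # HKLM\SOFTWARE\Policies is writable only from an elevated process.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-BiometricLogonPolicy {
    # Returns 0 or 1, or $null when the key or value is not configured.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-BiometricLogonPolicy([int]$Value) {
    if (-not (Test-Elevated)) {
        throw 'Writing under HKLM\SOFTWARE\Policies requires an elevated process.'
    }
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null    # create the key if it is missing
    }
    New-ItemProperty -Path $KeyPath -Name $ValueName -Value $Value `
        -PropertyType DWord -Force | Out-Null
    # Read the value back so a silently failed write does not go unnoticed.
    $actual = Get-BiometricLogonPolicy
    if ($actual -ne $Value) { throw "Expected $ValueName=$Value, found '$actual'." }
}

switch ($Action) {
    'Enable'  { Set-BiometricLogonPolicy 1 }
    'Disable' { Set-BiometricLogonPolicy 0 }
}

$state = Get-BiometricLogonPolicy
if ($null -eq $state) { "${ValueName}: not configured" } else { "${ValueName}: $state" }
```

Run with -Action Status to check the current value without changing it; the Enable and Disable actions correspond to the answer's two .reg files.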

1 additional answer

  1. Limitless Technology 39,301 Reputation points
    2021-10-29T16:41:32.147+00:00

    Hello @TheWinAdmin ,

    Thank you for your question and reaching out.

    1. From the Command Prompt, execute the following command to get your user account's SID: wmic useraccount get name,sid
    2. Navigate to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\UserTile
    3. Find your current account's SID on the right pane, and double-click on it to modify.
    4. Type {D6886603-9D2F-4EB2-B667-1971041FA96B} in the Value data field and click OK.
    5. Reboot your computer and it will display PIN as your default sign-in option on the logon screen.

    GUID for each sign-in option:

    PIN: {D6886603-9D2F-4EB2-B667-1971041FA96B}
    Picture Logon: {2135F72A-90B5-4ED3-A7F1-8BB705AC276A}
    Password: {60B78E88-EAD8-445C-9CFD-0B87F74EA6CD}
    Fingerprint Logon: {BEC09223-B018-416D-A0AC-523971B639F5}

    Note: You might need to create a .bat script to make these registry changes and schedule the script to run every time you log on to Windows.
