All of our users are in an on-premises AD account, which syncs with Azure Active Directory Connect using password hash authentication (hybrid setup).
I want users to be able to use a PIN to sign in to their machines. I set up a GPO to enable PIN authentication and that has been working fine. I realized, though, that as soon as users sign into their Office account using their Azure user account, the Windows Hello PIN sometimes becomes unavailable. I've been able to help those users set PINs by disconnecting their work account from the Control Panel, setting a PIN, then re-signing into Office.
Last week I rolled out single sign-on for Office, so now it auto-authenticates their work account upon sign-in. This has stopped my trick of signing out to set a PIN from working (even if I sign out of Office it doesn't let me set it).
Current Group Policy
I believe for the users that do have PINs it's a convenience PIN and not Windows Hello for Business (though on my account I was able to set up a PIN and it says "Windows Hello PIN"). My only GPO settings for enabling the PIN are to set the registry AllowDomainPinLogin and PIN Complexity set to 4.
I've looked through the documentation for Windows Hello and it honestly looks overwhelming to set up. I've started to play with it but haven't had much success, as there's a lot of documentation to read through. I'm not really sure why my PIN works when not signed into Office, but then signing in to Office disables it. Is there some setting in Azure that is changing it from convenience to Windows Hello PIN?
I do want to eventually figure out Windows Hello, but for the time being I've got people asking me to set a PIN, so convenience PINs are the way to go for now as it sometimes works.
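Before changing policy on an affected machine, it helps to capture in one place what the PIN-related policies and the device/user join state actually are, because the convenience PIN and the Windows Hello for Business PIN are governed by different policy keys and by whether the user's work account has been joined to Azure AD. The PowerShell below is an added diagnostic, not code from the original post; it assumes the registry locations written by the "Turn on convenience PIN sign-in" policy (`AllowDomainPINLogon` under the Windows\System policy key) and the "Use Windows Hello for Business" and PIN complexity policies (`PassportForWork` and its `PINComplexity` subkey), and it parses the text output of `dsregcmd /status`, whose field names may differ between Windows builds.

```powershell
# Added example (not from the original post). Assumptions: the policy registry
# paths below and the dsregcmd /status field names AzureAdJoined, DomainJoined,
# WorkplaceJoined and NgcSet. Run as the affected user; NgcSet is per-user state.

function Get-PolicyValue {
    # Returns a policy-backed registry value, or $null when the policy is not set.
    param([string]$Path, [string]$Name)
    try {
        return (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        return $null
    }
}

$systemPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$whfbPolicy   = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
$pinPolicy    = "$whfbPolicy\PINComplexity"

$report = [ordered]@{
    # 1 = convenience PIN sign-in allowed for domain accounts
    'AllowDomainPINLogon (convenience PIN)' = Get-PolicyValue $systemPolicy 'AllowDomainPINLogon'
    # 1 = Windows Hello for Business enabled by policy; absent = not configured
    'PassportForWork\Enabled (WHfB)'        = Get-PolicyValue $whfbPolicy 'Enabled'
    'PINComplexity\MinimumPINLength'        = Get-PolicyValue $pinPolicy 'MinimumPINLength'
}

# Join state decides which credential provider path the PIN takes:
# a work account that is Azure AD registered/joined with an NGC key set
# is using a Windows Hello key, not a convenience PIN.
$dsreg = dsregcmd /status
foreach ($field in 'AzureAdJoined', 'DomainJoined', 'WorkplaceJoined', 'NgcSet') {
    $match = $dsreg | Select-String -Pattern "^\s*$field\s*:\s*(.+?)\s*$" | Select-Object -First 1
    $report["dsregcmd $field"] = if ($match) { $match.Matches[0].Groups[1].Value } else { 'n/a' }
}

$report.GetEnumerator() | ForEach-Object { '{0,-42} {1}' -f $_.Key, $_.Value }
```

Comparing the output on a machine where the PIN works with one where it stopped after the Office sign-in shows whether the difference is a policy value or the join state (for example, `WorkplaceJoined` or `NgcSet` flipping to YES once the work account is added), which narrows down which policy area to read in the Windows Hello documentation.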