
0 Votes
TheWinAdmin-7938 asked TheWinAdmin-7938 answered

Allow UAC require fingerprint but disable it on login

Is there a way to disable a fingerprint login for the administrator but leave this possibility enabled in a UAC prompt in Windows 10? After reading this topic, I've set a value of 1 in the appropriate registry entry, so now it always requires a fingerprint or a PIN/password in the UAC prompt.

However, I don't want to allow the fingerprint login, but using gpedit

 Computer Configuration -> Administrative Templates -> Windows Components -> Biometrics -> Allow users to log on using biometrics

disables it everywhere, including the UAC prompt.

Is it possible to disable fingerprint only on login?


windows-10-general windows-10-security

0 Votes
TheWinAdmin-7938 answered

Since there is only one account on my computer, I used an option of changing the GPO "Allow users to log on using biometrics" on logon and logoff. This flag can be found in the registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider.

To enable biometrics on log I've created a .reg file with the following code:

 Windows Registry Editor Version 5.00
    
 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider]
 "Enabled"=dword:00000001

Also, I've created a .bat file with a script:

 @echo off
    
 regedit /s C:\<Path>\<name>.reg

To disable biometrics I've created similar files with DWORD value of 0. Finally, I've used gpedit.msc and Task Manager to assign .bat scripts to logon and logoff. That worked perfectly fine! Now, I can't sign-in using fingerprint, but I can't do it in UAC windows.
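The toggle described in this answer, as an added example that is not part of the original post: a single PowerShell script that can replace both .reg/.bat pairs, refuses to run without an elevated token, and reads the value back after writing it. The script name and the `-State` parameter are assumptions made for this example; the registry key and value name are the ones given in the answer.

```powershell
# Set-BiometricLogonPolicy.ps1 (hypothetical name; added example, not the poster's code)
#   -State On   at logon, so the UAC prompt can use the fingerprint reader
#   -State Off  at logoff, so the sign-in screen cannot
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('On', 'Off')]
    [string]$State
)

$ErrorActionPreference = 'Stop'

# Policy key and value name as given in the answer.
$keyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider'
$valueName = 'Enabled'
$desired   = if ($State -eq 'On') { 1 } else { 0 }

# Writing under HKLM\SOFTWARE\Policies needs an elevated token; stop with an error if it is missing.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Not elevated: cannot write the biometrics policy value.'
}

# Create the key if the policy has never been configured on this machine.
if (-not (Test-Path -LiteralPath $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}

# Set the DWORD; -Force overwrites an existing value.
New-ItemProperty -LiteralPath $keyPath -Name $valueName -PropertyType DWord -Value $desired -Force | Out-Null

# Read the value back so a write that did not take effect stops the script with an error.
$actual = (Get-ItemProperty -LiteralPath $keyPath -Name $valueName).$valueName
if ($actual -ne $desired) {
    throw "Expected $valueName=$desired but found $actual."
}

Write-Output "Biometric credential provider policy: $valueName=$actual ($State)"
```

A logoff script runs at sign-out, not when the session is locked, so the value stays at 1 for as long as the session exists.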


1 Vote
LimitlessTechnology-2700 answered TheWinAdmin-7938 commented

Hello @TheWinAdmin-7938,

Thank you for your question and reaching out.

  1. From the Command Prompt execute the following command to get your user account's SID: wmic useraccount get name,sid

  2. Navigate to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\UserTile

  3. Find your current account's SID on the right pane, and double-click on it to modify.

  4. Type {D6886603-9D2F-4EB2-B667-1971041FA96B} in the Value data field and click OK.

  5. Reboot your computer and it will display PIN as your default sign-in option on the logon screen.

GUID for each sign-in option:

PIN: {D6886603-9D2F-4EB2-B667-1971041FA96B}
Picture Logon: {2135F72A-90B5-4ED3-A7F1-8BB705AC276A}
Password: {60B78E88-EAD8-445C-9CFD-0B87F74EA6CD}
Fingerprint Logon: {BEC09223-B018-416D-A0AC-523971B639F5}

Note: You might need to create a .bat script to make these registry changes, and schedule the script to run every time you log on to Windows.





--If the reply is helpful, please Upvote and Accept as answer--


Hi @LimitlessTechnology-2700,

Thank you very much for your answer!

Unfortunately, it seems that the solution you proposed doesn't take all factors into account. It definitely changes the default sign-in option; however, a user can still change the sign-in option on the lock screen and log on using fingerprint. Nevertheless, your answer prompted me to a solution that I described below.

0 Votes