This article explains enabling or disabling domain users from using Windows Hello Biometrics to log on to Windows 11.
Windows 11 has a Windows Hello feature that provides a more personal and secure way to sign into Windows. With Windows Hello, one can use a PIN, facial recognition, or fingerprint to sign into their devices securely.
Most new Windows devices you purchase today will come with biometric features. In addition, windows will prompt you to use one biometric feature to protect your device and enhance your data security.
However, Windows Hello Biometrics may not be compatible with a domain environment where user management is centralized.
Here’s how to allow or disallow domain users from using Windows Hello Biometrics to log on to Windows 11.
Turn on or off the use of Windows Hello Biometrics for domain users via the Local Group Policy Editor
As described above, Windows Hello Biometrics features to enhance security and data protection. However, not in all cases can users use Windows biometrics features.
Here’s how to enable or disable it.
First, open the Local Group Policy Editor.
Then expand the following folders Computer Configuration -> Administrative Templates -> Windows Components -> Biometrics.
Computer Configuration -> Administrative Templates -> Windows Components -> Biometrics
Next, click on the Biometrics folder on the left panel, and double-click the setting on the right called “Allow domain users to log on using biometrics” to open.
When the setting window opens, select one of the options:
- Not Configured – Same as enabled. The Biometrics service is available.
- Enabled – Windows Hello Biometrics service is available to use.
- Disabled – Windows Hello Biometrics service is unavailable, and users can use Biometrics.

Save your settings and restart your computer for the changes to apply.
Enable or disable domain users to Windows Hello Biometrics via Windows Registry Editor
Yet another way to turn on or off Windows Hello Biometrics in Windows is to use the Windows Registry Editor.
If you can’t open the Local Group Policy Editor, use the Windows Registry editor instead.
Open the Windows Registry, and navigate to the folder key path below.
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft
If you don’t see the Biometrics folder key, right-click on the Microsoft key, then create the subkey (Biometrics) folders.

Right-click the Biometrics folder key’s right pane and select New -> DWORD (32-bit) Value. Type a new key named Enabled.
Double-click the new key item name (Enabled) and make sure the Base option is Decimal, and then update the Value data, making sure you keep your existing value:
- To turn this feature on. Type 1.
- To turn this feature off. Type 0.

Save your changes and restart your computer.
That should do it!
Conclusion:
This post showed you how to enable or disable Windows Hello Biometrics by domain users in Windows 11. If you find any error above or have something to add, please use the comment form below.