Why Are PIN and Face ID Setup Options Unavailable After Manually Joining a Domain in Windows 11?

Dhruvkumar Patel 0 Reputation points
2025-01-16T14:01:17.16+00:00

We previously used Windows Autopilot for device setup in Windows 10, but since transitioning to Windows 11, the old Autopilot setup no longer works for us. As a workaround, we reset the PCs, log in as a test user, and then manually join the devices to our domain.

While this method allows us to successfully join the domain and use the system, we encounter an issue when trying to set up Windows Hello features like PIN or Face ID for unlocking the device. The system shows the error message, “The option is currently unavailable,” and we are unable to proceed with the setup. We did push the gp update on company network or with

We are looking for guidance on resolving this issue so that PIN and Face ID setup works seamlessly after a device is manually joined to a domain. Any assistance or recommendations would be greatly appreciated.


1 answer

  1. Crystal-MSFT 51,701 Reputation points Microsoft Vendor
    2025-01-20T06:09:18.4733333+00:00

    @Dhruvkumar Patel, this issue can occur when the device is not able to communicate with the on-premises Active Directory Domain Services (AD DS) to verify the user's PIN. To resolve this issue, you can try the following steps:

    1. Verify that the device is able to communicate with the on-premises AD DS. You can check this by running the following command in PowerShell: Test-ComputerSecureChannel -Verbose. The output should show that the secure channel is established.
    2. Verify that the device is able to communicate with the domain controller that holds the Primary Domain Controller (PDC) emulator role. You can check this by running the following command in PowerShell: nltest /dsgetdc:<domainname> /pdc. Replace <domainname> with the name of your domain.

    If all of the above steps are successful, you can try resetting the Windows Hello for Business PIN on the affected device. You can do this by following these steps:

    1. Open the Settings app on the affected device.
    2. Click on "Accounts" and then click on "Sign-in options".
    3. Under "Windows Hello PIN", click on "I forgot my PIN".
    4. Follow the prompts to reset your PIN.

    Hope the above information can help.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments
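The two connectivity checks from the answer above can be run together on the affected device. The script below is an added example, not part of the original answer or any Microsoft tooling. It goes one step beyond the answer by also reading `dsregcmd /status`, and it assumes an elevated PowerShell session and that the listed `dsregcmd` fields are present on the installed build.

```powershell
# Added example: runs the two checks from the answer and summarizes join state.
# Assumption: executed in an elevated PowerShell session on the affected device.

$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    Write-Warning "Device is not joined to an AD DS domain; the checks below do not apply."
    return
}
$domain = $cs.Domain   # domain name taken from the local computer account

# Step 1 from the answer: is the computer's secure channel to the domain intact?
$secureChannelOk = Test-ComputerSecureChannel -Verbose

# Step 2 from the answer: can the device locate the DC holding the PDC emulator role?
$nltestOutput = & nltest.exe "/dsgetdc:$domain" /pdc 2>&1
$pdcOk = ($LASTEXITCODE -eq 0)

# Extra context (an addition, not in the answer): parse "Key : Value" lines
# from dsregcmd /status so join state and Windows Hello state sit side by side.
$state = @{}
foreach ($line in (& dsregcmd.exe /status)) {
    if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') {
        $state[$Matches[1]] = $Matches[2]
    }
}

# Fields missing on a given build simply show up empty in the summary.
[pscustomobject]@{
    Domain        = $domain
    SecureChannel = $secureChannelOk
    PdcReachable  = $pdcOk
    DomainJoined  = $state['DomainJoined']
    AzureAdJoined = $state['AzureAdJoined']
    NgcSet        = $state['NgcSet']
    PolicyEnabled = $state['PolicyEnabled']
    PreReqResult  = $state['PreReqResult']
} | Format-List

# Show the raw nltest output only when the PDC lookup failed, for troubleshooting.
if (-not $pdcOk) { $nltestOutput }
```

A `SecureChannel` value of `False` or a failed PDC lookup corresponds to the connectivity problem the answer describes; both should be resolved before retrying PIN setup.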
