This Setting Is Managed By Your Domain Administrator.

PINs used to work in Windows 10 with no changes to GPOs, but at some point in recent Win 10 ADMX templates, Microsoft added an odd setting. They turned off PINs by default, and you have to turn them on via GPO if you want to use them on a domain-connected user account.


This means that there is not a GPO that is blocking your use of PINs and the message “THIS SETTING IS MANAGED BY YOUR ORGANIZATION” is very misleading.


The solution to using PINs on a domain is quite easy:

  1. Open Group Policy Editor and either create a new policy or edit an existing one
  2. Expand Computer Configuration > Administrative Templates > System > Logon
  3. Double click on Turn on convenience PIN sign-in
  4. Select ENABLED
  5. Wait for your PC to sync with the domain or run a GPUPDATE /FORCE
  6. Have a nice day
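
To confirm the setting actually applied after GPUPDATE /FORCE, this PowerShell check (an added example, not from the original post) reads the registry value behind Turn on convenience PIN sign-in. It assumes the policy is stored as the DWORD AllowDomainPINLogon under HKLM\SOFTWARE\Policies\Microsoft\Windows\System; the function name Get-ConveniencePinPolicyState is made up for this example.

```powershell
# Added example: report the state of the "Turn on convenience PIN sign-in" policy.
# Assumption: the policy is the DWORD AllowDomainPINLogon under the key below.
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$policyName = 'AllowDomainPINLogon'

function Get-ConveniencePinPolicyState {
    param(
        [string]$Path = $policyKey,
        [string]$Name = $policyName
    )
    # A missing key or value means "Not Configured", which is not the same as Enabled.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    switch ([int]$item.$Name) {
        1       { 'Enabled' }
        0       { 'Disabled' }
        default { "Unexpected($($item.$Name))" }
    }
}

$domainJoined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
$state        = Get-ConveniencePinPolicyState

# Summary object: easy to read locally or to collect from many machines.
[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    DomainJoined = $domainJoined
    PolicyState  = $state
    # On a domain-joined PC, anything other than Enabled leaves PINs turned off.
    NeedsPolicy  = $domainJoined -and ($state -ne 'Enabled')
}

if ($domainJoined -and $state -ne 'Enabled') {
    Write-Warning "Convenience PIN sign-in is off on this PC (policy state: $state)."
}
```

A PolicyState of NotConfigured on a domain-joined PC is the case described above: no GPO is blocking PINs, the setting simply was never enabled.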

This makes WINDOWS HELLO PINS optional. If you want to require a PIN, go to User Configuration > Administrative Templates > Windows Components and select Windows Hello for Business.

Also note that if you are a local administrator (e.g. on your corporate PC), you can make this change in the LOCAL GROUP POLICY EDITOR by clicking START and typing GPEDIT.MSC.


This has been up my butt for months now. I could not find the GPO that was blocking the use of PINs no matter how many GPRESULT -R’s I ran, so I hope this helps your frustration level.