
I have 2 user accounts on my Windows 10 machine, an admin one and a regular one. The admin account is not allowed to log in by policy, but it can be used for runas. I want to set up Windows Hello for the admin, so that I can use a fingerprint, or my face, when the UAC prompts for a user name and password.

The problem is that I don't know how to add a fingerprint to a user that is not logged in to the Windows UI.

I tried running ms-settings: as a different user (admin) while logged on with the regular account, or even C:\Windows\ImmersiveControlPanel\SystemSettings.exe. Apparently you can't do this with UWP apps, which Settings (the Windows 10 control panel) is.

Any idea on how to add a Windows fingerprint to a user without being logged on to the UI of Windows 10?


PS: For some reason this question is marked as a duplicate of another question I also started. I don't know how to explain how they are different, since I don't see how they are seen as the same. They are completely different questions.

Andrei
  • Possible duplicate of [How to choose user account when multiple user accounts are used by the same person, so the same biometrics (fingerprint, face)?](https://superuser.com/questions/1417376/how-to-choose-user-account-when-multiple-user-accounts-are-used-by-the-same-pers) – Ramhound Mar 25 '19 at 16:53
  • Is there a reason you could not get an exception to the policy for the purpose of adding these credentials, and then re-apply the policy? Or is this a company-owned computer? If it is company-owned, have you spoken with your IT about this? – music2myear Mar 25 '19 at 16:58
  • @music2myear I can probably get a temporary exception for the policy, but that would take quite some time, and I prefer to be self-reliant. I would also learn something new by figuring this one out. My thinking is that I have administrative rights on the machine so there is probably a clean, technical way to do it. – Andrei Mar 25 '19 at 17:04
  • 1
    If you have administrative rights, the way to do this would be to remove the policy briefly, apply the change, and then apply the policy. Unfortunately, this is not your computer and so you should not do this. Be self-sufficient on the computers that you own. It is not a good idea being self-sufficient to this level on a computer that does not belong to you. – music2myear Mar 25 '19 at 17:05
  • UWP applications permissions cannot be elevated, which is the reason you cannot run the Settings UWP application, as another user in order to accomplish that. – Ramhound Mar 25 '19 at 17:09
  • It's not against any corporate policy, so I don't see the issue, and I guess that when you say administrative rights you mean on the domain, which I don't have, I only have local admin rights. If I would be convinced that this is the only technical way that doesn't break any policy, then I would do it this way, but I am not convinced that it is, hence the question. You're not supporting very much your statement that it is not a good idea being self-sufficient to this level on a computer owned by the company, so it feels like a personal emotional opinion. – Andrei Mar 25 '19 at 17:11
  • Local admin rights are all that you need to clear specific pieces of domain-applied policy briefly. I am a long-time IT professional and sysadmin. I support lots of people, and a very small number of these have had local admin rights, and this was only done in cases where this was the last possible solution to the specific problem, or they owned the company and got to make that decision for themselves, and yet I still confirmed they were aware they needed to use those rights sparingly and only in appropriate situations because they were the biggest security hole in the network. – music2myear Mar 25 '19 at 17:46
  • It is not an emotional opinion, it is one based on history and fact and industry best practices. – music2myear Mar 25 '19 at 17:47
  • Really, if it is, as you insist, not against corporate policy, all you need to do is walk up to one of your IT staff and tell them what you want to do, and to look over your shoulder as you log in with your admin account, add the biometric credentials, and then log out. It's a very simple process, but a human one, not a technical one. – music2myear Mar 25 '19 at 17:48
  • @music2myear I can make an appointment with a person from IT and they will come to me sometime in the next 2 weeks; I don't even know where they are, or if they are in the same city. They are obviously busy, and prefer not to be bothered by questions that can be solved by employees, although they would gladly help even in these instances. According to corporate policy, I am even free to wipe the machine and install my own OS, so setting up a fingerprint for a local user is not a problem. The policies at your previous company are not universal. – Andrei Mar 25 '19 at 17:57
  • @music2myear I completely agree that humans are the biggest security threat, and that changing policies should be the last resort. That is exactly why I am asking whether there are any other solutions that don't require me to change policies, even temporarily, and actually log into Windows with the admin account. It seems that you know quite a few things. Would you say that the solution you provided (temporarily changing the login policy) is the only possible one? – Andrei Mar 25 '19 at 18:01
  • @music2myear I don't understand why you are saying that local admin rights are enough. I thought local policies are applied first, meaning all the upper-level policies override any local policies. With local admin rights I could technically block group policies altogether, but that seems like a really bad idea, lower on the list of ideas than waiting 2 weeks for the same policy to be temporarily disabled in AD for 5 minutes. So how would you go about stopping this specific policy, with local admin rights, without registry edits and changing ownerships which shouldn't be changed? – Andrei Mar 25 '19 at 18:22
  • GPs are applied every 90 minutes and on login in a default configuration. This means you can temporarily suspend policies as required and they will reapply at the next default application time. Some policies set a default setting, while others prevent changing the setting in the config UI. Depending on the setting used, you may need to find the policy in the registry and remove it there, or, if possible, just flip the appropriate switch in the UI. – music2myear Mar 25 '19 at 18:47
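Before touching any policy, it helps to confirm which setting is actually denying the admin account interactive logon and which accounts it covers. The following is an added example written for this page, not code from the asker or any commenter: it exports the effective local security policy with secedit (a standard Windows tool), reads the "Deny log on locally" user right (SeDenyInteractiveLogonRight), and resolves the listed SIDs to account names. It assumes an elevated PowerShell session, since secedit requires administrative rights; the temporary file path is an arbitrary choice.

```powershell
# Added example: list the accounts covered by the "Deny log on locally" user right.
# Assumes an elevated PowerShell session on Windows 10 (secedit needs admin rights).
$exportPath = Join-Path $env:TEMP 'secpol-user-rights.inf'   # arbitrary temp file

# Export only the USER_RIGHTS area of the effective policy (local + applied GPO).
& secedit.exe /export /cfg $exportPath /areas USER_RIGHTS /quiet | Out-Null

# The export is an INI-style file; the line we want looks like
# SeDenyInteractiveLogonRight = *S-1-5-21-...-1001,*S-1-5-32-546
$line = Get-Content $exportPath | Where-Object { $_ -match '^SeDenyInteractiveLogonRight\s*=' }
Remove-Item $exportPath -ErrorAction SilentlyContinue

if (-not $line) {
    'No accounts are denied local (interactive) logon on this machine.'
    return
}

$entries = ($line -split '=', 2)[1].Trim() -split ','
foreach ($entry in $entries) {
    $entry = $entry.Trim()
    if ($entry.StartsWith('*')) {
        # Entries prefixed with '*' are SIDs; translate them to DOMAIN\name where possible.
        $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $entry }   # unresolvable SID (e.g. deleted or unreachable domain account)
    }
    else {
        $name = $entry             # already an account name
    }
    "Denied local logon: $name"
}
```

If the admin account shows up here and the machine is domain-joined, the setting is being delivered by a GPO and will be re-applied at the next refresh (as the comment above notes, every 90 minutes by default and at logon), so any local change is temporary by design. Running `gpresult /r` from the same elevated session lists the applied GPOs, which is the information IT will want when asked for an exception.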

0 Answers