I want to figure out how to set up Windows 10 and Windows 11 machines so that employees can log in to any device using their fingerprints (biometric login). Originally the idea was to use USB drives as USB keys to log in to any of the computers here, but after some discussions employees were thinking USB keys may be a hassle. Using your fingerprint is much easier as you won't have to carry any special equipment then.
The office where this will be set up does have a locked-up central server running on Windows 10 which is used to manage other deployments as well such as ESET.
Currently, many of the computers just have a shared login; that is, employees know the same secret password that lets them into any machine in the office that is shared. This has worked well for our situation because employees tend to move around quite a bit throughout the office; they are never really tied down to a single machine. We are wanting to change things so that instead a unique login is tied to an employee who is able to authenticate into any of these machines with their unique fingerprint. Further, if possible, some of the machines might only let a specific group of authorized employees log in with their fingerprints whereas the remaining employees would be denied access.
I would hate to set up all of these employees for each and every device in the office; preferably I do this once via a central server and utilize some sort of network login which simply looks at an employee's fingerprint to be able to log in to the machine. If this sort of scenario can work we will purchase fingerprint scanners for each computer.
So with that said, how can I set up a Windows Network Login across all of our Windows Machines that simply uses the employee's fingerprints to log in? Currently, this should support both Windows 10 and Windows 11 as some of the Windows 10 devices are not eligible to be upgraded to Windows 11 due to hardware requirements.
 
         
         
        
- It's doable but in a way probably different than what you were expecting.
  — Mark Bowker
             
                                             
 
- Can you clarify that there is no domain in this environment and all computers are in the same workgroup? The Windows 10 "Server" (which really isn't a server - sorry but it isn't and never will be), in addition to ESET and other deployments, is it also used for File Sharing, or do you use a third-party file sharing service like Dropbox, Box, OneDrive, etc.? Do you currently use MS 365 for email and/or MS APP deployment (Word, Outlook, Excel, PowerPoint, etc.)? Are there any applications that some users should have access to on a computer, but others shouldn't, for example - HR Software, or Adobe design software? Are the computers laptops, or desktops? Brand? Are fingerprint readers built into some or none?
  — Mark Bowker
             
                                             
 
- Correct, there is no domain setup, all computers are in the same workgroup; however, we are willing to set up a domain if needed. I will respectfully disagree with you regarding the central server not really being a server (see definition); while it may not be an official advanced Windows Server product line, it still functions and behaves as a server in the sense for how we are utilizing it in that it connects to numerous client machines and other devices throughout the office to perform jobs, all managed in this central area (ESET remote administrator, Honeywell door system, camera systems, Ubiquiti UniFi Controllers for Wi-Fi, and more). It is not used for file sharing; anything regarding file sharing is not needed for the office. We do not use MS 365 for email, Word, Outlook, Excel, PowerPoint, etc. These are not factors. There are no restricted applications other than either being allowed on the machine or not. Mostly Dell computers, but a few laptops. Currently, most do not have fingerprint readers built into the devices; for those, we will purchase a separate USB fingerprint device. Our workstations where this question applies are fairly simple; they are needed for printing documents and accessing the web. The majority of our applications reside outside of the office either in the cloud, via Google Suite, or other Software as a Service (SaaS). As such, all of this is out-of-scope for this question.
  — Brian Wozeniak
             
                                             
 
- I had to think about this before answering. While, as noted, I will never consider a Windows 10 device as a "Server" per se, you can install ADUC (Active Directory Users and Computers) using RSAT via the instructions in the following link. Note: you have to be using Windows 10 Professional or Enterprise. Installing ADUC will allow you to join all computers to the domain and set up user accounts to log in to any computer on the domain; however, I still haven't figured out how you can tie the fingerprint login to it yet. Still thinking on that one. https://www.technipages.com/windows-install-active-directory-users-and-computers Another note: if any of the computers are running Windows 10 or 11 Home, they can't be joined to a domain. It has to be Professional or Enterprise.
  — Mark Bowker
             
                                             
 