So your company bought brand new Surface Pro devices. Are users complaining that they can’t set up “Windows Hello” features?
This is a common issue on these new devices with biometric authentication features (or when you want a PIN login): the configuration panel is greyed out and shows the status message “Some settings are managed by your Organisation”.
Note that you need the latest Administrative Templates (.admx) for Windows 10 and Windows Server 2016 on both your server and client for these Group Policy settings to be available (get them from Microsoft). Do check whether there’s a newer revision at the time of reading, though.
There are plenty of posts on the web with tricks for this, but none actually solved the issue entirely. Here are the Group Policy settings I have implemented successfully on Windows Server 2012 Essentials to allow access to these features (ignore “Allow deployment operations in special profiles”):
The following registry key and GPO settings may be helpful/required as well; I haven’t been able to verify whether they are actually required, as this was one of the first things I tried (applicable from Windows 10 rev 1607):
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"AllowDomainPINLogon"=dword:00000001
1. The “Turn on Convenience PIN sign-in” policy (as above) must be enabled.
2. All 3 policies under Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business\ must be in the state “Not configured”. This was the piece that was missing, and not documented properly on TechNet.
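
A read-only PowerShell check of the two conditions above on a client, added here as an example and not part of the original post. The `AllowDomainPINLogon` path is the one given above; the `PassportForWork` path is an assumption about where the Windows Hello for Business policies store their values.

```powershell
# Added example: verifies the two conditions listed above. Nothing is modified.

# Registry path and value name as given in the article.
$systemKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
# Assumption: the Windows Hello for Business policies write their values here.
$whfbKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'

function Get-PolicyValues {
    param([string]$Path)
    # Return every value set at $Path and in its subkeys as Path/Name/Value objects.
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $keys = @(Get-Item -LiteralPath $Path) +
            @(Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Path  = $key.Name
                Name  = $name
                Value = $key.GetValue($name)
            }
        }
    }
}

# Condition 1: "Turn on Convenience PIN sign-in" enabled (AllowDomainPINLogon = 1).
$pin = (Get-ItemProperty -LiteralPath $systemKey -Name AllowDomainPINLogon `
            -ErrorAction SilentlyContinue).AllowDomainPINLogon
if ($pin -eq 1) {
    'OK    AllowDomainPINLogon = 1'
} else {
    "FAIL  AllowDomainPINLogon is '$pin' (expected 1)"
}

# Condition 2: no Windows Hello for Business policy is configured.
# A policy left at "Not configured" leaves no value behind, so any value
# listed here points at a policy that is still Enabled or Disabled.
$configured = @(Get-PolicyValues -Path $whfbKey)
if ($configured.Count -eq 0) {
    'OK    no values found under the Windows Hello for Business policy key'
} else {
    'FAIL  values present under the Windows Hello for Business policy key:'
    $configured | Format-Table -AutoSize
}
```

Run it on the affected client after the policies have refreshed; a FAIL on the second check lists the values to trace back to the GPO that sets them.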