I recently joined my Microsoft Surface Pro to our corporate domain and couldn’t setup Windows Hello as it stated Some settings are managed by your organisation:


There are several ways to get around this centrally using GPO or by a local policy amendment.

Open gpedit.msc and amend:

Local Computer Policy > Computer Configuration > Administrative Templates > System > Logon > Turn on convenience PIN sign-in > ENABLED.

As i mentioned this is really just a work around as I am a local admin on my Surface.  This can also be managed centrally using domain Group Policies.