This message is misleading, at least in the Windows Update dialog.
This is based on that in the privacy settings under "Settings" -> "Privacy" -> "Feedback & diagnostics" -> "Diagnostics and usage data" it is set to "Basic". Change it to "Enhanced" or higher, the message disappears.
I have a German Windows 10 Professional version, so can not say exactly whether the menu names are correct. However, this must be increased.
I found the solution. The reason is that Windows Hello is managed differently on domain joined computers, starting with the anniversary update.
To get it to work you have to follow these steps:
1) Setup a Group Policy Central Store (you should already have that)
2) Get Windows 10 Anniversary Update Group Policy Templates. You can do so by copying your files from PolicyDefinitions (in windir on a Win10 Anniversary Update machine) into the PolicyDefinitions of the central store. You might copy those files first to a file share, because of permissions your regular user should not have on the central store.
3) Setup a new GPO or add to an existing the following settings to enable Windows Hello:
- Computer Configuration/Policies/Administrative Templates
.../Windows Components/Windows Hello For Business/ Use biometrics => Enabled
.../Windows Components/Windows Hello for Business/ Use a hardware security device => Enabled (if you want to use TPM instead of key or certificate based activation for Windows Hello). Note that in general all business computers should have TPM
.../System/Logon/ Turn on convenience PIN sign-in => Enabled (This is the key. This enables PIN sign-in which in turn will enable Hello, together with the other settings.)
.../Windows Components/Biometrics/ Allow domain users to log on using biometrics => Enabled (I think this is enabled by default, but being explicit makes GP management a lot easier.)
You will find more optional configuration possibilities in System/Logon and Windows Components/Biometrics and Windows Components/Windows Hello for Business.
You will find more background here:
https://blogs.technet.microsoft.com/ash/2016/08/13/changes-to-convenience-pin-and-thus-windows-hello-behaviour-in-windows-10-version-1607/
and here
https://technet.microsoft.com/en-us/itpro/windows/keep-secure/implement-microsoft-passport-in-your-organization
Most important excerpt:
Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a
convenience PIN for Windows 10, version 1607, enable the Group Policy
setting Turn on convenience PIN sign-in. Use Windows Hello for
Business policy settings to manage PINs for Windows Hello for
Business.
If you want to use key or certificate based Windows Hello you can follow the guides in the links. Don't get confused though. You can still use regular TPM for normal Windows Hello.
Best Answer
This message means that you are in a company domain.
Administrators of your domain have automatically centralized the configuration of the machines in the domain by using GPO or GPP.
The goal can be :
If you need to access those options, you will have to ask your company IT service which manage the Active Directory rules to enable those options for you.