Finally got it to work the way I wanted! Struggled a bit to find which software is the right one to use. I did fly under the radar of IT - but I doubt involving them would have made things easier. In the end this ControlVault driver seems to work, but even though everything seemed to get recognized and running fine, it kept saying "Framework not activated". Eventually I checked the "Allow users to use fingerprint to log on to domain", and that made the difference.
One odd but convenient thing: after pressing CTRL-ALT-DEL on the logon screen, you're always presented with the password screen. However, if you swipe your finger anyway, it'll allow you in (provided the fingerprint read is good). Just a tip for whoever is puzzling over how to make the biometric credential the default.