This policy is used to manage Windows Hello for Business biometric settings, including biometric sign-in, facial anti-spoofing, and Enhanced Sign-in Security.
Overview
Supported Platforms | Windows |
Minimum System Requirements | Windows 10+ |
Supported Device Ownership | Company-owned, BYOD |
Reference |
Policy Fields
Use Biometrics
Field Name |
|
Type | Boolean |
Default |
|
Minimum System Requirements | Windows 10+ |
Allows users to use Windows Hello for Business biometric gestures, such as face and fingerprint, as an alternative to the PIN gesture. Disabling this policy prevents biometric gestures on the device for all account types.
Value | Description |
| Biometric sign-in is enabled |
| Biometric sign-in is disabled |
Facial Features Use Enhanced Anti Spoofing
Field Name |
|
Type | Boolean |
Default |
|
Minimum System Requirements | Windows 10+ |
Requires enhanced anti-spoofing for Windows Hello face authentication. Devices that don't support enhanced anti-spoofing can't use Windows Hello face authentication when this setting is enabled.
Value | Description |
| Enhanced anti-spoofing is required for face authentication |
| Enhanced anti-spoofing is not required |
Enable ESS with Supported Peripherals
Field Name |
|
Type | Integer |
Default |
|
Minimum System Requirements | Windows 11 22H2+ |
Controls Enhanced Sign-in Security on systems with capable software and hardware. ESS isolates biometric template data and matching operations to trusted hardware or specified memory regions.
Value | Label | Description |
| Disabled | Enhanced Sign-in Security is disabled |
| Enabled | Enhanced Sign-in Security is enabled |
Notes
Enabling Use Biometrics allows face and fingerprint authentication as alternatives to PIN for Windows Hello for Business.
Enhanced Anti Spoofing adds an extra layer of security for facial recognition but requires compatible hardware. When it is required, devices without support can't use Windows Hello face authentication and will fall back to other authentication methods.
Enhanced Sign-in Security (ESS) requires Windows 11 22H2 or later and compatible biometric hardware. It provides hardware-level isolation of biometric data for stronger protection against spoofing and data theft.
