Windows Biometrics Policy

This policy is used to manage Windows Hello for Business biometric settings, including biometric sign-in, facial anti-spoofing, and Enhanced Sign-in Security.


Overview

Supported Platforms: Windows
Minimum System Requirements: Windows 10+
Supported Device Ownership: Company-owned, BYOD

Reference


Policy Fields

Use Biometrics

Field Name: useBiometrics
Type: Boolean
Default: false
Minimum System Requirements: Windows 10+

Allows users to use Windows Hello for Business biometric gestures, such as face and fingerprints, as an alternative to the PIN gesture. Disabling this policy prevents biometric gestures on the device for all account types.

| Value | Description |
|-------|-------------|
| true | Biometric sign-in is enabled |
| false | Biometric sign-in is disabled |


Facial Features Use Enhanced Anti Spoofing

Field Name: facialFeaturesUseEnhancedAntiSpoofing
Type: Boolean
Default: false
Minimum System Requirements: Windows 10+

Requires enhanced anti-spoofing for Windows Hello face authentication. Devices that don't support enhanced anti-spoofing can't use Windows Hello face authentication when this setting is enabled.

| Value | Description |
|-------|-------------|
| true | Enhanced anti-spoofing is required for face authentication |
| false | Enhanced anti-spoofing is not required |


Enable ESS with Supported Peripherals

Field Name: enableESSwithSupportedPeripherals
Type: Integer
Default: 1 (Enabled)
Minimum System Requirements: Windows 11 22H2+

Controls Enhanced Sign-in Security on systems with capable software and hardware. ESS isolates biometric template data and matching operations to trusted hardware or specified memory regions.

| Value | Label | Description |
|-------|-------|-------------|
| 0 | Disabled | Enhanced Sign-in Security is disabled |
| 1 | Enabled | Enhanced Sign-in Security is enabled |


Notes

  • Enabling Use Biometrics allows face and fingerprint authentication as alternatives to PIN for Windows Hello for Business.

  • Enhanced Anti Spoofing adds an extra layer of security for facial recognition but requires compatible hardware. Devices without support will fall back to other authentication methods.

  • Enhanced Sign-in Security (ESS) requires Windows 11 22H2 or later and compatible biometric hardware. It provides hardware-level isolation of biometric data for stronger protection against spoofing and data theft.
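
The following is an added example, not part of the original page or the product's own code: a small linter that checks a policy payload against the field types, defaults and values documented above and flags weaker combinations. The dict payload shape, the lint_policy() name and the device_build input are assumptions; 22621 is the OS build number of Windows 11 22H2.

```python
# Added example: lint a Windows Biometrics policy payload before assigning it.
# Field names, types, defaults and values come from the tables above; the dict
# payload shape, lint_policy() and the device_build input are assumptions.
WIN11_22H2_BUILD = 22621  # OS build number of Windows 11 22H2

# field name -> (expected type, documented default, allowed values)
FIELDS = {
    "useBiometrics": (bool, False, (True, False)),
    "facialFeaturesUseEnhancedAntiSpoofing": (bool, False, (True, False)),
    "enableESSwithSupportedPeripherals": (int, 1, (0, 1)),
}


def lint_policy(payload, device_build=None):
    """Return (effective_settings, findings) for one policy payload."""
    findings = [f"error: unknown field {k!r}" for k in payload if k not in FIELDS]
    effective = {}
    for name, (ftype, default, allowed) in FIELDS.items():
        value = payload.get(name, default)
        # type() instead of isinstance(): bool subclasses int in Python, so
        # isinstance(True, int) would accept True for the Integer field.
        if type(value) is not ftype or value not in allowed:
            findings.append(
                f"error: {name} expects {ftype.__name__} in {allowed}, got {value!r}")
            value = default  # keep checking with the documented default
        effective[name] = value

    if effective["useBiometrics"]:
        if not effective["facialFeaturesUseEnhancedAntiSpoofing"]:
            findings.append("warn: face sign-in allowed without enhanced anti-spoofing")
        if effective["enableESSwithSupportedPeripherals"] == 0:
            findings.append("warn: Enhanced Sign-in Security is disabled")
    if device_build is not None and device_build < WIN11_22H2_BUILD:
        findings.append("info: device is below Windows 11 22H2, ESS field not supported")
    return effective, findings


if __name__ == "__main__":
    # Constructed sample payloads: a weak profile and a hardened one.
    weak = {"useBiometrics": True, "enableESSwithSupportedPeripherals": 0}
    hardened = {"useBiometrics": True, "facialFeaturesUseEnhancedAntiSpoofing": True,
                "enableESSwithSupportedPeripherals": 1}
    for label, payload in (("weak", weak), ("hardened", hardened)):
        print(label, lint_policy(payload, device_build=22631))
```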