Policy
Enable ESS with Supported Peripherals
Microsoft Windows
Policy overview
Key metadata and intent for this policy.
Supported OS tags: Windows11
Enhanced Sign-in Security (ESS) isolates Windows Hello biometric (face and fingerprint) template data and matching operations to trusted hardware or specified memory regions, so the rest of the operating system cannot access or tamper with them. Because the channel of communication between the sensors and the algorithm is also secured, malware cannot inject or replay data to simulate a user signing in or to lock a user out of their machine.

If you enable this policy, it can have the following possible values:

- 0 - Enhanced Sign-in Security disabled with peripheral sensors. ESS will be disabled on systems with capable software and hardware. Authentication operations of peripheral Windows Hello capable devices will be allowed, subject to current feature limitations.
- 1 - Enhanced Sign-in Security enabled without peripheral sensors (default and recommended). ESS will be enabled on systems with capable software and hardware, following the existing default behavior in Windows. Authentication operations of any peripheral biometric device will be blocked and not available for Windows Hello.

If you disable or do not configure this policy, non-ESS sensors will be blocked on the ESS device.
Registry values
How enabled and disabled states update the registry.
No explicit registry values are set for enabled or disabled states.
Policy elements
Inputs and configuration options exposed by this policy.
| Scope | Element | Type | Registry mapping | Constraints & behavior |
|---|---|---|---|---|
| Computer | Enable ESS with Supported Peripherals (ID: MSPassport_EnableEnhancedSignInSecurityDataType) | decimal | Path: Software\Microsoft\Policies\PassportForWork\Biometrics; Value name: EnableESSwithSupportedPeripherals; Type: REG_DWORD | Range: 0 to 1 |
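As an added example (not part of the policy documentation), the following PowerShell audits the registry value this policy element writes and maps it back to the meanings given in the policy text; it assumes the Computer scope resolves to HKLM, and the setter enforces the documented 0 to 1 range.

```powershell
# Added example, not from the policy documentation.
# Assumption: the "Computer" scope maps to HKLM; path and value name are
# taken from the policy's registry mapping above.
$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork\Biometrics'
$ValueName  = 'EnableESSwithSupportedPeripherals'

function Get-EssPeripheralPolicy {
    # Read the value (if present) and interpret it per the policy text.
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{
            Value   = $null
            State   = 'Not configured'
            Meaning = 'Non-ESS (peripheral) sensors are blocked on an ESS-capable device'
        }
    }
    $v = [int]$item.$ValueName
    $meaning = switch ($v) {
        0       { 'ESS disabled; peripheral Windows Hello devices allowed' }
        1       { 'ESS enabled (default, recommended); peripheral biometric devices blocked' }
        default { 'Value outside the documented range 0 to 1' }
    }
    [pscustomobject]@{ Value = $v; State = 'Configured'; Meaning = $meaning }
}

function Set-EssPeripheralPolicy {
    param(
        [Parameter(Mandatory)]
        [ValidateRange(0, 1)]   # documented constraint: 0 to 1
        [int]$Value
    )
    # Requires an elevated session; create the key if no policy has written it yet.
    if (-not (Test-Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    Set-ItemProperty -Path $PolicyPath -Name $ValueName -Value $Value -Type DWord
}

# Audit the current state; uncomment the last line to enforce the recommended default.
Get-EssPeripheralPolicy | Format-List
# Set-EssPeripheralPolicy -Value 1
```

On a domain- or MDM-managed device, prefer setting the policy through Group Policy or the MDM channel so the value is not overwritten at the next policy refresh.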