Policy
Enable ESS with Supported Peripherals
Windows 11 25H2
Policy overview
Key metadata and intent for this policy.
Supported OS tags: Windows11
Enhanced Sign-in Security (ESS) isolates Windows Hello biometric (face and fingerprint) template data and matching operations to trusted hardware or specified memory regions, meaning the rest of the operating system cannot access or tamper with them. Because the channel of communication between the sensors and the algorithm is also secured, it is impossible for malware to inject or replay data in order to simulate a user signing in or to lock a user out of their machine.

If you enable this policy, it can have the following possible values:

- 0 - Enhanced Sign-in Security disabled with peripheral sensors. ESS will be disabled on systems with capable software and hardware. Authentication operations of peripheral Windows Hello capable devices will be allowed, subject to current feature limitations.
- 1 - Enhanced Sign-in Security enabled without peripheral sensors (default and recommended). ESS will be enabled on systems with capable software and hardware, following the existing default behavior in Windows. Authentication operations of any peripheral biometric device will be blocked and not available for Windows Hello.

If you disable or do not configure this policy, non-ESS sensors will be blocked on the ESS device.
Registry values
How enabled and disabled states update the registry.
No explicit registry values are set for enabled or disabled states.
Policy elements
Inputs and configuration options exposed by this policy.
| Element | Type | Registry mapping | Constraints & behavior |
|---|---|---|---|
| Enable ESS with Supported Peripherals (ID: MSPassport_EnableEnhancedSignInSecurityDataType) | decimal | HKLM\Software\Microsoft\Policies\PassportForWork\Biometrics\EnableESSwithSupportedPeripherals (Type: REG_DWORD) | Range: 0 to 1 |
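
One way to audit this setting on an endpoint, as an added example that is not part of the policy page: the PowerShell function below reads the registry mapping from the table above and checks the value's type and range before interpreting it. The function name and the report fields are hypothetical; the state wording follows the policy description.

```powershell
# Added example (not from the policy page): audit the local ESS peripheral policy.
# Key path and value name are taken from the policy's registry mapping.
$EssPolicyKey  = 'HKLM:\Software\Microsoft\Policies\PassportForWork\Biometrics'
$EssPolicyName = 'EnableESSwithSupportedPeripherals'

function Get-EssPeripheralPolicy {   # hypothetical helper name
    param(
        [string]$Key  = $EssPolicyKey,
        [string]$Name = $EssPolicyName
    )

    # Start from the "not configured" state; it is overwritten if a value exists.
    $report = [ordered]@{
        Path               = "$Key\$Name"
        RawValue           = $null
        State              = 'Not configured: non-ESS sensors are blocked on the ESS device'
        PeripheralsAllowed = $false
        Finding            = 'OK'
    }

    $regKey = Get-Item -LiteralPath $Key -ErrorAction SilentlyContinue
    if ($null -eq $regKey -or $regKey.GetValueNames() -notcontains $Name) {
        return [pscustomobject]$report
    }

    # Check the stored type first so a non-DWORD value is never interpreted.
    $kind = $regKey.GetValueKind($Name)
    $report.RawValue = $regKey.GetValue($Name)

    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        $report.State   = "Unexpected value type $kind (policy expects REG_DWORD)"
        $report.Finding = 'REVIEW'
    }
    elseif ($report.RawValue -eq 1) {
        $report.State = 'ESS enabled without peripheral sensors (default and recommended)'
    }
    elseif ($report.RawValue -eq 0) {
        $report.State              = 'ESS disabled with peripheral sensors'
        $report.PeripheralsAllowed = $true
        $report.Finding            = 'DEVIATION from recommended value 1'
    }
    else {
        $report.State   = 'Value outside the documented range 0 to 1'
        $report.Finding = 'REVIEW'
    }
    return [pscustomobject]$report
}

Get-EssPeripheralPolicy | Format-List
```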
Other policies in this category
Explore related policies at the same level.
- Computer: Allow enumeration of emulated smart card for all users (At least Windows 10)
- Computer: Configure device unlock factors (At least Windows 10)
- Computer: Configure dynamic lock factors (At least Windows 10)
- Computer: Turn off smart card emulation (At least Windows 10)
- Computer: Use a hardware security device (At least Windows 10)
- Computer: Use biometrics (At least Windows 10)
- Computer: Use certificate for on-premises authentication (At least Windows 10)
- User: Use certificate for on-premises authentication (At least Windows 10)
- Computer: Use cloud trust for on-premises authentication (At least Windows 10)
- Computer: Use PIN Recovery (At least Windows 10)
- User: Use Windows Hello for Business (At least Windows 10)
- Computer: Use Windows Hello for Business (At least Windows 10)