Policy
Enable ESS with Supported Peripherals
Enhanced Sign-in Security (ESS) isolates Windows Hello biometric (face and fingerprint) template data and matching operations to trusted hardware or specified memory regions, meaning the rest of the operating system cannot access or tamper with them. Because the channel of communication between the sensors and the algorithm is also secured, it is impossible for malware to inject or replay data in order to simulate a user signing in or to lock a user out of their machine.

If you enable this policy, it can have the following possible values:

0 - Enhanced Sign-in Security disabled with peripheral sensors
ESS will be disabled on systems with capable software and hardware. Authentication operations of peripheral Windows Hello capable devices will be allowed, subject to current feature limitations.

1 - Enhanced Sign-in Security enabled without peripheral sensors (default and recommended)
ESS will be enabled on systems with capable software and hardware, following the existing default behavior in Windows. Authentication operations of any peripheral biometric device will be blocked and not available for Windows Hello.

If you disable or do not configure this policy, non-ESS sensors will be blocked on the ESS device.
a7c665118431 MSPassport_EnableEnhancedSignInSecurity
Registry
HKLM\Software\Microsoft\Policies\PassportForWork\Biometrics\EnableESSwithSupportedPeripherals