Windows Hello for Business: Enhanced Sign-in Security

In this post we will look at how to further harden Windows Hello for Business. We will cover what Enhanced Sign-in Security is, when to use it and how to enable it.

❗Make sure to read the full post before starting your testing.

What is Enhanced Sign-in Security?

I think that Microsoft did a great job in explaining what it is, so I will quote MS on this one:

“Enhanced Sign-in Security (ESS) isolates both biometric template data and matching operations to trusted hardware or specified memory regions, meaning the rest of the operating system cannot access or tamper with them. Because the channel of communication between the sensors and the algorithm is also secured, it is impossible for malware to inject or replay data in order to simulate a user signing in or to lock a user out of their machine.”
Source: Windows Hello Enhanced Sign-in Security | Microsoft Learn

✅This sounds good to me, as I have heard some users express concerns about how their biometric data is protected. Without this feature, bad actors might be able to simulate a sign-in.

💡ESS depends on most of the Windows 11 hardware requirements (in particular a TPM 2.0, UEFI Secure Boot and hardware that can run virtualization-based security, which is what isolates the biometric data and matching from the rest of the OS). If you allow unsupported devices to install Windows 11, you will not be able to use ESS on them.

That being said, installing Windows 11 on unsupported devices is NOT recommended!
Read what Microsoft says on the topic here: Windows 11 on devices that don’t meet minimum system requirements – Microsoft Support

Enhanced Sign-in Security: Prerequisites

  • All the Windows 11 hardware requirements
  • An internal camera with ESS support and/or an internal fingerprint sensor with ESS support (one ESS-capable sensor is enough; see the note below)
  • BIOS/UEFI support for ESS. Most brands have a specific setting that must be enabled. For Lenovo devices the setting is called “Enhanced Windows Biometric Security”

💡ESS does not support external cameras or fingerprint sensors. Keep that in mind before enabling ESS in production, as your users can no longer use the camera on top of the monitor to sign in to the computer.

💡If a computer has just one ESS-capable device, all other biometric devices will be blocked when ESS is enabled.
Example: Let’s say a computer has one camera and one fingerprint sensor, and only one of them is ESS-capable. Only the ESS-capable device can be used to sign in to the computer; the other device will be completely blocked. If both the camera and the fingerprint sensor are ESS-capable, both devices can be used to sign in.

Enhanced Sign-in Security: Check compatibility

Microsoft explains how to manually check whether a device is compatible with ESS. Refer to the Microsoft Learn article for the detailed steps: Windows Hello Enhanced Sign-in Security | Microsoft Learn

Checking compatibility through code is a different challenge, as our devices are built with varying components. I have created a script to check camera compatibility. The script can be run locally on a device for a quick check or deployed as a remediation script using Intune. The script’s output can help determine compatibility before pushing the policy that enables ESS.

Use Intune remediation to check compatibility

  1. 💾 Download the script “ESS_Check capability_Detection_v1.0.ps1”
  2. Run it as a remediation script, or manually on your devices.
    Only the detection script is needed; no remediation script is used.

    It only needs to run once. Windows 365 Cloud PCs are not compatible with ESS, so use a filter to exclude them from the assignment.
  3. Review the output to determine ESS compatibility for your devices. Refer to the manufacturer’s documentation to learn about any BIOS/UEFI settings that may be required.
  4. Enable ESS for compatible devices, starting with a small test group.
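As an added example, and not the downloadable script from this post, the following Intune detection script reports the prerequisites a device can check about itself: Windows 11 build, TPM 2.0 present and ready, UEFI Secure Boot, virtualization-based security actually running, and whether the hardware is physical rather than a virtual machine or Cloud PC. It also lists the present biometric devices and cameras for manual review. It cannot decide whether a sensor is ESS-capable; that still comes from the manufacturer’s documentation and the BIOS setting. The model name pattern used to spot virtual machines and the “one sensor present” check are assumptions, not a Microsoft-documented test.

```powershell
# Added example: Intune remediation *detection* script for ESS prerequisites.
# Not the post's own script. Exit 0 = all OS-side checks pass, exit 1 = something
# is missing or could not be verified. Run elevated when testing manually, since
# Confirm-SecureBootUEFI and Get-Tpm need administrative rights.

$ErrorActionPreference = 'Stop'
$results = [ordered]@{}

# 1. Windows 11: build 22000 or later
$build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
$results['Windows11'] = ($build -ge 22000)

# 2. TPM 2.0 present and ready (SpecVersion looks like "2.0, 0, 1.59")
try {
    $tpm  = Get-Tpm
    $spec = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm).SpecVersion
    $results['Tpm20Ready'] = [bool]($tpm.TpmPresent -and $tpm.TpmReady -and $spec -like '2.0*')
} catch {
    $results['Tpm20Ready'] = $false
}

# 3. UEFI Secure Boot enabled (the cmdlet throws on legacy BIOS firmware)
try {
    $results['SecureBoot'] = [bool](Confirm-SecureBootUEFI)
} catch {
    $results['SecureBoot'] = $false
}

# 4. Virtualization-based security running (0 = off, 1 = enabled but not running, 2 = running)
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$results['VbsRunning'] = ($dg.VirtualizationBasedSecurityStatus -eq 2)

# 5. Physical hardware. Windows 365 Cloud PCs and other VMs never qualify;
#    the model-name pattern is an assumption, adjust it for your fleet.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$results['PhysicalDevice'] = ($cs.Model -notmatch 'Virtual|VMware|Cloud PC')

# 6. Candidate sensors. Bus type does NOT tell internal from external (many
#    built-in fingerprint readers and webcams are internally wired USB), so the
#    list is for review, not a verdict on ESS capability.
$sensors = Get-PnpDevice -PresentOnly -Status OK |
    Where-Object { $_.Class -in @('Biometric', 'Camera', 'Image') } |
    ForEach-Object { '{0}: {1} ({2})' -f $_.Class, $_.FriendlyName, $_.InstanceId }
$results['SensorPresent'] = ($sensors.Count -gt 0)

# One line of output so it is readable in the Intune remediation report.
$summary = ($results.GetEnumerator() | ForEach-Object { '{0}={1}' -f $_.Key, $_.Value }) -join '; '
Write-Output "$summary; Sensors: $($sensors -join ' | ')"

if ($results.Values -contains $false) { exit 1 } else { exit 0 }
```

When deploying this as a remediation in Intune, set “Run script in 64-bit PowerShell” to Yes so the TPM and Secure Boot modules load, keep the default of running as SYSTEM, and schedule it once. Devices that exit 1 show up as “with issues”; read the output line to see which prerequisite failed before assuming the hardware is the problem.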

Enhanced Sign-in Security: Enable

❗Remember to test the configuration on a small number of devices before rolling it out in a controlled manner. We received reports of BSODs back in 2023 due to misconfigurations on specific devices.

Here’s how you can enable Windows Hello Enhanced Sign-in Security using Intune:

  1. Create a new or edit an existing Settings Catalog policy
  2. Find “Enable ESS with Supported Peripherals”
  3. Enable the setting
  4. Assign the policy to a test group

Enhanced Sign-in Security: Verify

Microsoft has documented the manual steps for verifying that ESS is enabled. I have created a script that, for now, only verifies that the internal camera is using ESS. The script can be targeted at selected devices for verification.

  1. 💾 Download the script “ESS_Verify capability_Detection_v1.0.ps1”
  2. Deploy it as a detection script to the same group we used to enable ESS.
