Enhanced Sign-in Security in Windows
Applies To
Windows 11
When you sign in with Windows Hello, your biometric data is stored securely (see here for more technical information).
Malicious users and attackers constantly try to come up with new ways to access your device and the sensitive information on it. To stop them, you need a secure sign-in process that begins at the biometric sensor and ends where your profile is stored.
What does Enhanced Sign-in Security do for you?
Enhanced Sign-in Security (ESS) adds a layer of security to biometric data by using specialized hardware and software components, for example Virtualization Based Security (VBS) and Trusted Platform Module 2.0. See here to learn more about ESS.
Note: Copilot+ PCs have ESS enabled by default. For more information, see Copilot+ PC hardware requirements.
Implications when ESS is enabled
Since the ESS ecosystem is tightly controlled, introducing new items like plug-in cameras and fingerprint readers (FPR) may open the door for potential malicious users to access your biometrics. This is why you can’t use your external camera or FPR to sign in to a device that has ESS enabled.
Note: When ESS is enabled, you can still use your external camera with applications like Teams. Such apps don’t rely on biometrics for authentication.
There are some situations where you may want to use an external peripheral for signing in, for example if you use your laptop on a docking station. In such cases, you won't be able to use the external peripheral for sign in, unless you disable ESS. The tradeoff of disabling ESS is that you lower the security of your device.
Configure ESS
You can use the Settings app to configure ESS.
- In the Settings app on your Windows device, select Accounts > Sign-in options or use the following shortcut:
- Under Additional settings > Sign in with an external camera or fingerprint reader, there's a toggle that allows you to enable or disable ESS:
  - When the toggle is Off, ESS is enabled and you can't use external peripherals to sign in. Remember, you can still use external peripherals within apps like Teams.
  - When the toggle is On, ESS is disabled and you can use Windows Hello compatible peripherals to sign in.