This tutorial will show you how to enable or disable Enhanced Sign-in Security for all users in Windows 11.
Windows Hello enables biometrics or PIN authentication, eliminating the need for a password. Biometric authentication uses facial recognition or fingerprint to prove a user's identity in a way that's secure, personal, and convenient.
Malicious users and attackers constantly try to come up with new ways to access your device and access sensitive information. To stop them, you need a secure sign-in process that begins at the biometric sensor, and ends where your profile is stored.
Enhanced Sign-in Security (ESS) provides an additional level of security to biometric data with the use of specialized hardware and software components. Virtualization Based Security (VBS) and Trusted Platform Module 2.0 are used to isolate and protect a user's authentication data, and to secure the data communication channel.
Since the ESS ecosystem is tightly controlled, introducing new items like plug-in cameras and fingerprint readers (FPR) may open the door for potential malicious users to access your biometrics. This is why you can’t use your external camera or FPR to sign into a device that has ESS enabled.
There are some situations where you may want to use an external peripheral for signing in, for example if you use your laptop on a docking station. In such cases, you won't be able to use the external peripheral for sign in, unless you disable ESS. The tradeoff of disabling ESS is that you lower the security of your device.
ESS System requirements
Compatible hardware and software components are required to enable Enhanced Sign-in Security:
- Meet the requirements for Virtualization-Based Security (VBS), including Device Guard Enablement and Trusted Platform Module 2.0
- Biometric sensor hardware that supports ESS
- Biometric sensor drivers compatible with ESS
- Device firmware with a Secure Devices (SDEV) ACPI table configured by the device manufacturer for the included biometric hardware
When ESS is enabled, you can still use your external camera with applications like Teams. Such apps don’t rely on biometrics for authentication.
When ESS is disabled, you can use Windows Hello compatible peripherals to sign in.
Copilot+ PCs have ESS enabled by default.
You must be signed in as an administrator to enable or disable Enhanced Sign-in Security.
After you enable or disable Enhanced Sign-in Security (ESS), users will have to sign in next time with their password or PIN, and set up their face and/or fingerprint again after signing in.
Contents
- Option One: Enable or Disable Enhanced Sign-in Security in Settings
- Option Two: Enable or Disable Enhanced Sign-in Security using REG file
Option One: Enable or Disable Enhanced Sign-in Security in Settings
1 Open Settings (Win+I).
2 Click/tap on Accounts on the left side, and click/tap on Sign-in options on the right side.
3 Under Additional settings, turn On (disable ESS) or Off (enable ESS - default) Sign in with an external camera or fingerprint reader for what you want.
4 Click/tap on Restart Now to immediately restart the computer to apply.
Be sure to save and close anything you want first.
Option Two: Enable or Disable Enhanced Sign-in Security using REG file
1 Do step 2 (enable) or step 3 (disable) below for what you would like to do.
2 Enable Enhanced Sign-in Security
This is the default setting.
A) Click/tap on the Download button below to download the REG file below, and go to step 4 below.
Enable_Enhanced_Sign-in_Security.reg
(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WinBio]
"SupportPeripheralsWithEnhancedSignInSecurity"=dword:00000000
3 Disable Enhanced Sign-in Security
A) Click/tap on the Download button below to download the file below, and go to step 4 below.
Disable_Enhanced_Sign-in_Security.reg
(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WinBio]
"SupportPeripheralsWithEnhancedSignInSecurity"=dword:00000001
4 Save the .reg file to your desktop.
5 Double click/tap on the downloaded .reg file to merge it.
6 When prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve the merge.
7 Restart the computer to apply.
8 You can now delete the downloaded .reg file if you like.
That's it,
Shawn Brink
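To confirm which state a machine is in after using either option, the following read-only PowerShell check (an added example, not part of the original tutorial) reads the registry value set by the REG files above and reports the TPM 2.0 and VBS prerequisites from the requirements list. It assumes an elevated session; treating a missing value as "never set" is an assumption, and the Win32_Tpm and Win32_DeviceGuard WMI classes are standard Windows classes that the tutorial itself does not mention.

```powershell
# Added example: read-only audit of the Enhanced Sign-in Security (ESS) setting.
# Run in an elevated PowerShell session; nothing is modified.
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WinBio'
$name = 'SupportPeripheralsWithEnhancedSignInSecurity'

# Value written by the tutorial's REG files: 0 = ESS enabled, 1 = ESS disabled.
$value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if     ($null -eq $value) { $ess = 'Value not present (assumption: never set on this device)' }
elseif ($value -eq 0)     { $ess = 'Enabled: external camera/fingerprint sign-in is blocked' }
elseif ($value -eq 1)     { $ess = 'Disabled: external camera/fingerprint sign-in is allowed' }
else                      { $ess = "Unexpected value: $value" }

# Prerequisite from the requirements list: Trusted Platform Module 2.0.
$tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                       -ClassName Win32_Tpm -ErrorAction SilentlyContinue
$tpmVersion = if ($tpm) { $tpm.SpecVersion } else { 'No TPM reported' }

# Prerequisite: VBS. Status 0 = not enabled, 1 = enabled but not running, 2 = running.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$vbsText = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
$vbs = if ($dg) { $vbsText[[int]$dg.VirtualizationBasedSecurityStatus] } else { 'Unknown' }

# One summary object per machine, suitable for collecting across a fleet.
[pscustomobject]@{
    ComputerName  = $env:COMPUTERNAME
    EssSetting    = $ess
    RegistryValue = $value
    TpmIs20       = [bool]($tpm -and $tpm.SpecVersion -like '2.0*')
    TpmSpec       = $tpmVersion
    VbsStatus     = $vbs
} | Format-List
```

A registry value of 1 on a device that is not used with a dock or external sensor is worth reviewing, since it gives up the ESS protection described above.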