This tutorial demonstrates how to configure enhanced anti-spoofing for Windows Hello for Windows 10 and Windows 11 devices. Enabling enhanced anti-spoofing adds additional protection to biometric login on your PC, helping to protect your device and data.
Understanding Enhanced Anti-Spoofing for Windows Hello
Windows Hello is a feature of Windows 10 and Windows 11 that lets you log in using a PIN, fingerprint, or face scan rather than entering your password. Which methods are available depends on the hardware your device supports (for example, a face scan requires a supported web camera, and fingerprint login requires a fingerprint reader).
Forgoing password authentication increases security: because you won’t need to type your password each time you start or unlock your device, you can use a stronger password for your PC and your Microsoft Account. It also reduces the chance that your password can be captured by a keylogger or seen by an observer.
In enterprise environments using a Windows Domain and Active Directory, Windows Hello is preferable because user credentials don’t need to be transmitted for each login. After the user’s first login, Windows Hello stores a token that can be used instead, further securing user authentication in sensitive business environments.
While more secure than traditional usernames and passwords, Windows Hello is not infallible, and there have been demonstrated cases of facial recognition being beaten by presenting the camera with images of the user (known as ‘spoofing’).
Enhanced Anti-Spoofing helps protect against this by requiring that devices that use facial recognition to log in have additional hardware features like infrared cameras that aren’t fooled by common spoofing tactics.
How to enable/disable Enhanced Anti-Spoofing for Windows Hello in Windows 10 and Windows 11
The instructions below for using the Local Group Policy Editor and Registry Editor to configure Enhanced Anti-Spoofing for Windows Hello apply to both Windows 10 and Windows 11. Note that all methods require that you be logged in as an administrator.
Before making changes, you should back up your PC (or at the very least, back up your Local Group Policy or Windows Registry, depending on which method you use). You should also make sure you know the password to the local user account or Microsoft Account you use to log in to your Windows device: if you are already using Windows Hello to log in, you may need to re-authenticate after making changes.
Using the Windows Registry (Windows 10/11 Home & all other editions)
Enabling or disabling Enhanced Anti-Spoofing for Windows Hello can be done using the Windows Registry on all versions of Windows 10 and Windows 11.
- Right-click on the Start button and select Run
- Enter the command regedit and press OK to open the Windows Registry Editor
- Navigate to the registry key Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft
- If the Biometrics sub-key doesn’t exist at this location, create it by selecting Edit > New > Key from the toolbar
- Within the Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics sub-key, create a FacialFeatures sub-key if it doesn’t already exist
You can then enable or disable Enhanced Anti-Spoofing by adding or removing a registry value:
- To enable Enhanced Anti-Spoofing for Windows Hello, navigate to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures in the Registry Editor, then select Edit > New > DWORD (32-Bit) Value
- Name the new DWORD value EnhancedAntiSpoofing and set its value to 1
- To disable Enhanced Anti-Spoofing, delete the EnhancedAntiSpoofing DWORD value
- You may need to reboot your device for the changes to take effect.
Note that the registry key shown above is for PCs that aren’t connected to a Domain or using Windows Hello for Business (in which case, Group Policy is the best way to deploy configuration).
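The registry steps above can also be scripted from an elevated PowerShell session. The following is an added example, not part of the original tutorial: the key path and value name are the ones given in the steps, while the function names and the backup file location are assumptions chosen for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example. Key path and value name come from the manual steps above;
# function names and the backup location are hypothetical.
$BiometricsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics'
$KeyPath       = "$BiometricsKey\FacialFeatures"
$ValueName     = 'EnhancedAntiSpoofing'

function Get-EnhancedAntiSpoofingState {
    # Returns 'Enabled', 'NotConfigured', or 'Other(<n>)' for any value the
    # tutorial does not describe.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$ValueName -eq 1) { return 'Enabled' }
    return "Other($($item.$ValueName))"
}

function Backup-BiometricsPolicy {
    # Export the existing policy sub-key before changing it, as the tutorial advises.
    $backup = Join-Path $env:TEMP 'Biometrics-policy-backup.reg'
    if (Test-Path $BiometricsKey) {
        reg.exe export 'HKLM\SOFTWARE\Policies\Microsoft\Biometrics' $backup /y | Out-Null
        return $backup
    }
    return $null   # nothing to back up yet
}

function Set-EnhancedAntiSpoofing {
    param([Parameter(Mandatory)][bool]$Enabled)

    Backup-BiometricsPolicy | Out-Null
    if ($Enabled) {
        # Only create the key when it is missing: New-Item -Force on an existing
        # registry key would wipe the values already stored in it.
        if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
        New-ItemProperty -Path $KeyPath -Name $ValueName `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
    elseif (Test-Path $KeyPath) {
        # Disabling means deleting the value, matching the manual steps.
        Remove-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    }
    # Read the value back so the caller sees the state actually stored.
    Get-EnhancedAntiSpoofingState
}

# Usage (uncomment one line):
# Set-EnhancedAntiSpoofing -Enabled $true    # expected result: Enabled
# Set-EnhancedAntiSpoofing -Enabled $false   # expected result: NotConfigured
```

Running `Get-EnhancedAntiSpoofingState` on its own makes no changes and can be used to audit a device before and after a reboot.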
Using the Local Group Policy Editor (Windows 10/11 Pro & Enterprise)
You can also use the Windows Local Group Policy Editor to make changes on the current device or deploy a Group Policy to an Active Directory Domain to enable/disable Enhanced Anti-Spoofing for multiple PCs in an enterprise environment:
- Right-click on the Start button and select Run
- Type the command gpedit.msc and press the Enter key to open the Local Group Policy Editor
- Navigate to Computer Configuration\Administrative Templates\Windows Components\Biometrics\Facial Features
- Double-click on the Configure enhanced anti-spoofing setting
- To enable Enhanced Anti-Spoofing for Windows Hello, select the Enabled value
- To disable it, select the Not configured value
- Press OK to save the change
Troubleshooting common Windows Hello issues
If, after enabling Enhanced Anti-Spoofing for Windows Hello, you find that face login is no longer available, it is most likely because your camera does not support the technology required for Enhanced Anti-Spoofing. If your device is supported, but you are having trouble logging in, you can follow this guide to improving Windows Hello Face Recognition.
Managing Windows Hello and authentication for enterprise and education
Securing end-user devices in enterprise and education environments is a continual challenge for IT teams: authentication and security must both adequately protect devices, while being convenient so that users don’t attempt workarounds (like deferring password changes, or using easily-guessed or re-used passwords). Windows Hello and device-based authentication provide strong security that is more convenient than traditional password-based login.
NinjaOne provides a complete mobile device management (MDM) solution that allows you to deploy security policies (including enabling Enhanced Anti-Spoofing for Windows Hello in Windows), and monitor your users’ devices. If a mobile device is lost or stolen, it can be remotely tracked and wiped to prevent data leaks, protecting your valuable business data, as well as your customers’ private information.