18.10.80.1 Ensure 'Enable ESS with Supported Peripherals' is set to 'Enabled: 1'

Information

Enhanced Sign-in Security isolates Windows Hello biometric (face and fingerprint) template data and matching operations to trusted hardware or specified memory regions.

The recommended state for this setting is: Enabled: 1 (Enhanced Sign-in Security Enabled).

Because the channel of communication between the sensors and the algorithm is secured, it is impossible for malware to inject or replay data in order to simulate a user signing in or to lock a user out of their machine.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled: 1 (Enhanced Sign-in Security Enabled):

Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Hello for Business\Enable ESS with Supported Peripherals

Note: This Group Policy path is provided by the Group Policy template Passport.admx/adml that is included with the Microsoft Windows 11 Release 22H2 Administrative Templates v1.0 (or newer).
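The benchmark text gives only the Group Policy UI path, so the following is an added audit helper, not part of the benchmark itself, for checking the resulting policy value on a machine. The registry location it reads (HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork\Biometrics, value EnableESSwithSupportedPeripherals) is an assumption based on the Passport.admx template and should be confirmed against the template before relying on it; the function name and the sample output are likewise this example's own.

```powershell
# Added example: audit whether the 'Enable ESS with Supported Peripherals'
# policy is applied as Enabled: 1. Returns an object with the observed value
# and a Compliant flag so it can be collected across many hosts.
#
# ASSUMPTION: registry path and value name taken from the Passport.admx
# template; verify them in the ADMX before using this in production.
$EssPolicyPath  = 'HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork\Biometrics'
$EssPolicyValue = 'EnableESSwithSupportedPeripherals'

function Test-EssPolicyCompliance {
    param(
        [string]$Path  = $EssPolicyPath,
        [string]$Name  = $EssPolicyValue,
        [int]   $Expected = 1          # benchmark expects Enabled: 1
    )

    # Read the DWORD if the key and value exist; a missing value means the
    # policy is 'Not Configured' (default behavior applies, but no enforcement).
    $observed = $null
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $observed = [int]$item.$Name
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        PolicyPath   = "$Path\$Name"
        Observed     = if ($null -eq $observed) { 'Not Configured' } else { $observed }
        Expected     = $Expected
        Compliant    = ($observed -eq $Expected)
    }
}

# Usage: run elevated on the target host; pipe to Export-Csv for fleet collection.
Test-EssPolicyCompliance | Format-List
```

A 'Not Configured' result is reported as non-compliant on purpose: the Impact section notes that ESS is the default behavior, but the benchmark asks for the setting to be explicitly enforced so that it cannot be silently changed.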

Impact:

None - this is the default behavior.

See Also

https://workbench.cisecurity.org/benchmarks/26296

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-16, CSCv7|8.3

Plugin: Windows

Control ID: 677cde151c323eee8647ed30433111b137509114a11f0d82ef0ba076c1324593