Configure enhanced anti-spoofing

Information

This policy setting determines whether enhanced anti-spoofing is required for Windows Hello face authentication.
If you enable this setting, Windows requires all users on managed devices to use enhanced anti-spoofing for Windows Hello face authentication. This disables Windows Hello face authentication on devices that do not support enhanced anti-spoofing.
If you disable or don't configure this setting, Windows doesn't require enhanced anti-spoofing for Windows Hello face authentication.
Note that enhanced anti-spoofing for Windows Hello face authentication is not required on unmanaged devices.

Solution

Policy Path: Windows Components\Biometrics\Facial Features
Policy Setting Name: Configure enhanced anti-spoofing

See Also

https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-windows-10-and-windows-server-version/ba-p/1543631

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b.

Plugin: Windows

Control ID: e2256b4483a1217b3a5cd44ebd869c9caa7155631aaf08cb01ac22b4f4936bb8