Windows Hello for Business - External peripherals with "Enhanced Anti-Spoofing"

Adrian Halfdan Ulland 20 Reputation points
2025-02-05T10:40:17.4666667+00:00

Greetings, I am in the middle of implementing Windows Hello for Business in our tenant.

One of the settings that we've decided to enable, leaves me a bit confused after experimenting with it. The setting in question is "Facial Features Use Enhanced Anti Spoofing".

We want this setting on as it adds very important security and since most of our users have laptops with integrated Windows Hello camera's.

According to Microsoft's Documentation(*) enabling this should block external peripherals from being able to be used as Windows Hello devices, unless I'm misunderstanding something.

I'd like to know more about the following:

#1: While I do notice that the external camera struggles a bit to recognize me, it still does. I initially expected to lose access to Facial Recognition completely, or at least have it no longer function. Can someone fill me in on how they interpret the feature?

#2: Does someone know how I can check on a client directly if the policy has been applied successfully? I'd like to use this during troubleshooting; according to Intune the setting has been set but I don't know for sure.

(*)I'm struggling to relocate the source, maybe it was changed- looking for some sort of confirmation on this.

The testing environment consists of a Desktop computer with no integrated peripherals, and a Lenovo Performance FHD Camera as the Windows Hello peripheral.

Thank you in advance, looking forward to all and any responses I might get.

~Adrian H. Ulland

Windows 11
Windows 11
A Microsoft operating system designed for productivity, creativity, and ease of use.
10,781 questions
Microsoft Intune
Microsoft Intune
A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.
5,567 questions
0 comments No comments
{count} votes

Accepted answer
  1. ZhoumingDuan-MSFT 16,045 Reputation points Microsoft Vendor
    2025-02-06T02:06:44.57+00:00

    @Adrian Halfdan Ulland, Thanks for posting in Q&A.

    Q1. Can someone fill me in on how they interpret the feature?

    A1. The "Enhanced Anti-Spoofing" feature is designed to add an extra layer of security by making it harder for unauthorized users to spoof the facial recognition system. This feature primarily enhances the detection capabilities of the integrated camera to differentiate between a real face and a spoof (such as a photo or video). It doesn't necessarily block external cameras but makes it more challenging for them to pass the enhanced security checks. This is why your external camera still works but struggles more to recognize you.

    Q2. Does someone know how I can check on a client directly if the policy has been applied successfully?

    A2. Please first go to Microsoft Intune portal and check the Windows Hello for Business policy status, if the policy status is success and then go to client device.

    Open the Registry Editor by typing regedit in the Run dialog (Win + R).

    Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures.

    Look for a REG_DWORD named EnhancedAntiSpoofing and check whether its value is set to 1.

    Also, the feature needs some requirements mentioned in the following link.

    https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security

    This disables Windows Hello face authentication on devices that don't support enhanced anti-spoofing.

    https://learn.microsoft.com/en-us/windows/client-management/mdm/passportforwork-csp#devicebiometricsfacialfeaturesuseenhancedantispoofing

    Hope above information can help you.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.