    Why Enabling Windows Hello Enhanced Sign-in Security Can Suddenly Disable Face Recognition

    By Eswar Koneti | February 27, 9:57 pm | 8 Mins Read | Entra ID

    Although this post focuses heavily on Windows Hello Face, Enhanced Sign‑in Security applies to both Face and Fingerprint authentication. Face recognition is impacted more frequently because far fewer IR cameras meet ESS requirements. Fingerprint sensors are more often ESS‑capable, but non‑ESS fingerprint devices will also be removed when ESS is enforced.

    Introduction:

    This post explains what happened, why it happened, and how to deploy Enhanced Sign-in Security without breaking existing Windows Hello enrollments.

    As part of our identity modernization journey, we enabled passwordless authentication across the organization using a passphrase (a long password with no expiry) together with Windows Hello. This removed password‑based sign‑ins in favor of PIN and biometric authentication, significantly improving both security and user experience.

    As a next step in security hardening, we wanted to block the use of external cameras and fingerprint readers for Windows Hello sign‑in for all users by default. The goal was:

    • Reduce the attack surface introduced by external biometric devices
    • Rely on built‑in, OEM‑trusted hardware wherever possible
    • Allow external biometric usage only by exception, through an approved request process

    From a Windows user perspective, this control exists locally at:

    Settings > Accounts > Sign-in options > Additional settings > Sign in with an external camera or fingerprint reader. This toggle lets you enable or disable ESS:

    When the toggle is Off, ESS is enabled and you can't use external peripherals to sign in. Remember, you can still use external peripherals within apps like Teams.

    When the toggle is On, ESS is disabled and you can use Windows Hello compatible peripherals to sign in.

    This option only appears on devices where the IR camera supports Enhanced Sign‑in Security (ESS).

    From an Intune perspective, the supported way to block external biometric devices is to enforce Enhanced Sign‑in Security (ESS).

    On paper, this looked simple:

    • Enforce ESS
    • Block external cameras
    • Keep Windows Hello Face working on built‑in IR cameras

    Reality turned out to be very different.

    For more details about Windows Hello Enhanced Sign-in Security, please read Windows Hello Enhanced Sign-in Security | Microsoft Learn

    Difference: ESS‑Capable vs Non‑ESS IR Cameras

    To make this easier to understand, let’s look at how Windows behaves on different types of devices.

    Device with IR Camera and ESS Support

    The screenshot below is taken from a device that has:

    • A built‑in IR camera
    • Enhanced Sign‑in Security (ESS) support

    On the device, navigating to:

    Settings → Accounts → Sign‑in options → Additional settings

    shows the following option:

    Sign in with an external camera or fingerprint reader
    (Use Windows Hello without enhanced sign‑in security)

    Key observations:

    • The option is visible
    • By default, it is Off
    • Enabling it requires administrator privileges
    • When enabled, it allows:
      • External IR cameras
      • External fingerprint readers
      • Legacy (non‑ESS) biometric sign‑in

    This means:

    • The device can support ESS
    • Windows is offering a controlled fallback to non‑ESS biometric devices
    • This fallback must be centrally controlled in enterprise environments to avoid weakening security posture

    Understanding IR Cameras vs ESS‑Capable IR Cameras (Critical Background)

    Before going further, it’s important to clarify a key distinction that is not obvious from the Windows UI or OEM spec sheets:

    Not all IR cameras that support Windows Hello are compatible with Enhanced Sign‑in Security (ESS).

    This misunderstanding is at the heart of the issue described in this post.

    What is an IR camera (Windows Hello Face)?

    A standard IR (Infrared) camera enables Windows Hello Face using:

    • Infrared illumination
    • Depth sensing
    • Facial recognition algorithms

    Most enterprise laptops that advertise “Windows Hello Face” include this type of camera. When ESS is not enforced, Windows Hello Face works using the standard biometric pipeline.

    In this mode:

    • Facial templates are protected by Windows
    • Biometric processing runs in the normal OS context
    • External cameras and legacy devices may also be allowed

    This is why many devices:

    • Have IR cameras
    • Successfully use Windows Hello Face
    • Work perfectly for years — until ESS is enforced

    What is an ESS‑capable IR camera?

    An ESS‑capable IR camera meets additional hardware, firmware, and platform requirements defined by Microsoft.

    When ESS is enabled:

    • Facial recognition processing is isolated using Virtualization‑Based Security (VBS)
    • Biometric templates are generated and stored in protected memory regions
    • The communication path between the camera and Windows is hardware‑attested

    Only cameras that meet all ESS requirements can be used once ESS is enforced.

    Why this difference is easy to miss

    From an admin’s perspective:

    • Both devices appear as IR cameras
    • Both support Windows Hello Face
    • Both may work identically before ESS

    However:

    • ESS capability is not visible in Device Manager
    • OEM documentation rarely calls this out clearly
    • Microsoft documentation explains ESS requirements but does not explicitly warn that existing Windows Hello Face enrollments will be removed on non‑ESS cameras

    This makes it very easy to assume that “if the device has an IR camera, ESS will be fine.” That assumption is incorrect.

    What happens when ESS is enforced?

    When ESS is enabled, Windows performs a hard compatibility check at runtime.

    Camera type                     | Result when ESS is enforced
    IR camera with ESS support      | Windows Hello Face continues to work
    IR camera without ESS support   | Windows Hello Face is disabled and the enrollment is removed

    Windows does not:

    • Fall back to non‑ESS mode
    • Preserve existing face enrollments
    • Display a warning before removal

    This is intentional — ESS enforces a strict trust boundary.

    Why PIN still works:

    • PIN is still Windows Hello
    • PIN is TPM‑backed
    • PIN is ESS‑compatible

    So when ESS is enforced:

    • Face sign‑in may be removed
    • PIN remains available

    This is expected behavior.

    The Issue: Mixed Hardware + ESS Enforcement

    We deployed ESS enforcement to a small pilot group that included devices with:

    • IR camera with ESS support
    • IR camera without ESS support

    All devices already had Windows Hello Face configured and working.

    What happened next

    On devices where the IR camera did not support ESS, Windows (after a restart):

    • Disabled Windows Hello Face
    • Removed the existing Hello Face enrollment
    • Left PIN as the only available Windows Hello method

    The reason shown was: “Detected camera can’t be used to sign in and not compatible with enhanced sign‑in security”.

    This resulted in:

    • Sudden loss of Face sign‑in
    • Confused users
    • Service desk escalations
    • A near miss, since this was about to be deployed broadly

    The most dangerous part? These devices did have IR cameras, and Windows Hello Face did work previously.

    Why This Happens (and Why It’s by Design):

    ESS is not an enhancement toggle — it enforces a new biometric trust boundary.

    When ESS is enabled:

    • Legacy biometric pipelines are no longer allowed
    • Existing biometric templates cannot be reused
    • Windows removes non‑ESS face enrollments immediately

    There is no compatibility or fallback mode.

    This is why:

    • Face sign‑in disappears
    • The external camera toggle vanishes
    • PIN remains available

    This behavior is intentional.

    Correct Deployment Model:

    Device capability               | Correct action
    ESS‑capable IR camera           | Deploy ESS
    IR camera without ESS support   | Do NOT deploy ESS
    Mixed hardware fleet            | Use device‑based targeting

    ESS must be targeted, not broadly deployed.

    The Safe Approach: Detect First, Deploy Later

    Step 1: Detect ESS‑capable IR cameras (Intune Remediation)

    PowerShell

    $essCapableCameras = @()
    $essNOTCapableCameras = @()

    # Get all cameras that are currently present and working (Status OK)
    $biometricDevices = @(Get-PnpDevice -Class Camera -Status OK)

    foreach ($device in $biometricDevices) {
        # DEVPKEY_Device_Capabilities is a CM_DEVCAP_* bitmask;
        # 0x0400 is CM_DEVCAP_SECUREDEVICE, the "secure device" flag that ESS-capable
        # cameras expose (this is the only ESS indicator the PnP layer gives us).
        $caps = Get-PnpDeviceProperty -InstanceId $device.InstanceId -KeyName 'DEVPKEY_Device_Capabilities' -ErrorAction SilentlyContinue

        if ($caps -and ($caps.Data -band 0x0400)) {
            $essCapableCameras += $device.FriendlyName
        } else {
            $essNOTCapableCameras += $device.FriendlyName
        }
    }

    # Collapse each list to a single string ("NONE" when empty) so it can be stored in the registry
    $CapableString    = if ($essCapableCameras.Count -eq 0) { "NONE" } else { $essCapableCameras -join "," }
    $NOTCapableString = if ($essNOTCapableCameras.Count -eq 0) { "NONE" } else { $essNOTCapableCameras -join "," }

    # Ensure the inventory registry key exists
    $regPath = "HKLM:\SOFTWARE\eskonr\ESSCameraSupport"
    if (-not (Test-Path $regPath)) {
        New-Item -Path $regPath -Force | Out-Null
    }

    # Write values directly (-Force overwrites the previous run's result)
    New-ItemProperty -Path $regPath -Name "ESSCapableCameras"    -Value $CapableString    -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $regPath -Name "ESSNOTCapableCameras" -Value $NOTCapableString -PropertyType String -Force | Out-Null

    # Optional console output
    Write-Host "ESSCapableCameras: $CapableString"
    Write-Host "ESSNOTCapableCameras: $NOTCapableString"

    Test the script before deploying it to a larger audience.

    Step 2: Analyze with Log Analytics + Power BI

    • Collect the registry values into Log Analytics (using a remediation script)
    • Visualize ESS capability by device model and camera type using Power BI
    • Identify the safe deployment scope

    Step 3: Deploy ESS only to supported devices

    • Target ESS‑capable devices only
    • Exclude non‑ESS hardware
    • Prevent user impact
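    The three steps above can be collapsed into a single Intune detection script that produces both the inventory and the targeting verdict. The script below is an added example, not the post's own script: it reuses the post's secure-device capability check and registry key, but extends it to the Biometric (fingerprint) device class as well, since the post notes that non-ESS fingerprint readers are removed too. Assumptions, labelled in the comments: that the CM_DEVCAP_SECUREDEVICE bit (0x0400) also marks ESS-capable fingerprint sensors, that Intune treats exit code 0 as "compliant" and 1 as "non-compliant" and shows the last line of output in the remediation report, and the registry value name ESSVerdict, which is made up for this example. With this convention, the "non-compliant" device set in the remediation report is exactly the exclusion list for the ESS policy, and the JSON line is what gets exported to Log Analytics or Power BI.

```powershell
# Added example (not from the post). Inventories active camera and fingerprint devices,
# records an ESS verdict, and uses the exit code to separate safe from unsafe devices.
$SecureDeviceFlag = 0x0400                                  # CM_DEVCAP_SECUREDEVICE
$regPath = 'HKLM:\SOFTWARE\eskonr\ESSCameraSupport'         # same key as the post's Step 1 script

function Get-BiometricInventory {
    # One object per present, working camera / fingerprint device with its ESS capability.
    # ASSUMPTION: the secure-device bit is meaningful for the Biometric class as well as Camera.
    foreach ($class in @('Camera', 'Biometric')) {
        $devices = @(Get-PnpDevice -Class $class -Status OK -ErrorAction SilentlyContinue)
        foreach ($d in $devices) {
            $caps = Get-PnpDeviceProperty -InstanceId $d.InstanceId `
                        -KeyName 'DEVPKEY_Device_Capabilities' -ErrorAction SilentlyContinue
            $capValue = if ($caps) { [uint32]$caps.Data } else { 0 }
            [pscustomobject]@{
                Class      = $class
                Name       = $d.FriendlyName
                InstanceId = $d.InstanceId
                EssCapable = [bool]($capValue -band $SecureDeviceFlag)
            }
        }
    }
}

$inventory = @(Get-BiometricInventory)
$model     = (Get-CimInstance -ClassName Win32_ComputerSystem).Model

$ess    = @($inventory | Where-Object { $_.EssCapable })
$nonEss = @($inventory | Where-Object { -not $_.EssCapable })

# A device with no biometric hardware has no enrollment to lose, so ESS is safe there too.
$verdict = if ($inventory.Count -eq 0) { 'NoBiometricDevice' }
           elseif ($nonEss.Count -eq 0) { 'SafeForESS' }
           else { 'NotSafeForESS' }

# Persist the verdict next to the post's values (ESSVerdict is a hypothetical value name).
if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
New-ItemProperty -Path $regPath -Name 'ESSVerdict' -Value $verdict -PropertyType String -Force | Out-Null

# Single-line JSON: ASSUMPTION that the remediation report surfaces the last stdout line,
# which is what you would forward to Log Analytics / Power BI for the by-model view.
$summary = [pscustomobject]@{
    Model         = $model
    Verdict       = $verdict
    EssDevices    = ($ess.Name -join ';')
    NonEssDevices = ($nonEss.Name -join ';')
} | ConvertTo-Json -Compress
Write-Output $summary

# ASSUMPTION on Intune's convention: exit 0 = compliant (safe to target with ESS),
# exit 1 = non-compliant (at least one non-ESS biometric device; exclude from the ESS policy).
if ($verdict -eq 'NotSafeForESS') { exit 1 } else { exit 0 }
```

Run it as a detection-only remediation (no remediation script attached) against the pilot group first and compare its verdicts with the devices that actually lost Face sign-in; only once those agree should the "compliant" set be used to populate the ESS targeting group.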

    Final Warning:

    If you enforce ESS on devices that:

    • Have IR cameras
    • Already use Windows Hello Face
    • Do not support ESS

    Windows Hello Face will be removed immediately. At scale, this can cause significant disruption.

    Final Thoughts:

    Enhanced Sign‑in Security is a powerful and necessary security feature — but only when deployed with hardware awareness.

    Microsoft documentation explains what ESS is, but not clearly what breaks when it’s enforced. In mixed hardware environments, that distinction matters.

    Hope you found this blogpost informative.

    Reference

    Windows Hello Enhanced Sign-in Security | Microsoft Learn

    rockenroll.tech/2025/01/21/windows-hello-enhanced-sign-in-security/

    © Copyright 2009-2025 Eswar Koneti, All rights reserved.

    Type above and press Enter to search. Press Esc to cancel.

     

    Loading Comments...