Although this post focuses heavily on Windows Hello Face, Enhanced Sign‑in Security applies to both Face and Fingerprint authentication. Face recognition is impacted more frequently because far fewer IR cameras meet ESS requirements. Fingerprint sensors are more often ESS‑capable, but non‑ESS fingerprint devices will also be removed when ESS is enforced.
Introduction:
This post explains what happened, why it happened, and how to deploy Enhanced Sign-in Security without breaking existing Windows Hello.
As part of our identity modernization journey, we enabled passwordless authentication using a passphrase (a long password with no expiry) and Windows Hello across the organization. This removed password‑based sign‑ins in favor of PIN and biometric authentication, significantly improving both security and user experience.
As a next step in security hardening, we wanted to block the use of external cameras and fingerprint readers for Windows Hello sign‑in for all users by default. The goal was:
- Reduce the attack surface introduced by external biometric devices
- Rely on built‑in, OEM‑trusted hardware wherever possible
- Allow external biometric usage only by exception, through an approved request process
From a Windows user perspective, this control exists locally at:
Settings > Accounts > Sign-in options > Additional settings > Sign in with an external camera or fingerprint reader. This toggle lets you enable or disable ESS:

When the toggle is Off, ESS is enabled and you can't use external peripherals to sign in. Remember, you can still use external peripherals within apps like Teams.
When the toggle is On, ESS is disabled and you can use Windows Hello compatible peripherals to sign in.
This option only appears on devices where the IR camera supports Enhanced Sign‑in Security (ESS).
From an Intune perspective, the supported way to block external biometric devices is to enforce Enhanced Sign‑in Security (ESS).
On paper, this looked simple:
- Enforce ESS
- Block external cameras
- Keep Windows Hello Face working on built‑in IR cameras
Reality turned out to be very different.
For more details about Windows Hello Enhanced Sign-in Security, please read Windows Hello Enhanced Sign-in Security | Microsoft Learn
Difference: ESS‑Capable vs Non‑ESS IR Cameras
To make this easier to understand, let’s look at how Windows behaves on different types of devices.
Device with IR Camera and ESS Support
The screenshot below is taken from a device that has:
- A built‑in IR camera
- Enhanced Sign‑in Security (ESS) support
On the device, navigating to:
Settings → Accounts → Sign‑in options → Additional settings
shows the following option:

Sign in with an external camera or fingerprint reader
(Use Windows Hello without enhanced sign‑in security)
Key observations:
- The option is visible
- By default, it is Off
- Enabling it requires administrator privileges
- When enabled, it allows:
  - External IR cameras
  - External fingerprint readers
  - Legacy (non‑ESS) biometric sign‑in
This means:
- The device can support ESS
- Windows is offering a controlled fallback to non‑ESS biometric devices
- This fallback must be centrally controlled in enterprise environments to avoid weakening security posture
Understanding IR Cameras vs ESS‑Capable IR Cameras (Critical Background)
Before going further, it’s important to clarify a key distinction that is not obvious from the Windows UI or OEM spec sheets:
Not all IR cameras that support Windows Hello are compatible with Enhanced Sign‑in Security (ESS).
This misunderstanding is at the heart of the issue described in this post.
What is an IR camera (Windows Hello Face)?
A standard IR (Infrared) camera enables Windows Hello Face using:
- Infrared illumination
- Depth sensing
- Facial recognition algorithms
Most enterprise laptops that advertise “Windows Hello Face” include this type of camera. When ESS is not enforced, Windows Hello Face works using the standard biometric pipeline.
In this mode:
- Facial templates are protected by Windows
- Biometric processing runs in the normal OS context
- External cameras and legacy devices may also be allowed
This is why many devices:
- Have IR cameras
- Successfully use Windows Hello Face
- Work perfectly for years — until ESS is enforced
What is an ESS‑capable IR camera?
An ESS‑capable IR camera meets additional hardware, firmware, and platform requirements defined by Microsoft.
When ESS is enabled:
- Facial recognition processing is isolated using Virtualization‑Based Security (VBS)
- Biometric templates are generated and stored in protected memory regions
- The communication path between the camera and Windows is hardware‑attested
Only cameras that meet all ESS requirements can be used once ESS is enforced.
Why this difference is easy to miss
From an admin’s perspective:
- Both devices appear as IR cameras
- Both support Windows Hello Face
- Both may work identically before ESS
However:
- ESS capability is not visible in Device Manager
- OEM documentation rarely calls this out clearly
- Microsoft documentation explains ESS requirements but does not explicitly warn that existing Windows Hello Face enrollments will be removed on non‑ESS cameras
This makes it very easy to assume that “if the device has an IR camera, ESS will be fine.” That assumption is incorrect.
What happens when ESS is enforced?
When ESS is enabled, Windows performs a hard compatibility check at runtime.
| Camera type | Result when ESS is enforced |
|---|---|
| IR camera with ESS support | Windows Hello Face continues to work |
| IR camera without ESS support | Windows Hello Face is disabled and enrollment removed |
Windows does not:
- Fall back to non‑ESS mode
- Preserve existing face enrollments
- Display a warning before removal
This is intentional — ESS enforces a strict trust boundary.
Why PIN still works:
- PIN is still Windows Hello
- PIN is TPM‑backed
- PIN is ESS‑compatible
So when ESS is enforced:
- Face sign‑in may be removed
- PIN remains available
This is expected behavior.
The Issue: Mixed Hardware + ESS Enforcement
We deployed ESS enforcement to a small pilot group that included devices with:
- IR camera with ESS support
- IR camera without ESS support
All devices already had Windows Hello Face configured and working.
What happened next
On devices where the IR camera did not support ESS, Windows (after a restart):
- Disabled Windows Hello Face
- Removed the existing Hello Face enrollment
- Left PIN as the only available Windows Hello method
with the message “Detected camera can’t be used to sign in and not compatible with enhanced sign‑in security”.
This resulted in:
- Sudden loss of Face sign‑in
- Confused users
- Service desk escalations
- A near‑miss from deploying this broadly
The most dangerous part? These devices did have IR cameras, and Windows Hello Face did work previously.
Why This Happens (and Why It’s by Design):
ESS is not an enhancement toggle — it enforces a new biometric trust boundary.
When ESS is enabled:
- Legacy biometric pipelines are no longer allowed
- Existing biometric templates cannot be reused
- Windows removes non‑ESS face enrollments immediately
There is no compatibility or fallback mode.
This is why:
- Face sign‑in disappears
- The external camera toggle vanishes
- PIN remains available
This behavior is intentional.
Correct Deployment Model:
| Device capability | Correct action |
|---|---|
| ESS‑capable IR camera | Deploy ESS |
| IR camera without ESS support | Do NOT deploy ESS |
| Mixed hardware fleet | Use device‑based targeting |
ESS must be targeted, not broadly deployed.
The Safe Approach: Detect First, Deploy Later
Step 1: Detect ESS‑capable IR cameras (Intune Remediation)
PowerShell
$essCapableCameras = @()
$essNOTCapableCameras = @()

# Get all cameras that are currently present and working (Status OK)
$biometricDevices = @(Get-PnpDevice -Class Camera -Status OK)

foreach ($device in $biometricDevices) {
    # DEVPKEY_Device_Capabilities is a bitmask of CM_DEVCAP_* flags;
    # 0x0400 is CM_DEVCAP_SECUREDEVICE, which ESS-capable cameras report
    $caps = Get-PnpDeviceProperty -InstanceId $device.InstanceId -KeyName 'DEVPKEY_Device_Capabilities' -ErrorAction SilentlyContinue
    if ($caps -and ($caps.Data -band 0x0400)) {
        $essCapableCameras += $device.FriendlyName
    } else {
        $essNOTCapableCameras += $device.FriendlyName
    }
}

# Collapse each list to a single string ("NONE" when empty) so it can be stored as one registry value
$CapableString = if ($essCapableCameras.Count -eq 0) { "NONE" } else { $essCapableCameras -join "," }
$NOTCapableString = if ($essNOTCapableCameras.Count -eq 0) { "NONE" } else { $essNOTCapableCameras -join "," }

# Ensure registry key exists
$regPath = "HKLM:\SOFTWARE\eskonr\ESSCameraSupport"
if (-not (Test-Path $regPath)) {
    New-Item -Path $regPath -Force | Out-Null
}

# Write values directly (overwrite on every run so the inventory stays current)
New-ItemProperty -Path $regPath -Name "ESSCapableCameras" -Value $CapableString -PropertyType String -Force | Out-Null
New-ItemProperty -Path $regPath -Name "ESSNOTCapableCameras" -Value $NOTCapableString -PropertyType String -Force | Out-Null

# Optional console output (captured by Intune in the remediation report)
Write-Host "ESSCapableCameras: $CapableString"
Write-Host "ESSNOTCapableCameras: $NOTCapableString"
Test the script before deploying it to a larger audience.
Step 2: Analyze with Log Analytics + Power BI
- Collect the registry values into Log Analytics (use a remediation script)
- Visualize ESS capability by model and camera type using Power BI
- Identify safe deployment scope
Step 3: Deploy ESS only to supported devices
- Target ESS‑capable devices only
- Exclude non‑ESS hardware
- Prevent user impact
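As an added example (not code from the original post), here is a companion Intune remediation detection script that reads the two values written by the Step 1 script and decides whether the device belongs in the ESS assignment scope. The registry path and value names come from the Step 1 script; the scope labels and the function name are chosen for this example.

```powershell
# Added example: ESS pre-deployment gate for an Intune remediation "detection" script.
# Exit 0 = device is a safe ESS target, exit 1 = keep it out of the ESS assignment.
# Assumes the Step 1 script has already populated HKLM:\SOFTWARE\eskonr\ESSCameraSupport.
$regPath = 'HKLM:\SOFTWARE\eskonr\ESSCameraSupport'

function Get-EssDeploymentScope {
    param(
        [string]$Capable,     # ESSCapableCameras value: "NONE" or comma-separated camera names
        [string]$NotCapable   # ESSNOTCapableCameras value: "NONE" or comma-separated camera names
    )
    $hasCapable    = -not [string]::IsNullOrWhiteSpace($Capable)    -and $Capable    -ne 'NONE'
    $hasNotCapable = -not [string]::IsNullOrWhiteSpace($NotCapable) -and $NotCapable -ne 'NONE'

    # Any non-ESS camera means enforcing ESS would remove that camera's Face enrollment
    if ($hasNotCapable) { return 'ESS-BLOCK' }
    # Only ESS-capable cameras present: Face keeps working after enforcement
    if ($hasCapable)    { return 'ESS-SAFE' }
    # No camera inventoried at all: the camera check says nothing about other biometrics, review manually
    return 'NO-CAMERA'
}

try {
    $props = Get-ItemProperty -Path $regPath -ErrorAction Stop
} catch {
    Write-Output 'ESS-UNKNOWN | inventory values not found; run the Step 1 script first'
    exit 1
}

$scope = Get-EssDeploymentScope -Capable $props.ESSCapableCameras -NotCapable $props.ESSNOTCapableCameras

# One-line status; Intune records detection output in the remediation report
Write-Output "$scope | capable=$($props.ESSCapableCameras) | notCapable=$($props.ESSNOTCapableCameras)"

# Store the decision next to the inventory so it can be collected together with it
New-ItemProperty -Path $regPath -Name 'ESSDeploymentScope' -Value $scope -PropertyType String -Force | Out-Null

if ($scope -eq 'ESS-SAFE') { exit 0 } else { exit 1 }
```

Devices that exit 0 are the ones to place in the ESS assignment group; everything else stays excluded until its hardware has been reviewed.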
Final Warning:
If you enforce ESS on devices that:
- Have IR cameras
- Already use Windows Hello Face
- Do not support ESS
Windows Hello Face will be removed immediately. At scale, this can cause significant disruption.
Final Thoughts:
Enhanced Sign‑in Security is a powerful and necessary security feature — but only when deployed with hardware awareness.
Microsoft documentation explains what ESS is, but not clearly what breaks when it’s enforced. In mixed hardware environments, that distinction matters.
Hope you found this blogpost informative.
Reference
Windows Hello Enhanced Sign-in Security | Microsoft Learn
rockenroll.tech/2025/01/21/windows-hello-enhanced-sign-in-security/