18.10.8.1.1 (L1) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'

Information

This policy setting determines whether enhanced anti-spoofing is configured for devices which support it.

The recommended state for this setting is: Enabled

Enterprise managed environments are now supporting a wider range of mobile devices, increasing the security on these devices will help protect against unauthorized access on your network.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled :

Computer Configuration\Policies\Administrative Templates\Windows Components\Biometrics\Facial Features\Configure enhanced anti-spoofing

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Biometrics.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer).

Note #2: In the Windows 10 Release 1511 and Windows 10 Release 1607 & Server 2016 Administrative Templates, this setting was initially named

Use enhanced anti-spoofing when available

. It was renamed to

Configure enhanced anti-spoofing

starting with the Windows 10 Release 1703 Administrative Templates.

Impact:

Windows will require all users on the device to use anti-spoofing for facial features, on devices which support it.

See Also

https://workbench.cisecurity.org/benchmarks/15105

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-16

Plugin: Windows

Control ID: 2cad421873550efb871458d3d392a97d4d685e0a310891bef6e609e5643f3dd4