Configure enhanced anti-spoofing

Information

This policy setting determines whether enhanced anti-spoofing is required for Windows Hello face authentication.
If you enable this setting, Windows requires all users on managed devices to use enhanced anti-spoofing for Windows Hello face authentication. This disables Windows Hello face authentication on devices that do not support enhanced anti-spoofing.
If you disable or don't configure this setting, Windows doesn't require enhanced anti-spoofing for Windows Hello face authentication.
Note that enhanced anti-spoofing for Windows Hello face authentication is not required on unmanaged devices.

Solution

Policy Path: Windows Components\Biometrics\Facial Features
Policy Setting Name: Configure enhanced anti-spoofing

See Also

https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1909-and-windows-server/ba-p/1023093

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b.

Plugin: Windows

Control ID: 5637c5151d5364a7d507d8ee3992fb24db921538f70c9c6f9be5d168063ecb49