Enhanced Sign-in Security in Windows
Applies To
When you sign in with Windows Hello, your biometric data is stored securely (see here for more technical information).
Malicious users and attackers constantly try to come up with new ways to access your device and access sensitive information. To stop them, you need a secure sign-in process that begins at the biometric sensor, and ends where your profile is stored.
What does Enhanced Sign-in Security do for you?
Enhanced Sign-in Security adds a layer of security to biometric data by using specialized hardware and software components, for example, Virtualization Based Security (VBS) and Trusted Platform Module 2.0. See here to learn more about ESS.
Implications when Enhanced Sign-in Security is enabled
Since the Enhanced Sign-in Security ecosystem is tightly controlled, introducing new items like non-secure peripheral cameras and fingerprint readers may open the door for potential malicious users to access your biometrics.
Configure Enhanced Sign-in Security
You can use the Settings app to configure Enhanced Sign-in Security.
-
In the Settings app  on your Windows device, select Accounts > Sign-in options or use the following shortcut: ​​​​​​​​​​​​​​​​​​​​​
-
Sign-in options​​​​​​​​​​​​​​
-
-
On devices running Windows 11, version 24H2 or newer: Under Additional settings > Enhanced sign-in security, there’s a toggle that allows you to enable or disable ESS if you have relevant sensors available. Â
-
When the toggle is Off, ESS is disabled and you can use non-ESS Windows Hello compatible peripherals to sign in.
-
When the toggle is On, ESS is enabled and you can’t use non-ESS Windows Hello compatible peripherals to sign in. Remember, you can still use external peripherals within apps like Teams when ESS is On.
-
If you have no toggle but see Enhanced sign-in security available as set up, the first sensor you enroll will determine your ESS state. For example, if you first enroll an ESS sensor, you will have ESS On. If you enroll a non-ESS sensor first, you will have ESS Off.
-
-
On devices running Windows 11, version 23H2:Â Under Additional settings > Sign in with an external camera or fingerprint reader, there's a toggle that allows you to enable or disable ESS:
-
When the toggle is Off , ESS is enabled and you may not be able to use external peripherals to sign in. Remember, you can still use external peripherals within apps like Teams
-
When the toggle is On , ESS is disabled and you can use Windows Hello compatible peripherals to sign in
-
See also
Using third-party fingerprint readers and cameras with Windows Hello ​​​​​​​
Need more help?
Want more options?
Explore subscription benefits, browse training courses, learn how to secure your device, and more.
Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.
