Accounts Enable or Disable Enhanced Sign-in Security in Windows 11

  • Thread starter: Brink


This tutorial will show you how to enable or disable Enhanced Sign-in Security for all users in Windows 11.

Windows Hello enables biometrics or PIN authentication, eliminating the need for a password. Biometric authentication uses facial recognition or fingerprint to prove a user's identity in a way that's secure, personal, and convenient.

Malicious users and attackers constantly try to come up with new ways to access your device and access sensitive information. To stop them, you need a secure sign-in process that begins at the biometric sensor, and ends where your profile is stored.

Enhanced Sign-in Security (ESS) provides an additional level of security for biometric data through specialized hardware and software components. Virtualization Based Security (VBS) and Trusted Platform Module 2.0 are used to isolate and protect users' authentication data, and to secure the data communication channel.

Since the ESS ecosystem is tightly controlled, introducing new items like plug-in cameras and fingerprint readers (FPR) may open the door for potential malicious users to access your biometrics. This is why you can’t use your external camera or FPR to sign into a device that has ESS enabled.

There are some situations where you may want to use an external peripheral for signing in, for example if you use your laptop on a docking station. In such cases, you won't be able to use the external peripheral for sign in, unless you disable ESS. The tradeoff of disabling ESS is that you lower the security of your device.

ESS System requirements

Compatible hardware and software components are required to enable Enhanced Sign-in Security:
Starting with Windows 11 build 26100.7705 (24H2), build 26200.7705 (25H2), and build 28020.1619 (Canary 26H1), Windows Hello Enhanced Sign-in Security (ESS) supports peripheral fingerprint sensors. This update extends this more secure sign-in option beyond devices with built-in fingerprint sensors to include desktops and other Windows 11 PCs, including Copilot+ PCs. To get started, plug in a supported ESS fingerprint reader, go to Settings > Accounts > Sign-in options, and follow the prompts to enroll.

When ESS is enabled, you can still use your external camera with applications like Teams. Such apps don’t rely on biometrics for authentication.

When ESS is disabled, you can use Windows Hello compatible peripherals to sign in.


Copilot+ PCs have ESS enabled by default.

You must be signed in as an administrator to enable or disable Enhanced Sign-in Security.


After you enable or disable Enhanced Sign-in Security (ESS), users will have to sign in next time with their password or PIN, and set up their face and/or fingerprint again after signing in.




Contents

  • Option One: Enable or Disable Enhanced Sign-in Security in Settings
  • Option Two: Enable or Disable Enhanced Sign-in Security using REG file




Option One

Enable or Disable Enhanced Sign-in Security in Settings


1 Open Settings (Win+I).

2 Click/tap on Accounts on the left side, and click/tap on Sign-in options on the right side.


3 Under Additional settings, turn the "Sign in with an external camera or fingerprint reader" setting On (disables ESS) or Off (enables ESS, the default), depending on what you want.

4 Click/tap on Restart Now to immediately restart the computer to apply.

Be sure to save and close anything you want first.




Option Two

Enable or Disable Enhanced Sign-in Security using REG file


1 Do step 2 (enable) or step 3 (disable) below for what you would like to do.

2 Enable Enhanced Sign-in Security

This is the default setting.


A) Click/tap on the Download button below to download the REG file, and go to step 4 below.

Enable_Enhanced_Sign-in_Security.reg


(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WinBio]
"SupportPeripheralsWithEnhancedSignInSecurity"=dword:00000000

3 Disable Enhanced Sign-in Security

A) Click/tap on the Download button below to download the REG file, and go to step 4 below.

Disable_Enhanced_Sign-in_Security.reg


(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WinBio]
"SupportPeripheralsWithEnhancedSignInSecurity"=dword:00000001

4 Save the .reg file to your desktop.

5 If you have Smart App Control turned on, you will need to unblock the downloaded REG file.

6 Double click/tap on the downloaded .reg file to merge it.

7 When prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve the merge.

8 Restart the computer to apply.

9 You can now delete the downloaded .reg file if you like.


That's it,
Shawn Brink
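
Before approving the merge in steps 6 and 7 of Option Two, the downloaded file can be compared against the reference contents shown in steps 2 and 3. The following is an added example, not part of the original tutorial: a Python check that accepts a REG file only if it sets the single WinBio value from this page and nothing else. The function names and both sample files are constructed for illustration.

```python
import re

# Expected change, taken from the REG file contents shown in the tutorial.
EXPECTED_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WinBio"
EXPECTED_NAME = "SupportPeripheralsWithEnhancedSignInSecurity"
MEANING = {0: "enable ESS (default)", 1: "disable ESS"}
HEADER = "Windows Registry Editor Version 5.00"

def decode_reg(raw: bytes) -> str:
    """REG files are often UTF-16LE with a BOM; others are saved as UTF-8."""
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le")
    return raw.decode("utf-8-sig")

def audit_reg(raw: bytes):
    """Return (verdict, findings); verdict is None if anything unexpected is present."""
    lines = [l.strip() for l in decode_reg(raw).splitlines() if l.strip()]
    findings, verdict, key = [], None, None
    if not lines or lines[0] != HEADER:
        findings.append("missing or unexpected header")
    for line in lines[1:]:
        if line.startswith(";"):
            continue  # comment line
        if line.startswith("["):
            # A key deletion such as [-HKEY_...] keeps its '-' and fails this check.
            key = line.strip("[]").upper()
            if key != EXPECTED_KEY.upper():
                findings.append(f"touches other key: {line.strip('[]')}")
            continue
        m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
        on_target = (bool(m) and key == EXPECTED_KEY.upper()
                     and m.group(1).lower() == EXPECTED_NAME.lower())
        if on_target and verdict is None and int(m.group(2), 16) in MEANING:
            verdict = MEANING[int(m.group(2), 16)]
        else:
            # Other value names, other types, deletions ("name"=-), repeats.
            findings.append(f"unexpected entry: {line}")
    return (verdict if not findings else None), findings

# Constructed sample 1: the "disable" file from step 3, saved as UTF-16LE with BOM.
_text = f'{HEADER}\r\n\r\n[{EXPECTED_KEY}]\r\n"{EXPECTED_NAME}"=dword:00000001\r\n'
SAMPLE_DISABLE = b"\xff\xfe" + _text.encode("utf-16-le")
# Constructed sample 2: same file with an extra, unrelated key appended (UTF-8).
SAMPLE_EXTRA = (_text + '\r\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\ExampleVendor]\r\n'
                '"Extra"=dword:00000001\r\n').encode("utf-8")

if __name__ == "__main__":
    print(audit_reg(SAMPLE_DISABLE))
    print(audit_reg(SAMPLE_EXTRA))
```

A file that passes returns the action it will perform, so the enable and disable downloads can also be told apart before merging.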


 

ngciso.exe still runs for a minute after boot up even though I have the feature disabled as in option one of this tutorial.

If I use the reg key in option 2 will it stop the process from running at all?
 


Hey mate, :alien:

It will disable the enhanced sign-in security feature. No guarantee the process still won't run for a moment or not.
 
