Applies To
Windows 11 Windows 10

When you sign in with Windows Hello, your biometric data is stored securely (see here for more technical information).

Malicious users and attackers constantly try to come up with new ways to access your device and access sensitive information. To stop them, you need a secure sign-in process that begins at the biometric sensor, and ends where your profile is stored.

What does Enhanced Sign-in Security do for you?

Enhanced Sign-in Security adds a layer of security to biometric data by using specialized hardware and software components, for example Virtualization Based Security (VBS) and Trusted Platform Module 2.0. See here to learn more about ESS.

Note: Copilot+ PCs have Enhanced Sign-in Security enabled by default. For more information, see Copilot+ PC hardware requirements.

Implications when Enhanced Sign-in Security is enabled 

Since the Enhanced Sign-in Security ecosystem is tightly controlled, introducing new items like non-secure peripheral cameras and fingerprint readers may open the door for potential malicious users to access your biometrics. 

Caution: 

  • Some fingerprint peripherals labelled as "Windows Hello compatible" will enable Enhanced Sign-in Security and other Windows features that require Enhanced Sign-in Security on your device.

  • These peripherals do not pose a security risk, but if you would like to use them with Enhanced Sign-in Security before it is officially supported in Windows, we recommend plugging in the fingerprint reader before booting the device for the first time, enrolling in Windows Hello during Windows set-up, and never detaching the sensor from the PC. 

  • Full Enhanced Sign-in Security support for peripherals is expected late 2025.

Configure Enhanced Sign-in Security

You can use the Settings app to configure Enhanced Sign-in Security.

  1. In the Settings app  on your Windows device, select Accounts > Sign-in options or use the following shortcut:

    Sign-in options

  2. Under Additional settings > Sign in with an external camera or fingerprint reader, there's a toggle that allows you to enable or disable ESS:

  • When the toggle is Off, ESS is enabled and you may not be able to use external peripherals to sign in. Remember, you can still use external peripherals within apps like Teams

  • When the toggle is On, ESS is disabled and you can use Windows Hello compatible peripherals to sign in

Screenshot of Settings - Disable ESS toggle.

See also

Using third-party fingerprint readers and cameras with Windows Hello​​​​​​​

Facebook LinkedIn Email
SUBSCRIBE RSS FEEDS

Need more help?

Want more options?

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Microsoft 365 subscription benefits

Microsoft 365 training

Microsoft security

Accessibility center