Biometrics refers to the unique characteristics that can be used for identification. This includes physical traits (such as fingerprints) and behavioral traits (such as typing rhythm). Biometric information is increasingly replacing passwords to identify and verify users.
Windows provides a biometric authentication service called Windows Hello that helps strengthen authentication and guard against potential spoofing through fingerprint matching and facial recognition. The platform's policy framework lets you remotely allow or restrict users from logging in to a managed device using biometrics. You can apply the policy to one managed Windows device or the entire fleet in your organization. See Get Started: Policies.
If you enable Multi-Factor Authentication (MFA) on a Windows device in the platform, then biometrics cannot be used as the primary authentication method for device login. However, Windows Hello can be used as an authentication method during an active user session.
- If you clear Allow The Use Of Biometrics, devices where you apply this policy can’t use the Windows Biometrics Services that Windows Hello relies on. In this case, the device notifies users that Windows Hello isn’t available on this device.
- If you select Allow The Use Of Biometrics and the device supports Windows Hello, users can set up Windows Hello.
- If Windows Hello is enabled, users may be required to set and use a PIN.
Considerations:
- Consistently apply all Windows system updates.
- The platform doesn’t support Microsoft accounts. They shouldn’t be enabled or locally tied to platform accounts.
To create a policy to allow biometrics:
- Log in to the Admin Portal.
- Go to DEVICE MANAGEMENT > Policy Management.
- Click (+).
- On the New Policy screen, select the Windows tab.
- Locate the Allow the Use of Biometrics policy, then click configure.
- (Optional) Enter a new name for the policy, or keep the default. Policy names must be unique.
- Under Settings, select Allow The Use of Biometrics to enable biometrics.
- (Optional) Select the Device Groups tab, then select one or more device groups where you'll apply this policy. For device groups with multiple OS member types, the policy is applied only to the supported OS.
- (Optional) Select the Devices tab, then select one or more devices where you'll apply this policy.
- Click save.
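
To confirm on a device that the saved policy took effect, the following added example (not part of the original documentation or the vendor's tooling) reads the local policy state and the Windows Biometric Service status. It assumes the policy is delivered through the standard Windows policy value `Enabled` under `HKLM:\SOFTWARE\Policies\Microsoft\Biometrics`, which this page does not state; the function name `Get-BiometricsPolicyState` is hypothetical.

```powershell
# Added example: endpoint-side check of the biometrics policy state.
# Assumption: the policy is written to the standard Windows policy value
# 'Enabled' under the registry path below (the page does not confirm this).
function Get-BiometricsPolicyState {
    [CmdletBinding()]
    param(
        [string]$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics'
    )

    # A missing key or value means "not configured"; Windows then
    # allows biometrics by default.
    $enabled = $null
    if (Test-Path -Path $PolicyPath) {
        $item = Get-ItemProperty -Path $PolicyPath -Name 'Enabled' -ErrorAction SilentlyContinue
        if ($null -ne $item) { $enabled = [int]$item.Enabled }
    }

    if     ($null -eq $enabled) { $policy = 'NotConfigured' }
    elseif ($enabled -eq 0)     { $policy = 'Blocked' }
    elseif ($enabled -eq 1)     { $policy = 'Allowed' }
    else                        { $policy = "Unexpected($enabled)" }

    # Windows Hello relies on the Windows Biometric Service (WbioSrvc).
    $svc = Get-Service -Name 'WbioSrvc' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        Policy        = $policy
        ServiceStatus = if ($svc) { $svc.Status } else { 'NotInstalled' }
        ServiceStart  = if ($svc) { $svc.StartType } else { $null }
    }
}

# Run locally on the managed device and compare with the portal setting.
Get-BiometricsPolicyState | Format-List
```

A `Policy` value of `Blocked` on a device where the portal policy selects Allow The Use Of Biometrics (or the reverse) indicates the policy has not been applied yet or is being overridden by another policy source.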