Set Up Windows Hello Enhanced Sign-in Security in Windows 11/10


Difficulty: Beginner | Time Required: 10 minutes
Windows Hello already makes signing in with your face, fingerprint, or PIN faster and safer than using a traditional password. Enhanced Sign-in Security (ESS) adds another layer of protection by helping ensure biometric sign-in uses trusted hardware paths and is better protected against spoofing or tampering.
For everyday users, the benefit is simple: more secure sign-in without giving up convenience. If your PC supports it, enabling ESS can strengthen Windows Hello facial recognition and other sign-in experiences on compatible devices. This guide walks you through how to check support, turn it on, and troubleshoot common issues in both Windows 11 and Windows 10.

Prerequisites

Before you begin, make sure the following are true:
  • Your PC supports Windows Hello
  • You already have a Windows Hello PIN set up
  • Your device has compatible hardware, such as:
    • an IR camera for face sign-in, and/or
    • a compatible fingerprint reader
  • You are using a supported version of Windows

Version notes

  • Windows 11: ESS support is most common here, especially on newer laptops and business PCs.
  • Windows 10: Availability is more limited and depends heavily on device hardware and manufacturer support.
  • Some features tied to external Windows Hello cameras and docking behavior were improved in Windows 11 version 22H2 and later.
Note: If your PC doesn’t show the ESS option, that usually means the hardware or driver stack does not support it—not that anything is broken.

What Enhanced Sign-in Security does

Enhanced Sign-in Security is designed to strengthen Windows Hello by using more secure system paths between the biometric hardware and Windows. In plain English, it helps Windows trust the sign-in hardware more deeply and reduces the chance that fake or intercepted input could be used.
This is especially useful on modern business-class devices where security features are closely tied to firmware, TPM, and protected sign-in components.
Important: Windows Hello always requires a PIN fallback. Even if you use face or fingerprint sign-in, you still need a PIN in case your camera or sensor is unavailable.

Step 1: Check whether your PC supports Windows Hello

Before looking for ESS, confirm that Windows Hello itself is available.

In Windows 11

  1. Open Settings
  2. Click Accounts
  3. Select Sign-in options
  4. Look under:
    • Facial recognition (Windows Hello)
    • Fingerprint recognition (Windows Hello)
    • PIN (Windows Hello)

In Windows 10

  1. Open Settings
  2. Click Accounts
  3. Select Sign-in options
  4. Check whether Windows Hello options appear
If you see only the PIN option and no face or fingerprint choices, your hardware may not support biometric Windows Hello.
Tip: A PIN alone is still more secure than a normal password in many cases because it is tied to the device and protected locally, often with TPM-backed security.

Step 2: Set up Windows Hello first

If you haven’t already configured Windows Hello, do that before looking for ESS.
  1. Go to Settings > Accounts > Sign-in options
  2. Under PIN (Windows Hello), choose Set up if needed
  3. Follow the prompts to create your PIN
  4. If your device supports it, also set up:
    • Facial recognition
    • Fingerprint recognition
Windows requires the PIN because it acts as your secure fallback method.
Warning: Don’t remove or disable your PIN expecting to use biometrics only. Windows Hello depends on the PIN as a backup sign-in method.

Step 3: Look for the Enhanced Sign-in Security setting

Once Windows Hello is configured, check whether your device exposes the ESS option.

In Windows 11

  1. Open Settings
  2. Go to Accounts > Sign-in options
  3. Expand Additional settings if needed
  4. Look for a setting related to:
    • Enhanced sign-in security
    • or a note that Windows Hello uses enhanced security on supported devices

In Windows 10

  1. Open Settings
  2. Go to Accounts > Sign-in options
  3. Review Windows Hello-related settings for any ESS option
On many systems, especially managed or newer business PCs, the option may appear as a simple toggle.

Step 4: Turn on Enhanced Sign-in Security

If the option is available:
  1. In Settings > Accounts > Sign-in options, find Enhanced sign-in security
  2. Turn the toggle On
  3. If prompted, confirm with your PIN or administrator approval
  4. Restart your PC if Windows asks you to
That’s it. Once enabled, Windows Hello will use the enhanced protection model supported by your device.
Tip: After enabling ESS, test your normal sign-in method once or twice after a restart to confirm everything works as expected.

Step 5: Test Windows Hello after enabling ESS

After turning ESS on:
  1. Lock your PC by pressing Windows + L
  2. Try signing in with:
    • Face recognition, or
    • Fingerprint recognition
  3. If that fails, sign in with your PIN
  4. Return to Settings > Accounts > Sign-in options and confirm your methods are still enrolled
If facial recognition or fingerprint sign-in stops working after ESS is enabled, it may mean your current hardware, docking setup, or accessory is not fully compatible with the more secure mode.

Step 6: If needed, remove and re-add Windows Hello biometrics

If face or fingerprint sign-in behaves strangely after enabling ESS, re-enrolling often helps.
  1. Open Settings > Accounts > Sign-in options
  2. Select the Windows Hello method that is having trouble
  3. Click Remove
  4. Restart the computer
  5. Go back and choose Set up
  6. Re-enroll your face or fingerprint
This refreshes the local biometric enrollment data stored on the device.
Note: Windows Hello biometric data is stored locally on the device and does not roam with your account.

Tips and troubleshooting

1) The ESS option is missing

This is the most common situation.
Possible reasons:
  • Your PC does not support ESS
  • Your camera or fingerprint reader drivers are too old
  • The device manufacturer didn’t implement support
  • A work or school policy is controlling the feature
Try this:
  1. Install all Windows Updates
  2. Install the latest OEM drivers from your PC maker
  3. Update BIOS/UEFI if your manufacturer recommends it
  4. Restart the PC and check again
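
The checks above can also be gathered from an elevated PowerShell prompt. This is an added example, not part of the original tutorial; the function name Get-HelloReadinessReport is hypothetical, and the script only reads system information (Windows build, TPM state, and the driver version and date of fingerprint readers and cameras).

```powershell
# Added example: read-only inventory for the "ESS option is missing" checklist.
# Run in an elevated PowerShell session; Get-Tpm needs administrator rights.
function Get-HelloReadinessReport {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # TPM state; $null if the cmdlet fails (no TPM, or session not elevated).
    $tpm = try { Get-Tpm -ErrorAction Stop } catch { $null }

    # Signed drivers for fingerprint readers and cameras. The device class
    # does not tell an IR camera from an ordinary webcam, so read the names.
    $drivers = Get-CimInstance -ClassName Win32_PnPSignedDriver |
        Where-Object { $_.DeviceClass -in 'BIOMETRIC', 'CAMERA', 'IMAGE' } |
        Select-Object DeviceName, Manufacturer, DriverVersion, DriverDate

    [pscustomobject]@{
        OS                        = $os.Caption
        Build                     = [int]$os.BuildNumber
        # Windows 11 22H2 is build 22621; Windows 10 builds are lower.
        Win11_22H2OrLater         = ([int]$os.BuildNumber -ge 22621)
        TpmPresent                = if ($tpm) { $tpm.TpmPresent } else { 'unknown' }
        TpmReady                  = if ($tpm) { $tpm.TpmReady } else { 'unknown' }
        BiometricAndCameraDrivers = $drivers
    }
}

$report = Get-HelloReadinessReport
$report | Format-List OS, Build, Win11_22H2OrLater, TpmPresent, TpmReady
# Oldest drivers first, so stale camera or fingerprint drivers stand out.
$report.BiometricAndCameraDrivers | Sort-Object DriverDate | Format-Table -AutoSize
```

An empty driver table matches the PIN-only case from Step 1: Windows sees no fingerprint reader or camera to use for Windows Hello.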

2) External Windows Hello camera no longer works

If ESS is enabled, some external cameras or accessories may not work the same way as before.
Things to know:
  • On systems with both internal and external Hello cameras, Windows may prefer one over the other
  • External accessory behavior has improved on Windows 11 22H2 and later
  • ESS may be more restrictive with devices that don’t meet the required secure path standards
Try:
  • Disconnect and reconnect the accessory
  • Update the accessory firmware and driver
  • Test with the built-in camera
  • Temporarily disable ESS to compare behavior

3) Face sign-in fails repeatedly

If biometric authentication fails several times, Windows may temporarily stop allowing that biometric method.
What to do:
  1. Sign in with your PIN
  2. Once signed in, try face or fingerprint again later
Important: Restarting the PC does not always restore biometric availability immediately. Signing in with another valid method, like your PIN, is the normal recovery path.

4) I use a laptop dock or closed lid setup

Some older hardware had issues using external Hello accessories while docked or with the lid closed.
  • This behavior was improved in Windows 11 version 22H2
  • If you rely on a dock, keep Windows and device firmware fully updated

5) I forgot my PIN

Because the PIN is your fallback sign-in method, it matters.
To reset it:
  1. On the sign-in screen, choose I forgot my PIN
  2. Or go to Settings > Accounts > Sign-in options > PIN (Windows Hello)
  3. Follow the prompts to reset it

When you should leave ESS off

You may want to leave ESS disabled if:
  • Your sign-in hardware becomes unreliable after enabling it
  • You depend on an older external Hello camera
  • Your device doesn’t fully support the feature
  • Your workplace IT department has specific sign-in requirements
There is no need to force the setting if your hardware isn’t designed for it. Standard Windows Hello is still a strong sign-in method compared to passwords.

Conclusion

Enhanced Sign-in Security is one of those features that works best when your hardware fully supports it. On compatible Windows 11 and Windows 10 devices, it can make Windows Hello even more secure by tightening how biometric sign-in is handled behind the scenes. For most users, setup is as simple as checking Sign-in options, enabling the toggle, and testing face or fingerprint sign-in afterward.
If the feature isn’t available on your PC, don’t worry—using Windows Hello with a PIN, face, or fingerprint is still an excellent step up from passwords alone.
Key Takeaways:
  • Windows Hello Enhanced Sign-in Security adds stronger protection to compatible sign-in hardware
  • It is most commonly available on newer Windows 11 devices
  • A Windows Hello PIN is still required as the fallback sign-in method
  • If ESS causes problems, re-enrolling biometrics or updating drivers often helps
  • If the toggle is missing, your device likely does not support the feature

This tutorial was generated to help WindowsForum.com users get the most out of their Windows experience.
 
