Block biometrics completely in the operating system

Dec 7, 2018 13:27 GMT  ·  By

Facial recognition is the next big thing in the tech world, and it’s now being adopted by device manufacturers en-masse, with such capabilities added to both laptops and smartphones.

As you probably know if you’re a long-time Windows 10 user, Microsoft itself is offering biometrics in its operating system powered by a feature called Windows Hello, and which any device can sport as long as the necessary hardware is there.

Windows Hello debuted in late 2015 and was even available on Microsoft phones running Windows 10 Mobile. It later expanded to many other devices, and it’s now one of the key features on Microsoft’s Surface devices.

And while biometrics represents a very convenient way to sign in to Windows 10, IT pros may choose to disable Windows Hello on domain computers or within their networks and instead force users to stick with very complex passwords that guarantee their account security.

Microsoft isn’t offering an easy way to disable biometrics in Windows 10, but this can be done from the Group Policy Editor and the Registry Editor.

Group Policy Editor

If you want to use the Group Policy Editor to disable biometrics, it all comes down to just a few clicks. First of all, launch the app by clicking the Start menu or opening the run dialog (Windows key + R) and then by typing gpedit.msc.

Navigate to the following path in the Group Policy Editor:

Computer Configuration > Administrative Templates > Windows Components > Biometrics There are several policies on the right side of the screen, and the one you’re going to use is called: Allow the use of biometrics As you can easily figure out by simply reading its name, this policy is supposed to allow or block the use of biometrics in Windows 10. Double-click the policy and then switch to the Disabled mode so that the service would be turned off, in which case users would be required to stick with a password.

Microsoft also recommends IT administrators to create a password recovery disk because using complex passwords can lead to incidents like lost credentials.

“Users who log on using biometrics should create a password recovery disk; this will prevent data loss in the event that someone forgets their logon credentials,” the software giant explains.

Setting up the policy in the Group Policy Editor

Registry Editor

Those who want to stick with the Registry Editor need to create the aforementioned policy manually and change its value to reflect the desired settings.

To launch the Registry Editor, you need to click the Start menu and type regedit.exe. Navigate to the following path in the Registry Editor:

HKEY_LOCAL_MACHINE > SOFTWARE > Policies > Microsoft > Biometrics > Credential Provider If you’ve previously configured Windows Hello, on the right side of the screen you should find a registry item called Enabled. Depending on the value that you provide for this key you’re going to allow or block biometrics in Windows 10.

Value 0 = Disabled Value 1 = Enabled

Simply double-click the key and then change the value according to your preferences. You can change the settings at a later time if you want to return to the original configuration.

If this entry isn’t there, right-click in the right pane and go to New > DWORD (32-bit) Value to create it manually.

Keep in mind that blocking biometrics forces users to stay with passwords, in which case you are recommended to configure complex phrases that would include both numbers and letters. Switching to PINs could help make the signing in process a bit more convenient if complex passwords are used, but even so, password recovery disks are still recommended.

Photo Gallery (2 Images)

Windows Hello was rolled out in late 2015
Setting up the policy in the Group Policy Editor
Open gallery