Friday, November 8, 2024

Need to Know: Windows Hello Enhanced Sign-In Security (Premium)


Windows Hello Enhanced Sign-In Security (ESS) is one of several little-known Windows 11 features that most people have never experienced. In this case, there is a good reason: you can't just enable it on any PC. It has to be provisioned by the PC maker at manufacturing time, and, to date, few have done so because of the expense and difficulty involved. But with this month's Copilot+ PC launch, that's about to change.

For those unfamiliar (i.e. just about everyone), Windows Hello ESS does exactly what its name suggests: it hardens biometric user authentication in Windows 11. It requires specific hardware components, which helps explain why it's so rare. PC makers generally try to maximize margins by keeping costs as low as possible, and the components ESS requires are an added cost. So you will only find this feature, and the hardware it requires, in select premium laptops.

Windows Hello ESS uses Virtualization-based security (VBS) to isolate the biometric pipeline from the rest of Windows: the hypervisor carves out a protected environment in which the sensor's data channel and the user's biometric data are handled, so software running in the normal operating system, including malware with administrator rights, cannot read that data or inject a fake sample to spoof the user. And VBS is the primary source of ESS's hardware requirements: you can see the lengthy list of these requirements on the Microsoft Learn website.

Like you, I don't understand a lot of this, but the requirements boil down to: a modern 64-bit processor with hardware virtualization extensions (Intel VT-x or AMD-V) and Second Level Address Translation (SLAT); Secure Boot; a Trusted Platform Module (TPM) 2.0; firmware that conforms to the Windows SMM Security Mitigations Table (WSMT) specification and supports the UEFI v2.6 Memory Attributes Table (MAT) memory map format, EFI page protections, and Secure MOR v2 memory attack protections; all DMA-capable I/O devices placed behind an IOMMU (input-output memory management unit) or SMMU (system memory management unit); and kernel drivers that pass Microsoft's hypervisor-enforced Code Integrity (HVCI) compatibility checks. If any one of those conditions is not met (if your PC has even a single DMA-capable I/O device that is not behind an IOMMU or SMMU, for example), your PC cannot support Windows Hello ESS.
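As an added example, not code from the article or from Microsoft, the following PowerShell script reports the VBS-side prerequisites from the list above as Windows itself exposes them: the Win32_DeviceGuard WMI class (hypervisor support, Secure Boot, DMA protection, Secure MOR, NX and SMM mitigations, plus whether VBS and HVCI are actually running), the TPM specification version, and the Secure Boot state. The mapping of the integer codes to the requirement names follows Microsoft's documentation for that class; which codes count as "required" for ESS is my assumption, taken from the article's list. It also lists the fingerprint readers and cameras present, but note that nothing in WMI tells you whether such a device carries ESS firmware and a Microsoft-issued certificate, so a clean report here is necessary, not sufficient.

```powershell
# Added example (not the article's or Microsoft's code). Run elevated on Windows 11.
# Reports the VBS prerequisites for Windows Hello ESS; it cannot verify ESS device certificates.

# Documented meanings of the Win32_DeviceGuard integer codes.
$propertyNames = @{
    1 = 'Hypervisor support (virtualization extensions + SLAT)'
    2 = 'Secure Boot'
    3 = 'DMA protection (IOMMU/SMMU)'
    4 = 'Secure Memory Overwrite (Secure MOR)'
    5 = 'NX protections'
    6 = 'SMM mitigations (WSMT)'
    7 = 'Mode Based Execution Control'
    8 = 'APIC virtualization'
}
$vbsStatusNames = @{ 0 = 'not enabled'; 1 = 'enabled, not running'; 2 = 'enabled and running' }
$serviceNames   = @{ 1 = 'Credential Guard'; 2 = 'HVCI'; 3 = 'System Guard Secure Launch'; 4 = 'SMM Firmware Measurement' }

# Assumption: the codes the article's requirement list corresponds to.
$requiredForEss = 1, 2, 3, 4, 5, 6

$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$available = @($dg.AvailableSecurityProperties)

Write-Host "VBS status: $($vbsStatusNames[[int]$dg.VirtualizationBasedSecurityStatus])"
Write-Host "Security services running: $(@($dg.SecurityServicesRunning | ForEach-Object { $serviceNames[[int]$_] }) -join ', ')"
Write-Host ''
Write-Host 'Platform security properties:'
$missing = @()
foreach ($code in $requiredForEss) {
    $present = $available -contains $code
    if (-not $present) { $missing += $code }
    Write-Host ("  [{0}] {1}" -f ($(if ($present) { 'OK  ' } else { 'MISS' }), $propertyNames[$code]))
}

# TPM 2.0: SpecVersion reads like "2.0, 0, 1.38"; the first field is the spec family.
$tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
$tpm20 = $null -ne $tpm -and ($tpm.SpecVersion -split ',')[0].Trim() -eq '2.0'
Write-Host ("  [{0}] TPM 2.0 (reported: {1})" -f $(if ($tpm20) { 'OK  ' } else { 'MISS' }), $(if ($tpm) { $tpm.SpecVersion } else { 'no TPM' }))

# Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS systems, which is itself a failure.
try   { $secureBoot = Confirm-SecureBootUEFI }
catch { $secureBoot = $false }
Write-Host ("  [{0}] Secure Boot enabled" -f $(if ($secureBoot) { 'OK  ' } else { 'MISS' }))

# HVCI-compatible drivers: if HVCI is running, incompatible kernel drivers were blocked from loading.
$hvci = @($dg.SecurityServicesRunning) -contains 2
Write-Host ("  [{0}] HVCI running (driver Code Integrity compatibility)" -f $(if ($hvci) { 'OK  ' } else { 'MISS' }))

Write-Host ''
Write-Host 'Biometric sensors and cameras present (ESS capability NOT determinable from here):'
Get-PnpDevice -Class Biometric, Camera -PresentOnly -ErrorAction SilentlyContinue |
    Select-Object Class, FriendlyName, Status | Format-Table -AutoSize

Write-Host ''
if ($missing.Count -eq 0 -and $tpm20 -and $secureBoot -and $hvci) {
    Write-Host 'VBS prerequisites met. ESS still requires an OEM-provisioned, ESS-certified sensor.'
} else {
    Write-Host 'One or more VBS prerequisites are missing; this PC cannot support Windows Hello ESS.'
}
```

If VBS shows as "enabled and running" but a property is listed as missing, the usual culprits are firmware settings (Secure Boot or the IOMMU switched off in UEFI setup) rather than the silicon, so check there before concluding the machine is unsuitable.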

But those are just the requirements for VBS. Windows Hello ESS has other requirements, too. It only works with select IR cameras and fingerprint readers that specifically support ESS in firmware and have a Microsoft-issued certificate burned into the device during manufacturing. The fingerprint reader must be a match-on-chip sensor (sometimes marketed as match-on-sensor), meaning it has its own microprocessor and memory so that matching happens inside the sensor and your fingerprint template never leaves it for the rest of the system. And these devices can only be installed and certified at manufacturing time: you cannot add an external facial or fingerprint recognition device to a PC later and use it with Windows Hello ESS, because such devices are not secure enough. Windows will recognize it but not make it availabl…
