CIS Microsoft Windows 10 Enterprise Release 1909 Benchmark

Remediation:

To establish the recommended configuration via GP, set the following UI path to Enabled :

Computer Configuration\Policies\Administrative Templates\Windows Components\Biometrics\Facial Features\Configure enhanced anti-spoofing

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Biometrics.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer). Note #2: In the Windows 10 Release 1511 and Windows 10 Release 1607 & Server 2016 Administrative Templates, this setting was initially named Use enhanced anti-spoofing when available . It was renamed to Configure enhanced anti-spoofing starting with the Windows 10 Release 1703 Administrative Templates.

Impact:

Windows will require all users on the device to use anti-spoofing for facial features, on devices which support it.

Default Value:

Users are able to choose whether or not to use enhanced anti-spoofing on supported devices.

CIS Controls:

Version 6

16 Account Monitoring and Control Account Monitoring and Control

Version 7

16.2 Configure Centralized Point of Authentication Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.

777 | P a g e