Enhanced anti-spoofing for facial recognition must be enabled on Windows 11.

Overview

Finding IDVersionRule IDIA ControlsSeverity
V-253389WN11-CC-000195SV-253389r1210292_ruleCCI-000366medium
Description
Enhanced anti-spoofing provides additional protections when using facial recognition with devices that support it. Note: A different registry location is needed when systems are managed by Intune versus GPO.
STIGDate
Microsoft Windows 11 Security Technical Implementation Guide2026-05-19

Details

Check Text (C-253389r1210292_chk)

If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures\ (For GPO-managed systems) Or Registry Path: \SOFTWARE\Microsoft\Policies\PassportForWork\Biometrics\ (For Intune-managed systems) Value Name: EnhancedAntiSpoofing Or Value Name: FacialFeaturesUseEnhancedAntiSpoofing (For GPO-managed systems) Value Type: REG_DWORD Value: 0x00000001 (1)

Fix Text (F-56792r1210207_fix)

For GPO-managed systems: Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Biometrics >> Facial Features >> "Configure enhanced anti-spoofing" to "Enabled". For Intune-managed systems: Revise the Intune policy to enable enhanced anti-spoofing for Facial Features.