This policy setting determines whether enhanced anti-spoofing is configured for devices which support it.

If you do not configure this policy setting, users will be able to choose whether or not to use enhanced anti-spoofing on supported devices. If you enable this policy setting, Windows will require all users on the device to use anti-spoofing for facial features, on devices which support it. If you disable this policy setting, enhanced anti-spoofing is turned off for all users on the device and they will be unable to turn it on.

Vulnerability: Disabling or not configuring this setting may compromise security as users will determine whether or not enhanced anti-spoofing is active for their device.

Counter Measure: Enable this setting.

Potential Impact: Windows will require all users to use anti-spoofing for supported devices.

Fix:
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\Biometrics\Facial Features\Use enhanced anti-spoofing when available
(2) REG: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures!EnhancedAntiSpoofing [enable/disable]

oval:org.secpod.oval:def:40191
SCAP Repo OVAL Definition
2017-04-25
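One way to audit the registry value named in the Fix entry, as an added PowerShell example that is not part of the SCAP definition. It assumes the policy is stored as a REG_DWORD with 1 for enabled and 0 for disabled; the function name Get-EnhancedAntiSpoofingState is hypothetical.

```powershell
# Added example (not from the SCAP definition): report which of the three
# policy states (not configured, enabled, disabled) is in effect locally.
# Assumption: the policy value is a REG_DWORD, 1 = enabled, 0 = disabled.
function Get-EnhancedAntiSpoofingState {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [string]$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures',
        [string]$Name = 'EnhancedAntiSpoofing'
    )

    $state = 'NotConfigured'   # key or value absent: users choose for themselves
    $raw   = $null

    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -ne $key -and ($key.GetValueNames() -contains $Name)) {
        $raw  = $key.GetValue($Name)
        $kind = $key.GetValueKind($Name)
        if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
            $state = 'Unexpected'   # wrong value type; treat as non-compliant
        } elseif ($raw -eq 1) {
            $state = 'Enabled'      # anti-spoofing required for all users
        } elseif ($raw -eq 0) {
            $state = 'Disabled'     # turned off; users cannot turn it on
        } else {
            $state = 'Unexpected'   # DWORD present but neither 0 nor 1
        }
    }

    # Only 'Enabled' matches the counter measure ("Enable this setting").
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        State        = $state
        RawValue     = $raw
        Compliant    = ($state -eq 'Enabled')
    }
}

Get-EnhancedAntiSpoofingState
```

A State of NotConfigured or Disabled is the condition the Vulnerability entry describes.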