Manage Device Level Windows Biometrics Using a Policy

Biometrics refers to the unique characteristics that can be used for identification. This includes physical traits (such as fingerprints) and behavioral traits (such as typing rhythm). Biometric information is increasingly replacing passwords to identify and verify users.

Note:

This is a device level policy that applies system-wide to the device and all of its users. You can bind this policy to individual devices or device groups. For policies that apply to a specific user's profile across devices, see Get Started: Policies and Learn More section of this article.

Windows provides a biometric authentication service called Windows Hello that helps strengthen authentication and guard against potential spoofing through fingerprint matching and facial recognition. JumpCloud's policy framework lets you remotely allow or restrict users from logging in to a managed device using biometrics. You can apply the policy to one managed Windows device or the entire fleet in your organization. See Get Started: Policies.

Warning:

If you enable Multi-Factor Authentication (MFA) on a Windows device in JumpCloud, then biometrics cannot be used as the primary authentication method for device login. However, Windows Hello can still be used as an authentication method during an active user session (while a user is logged in) for UAC or other administrative prompts.

  • If you clear Allow The Use Of Biometrics, devices where you apply this policy can’t use the Windows Biometrics Services that Windows Hello relies on. In this case, the device notifies users that Windows Hello isn’t available on this device.
  • If you select Allow The Use Of Biometrics and the device supports Windows Hello, users can set up Windows Hello:

Considerations

  • Consistently apply all Windows system updates.
  • JumpCloud doesn’t support Microsoft accounts. They shouldn’t be enabled or locally tied to JumpCloud accounts.

Creating the Policy

To create a Allow the Use of Biometrics policy for Windows devices, do the following:

Selecting the Policy Template

  1. Log in to the JumpCloud Admin portal.

Important:

If your data is stored outside of the US, check which login URL you should be using depending on your region. If your organization uses LDAP, RADIUS, or requires firewall allow list configuration, the Fully Qualified Domain Names (FQDNs) will also be region specific. See JumpCloud Data Centers for the URLs, FQDNs, and IP addresses.

  1. Go to Device Management > Policy Management. The Policy Management page is displayed.
  2. On the Policy Management page, click +Add New.
  3. Select Device Policy to assign the policy to devices and device groups. On the New Device Policy page:
    • Select the Windows tab.
    • Search and select the policy name and click Configure. The Details tab of the policy is displayed.
    • On the Details tab, configure the required policy configuration settings.
    • (Optional) In the Policy Name field, enter a new name for the policy or keep the default. Policy names must be unique.
    • (Optional) In the Policy Notes field, enter details such as creation date of the policy, and information on testing and deployment of the policy.

Configuring the Policy

  • Under Settings, select Allow The Use of Biometrics to enable biometrics.

Applying the Policy

  • (Optional) Select the Policy Groups tab. Select one or more policy groups where you want to add this policy. 
  • Select the Device Groups tab. Select one or more device groups where you want to apply this policy to. For device groups with multiple OS member types, the policy only applies when a user logs into a supported Windows device that is enrolled in MDM.
  • Or, select the Devices tab. Select one or more devices where you want to apply this policy.
  • Click Create Policy. A success message is displayed indicating the completion of policy creation.

Note:

You must select either a device or device group to create and apply this policy.

Viewing Policy Status

  1. Select the Status tab.
  2. To see the last Result Log for a device where this policy is applied, click view.

Note:
  • If any errors occur, they're listed in Exit Status. If you have an Exit Status of 0, no errors occurred when applying or enforcing this policy.
Back to Top

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case