locked
Windows Hello Face Recognition broke after installing Creators Update RRS feed

  • Question

  • After installing the Creators Update, the camera tries to scan (red light flickers), but then puts a message up on the Lock Screen that Windows Hello isn't working. Zero problems before installing the Creators Update and no problems with PIN or fingerprint, only face recognition. Turning on and off under "Sign-in options" doesn't help, nor does using the "Improve recognition" button.

    Details follow:

    Upon a restart, my Logitech Brio scans my face (red light flashing), but then it always says it doesn't recognize me. I can login fine with password, PIN, or fingerprint. If I then manually lock the computer (Win+L) and try to log back in with face recognition, the red light on the BRIO flashes very briefly, then it always pops up at the top of the Lock Screen with, "Windows Hello is currently disabled by your administrator." But Windows Hello works fine for PIN or fingerprint reader, so it's clearly not disabled. Problem limited to face recognition.

    This is a Domain connected computer, connected to Windows Server 2012 R2, but I have never made any changes to the Policy related to Windows Hello. I am the system administrator and no one else would have changed any Group Policy settings besides me.

    Under Sign-in options for Hello, the setting "Automatically dismiss the lock screen if we recognize your face" is set to On (I have tried turning it off and back on, just in case, but that had no effect). I've gone through the "Improve recognition" process several times. This does ask for a PIN every time before scanning my face, which is also new with the Creators Update (didn't used to ask for a PIN before each pass to improve recognition). This reports success every time after a few seconds, but doesn't appear to have any effect on the failure co sign in via face recognition. 

    Zero problems with this before the Creators Update. Definitely something in the Creators Update broke Windows Hello Facial Recognition. Any suggestions?

    Colin

    Saturday, April 8, 2017 3:41 PM

Answers

  • I had same issue, and I think it was solved below.
    Edit group policy on Sever
    Policies > Administrative Templates > Windows Components > Biometrics> Facial Features
    "Use enhanced anti-spoofing when available" change 'Not Configured' to 'disabled'
    • Proposed as answer by Omni_Gamer Thursday, April 13, 2017 8:12 PM
    • Marked as answer by GraniteStateColin Tuesday, April 18, 2017 10:20 PM
    Thursday, April 13, 2017 1:32 PM
  • I can confirm that this fixed it for me, although I could not find the policy on my servers Group Policy Editor but managed to change it on my PC local Group Policy Editor.

    "Edit group policy on Sever
    Policies > Administrative Templates > Windows Components > Biometrics> Facial Features
    "Use enhanced anti-spoofing when available" change 'Not Configured' to 'disabled'"

    Thursday, April 13, 2017 2:28 PM
  • Yes, @A Linnell and @kaishi, that fixed it!

    Note that if the Server is a Windows 2012 R2 Server, you won't have the Facial Features policy in the core network Group Policy. In that case, the quickest and easiest solution for individual affected users is to make the change on their local Windows 10 computer as A Linnell described.

    In case anyone isn't sure how to do what A Linnell wrote directly on the Windows 10 computer:

    1. In the Start/Cortana search box, type: gpedit and run the Group Policy Editor
    2. Under "Computer Configuration" open: Administrative Templates -> Windows Components -> Biometrics -> Facial Features
    3. Right click on "Configure enhanced anti-spoofing" and select Edit
    4. Set it to Disabled
    5. At least for me, it worked at the next system lock w/o requiring a restart -- BRIO recognized me and Hello unlocked my computer, just back like it was before the Creator's Update

    Obviously would be better if this weren't needed, but it's a great work-around for now.


    Colin


    Tuesday, April 18, 2017 10:29 PM

All replies

  • Kindly go through the Group policy setting:

    https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-manage-in-organization


    S.Sengupta, Windows Insider MVP

    Monday, April 10, 2017 1:06 AM
  • I have the exact same problem, before the Creators Update all function well.

    After the Creators Update the red light of the Logitech BRIO flickers and then Windows tells me that it not recognize me. Also after I manually lock the computer (Win+L) it tells me "Windows Hello is currently disabled by your administrator.".

    I checked the Group policy settings but not see what should be wrong. I think the problem is in the Creators Update himself.

    Monday, April 10, 2017 8:00 AM
  • Kindly go through the Group policy setting:

    https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-manage-in-organization


    S.Sengupta, Windows Insider MVP

    I believe I have confirmed this is not the issue. First, note that as I reported in the original post, Windows Hello PIN and fingerprint verification both work. It's only the Logitech Brio that fails, and it only fails after scanning my face (red light flashes when facial scanning), but the error message doesn't say that it didn't recognize me, it blames a setting. I think this is a bug in the Creators Update or Logitech's drivers with the new update.

    I did check Group Policy following your post. Note that we are still running under Windows Server 2012 R2, which does not provide direct support for Hello for Business, which leaves it up to the individual PCs. 

    I checked the Group Policy settings on the Windows 10 PC's. In all cases, the Windows Hello for Business policies are set as "Not configured," which again should mean it will work as a standalone Windows 10 PC.  Specifically, under the "Use Windows Hello for Business" setting, it says, "If you do not configure this policy setting, users can provision Windows Hello for Business as a convenience credential that encrypts their domain password."

    Further, as fellow user @mbaum reports, this problem started with the Creators Update. Everything worked before the update. Note that the Brio camera still works with Skype. It's only Windows Hello that fails following the Creators Update.


    Colin


    Monday, April 10, 2017 9:02 PM
  • Same issue. 
    Wednesday, April 12, 2017 6:52 PM
  • I'll add, after removing from the AzureAD domain, facial recognition works as it should, so drivers aren't the issue. 
    Wednesday, April 12, 2017 7:46 PM
  • I'll add, after removing from the AzureAD domain, facial recognition works as it should, so drivers aren't the issue. 

    Interesting. That would seem to indicate it's something related to the domain connection, maybe Group Policy, and a different interpretation by Windows 10 Creators Update. That actually fits with the error message. But why only the Brio -- other Hello devices and the PIN still work...

    I have reviewed the Group Policy settings and I don't see anything set that would pose a problem for Hello.


    Colin

    Thursday, April 13, 2017 3:17 AM
  • Ok, just like what Colin has explained, the same problem fits mine like glove, unfortunately... While everyone seems to be experiencing this on a Logitech Brio, mine is built-in camera on my Asus t303UA, so I do not think this is with Logitech... I think this is really with the Creator's update. I have also gone through the Group Policy settings and nothing work. The only thing that had work for me though was restoring to the previous build. Unfortunately, this is a temporary fix, considering that the Creator's Update offers a lot of new things.

    I will try to update and see if I could simple disconnect myself from company networks and see if those works. I hope this gets fix soon.

    Thursday, April 13, 2017 5:22 AM
  • I had same issue, and I think it was solved below.
    Edit group policy on Sever
    Policies > Administrative Templates > Windows Components > Biometrics> Facial Features
    "Use enhanced anti-spoofing when available" change 'Not Configured' to 'disabled'
    • Proposed as answer by Omni_Gamer Thursday, April 13, 2017 8:12 PM
    • Marked as answer by GraniteStateColin Tuesday, April 18, 2017 10:20 PM
    Thursday, April 13, 2017 1:32 PM
  • I can confirm that this fixed it for me, although I could not find the policy on my servers Group Policy Editor but managed to change it on my PC local Group Policy Editor.

    "Edit group policy on Sever
    Policies > Administrative Templates > Windows Components > Biometrics> Facial Features
    "Use enhanced anti-spoofing when available" change 'Not Configured' to 'disabled'"

    Thursday, April 13, 2017 2:28 PM
  • I could not find the policy on my servers Group Policy Editor 

    Probably, you should install administrative templates on server.
    How to create and manage the Central Store for Group Policy Administrative Templates in Windows

    Thursday, April 13, 2017 2:52 PM
  • I had same issue, and I think it was solved below.
    Edit group policy on Sever
    Policies > Administrative Templates > Windows Components > Biometrics> Facial Features
    "Use enhanced anti-spoofing when available" change 'Not Configured' to 'disabled'
    Thank you so much! That was exactly it!
    Thursday, April 13, 2017 6:04 PM
  • You just saved many hours of frustration bro-beans. And for this, I thank you.
    Thursday, April 13, 2017 8:12 PM
  • Perfect, this solved the problem at me! Thanks!
    Tuesday, April 18, 2017 6:24 AM
  • Same problem here.

    How can I edit GPO on AzureAD domain? Is there a GPO management feature on Azure portal?

    Tuesday, April 18, 2017 2:39 PM
  • Yes, @A Linnell and @kaishi, that fixed it!

    Note that if the Server is a Windows 2012 R2 Server, you won't have the Facial Features policy in the core network Group Policy. In that case, the quickest and easiest solution for individual affected users is to make the change on their local Windows 10 computer as A Linnell described.

    In case anyone isn't sure how to do what A Linnell wrote directly on the Windows 10 computer:

    1. In the Start/Cortana search box, type: gpedit and run the Group Policy Editor
    2. Under "Computer Configuration" open: Administrative Templates -> Windows Components -> Biometrics -> Facial Features
    3. Right click on "Configure enhanced anti-spoofing" and select Edit
    4. Set it to Disabled
    5. At least for me, it worked at the next system lock w/o requiring a restart -- BRIO recognized me and Hello unlocked my computer, just back like it was before the Creator's Update

    Obviously would be better if this weren't needed, but it's a great work-around for now.


    Colin


    Tuesday, April 18, 2017 10:29 PM
  • Yes, @A Linnell and @kaishi, that fixed it!

    Note that if the Server is a Windows 2012 R2 Server, you won't have the Facial Features policy in the core network Group Policy. In that case, the quickest and easiest solution for individual affected users is to make the change on their local Windows 10 computer as A Linnell described.

    In case anyone isn't sure how to do what A Linnell wrote directly on the Windows 10 computer:

    1. In the Start/Cortana search box, type: gpedit and run the Group Policy Editor
    2. Under "Computer Configuration" open: Administrative Templates -> Windows Components -> Biometrics -> Facial Features
    3. Right click on "Configure enhanced anti-spoofing" and select Edit
    4. Set it to Disabled
    5. At least for me, it worked at the next system lock w/o requiring a restart -- BRIO recognized me and Hello unlocked my computer, just back like it was before the Creator's Update

    Obviously would be better if this weren't needed, but it's a great work-around for now.


    Colin


    Thanks a lot, it fixed the issue on my computer!

    Just a detail: In the Start/Cortana search box, type gpedit.msc on a non-English Windows 10.

    Wednesday, April 19, 2017 6:30 PM
  • I have tried all of these steps but I am unable to complete a facial recognition in Windows 10 1703 (Creators Edition). My camera is the Intel REALSense SR300. The camera works fine in the camera app but when I perform a facial recognition as part of the setup of Windows Hello my face never appears and just returns to Windows Hello activation. This has to be an issue with 1703. My computer is domain joined.
    Friday, April 21, 2017 8:51 PM
  • Yes, @A Linnell and @kaishi, that fixed it!

    Note that if the Server is a Windows 2012 R2 Server, you won't have the Facial Features policy in the core network Group Policy. In that case, the quickest and easiest solution for individual affected users is to make the change on their local Windows 10 computer as A Linnell described.

    In case anyone isn't sure how to do what A Linnell wrote directly on the Windows 10 computer:

    1. In the Start/Cortana search box, type: gpedit and run the Group Policy Editor
    2. Under "Computer Configuration" open: Administrative Templates -> Windows Components -> Biometrics -> Facial Features
    3. Right click on "Configure enhanced anti-spoofing" and select Edit
    4. Set it to Disabled
    5. At least for me, it worked at the next system lock w/o requiring a restart -- BRIO recognized me and Hello unlocked my computer, just back like it was before the Creator's Update

    Obviously would be better if this weren't needed, but it's a great work-around for now.


    Colin


    Is that really a "fix" though?  You reduce security by making that change.

    Wouldn't a real fix be Microsoft fixing this bug?


    Saturday, April 22, 2017 8:21 PM
  • Thank you so much for posting the fix. I've had this issue with my laptop off and on for a while now.

    As a follow-on, the description for this policy setting includes some information (emphasis added) that may explain why this doesn't affect everyone consistently:

    If you enable or don't configure this setting, Windows requires all users on managed devices to use enhanced anti-spoofing for Windows Hello face authentication. This disables Windows Hello face authentication on devices that do not support enhanced anti-spoofing.

    If you disable this setting, Windows doesn't require enhanced anti-spoofing for Windows Hello face authentication.

    Note that enhanced anti-spoofing for Windows Hello face authentication is not required on unmanaged devices.

    For me, the bit about being managed was the critical bit, as my laptop is enrolled to Intune MDM.  That led me to look into my Intune policies, and in doing so I found a similar policy setting there.  Under Intune > Device Enrollment > Windows Enrollment > Windows Hello for Business > (Policy Name) > Settings, you'll find an option for Use Enhanced anti-spoofing, when available with similar values as the GPO: Not Configured, Yes, No.  Setting this to No allowed by camera to finally work with Windows Hello again.

    I wouldn't normally encourage changing a setting that reduces security, but I wasn't able to find much information about what the anti-spoofing hardware requirements are.  I would definitely do more research before enabling this in a business setting, but this is on my personal laptop which is only "managed" because I have my own Intune subscription for testing.

    Sunday, April 23, 2017 1:49 AM
  • No help for me. I already have this policy set and my REALSense SR300 still will not perform a facial recognition test.
    Friday, April 28, 2017 5:38 PM
  • Ok, I managed to get the facial recognition test to at least scan my face. Unfortunately that is the extent of it. The test remains at "make sure your face remains centered in the frame" and remains there. My only choice is to cancel the test.
    Friday, April 28, 2017 6:05 PM
  • Colin that worked a treat! Now can these policies be rolled out on a Server 2012 R2 domain at all? Or is an upgrade to Server 2016 required here?

    Cheers,

    Jimmy

    Tuesday, May 2, 2017 1:06 AM
  • I installed the Win 10 Creators Update policy, and still didn't see the Facial Features option. Biometrics was there, but not the sub folder you get with the local group policy. I ended up editing the local group policy.
    Thursday, May 4, 2017 12:21 PM
  • The fixes here aren't working for me.  I have the original Surface Book.  Please advise!
    Thursday, May 18, 2017 7:18 PM
  • Still waiting for MS to chime in here.
    Friday, May 19, 2017 5:29 PM
  • I just upgraded to 1703 on my Surface Book and 'Hello' stopped working, so I went thru the same solutions above regarding gpedit settings but still the same issue ... but then I found this driver update 'SurfaceBook_Win10_15063_1704200_0.msi' reinstalled it and it started working again. 

    Note; I previously had version 1.0.85.3 of the Hello Camera driver and when it was installing it did state it was installing Hello Camera version 1.0.85.1 but after installing I checked and it's still 1.0.85.3.

    Driver location:

    https://www.microsoft.com/en-us/download/details.aspx?id=49497

    Hope this helps someone.

    Billy


    Wednesday, November 22, 2017 2:51 PM
  • Thanks, this fixed it for me, though I note, just locking didn't work, I had to do a full restart.

    Edit:

    After a restart or two, back to the same issue again - "windows hello is currently disabled by your administrator". Double checked and the policy is still in place. 

    I'll also note that my PC is not on a domain, or otherwise managed, it's a personal home desktop.

    Edit2:

    This appears to have finally fixed it for me - appears to be an issue with the intel drivers for the SR300 camera and version 1703 of windows 10. More details/fix at the link below.

    https://communities.intel.com/thread/113973

    Friday, February 23, 2018 10:14 AM