Allowing the system to automatically dismiss the lock screen if Windows recognizes your face is a simple adjustment that can improve the user experience. However, this activation also equates to voluntarily bypassing a traditional and crucial security layer.
In high-risk environments, IT managers may choose to go the other way and sustain log-in or sleep policies on top of facial recognition. To cater to both scenarios, check out this guide on optimizing Windows Hello sign-in options when facial recognition is enabled.
Methods for configuring lock screen preferences
Use the table to choose and quickly navigate to your preferred activation steps.
📌 Prerequisites:
- Face recognition enabled
- May require network and system access
| Click to Choose a Method | 💻
Best for Individual Users |
💻💻💻
Best for Enterprises |
| Method 1: Windows Settings | ✓ | |
| Method 2: Windows Registry | ✓ | |
| Method 3: PowerShell script | ✓ |
💡 Tip: Check out the Things to look out for section to optimize your action plan and manage risks.
Method 1: Set dismiss lock screen preferences via Settings
This method is best for self-service or Remote Desktop Protocol configuration.
📌 Use cases: Remote activation, personal devices
- Open Settings from Search 🔎 or press Win + I.
- Navigate to Accounts → Sign-in options.
- Under Facial recognition (Windows Hello), toggle Automatically dismiss the lock screen if Windows Hello recognizes your face to manage your preferences.
When switched on, the user will still be required to enter their PIN. Leaving it off will waive the PIN and log the user after facial recognition.
💡 Tip: Check out this detailed guide on how to set up Windows Hello.
Method 2: Set dismiss lock screen preferences via Registry
This method uses the Command Prompt to display user information (e.g., SID), which is then used to modify the registry.
📌 Use cases: Enterprise and system-wide deployments
- Press Win + R, type cmd, and tap OK to open the Command Prompt.
- Run the whoami /user command and press Enter to display the active user’s info.
- Locate and copy your SID (Security Identifier), which starts with “S-1-5-21…”.
- Press Win + R, type regedit, and tap OK to open the Registry Editor.
- Navigate to the following registry path, replacing <YourSID> with the SID you copied earlier:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\FaceLogon\<YourSID>
- Look for a DWORD (32-bit) Value named AutoDismissOn in the right panel. If AutoDismissOn does not exist, right-click an empty space, select New → DWORD (32-bit) Value, and name it AutoDismissOn.
- Open it and set its Value data according to your preferences.
- 0 = Disable auto-dismiss
- 1 = Enable auto-dismiss
- Close the Registry Editor.
⚠️ Warning: Editing the database can cause system issues. Create a registry backup before proceeding.
Method 3: Set dismiss lock screen preferences via a PowerShell script
PowerShell scripts are often used for task automation and software deployment.
📌 Use case: Automation and RMM scripting
📌 Prerequisite: Network and system access
(A) PowerShell script to enable auto-dismissal
- Open PowerShell from Search 🔎 and select Run as administrator.
- Use the following command:
New-Item -Path
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\FaceLogon\<YourSID>" -Force
Set-ItemProperty -Path
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\FaceLogon\<YourSID>" -Name "AutoDismissOn" -Value 1 -Type DWord
(B) PowerShell script to disable auto-dismissal
- Open PowerShell from Search 🔎 and select Run as administrator.
- Use the following command:
Set-ItemProperty -Path
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\FaceLogon\<YourSID>" -Name "AutoDismissOn" -Value 0 -Type DWord
💡 Note: This script may run or fail without displaying any confirmation or prompt. To verify that changes have been applied successfully, please check the corresponding Registry keys or system settings.
Things to look out for when configuring lock screen settings
Missing something? Consider these scenarios and tips for handling errors, preventing system issues, and reinforcing policies.
| Risks and Considerations | Potential Consequences/Scenarios | Reversals and Tips |
| Device wake behavior | The system may unlock unintentionally during wake-up. | Combine with the “Require sign-in after sleep” policy. |
| Deployment conflicts | Other settings via GPO and MDM may cause conflict. | Ensure configuration precedence is defined; test in pilot groups. |
| No official GPO policy | Use alternative methods for enforcing a policy. | Consider using registry or script-based methods for deployment. |
| Hardware compatibility | Camera hardware must support Windows Hello face recognition. | N/A |
Since this setting automatically bypasses the lock screen upon facial recognition, it’s recommended to only enable it in secure environments and devices. For more tips, check out this guide on how to improve Windows Hello Facial recognition.
Best practices for managing Windows Hello sign-in options
When face recognition is set up via Windows Hello, users can swiftly sign in without additional verification. While this interaction can help improve workflow for individual users, it’s understandably a riskier practice in business and shared environments.
For IT management, the optional setting to prevent the lock screen from being dismissed automatically after facial recognition allows the enforcement of a more secure password or PIN verification.
To accomplish en masse, IT security can update system-wide preferences using a script or the registry, which can be paired with an MDM-enabled sleep policy or similar deployments.
Related topics:
