Windows Biometric Framework Overview

Applies To: Windows 8.1, Windows Server 2012, Windows Server 2012 R2

This topic, for IT professionals and hardware and software developers, describes the Windows Biometric Framework (WBF) and the enhancements included in Windows Server 2012 R2, Windows Server 2012, Windows 8.1, and Windows 8.

Feature description

Biometrics is an increasingly popular technology that provides convenient access to systems, services, and resources. Biometrics relies on measuring an unchanging physical characteristic of a person to uniquely identify that person. Fingerprints are one of the most frequently used biometric characteristics, with millions of fingerprint biometric devices that are embedded in personal computers and peripherals.

The Windows Biometric Framework (WBF) is a set of services and interfaces that permit consistent development and management of biometric devices, such as fingerprint readers. WBF improves the reliability and compatibility of biometric services and drivers. It lets device developers interact with the client side of the framework to support each biometric solution.

The Windows Biometric Service, which is part of the WBF, gives client applications the ability to capture, compare, manipulate, and store biometric data without gaining direct access to any biometric hardware or samples. The service is hosted in a privileged SVCHOST process, and it runs in the security context of Local System.

The Windows Biometric service provides the following functionality:

  • Captures biometric samples and uses them to create a template.

    A template is generated by collecting multiple biometric samples of a single characteristic for a single individual to form a statistical average. A template typically contains only the features that are necessary to determine whether a new sample matches.

  • Securely saves and manages biometric templates.

  • Maps each biometric template to a unique identifier, such as a GUID or SID.

  • Enrolls new biometric templates.

You can use the Windows Biometric Framework API to leverage this functionality. For more information, see Windows Biometric Framework API (Windows) in the MSDN Library.

Practical applications

The WBF provides the following:

  • A Biometric Devices item on the Control Panel that allows users to manage device settings and enroll devices to sign in.

  • Device Manager support for managing drivers for biometric devices.

  • Credential provider support to enable the use of biometric data to log on to a local computer or domain, and then perform elevation of privileges through User Account Control (UAC).

  • Group Policy settings to enable, disable, or limit the use of biometric data for a local computer or domain.

  • Windows Update support for downloading biometric device driver software.

New and changed functionality from Windows Server 2012 to Windows Server 2012 R2 and Windows 8.1

Note

The Windows Biometric Framework (WBF) Win32 client API, driver specification, and adapter specification have not changed for Windows 8.1.

The Biometric Input Device (BID) class driver for USB fingerprint readers is no longer part of WBF.

The biometrics Control Panel that was present in Windows 7 and Windows 8 is no longer part of Windows 8.1. It has been removed from the operating system. Users will find new ways to access fingerprint management applications.

New WinRT APIs are exposed for Windows Store apps to leverage the power of biometric authentication.

For more information about these changes and the impact on user functionality, see What’s New in Biometrics in Windows 8.1.

New and changed functionality from Windows Server 2008 R2 to Windows Server 2012

Fast user switching for biometric devices

Fast user switching (FUS), which was available in previous operating system versions, has been enhanced to work with fingerprint technologies. FUS is still activated by pressing CTRL+ALT+DEL to reach the Secure Desktop.

What value does this change add?

This increased authentication capability allows a user to use the biometric credentials when signing on through FUS.

What works differently?

There are no visual changes in FUS functionality. You can still control FUS use through Group Policy settings.

Changes in Group Policy for WBF

Two policy settings are new in Windows Server 2012 and Windows 8. They control the capability of using biometric authentication at computer startup.

| Policy setting | Applies to | Description |
| --- | --- | --- |
| Allow automatic logon using boot-time biometric authentication | Windows Server 2012, Windows Server 2008 R2, Windows 8, Windows 7 | Determines whether a user will be automatically logged on after providing a boot-time biometric sample. |
| Specify timeout for preboot auto-logon authentication | Windows Server 2012, Windows Server 2008 R2, Windows 8, Windows 7 | Specifies the time after system startup that a preboot biometric authentication will be used for auto-logon before being discarded. |

Four policy settings remain unchanged in Windows Server 2012 and Windows 8.

| Policy setting | Applies to | Description |
| --- | --- | --- |
| Timeout for fast user switching events (Note: Renamed “Specify timeout for fast user switching events”) | Windows Server 2012, Windows Server 2008 R2, Windows 8, Windows 7 | Specifies the number of seconds a pending fast user switch event will remain active before the switch is initiated. |
| Allow the use of biometrics | Windows Server 2012, Windows Server 2008 R2, Windows 8, Windows 7 | Determines whether the Windows Biometric Service can run on the computer. |
| Allow users to log on using biometrics | Windows Server 2012, Windows Server 2008 R2, Windows 8, Windows 7 | Determines whether users can log on or elevate User Account Control permissions using biometrics. |
| Allow domain users to log on using biometrics | Windows Server 2012, Windows Server 2008 R2, Windows 8, Windows 7 | Determines whether domain users can log on or elevate User Account Control permissions using biometrics. |

Deprecated functionality

The biometrics Control Panel that was present in Windows 7 and Windows 8 is no longer part of Windows 8.1. Other means of access have been implemented.

The Biometric Input Device (BID) class driver for USB fingerprint readers is no longer part of WBF for Windows Server 2012 R2 and Windows 8.1.

There is no deprecated functionality in the WBF for Windows Server 2012 and Windows 8.

Software requirements

To enable the biometric service, you must enable the Windows Biometric Framework by using the Add Features utility in Server Manager. In addition, Group Policy settings must be configured to manage biometric devices in your environment.

Device drivers must be compatible with the WBF architecture in Windows Server 2012 to take advantage of the new functionality.

Server Manager information

The Windows Biometric Framework is a feature installed from the Add Features utility of Server Manager. The following components are activated on the server:

  • Windows Biometric Driver Interface (WBDI)

  • Windows Biometric Server (WBS)

  • Windows Biometric Framework API
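
The following PowerShell check is an added example, not part of the original topic or Microsoft's own tooling. It audits a server against two statements on this page: that the framework is installed as a Server Manager feature, and that the Windows Biometric Service is hosted in SVCHOST and runs as Local System. The feature name `Biometric-Framework` and the service short name `WbioSrvc` do not appear on this page and are assumptions; the function name is hypothetical.

```powershell
# Added example: baseline audit of the Windows Biometric Service.
# Assumptions (not stated on the page): feature name and service short name below.
function Test-WbfServiceBaseline {
    [CmdletBinding()]
    param(
        [string]$ServiceName = 'WbioSrvc',            # assumed service short name
        [string]$FeatureName = 'Biometric-Framework'  # assumed Server Manager feature name
    )

    $findings = New-Object 'System.Collections.Generic.List[string]'

    # Get-WindowsFeature exists only on Windows Server; skip this check on clients.
    $featureState = 'NotApplicable'
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $feature = Get-WindowsFeature -Name $FeatureName
        $featureState = if ($feature) { [string]$feature.InstallState } else { 'Unknown' }
        if ($featureState -ne 'Installed') {
            $findings.Add("Feature '$FeatureName' state is $featureState")
        }
    }

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) {
        $findings.Add("Service '$ServiceName' is not present")
    } else {
        # The page states the service runs in the security context of Local System.
        if ($svc.StartName -ne 'LocalSystem') {
            $findings.Add("Unexpected service account: $($svc.StartName)")
        }
        # The page states the service is hosted in an SVCHOST process. A privileged
        # service whose image path points elsewhere warrants investigation.
        $expectedHost = Join-Path $env:SystemRoot 'System32\svchost.exe'
        $imagePath = [Environment]::ExpandEnvironmentVariables($svc.PathName).Trim('"')
        if (-not $imagePath.StartsWith($expectedHost, [StringComparison]::OrdinalIgnoreCase)) {
            $findings.Add("Unexpected image path: $($svc.PathName)")
        }
    }

    [pscustomobject]@{
        FeatureState = $featureState
        ServiceState = if ($svc) { $svc.State } else { 'Missing' }
        StartMode    = if ($svc) { $svc.StartMode } else { $null }
        Findings     = $findings.ToArray()
        Compliant    = ($findings.Count -eq 0)
    }
}

Test-WbfServiceBaseline | Format-List
```

An empty `Findings` list means the service matches the hosting and account described above; any entry names the property that deviates.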

See also

This table lists other resources that relate to the Windows Biometric Framework.

| Content type | References |
| --- | --- |
| Product evaluation | What’s New in Biometrics in Windows 8.1 |
| Development | Using the Windows Biometric Framework API (Windows); From the 2013 BUILD conference: Biometrics-Fingerprints for Apps; From the 2013 TechEd North America conference: What’s New in Windows 8.1 Security: Modern Access Control Deep Dive |
| Security | Windows Biometric Framework: Framework Security (Windows) |
| Tools and settings | Windows Biometric Framework API (Windows) |
| Community resources | Protecting your digital identity - Building Windows 8 - Site Home - MSDN Blogs |
| Related technologies | Windows Authentication Overview |