Short answer
- There is no user-selectable “encryption type” for Windows Hello biometrics, and it is not comparable to BitLocker’s XTS-AES options.
- Windows Hello does not store a fingerprint image or a hash (so SHA-1 vs SHA-2 is not applicable). It stores a biometric template that must be compared with some tolerance, which cannot be done with a one‑way hash.
- The template is stored only on the device and is encrypted/protected by the platform. On modern hardware it is often stored and matched entirely inside the fingerprint sensor’s secure element (“match on sensor/on chip”), using vendor-specific, undisclosed mechanisms.
- When Windows stores the template, it’s kept in the Windows Biometric Framework (WBF) database and encrypted at rest using Windows data protection (DPAPI), with keys bound to the device and, when present, protected by the TPM. DPAPI on modern Windows uses AES‑256; this detail is not user‑configurable and may be layered with other protections.
What Windows Hello actually uses cryptographically
- Authentication keys: Windows Hello for Business creates an asymmetric key pair (typically ECC NIST P‑256, sometimes RSA 2048) and stores the private key as a non‑exportable key in the TPM. Your PIN/biometric is just a “gesture” that gates use of that key; the biometric itself is not your network credential.
- Biometric templates: A vendor driver (via the Windows Biometric Framework) creates a template from your fingerprint. That template:
  - Is not an image and cannot be reconstructed into one.
  - Never roams off the device.
  - Is stored encrypted. If the device/sensor supports match-on-sensor, the template and matching stay inside the sensor’s secure element (algorithm/protection are vendor-specific). If the host stores it, WBF protects it using DPAPI; DPAPI on Windows Vista+ uses AES‑256 with keys protected by system secrets and, when available, TPM sealing.
Why SHA-1 vs SHA-2 doesn’t apply
- Hashes are for exact-match verification: changing a single bit of the input produces a completely different digest. Biometric matching requires fuzzy comparison, because no two captures of the same finger are bit-identical. Windows Hello therefore does not store a simple hash of the fingerprint (SHA‑1 or SHA‑2). Cryptographic hashes may be used internally (e.g., for integrity/MACs in DPAPI), but not as the storage format for the biometric.
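To make the exact-match vs. fuzzy-match distinction concrete, here is an added illustration (not Windows code, and not any vendor's template format): a constructed 256-bit "template" stands in for a sensor's feature vector, a second capture of the same finger is simulated by flipping a few bits, and the two are compared both by SHA-256 digest and by Hamming distance with a tolerance. The threshold of 40 bits and the 12 flipped bits are arbitrary values chosen for the demo.

```python
import hashlib
import random

# Constructed toy template: a fixed-length bit vector. Real templates are
# vendor-defined feature sets; this only models "similar but not identical".
TEMPLATE_BITS = 256


def make_template(seed):
    """Deterministic pseudo-random bit vector representing one enrolled finger."""
    rng = random.Random(seed)
    return [rng.randint(0, 1) for _ in range(TEMPLATE_BITS)]


def noisy_capture(template, flips, seed):
    """Simulate a fresh capture of the same finger: flip `flips` distinct bits."""
    rng = random.Random(seed)
    sample = list(template)
    for i in rng.sample(range(len(sample)), flips):
        sample[i] ^= 1
    return sample


def to_bytes(bits):
    return int("".join(map(str, bits)), 2).to_bytes(len(bits) // 8, "big")


def hash_match(stored_digest, sample):
    """Exact-match check: only a bit-identical sample reproduces the digest."""
    return hashlib.sha256(to_bytes(sample)).hexdigest() == stored_digest


def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))


def fuzzy_match(stored_template, sample, max_distance):
    """Tolerance-based check: accept if the sample is within max_distance bits."""
    return hamming(stored_template, sample) <= max_distance


def demo():
    enrolled = make_template(1)
    digest = hashlib.sha256(to_bytes(enrolled)).hexdigest()
    same_finger = noisy_capture(enrolled, flips=12, seed=2)
    other_finger = make_template(3)  # unrelated finger: ~128 bits differ
    return {
        "hash_exact_repeat": hash_match(digest, enrolled),         # True
        "hash_same_finger_noisy": hash_match(digest, same_finger), # False
        "fuzzy_same_finger_noisy": fuzzy_match(enrolled, same_finger, 40),  # True
        "fuzzy_other_finger": fuzzy_match(enrolled, other_finger, 40),      # False
    }
```

The hashed form rejects the legitimate re-capture, which is why a matcher must keep a comparable template (and protect it by encryption and isolation, as described above) rather than a digest.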
How to verify/learn more
- Microsoft documents the model (local-only, encrypted, often hardware-isolated), but does not expose or let you choose specific ciphers for biometric templates. Relevant docs:
  - Windows Hello for Business overview/how it works (asymmetric keys in TPM, biometrics as a gesture)
  - Windows Hello biometrics in the enterprise (templates stored locally, encrypted; anti‑spoofing; never sent to Microsoft)
  - Windows Biometric Framework design (template handling and storage model)
- On some devices, the biometric database exists under the system-protected WBF path (e.g., WinBioDatabase), but it is encrypted and not meant for inspection.
- There is no UI or supported API to change or report “encryption type” the way BitLocker does, because the protection is an implementation detail and may be hardware-vendor specific.
Bottom line
- Windows Hello does not use XTS-AES 128/256 for biometrics; that’s a BitLocker disk encryption choice.
- Biometric templates are protected locally: either inside the sensor’s secure element (vendor-defined) or by Windows using DPAPI (AES‑256) with keys device-bound and TPM-protected when available.
- SHA‑1 vs SHA‑2 is not relevant to how fingerprints are stored or matched in Windows Hello.