diff --git a/src/application/application.yaml b/src/application/application.yaml
index a93e67a5..b554854b 100644
--- a/src/application/application.yaml
+++ b/src/application/application.yaml
@@ -796,12 +796,29 @@ actions:
                             reg add HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager /v "SubscribedContent-353694Enabled" /d "0" /t REG_DWORD /f
                             reg add HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager /v "SubscribedContent-353696Enabled" /d "0" /t REG_DWORD /f
             -                
-                name: Disable biometrics
-                recommend: true
-                code: |-
-                    reg add "HKLM\SOFTWARE\Policies\Microsoft\Biometrics" /v "Enabled" /t REG_DWORD /d 0 /f 
-                    reg add "HKLM\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider" /v "Enabled" /t "REG_DWORD" /d "0" /f
-                    reg add "HKLM\SYSTEM\CurrentControlSet\Services\WbioSrvc" /v "Start" /t REG_DWORD /d 4 /f 
+                category: Disable biometrics (breaks fingerprinting/facial login)
+                children:
+                    -
+                        name: Do not allow the use of biometrics
+                        docs: https://getadmx.com/?Category=Windows_10_2016&Policy=Microsoft.Policies.Biometrics::Biometrics_EnableBio
+                        code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Biometrics" /v "Enabled" /t REG_DWORD /d "0" /f
+                        revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Biometrics" /v "Enabled" /t REG_DWORD /d "1" /f
+                    -
+                        name: Do not allow users to log on using biometrics
+                        docs: https://getadmx.com/?Category=Windows_10_2016&Policy=Microsoft.Policies.Biometrics::Biometrics_EnableCredProv
+                        code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider" /v "Enabled" /t "REG_DWORD" /d "0" /f
+                        revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider" /v "Enabled" /t "REG_DWORD" /d "1" /f
+                    -
+                        name: Do not start Windows Biometric Service
+                        docs: 
+                            - http://batcmd.com/windows/10/services/wbiosrvc/
+                            - http://revertservice.com/10/wbiosrvc/
+                        code: |-
+                            reg add "HKLM\SYSTEM\CurrentControlSet\Services\WbioSrvc" /v "Start" /t REG_DWORD /d 4 /f
+                            sc stop "WbioSrvc" & sc config "WbioSrvc" start=disabled
+                        revertCode: |-
+                            reg add "HKLM\SYSTEM\CurrentControlSet\Services\WbioSrvc" /v "Start" /t REG_DWORD /d 2 /f
+                            sc config "WbioSrvc" start=demand
             -
                 name: Disable Wi-Fi sense
                 recommend: true
@@ -1948,17 +1965,12 @@ actions:
                         recommend: true
                         code: sc stop "XboxNetApiSvc" & sc config "XboxNetApiSvc" start=disabled
                         revetCode: sc config "XboxNetApiSvc" start=demand
-            -
-                name: Windows Biometric Service
-                recommend: true
-                docs: https://en.wikipedia.org/wiki/Windows_Push_Notification_Service#Privacy_Issue
-                code: sc stop "WbioSrvc" & sc config "WbioSrvc" start=disabled
             -
                 name: Volume Shadow Copy Service
                 recommend: true
                 docs: https://docs.microsoft.com/en-us/windows-server/storage/file-server/volume-shadow-copy-service
                 code: sc stop "VSS" & sc config "VSS" start=disabled
-                revertCode: sc config vss start=auto
+                revertCode: sc config "vss" start=auto
     -
         category: Remove bloatware
         children: