You can execute code remotely by ... wait for it ... the Windows Hello feature [1].
To be honest, an attacker must send the user a malicious file and convince the user to open said file. But WTF - Windows Hello?
[1] MSRC: CVE-2023-32018 - Windows Hello Remote Code Execution Vulnerability