Detect if logged into Windows Hello for Business in Powershell?

Peter 16 Reputation points
2022-11-24T20:09:10.63+00:00

I am writing a script to enroll users with a Certificate to the "Passport" Certificate Storage Provider / CSP using Windows Hello for Business.

However if the user has logged in with their username and password rather than Face/Finger/PIN (F/F/P) then they are presented with the "Looking for you" Face or Finger or PIN prompt as the Windows Passport TPM hasn't been unlocked.

264004-looking.png

This happens if I try and use the Get-Certificate in powershell or if I use certreq -new with the INF file and specify ProviderName = "Microsoft Passport Key Storage Provider"

I have used https://github.com/imabdk/PowerShell/blob/master/Detect-WindowsHelloEnrollment.ps1 to check if the device is enrolled in WHFB and https://www.powershellgallery.com/packages/Generate-CertificateRequest/1.0/Content/Generate-CertificateRequest.ps1 to issue the certificate using the Passport CSP. But neither check if you logged in with Password or F/F/P.

The issue is twofold with the F/F/P prompt:

1) I can't find a way in PowerShell to see if the user has logged in with AD domain password or F/F/P so the above prompt happens when I run Get-Certificate or certreq -new in the powershell script to give the user a heads up they are just about to get the above F/F/P prompt and to click on it.

2) When the F/F/P prompt happens is ALWAYS pops under, so it is underneath all other windows rather than being ontop. So as per the above screenshot I need to prompt the user beforehand that they may get the above icon appear in the task bar and need to click it.

Does anyone know how to check the current user state before running certreq -new so then I only prompt the user where necessary? And why does it always pop under and is there a way to change that?

Windows Server PowerShell
Windows Server PowerShell
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.PowerShell: A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
5,462 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Peter 16 Reputation points
    2022-11-27T21:03:29.393+00:00

    Have logged a case with Microsoft and was given the suggestion to query for the LastLoggedOnProvider key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\LastLoggedOnProvider  
    

    Then on this page it lists all the different UUIDs depending on the credential providers: https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock

    Credential Provider	GUID  
    PIN					{D6886603-9D2F-4EB2-B667-1971041FA96B}  
    Fingerprint			{BEC09223-B018-416D-A0AC-523971B639F5}  
    Facial Recognition	{8AF662BF-65A0-4D0A-A540-A338A999D36F}  
    

    And then at least the login with Face/Finger or PIN can be detected.

    3 people found this answer helpful.
    0 comments No comments