This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(115.19999999999999, 93%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EP%3C/text%3E%3C/svg%3E)
I am writing a script to enroll users with a Certificate to the "Passport" Certificate Storage Provider / CSP using Windows Hello for Business.
However if the user has logged in with their username and password rather than Face/Finger/PIN (F/F/P) then they are presented with the "Looking for you" Face or Finger or PIN prompt as the Windows Passport TPM hasn't been unlocked.
This happens if I try and use the Get-Certificate in powershell or if I use certreq -new with the INF file and specify ProviderName = "Microsoft Passport Key Storage Provider"
I have used https://github.com/imabdk/PowerShell/blob/master/Detect-WindowsHelloEnrollment.ps1 to check if the device is enrolled in WHFB and https://www.powershellgallery.com/packages/Generate-CertificateRequest/1.0/Content/Generate-CertificateRequest.ps1 to issue the certificate using the Passport CSP. But neither check if you logged in with Password or F/F/P.
The issue is twofold with the F/F/P prompt:
1) I can't find a way in PowerShell to see if the user has logged in with AD domain password or F/F/P so the above prompt happens when I run Get-Certificate or certreq -new in the powershell script to give the user a heads up they are just about to get the above F/F/P prompt and to click on it.
2) When the F/F/P prompt happens is ALWAYS pops under, so it is underneath all other windows rather than being ontop. So as per the above screenshot I need to prompt the user beforehand that they may get the above icon appear in the task bar and need to click it.
Does anyone know how to check the current user state before running certreq -new so then I only prompt the user where necessary? And why does it always pop under and is there a way to change that?
Have logged a case with Microsoft and was given the suggestion to query for the LastLoggedOnProvider key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\LastLoggedOnProvider
Then on this page it lists all the different UUIDs depending on the credential providers: https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock
Credential Provider GUID
PIN {D6886603-9D2F-4EB2-B667-1971041FA96B}
Fingerprint {BEC09223-B018-416D-A0AC-523971B639F5}
Facial Recognition {8AF662BF-65A0-4D0A-A540-A338A999D36F}
And then at least the login with Face/Finger or PIN can be detected.