I am writing a script to enroll users with a Certificate to the "Passport" Certificate Storage Provider / CSP using Windows Hello for Business.
However, if the user has logged in with their username and password rather than Face/Finger/PIN (F/F/P), then they are presented with the "Looking for you" Face or Finger or PIN prompt, as the Windows Passport TPM hasn't been unlocked.
This happens if I try to use Get-Certificate in PowerShell, or if I use certreq -new with the INF file and specify ProviderName = "Microsoft Passport Key Storage Provider".
I have used https://github.com/imabdk/PowerShell/blob/master/Detect-WindowsHelloEnrollment.ps1 to check if the device is enrolled in WHFB and https://www.powershellgallery.com/packages/Generate-CertificateRequest/1.0/Content/Generate-CertificateRequest.ps1 to issue the certificate using the Passport CSP. But neither checks whether you logged in with a password or F/F/P.
The issue is twofold with the F/F/P prompt:
1) I can't find a way in PowerShell to see if the user has logged in with their AD domain password or with F/F/P, so that when the above prompt is about to happen as I run Get-Certificate or certreq -new in the PowerShell script, I can give the user a heads up that they are just about to get the F/F/P prompt and need to click on it.
2) When the F/F/P prompt happens it ALWAYS pops under, so it is underneath all other windows rather than being on top. So, as per the above screenshot, I need to prompt the user beforehand that they may get the above icon appearing in the task bar and need to click it.
Does anyone know how to check the current user state before running certreq -new, so that I only prompt the user where necessary? And why does it always pop under, and is there a way to change that?
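For reference, this is an added example (not the poster's script and not from either linked repository) of the certreq -new flow described above: it writes an INF that selects the Microsoft Passport Key Storage Provider, warns the user that the F/F/P prompt may appear under other windows, and then generates the request. The subject, template name and output paths are placeholders, and the heads-up is shown unconditionally because the post has no reliable way to tell a password logon from an F/F/P logon.

```powershell
# Added example: build a certreq INF targeting the Passport KSP, warn the user,
# then run certreq -new. Placeholders below are assumptions, not real values.
$Upn          = "user@example.com"          # placeholder subject, adjust to your naming
$TemplateName = "PLACEHOLDER-WHFB-Template" # placeholder: your CA template name
$Inf          = Join-Path $env:TEMP "whfb-request.inf"
$Req          = Join-Path $env:TEMP "whfb-request.req"

# Standard certreq [NewRequest] keys; ProviderName is what routes the key to the
# Windows Hello for Business (Passport) container instead of the software CSP.
@"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject      = "CN=$Upn"
KeyAlgorithm = RSA
KeyLength    = 2048
Exportable   = FALSE
MachineKeySet = FALSE
ProviderName = "Microsoft Passport Key Storage Provider"
KeyUsage     = 0x80
RequestType  = PKCS10

[RequestAttributes]
CertificateTemplate = $TemplateName
"@ | Set-Content -Path $Inf -Encoding ASCII

# Heads-up before certreq touches the Passport key container. As the post notes,
# the "Looking for you" prompt pops under other windows, so tell the user to look
# for the icon in the task bar. Shown unconditionally here (assumption: no
# logon-type check is available).
Add-Type -AssemblyName System.Windows.Forms
[System.Windows.Forms.MessageBox]::Show(
    "Windows Hello may now ask for your face, fingerprint or PIN. " +
    "The prompt can appear behind other windows; if it does, click its icon in the task bar.",
    "Certificate enrollment",
    [System.Windows.Forms.MessageBoxButtons]::OK,
    [System.Windows.Forms.MessageBoxIcon]::Information) | Out-Null

# Generate the request. If the Passport container is locked (password logon),
# this is the point at which the F/F/P prompt appears.
& certreq.exe -new $Inf $Req
if ($LASTEXITCODE -ne 0) {
    Write-Error "certreq -new failed with exit code $LASTEXITCODE (user may have dismissed the Windows Hello prompt)."
    return
}
Write-Host "Request written to $Req; submit it to your CA with certreq -submit."
```

Running this from an interactive user session is required, since the Windows Hello prompt is raised in the user's desktop; the exit code check is where a dismissed or timed-out F/F/P prompt surfaces.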