
(156) Microsoft Intune - Deleting Windows Hello for Business PIN

  • Writer: Mr B SOE way
  • Mar 6
  • 2 min read

Had a customer who wanted to delete the Windows Hello for Business PIN, once already set up, as a Win32 app.

As we know, we can do this by running the following manually in PowerShell:

certutil /deletehellocontainer

This will delete the 'Windows Hello Container'.


Prepare the following two scripts.

Install script (install.ps1):


certutil /deletehellocontainer
shutdown /r /f /t 60 /C "Restarting your PC for WHfB removal"

Detection script:

# Retrieve the current user's Windows principal and SID (Security Identifier)
$currentUser = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
$currentUserSid = $currentUser.Identity.User.Value

# Define the registry path for the PIN credential provider
$PINguid = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{D6886603-9D2F-4EB2-B667-1971041FA96B}"

# Check if the registry path for the PIN credential provider exists
if (Test-Path -Path $PINguid) {
    # Retrieve information from the registry about each SID folder under the PIN credential provider
    $SIDFolders = Get-ChildItem -Path $PINguid | ForEach-Object { Get-ItemProperty $_.PSPath }

    # Check if the SID of the logged-on user is available
    if (-not [string]::IsNullOrEmpty($currentUserSid)) {
        # Match the SID and the LogonCredsAvailable flag on the same subkey, so another user's enrolment on a shared device is not counted
        $enrolled = $SIDFolders | Where-Object { $_.PSChildName -eq $currentUserSid -and $_.LogonCredsAvailable -eq 1 }
        if ($enrolled) {
            Write-Output "User is enrolled in WHfB."
            Exit 1
        }
        else {
            Write-Output "User is not enrolled in WHfB."
            exit 0
        }
    }
    else {
        Write-Output "Unable to retrieve the SID for the logged-on user."
        exit 0
    }
}
else {
    Write-Output "Registry path for the PIN credential provider was not found."
    exit 0
}

Then package the app using https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool, then upload to Intune.


Note:

  • Install command line:

    • %SystemRoot%\sysnative\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden -executionpolicy bypass -command .\install.ps1

  • Install behaviour must be in 'User' Context as it applies to the user.
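
A variant of install.ps1 with logging and an exit-code check, as an added example that is not the author's script: it schedules the restart only when certutil reports success, so a failed removal does not reboot the user for nothing. The log folder under %LOCALAPPDATA% and the Write-Log helper are assumptions, as is certutil returning a non-zero exit code on failure.

```powershell
# install.ps1 variant (added example). Runs in the user's context, like the original.
$logDir  = Join-Path $env:LOCALAPPDATA 'WHfB-Removal'   # assumed log location
$logFile = Join-Path $logDir 'install.log'
New-Item -ItemType Directory -Path $logDir -Force | Out-Null

# Hypothetical helper: timestamp each line and write it to the log and to stdout
function Write-Log {
    param([string]$Message)
    $line = '{0} {1}' -f (Get-Date -Format 's'), $Message
    Add-Content -Path $logFile -Value $line
    Write-Output $line
}

# Full paths, so the script does not depend on PATH resolution
$certutil = Join-Path $env:SystemRoot 'System32\certutil.exe'
$shutdown = Join-Path $env:SystemRoot 'System32\shutdown.exe'

Write-Log "Deleting Windows Hello container for $env:USERNAME"

# Capture stdout and stderr so a failure reason ends up in the log
$output   = & $certutil /deletehellocontainer 2>&1
$exitCode = $LASTEXITCODE
$output | ForEach-Object { Write-Log "certutil: $_" }

if ($exitCode -ne 0) {
    # Container was not removed: skip the restart and let Intune report the failure
    Write-Log "certutil exited with code $exitCode; no restart scheduled."
    exit $exitCode
}

Write-Log 'Hello container deleted; scheduling restart in 60 seconds.'
& $shutdown /r /f /t 60 /c 'Restarting your PC for WHfB removal'
exit 0
```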


After the device restarts, it will bring the user back to this screen to re-setup.


 
 
 
