
I've looked into the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI

as well as the CIM registry: root/CIMv2/Security/MicrosoftVolumeEncryption

But these don't reflect the user's settings. I have run this on our 9 office computers, of which I know only 3 have the PIN code activated (the rest have the default alphanumeric password), but all 9 return the same values when polling the above two paths.

Can someone tell me a rock-solid way of knowing if a user has a PIN code set? This is not a security breach, since I am only interested in whether the user has the PIN activated, not the PIN itself.

1 Answer


See the PowerShell script Detect-WindowsHelloEnrollment.ps1:

Script will detect if the logged on user is using the PIN credential provider indicating that the user is making use of Windows Hello for Business.

The script checks the subkeys of the registry key for the PIN credential provider at
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{D6886603-9D2F-4EB2-B667-1971041FA96B}.

The item LogonCredsAvailable for the user's SID needs to have the value of 1 for PIN to be enabled.

  • Thanks! That was it. You also get a uuid for the regular password login. Commented Jan 17 at 20:58
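
The check described in the answer above, as an added example that is not part of the original post and is not the Detect-WindowsHelloEnrollment.ps1 script itself. The function name `Get-PinEnrollment` is hypothetical, and the code assumes the per-user subkeys of the provider key are named by SID, as the answer describes.

```powershell
# Added example: report, per user SID, whether the PIN credential provider
# has logon credentials available. The key path and the value name
# LogonCredsAvailable come from the answer; everything else is illustrative.
$PinProvider = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{D6886603-9D2F-4EB2-B667-1971041FA96B}'

function Get-PinEnrollment {
    [CmdletBinding()]
    param(
        # Hypothetical parameter so the function can be pointed at another key for testing.
        [string]$ProviderKey = $PinProvider
    )

    if (-not (Test-Path -LiteralPath $ProviderKey)) {
        Write-Warning "Credential provider key not found: $ProviderKey"
        return
    }

    # Assumption: each subkey named like a SID (S-1-...) belongs to one user.
    Get-ChildItem -LiteralPath $ProviderKey -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-\d+(-\d+)+$' } |
        ForEach-Object {
            $sid   = $_.PSChildName
            $props = Get-ItemProperty -LiteralPath $_.PSPath -Name 'LogonCredsAvailable' -ErrorAction SilentlyContinue

            # Resolve the SID to an account name; deleted or foreign accounts may not resolve.
            try {
                $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $account = '<unresolved>'
            }

            [pscustomobject]@{
                Account    = $account
                Sid        = $sid
                # A missing value yields $null, which compares as not enabled.
                PinEnabled = ($props.LogonCredsAvailable -eq 1)
            }
        }
}

# Show only the currently logged-on user's entry.
$currentSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
Get-PinEnrollment | Where-Object { $_.Sid -eq $currentSid }
```

Dropping the final `Where-Object` filter lists every SID recorded under the provider key, which is the view needed when auditing several accounts on one machine.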
