Get Windows Hello Status
Summary
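This script retrieves whether Windows Hello is enabled on the device and, if so, identifies which authentication method is currently in use. The result is derived from the most recently used sign-in provider, which Windows records in the LastLoggedOnProvider registry value.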
Sample Run

Dependencies
Task Creation
Script Details
Step 1
Navigate to Automation ➞ Tasks

Step 2
Create a new Script Editor style task by choosing the Script Editor option from the Add dropdown menu.
The New Script page will appear on clicking the Script Editor button:

Step 3
Fill in the following details in the Description section:
- Name: Get Windows Hello Status
- Description: This script retrieves whether Windows Hello is enabled on the device and, if so, identifies which authentication method is currently in use.
- Category: Custom

Script Editor
Click the Add Row button in the Script Editor section to start creating the script.
A blank function will appear:
Row 1 Function: PowerShell Script
Search and select the PowerShell Script function.
The following function will pop up on the screen:
Paste in the following PowerShell script and set the Expected time of script execution in seconds to 600 seconds. Click the Save button.
<#
.SYNOPSIS
    Detects the last used Windows Hello sign-in method on the machine.
.DESCRIPTION
    This script checks the registry value 'LastLoggedOnProvider' under
    HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI
    to determine the most recently used Windows sign-in provider.
    It compares the retrieved provider GUID with known Windows Hello provider GUIDs
    for PIN, Fingerprint, and Face authentication methods.
    If a match is found, the script outputs the detected method in the format:
        Enabled|<method>
    If the provider does not match any known Windows Hello method, or if the
    registry value cannot be accessed, the script returns:
        Disabled
#>
$regPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI"
$valueName = "LastLoggedOnProvider"

# Credential provider GUIDs for the Windows Hello sign-in methods.
$providers = @{
    PIN         = "{D6886603-9D2F-4EB2-B667-1971041FA96B}"
    Fingerprint = "{BEC09223-B018-416D-A0AC-523971B639F5}"
    Face        = "{8AF662BF-65A0-4D0A-A540-A338A999D36F}"
}

try {
    # -ErrorAction Stop sends a missing or unreadable value to the catch block.
    $providerGUID = (Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction Stop).$valueName
    $matchedProvider = $providers.GetEnumerator() | Where-Object { $_.Value -eq $providerGUID }
    if ($matchedProvider) {
        Write-Output "Enabled|$($matchedProvider.Key.ToLower())"
    }
    else {
        # The last sign-in used a provider other than Windows Hello.
        Write-Output "Disabled"
    }
}
catch {
    Write-Output "Disabled"
}

Row 2 Function: Script Log
Add a new row by clicking the Add Row button.
A blank function will appear.
Search and select the Script Log function.
In the script log message, simply type %output% and click the Save button.
Step 3 Logic: If/Then
Click on Add Logic > select If/Then
Row 3a Condition: Output Contains
- Condition: Output
- Operator: Contains
- Input Values: Enabled
Row 3b Function: Set Custom Field
- Select Windows Hello Status from the dropdown
- Add %output% in the Value field
Save Task
Click the Save button at the top-right corner of the screen to save the script.
Completed Task

Output
- Script Log
- Custom Field
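
Because the task script keys off the last sign-in only, a device where a PIN is set up but the most recent sign-in used a password is reported as Disabled. The following is an added example, not part of the original task script, that lists users with a PIN credential and flags that case. It assumes Windows stores per-user PIN availability as the LogonCredsAvailable DWORD under the PIN credential provider key; the function names are hypothetical.

```powershell
# Added example (not the task's own script).
# Windows Hello provider GUIDs, copied from the task script above.
$pinProvider    = '{D6886603-9D2F-4EB2-B667-1971041FA96B}'
$helloProviders = @(
    $pinProvider,
    '{BEC09223-B018-416D-A0AC-523971B639F5}',   # Fingerprint
    '{8AF662BF-65A0-4D0A-A540-A338A999D36F}'    # Face
)
$authRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication'

function Get-HelloPinEnrollment {
    # Hypothetical helper. Assumption: each subkey of the PIN provider key is a
    # user SID, and LogonCredsAvailable = 1 means that user has a PIN set up.
    param([string]$ProviderKey = "$authRoot\Credential Providers\$pinProvider")

    if (-not (Test-Path -LiteralPath $ProviderKey)) { return }
    Get-ChildItem -LiteralPath $ProviderKey -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Sid          = $_.PSChildName
            PinAvailable = ($null -ne $props -and $props.LogonCredsAvailable -eq 1)
        }
    }
}

function Get-LastLogonProvider {
    # Same value the task script reads; returns nothing when it cannot be read.
    $p = Get-ItemProperty -LiteralPath "$authRoot\LogonUI" -Name 'LastLoggedOnProvider' -ErrorAction SilentlyContinue
    if ($p) { $p.LastLoggedOnProvider }
}

$enrolled     = @(Get-HelloPinEnrollment | Where-Object { $_.PinAvailable })
$last         = Get-LastLogonProvider
$lastWasHello = $helloProviders -contains $last   # string comparison is case-insensitive

[pscustomobject]@{
    PinEnrolledUsers            = $enrolled.Count
    EnrolledSids                = $enrolled.Sid -join ','
    LastLogonProvider           = $last
    LastLogonWasHello           = $lastWasHello
    # True when the task would write "Disabled" although a PIN is set up.
    EnrolledButReportedDisabled = ($enrolled.Count -gt 0 -and -not $lastWasHello)
}
```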
Schedule Task
Task Details
- Name: Get Windows Hello Status
- Description: This script retrieves whether Windows Hello is enabled on the device and, if so, identifies which authentication method is currently in use.
- Category: Custom
Schedule
- Schedule Type: Schedule
- Timezone: Local Machine Time
- Start: <Current Date>
- Trigger: Time At <Current Time>
- Recurrence: Every day
Targeted Resource
Device Groups: Machines Opted For Windows Hello Audit

Completed Scheduled Task

Changelog
2026-03-12
- Initial version of the document