Remind users to enroll into Windows Hello for Business using Toast Notifications and ConfigMgr


I recently did a tweet about doing a toast notification to lure end-users into enrolling their device with Windows Hello for Business voluntarily.

Prior to doing the tweet, I found my self wrestling with Powershell and a way to locate devices not enrolled into WHfB yet. Seeing I only wanted to nag people not enrolled yet, this was a requirement for the entire process.

So this post is a little something on both the actual toast notification, but also on how I ended up locating devices not enrolled into WHfB yet using a Compliance Baseline in ConfigMgr.


As mentioned, I ended up creating a Powershell script which will return either True or False, indicating either successful enrollment or missing enrollment for the currently logged on user.

  • Credit where due: Niall Brady pointed me in the direction of the registry key used in the script. I was originally looking into traversing WHfB event logs, but that quickly turned out useless as they get overwritten.

The script does following in headlines:

  • Loads registry keys and values for the PIN credential provider
  • Looks up the logged on user’s SID in local Active Directory if any AD is available
    • Compares the SID in registry to the logged on user’s SID
      • If the logged on user’s SID exists in registry for the PIN provider, see if the PIN credential provider is used
        • Returns True if it does
        • Returns False if it doesn’t
  • If no local Active Directory is available, continue looking for the logged on user’s SID in WMI
    • Then do the same as above


Configuration Manager

So how does one use this script with SCCM? I have included 2 scripts doing practically the same in the download. The script tagged with SCCM_CI is the one I suggest you use, as this has been stripped for comments and other unnecessary cmdlets.

The other script is the initial script, containing commenting and write-verbose cmdlets for easing of the understanding.

  • Get-WHFBCompliance.ps1
  • Get-WHFBCompliance_SCCM_CI.ps1

Create a new Configuration Item with a Setting similar to the below illustration. Paste in the Powershell script from the download.

The important part here is, that the CI runs in the current users context, as we try to look up the users SID in Active Directory.

Also, create a Compliance Rule similar to below and complete the Configuration Item.

Attach the Configuration Item to a Configuration Baseline and deploy it.

Now, the deployment of the Configuration Baseline gives us some options to create additional collections. See below illustration.

Go ahead and create collections for both Compliant and Non-compliant.

  • Compliant = The user is enrolled into Windows Hello for Business
  • Non-compliant = The user is NOT enrolled into Windows Hello for Business

The collections created above can now be used to target the actual Toast Notification. See below for inspiration.

Toast Notification

The toast notification is obviously created with my Windows 10 Toast Notification Script found here:

Configuring the script to use with Windows Hello for Business is straightforward and just requires you to turn off all the built in features like so:

<Feature Name=”UpgradeOS” Enabled=”False” />
<Feature Name=”PendingRebootUptime” Enabled=”False” />
<Feature Name=”PendingRebootCheck” Enabled=”False” />
<Feature Name=”ADPasswordExpiration” Enabled=”False” />

Include some relevant images and text and you are set to deploy the script to the collection consisting of devices not yet enrolled into Windows Hello for Business.

HOT TIP: Make the toast notification action button redirect users directly into the WHfB enrollment page using this: <Option Name=”Action” Value=”ms-settings:signinoptions” />

More possible settings actions here:


8 thoughts on “Remind users to enroll into Windows Hello for Business using Toast Notifications and ConfigMgr”

  1. yes, it looks very interesting, but where is the script, the original link is broken and points to the technet gallery homepage. I run a search for the script names and could not find them there.

    • Right, that’s somewhat the same script as I used with ConfigMgr, just made for Intune. Takes very little adjustments to make it work as a CI in ConfigMgr 🙂

      • Hi Martin, these little adjustments, are they simply a matter of changing the exit codes to from 0 and 1 to True and False?


Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.