Last Authentication Method Used


Ever wondered which authentication method your users last used to sign into their device?

Digging this out of Entra can be a chore, assuming you even have access to the Entra portal in the first place.

# Map of credential provider GUIDs to friendlier names
$CredentialProviders = @{
    '{01A30791-40AE-4653-AB2E-FD210019AE88}' = 'Automatic Redeployment Credential Provider'
    '{1b283861-754f-4022-ad47-a5eaaa618894}' = 'Smartcard Reader Selection Provider'
    '{1ee7337f-85ac-45e2-a23c-37c753209769}' = 'Smartcard WinRT Provider'
    '{2135f72a-90b5-4ed3-a7f1-8bb705ac276a}' = 'PicturePasswordLogonProvider'
    '{25CBB996-92ED-457e-B28C-4774084BD562}' = 'GenericProvider'
    '{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}' = 'TrustedSignal Credential Provider'
    '{3dd6bec0-8193-4ffe-ae25-e08e39ea4063}' = 'NPProvider'
    '{48B4E58D-2791-456C-9091-D524C6C706F2}' = 'Secondary Authentication Factor Credential Provider'
    '{600e7adb-da3e-41a4-9225-3c0399e88c0c}' = 'CngCredUICredentialProvider'
    '{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}' = 'PasswordProvider'
    '{8AF662BF-65A0-4D0A-A540-A338A999D36F}' = 'FaceCredentialProvider'
    '{8FD7E19C-3BF7-489B-A72C-846AB3678C96}' = 'Smartcard Credential Provider'
    '{94596c7e-3744-41ce-893e-bbf09122f76a}' = 'Smartcard Pin Provider'
    '{BEC09223-B018-416D-A0AC-523971B639F5}' = 'WinBio Credential Provider'
    '{C5D7540A-CD51-453B-B22B-05305BA03F07}' = 'Cloud Experience Credential Provider'
    '{cb82ea12-9f71-446d-89e1-8d0924e1256e}' = 'PINLogonProvider'
    '{D6886603-9D2F-4EB2-B667-1971041FA96B}' = 'WHFB PIN, NGC Credential Provider'
    '{e74e57b0-6c6d-44d5-9cda-fb2df5ed7435}' = 'CertCredProvider'
    '{f64945df-4fa9-4068-a2fb-61af319edd33}' = 'RdpCredentialProvider'
    '{F8A0B131-5F68-486c-8040-7E8FC3C85BB6}' = 'WLIDCredentialProvider'
    '{F8A1793B-7873-4046-B2A7-1F318747F427}' = 'FIDO Credential Provider'
}

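# GUID of the credential provider used for the last sign-in on this device
$lastUserCredentialProvider = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI' -Name 'LastLoggedOnProvider' -ErrorAction SilentlyContinue | Select-Object -ExpandProperty LastLoggedOnProvider

if (-not $lastUserCredentialProvider) {
    # Value missing: indexing the hashtable with $null would throw
    Write-Output 'LastLoggedOnProvider not found'
}
elseif ($CredentialProviders.ContainsKey($lastUserCredentialProvider)) {
    Write-Output $CredentialProviders[$lastUserCredentialProvider]
}
else {
    # GUID not in the table above: report it raw instead of an empty line
    Write-Output "Unknown provider $lastUserCredentialProvider"
}

exit 0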

It basically grabs the GUID of the last credential provider used, chucks that into the hashtable and outputs the friendlier name.

I deploy this as a remediation script in Intune.

Then, once it's been running for a little while, you can check the device status in the remediation to see what your devices report back.

Pro tip: you need to enable the “pre-remediation detection output” column.
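Once devices have reported back, the device status list can be summarised per sign-in method to see which devices still sign in with a password. The following is an added example, not part of the original script; the column names `DeviceName`, `UserName` and `DetectionOutput` and the sample rows are assumptions, so adjust them to match your own export.

```powershell
# Constructed sample of an exported device status report. The column names
# (DeviceName, UserName, DetectionOutput) are assumptions; rename them to
# match the headers in your own export, then swap ConvertFrom-Csv for
# Import-Csv -Path <your file>.
$sampleCsv = @'
DeviceName,UserName,DetectionOutput
LAPTOP-001,alice@example.com,"WHFB PIN, NGC Credential Provider"
LAPTOP-002,bob@example.com,PasswordProvider
LAPTOP-003,carol@example.com,FIDO Credential Provider
LAPTOP-004,dave@example.com,PasswordProvider
LAPTOP-005,erin@example.com,
'@

function Get-SignInMethodSummary {
    param([Parameter(Mandatory)][object[]]$Rows)

    $Rows |
        ForEach-Object {
            # Devices that have not reported yet have an empty output column
            $method = if ([string]::IsNullOrWhiteSpace($_.DetectionOutput)) {
                '(no data)'
            } else {
                $_.DetectionOutput.Trim()
            }
            [pscustomobject]@{
                DeviceName = $_.DeviceName
                UserName   = $_.UserName
                Method     = $method
            }
        } |
        Group-Object -Property Method |
        Sort-Object -Property Count -Descending |
        Select-Object @{ n = 'Method';  e = { $_.Name } },
                      Count,
                      @{ n = 'Devices'; e = { ($_.Group.DeviceName | Sort-Object) -join ', ' } }
}

$rows = $sampleCsv | ConvertFrom-Csv

# Count of devices per last-used sign-in method
Get-SignInMethodSummary -Rows $rows | Format-Table -AutoSize

# Devices whose last sign-in still used a password
$rows |
    Where-Object { $_.DetectionOutput -eq 'PasswordProvider' } |
    Format-Table DeviceName, UserName -AutoSize
```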
