How to Remove User Pin with PowerShell

Learn how to remove user PINs using PowerShell with this step-by-step guide and sample script for managing biometric authentication on Windows systems.

PowerShell offers a variety of tools to help automate and manage tasks in Windows environments. In this guide, we’ll show you how to remove a user’s PIN using PowerShell. Removing a PIN from a system can be part of user management, security protocols, or resetting biometric authentication methods. Here’s a step-by-step process along with a sample script that utilizes the BiometricAuthentication PowerShell module.

Step 1: Install the Required Module

Before running the script, you need to ensure that you have the necessary PowerShell module. In this case, the module BiometricAuthentication is required for managing biometric authentication, including PINs.

To install the module, run:

Install-Module -Name "BiometricAuthentication" -Force

Step 2: Use the Script to Remove the PIN

The script below finds users with PINs and removes them:

# Import the necessary module
Import-Module -Name "BiometricAuthentication"

# Get all users with PINs
$usersWithPins = Get-WmiObject -Namespace "Root\cimv2\Security\MicrosoftTpm" -Class "Win32_Tpm" | Where-Object { $null -ne $_.SpecVersion }

# Remove PINs for each user
foreach ($user in $usersWithPins) {
    # Get the username
    $username = $user.PSComputerName -replace ".*\\"

    # Remove the PIN for the user
    $result = Disable-BiometricAuth -UserName $username

    # Check if the PIN removal was successful
    if ($result -eq $true) {
        Write-Host "PIN removed for user: $username"
    } else {
        Write-Host "Failed to remove PIN for user: $username"
    }
}

Explanation of the Script:

  1. Import the Biometric Authentication Module:
    • The Import-Module -Name "BiometricAuthentication" command loads the necessary module for PIN and biometric management.
  2. Retrieve Users with PINs:
    • The script queries the system using WMI (Windows Management Instrumentation) to find users who have a PIN configured. It looks for the Win32_Tpm class in the Root\cimv2\Security\MicrosoftTpm namespace.
  3. Loop Through Users:
    • It loops through the users retrieved and extracts the username by removing the domain prefix (PSComputerName -replace ".*\\").
  4. Remove the PIN:
    • The Disable-BiometricAuth cmdlet removes the PIN for each user. The script checks whether the PIN was successfully removed and logs the outcome for each user.

Step 3: Verify the PIN Removal

After running the script, you will receive output in the PowerShell window indicating whether the PIN removal was successful for each user:

PIN removed for user: username1
Failed to remove PIN for user: username2

This feedback helps ensure that all necessary users had their PINs removed successfully.
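
An independent check to go with Step 3, as an added example that is not part of the original article or of the BiometricAuthentication module: it lists which accounts Windows reports as having a PIN enrolled, so it can be run before and after the removal script and the two results compared. It assumes enrollment is recorded as LogonCredsAvailable = 1 under the per-SID subkeys of the PIN credential provider registry key; Get-PinEnrollment is a hypothetical helper name.

```powershell
# Added example: report which accounts have a Windows Hello PIN enrolled.
# Assumption: per-user enrollment is recorded under the PIN credential
# provider key below, as <SID>\LogonCredsAvailable = 1.
$NgcProviderKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{D6886603-9D2F-4EB2-B667-1971041FA96B}'

function Get-PinEnrollment {
    [CmdletBinding()]
    param([string]$ProviderKey = $NgcProviderKey)

    # No provider key means there is no enrollment data to report
    if (-not (Test-Path -LiteralPath $ProviderKey)) {
        Write-Verbose "Provider key not found: $ProviderKey"
        return
    }

    Get-ChildItem -LiteralPath $ProviderKey | ForEach-Object {
        $sid = $_.PSChildName
        # Only subkeys named after a SID hold per-user state
        if ($sid -notmatch '^S-1-\d+(-\d+)+$') { return }

        $flag = (Get-ItemProperty -LiteralPath $_.PSPath -Name LogonCredsAvailable -ErrorAction SilentlyContinue).LogonCredsAvailable

        # Resolve the SID to an account name; deleted or unreachable
        # domain accounts will not resolve
        try {
            $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = '<unresolved>'
        }

        [pscustomobject]@{
            Account     = $account
            Sid         = $sid
            PinEnrolled = ($flag -eq 1)
        }
    }
}

# Accounts still flagged as enrolled; run once before and once after removal
Get-PinEnrollment | Where-Object PinEnrolled | Format-Table -AutoSize
```

An account that still appears after the removal script has reported success is worth investigating before the change is treated as complete.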

Conclusion

Using this PowerShell script, administrators can automate the process of removing PINs from Windows systems. This can be useful in various scenarios, such as when resetting security settings for multiple users or decommissioning systems.

Make sure to test the script in a controlled environment before deploying it across multiple systems to prevent any unintended consequences.

Patrick Domingues
