Blog Post

Core Infrastructure and Security Blog
6 MIN READ

Passwordless RDP with Windows Hello for Business

parobinson's avatar
parobinson
Icon for Microsoft rankMicrosoft
May 04, 2022
  Windows Hello for Business (WHfB) provides a password-less experience for users to log into their Windows 10 or 11 device. However, a challenge remains when accessing remote systems. This can be ...
Updated May 09, 2022
Version 3.0
PaulRobinson
robertro-sit's avatar
robertro-sit
Copper Contributor
May 05, 2022

to add some more details to what raver2475 said. 

 

the statement "We are protecting these credentials as we are not exposing their passwords to potentially targeted and compromised machines" is misleading and incorrect. when you logon with WH4B to a workstation, certificate or not - https://www.strong-it.at/windows-hello-for-business-the-passwordless-way-of-the-future/ WH4B does not magically remove those two essential things, they are still there under the hood to make things work as they do with plain password logons. 

 

now when you "run as a different user..." on that same workstation, and again use WH4B for doing the logon, the same will happen. it will leave your credentials in LSASS. should that "other user" be your domain admin, or server admin, or other sensitive credential, it is vulnerable to the same credential theft principles as when you do the login without WH4B.

 

so use case 6.2 is a very bad idea and should be prohibited via "Deny Logon As" policies as per the 3-tier-admin-segmentation concept, unless a true PAW is used.

 

 

using this method for use case 6.1 on the other hand sounds interesting, and should not have the mentioned security issue, as creds used for initiating RDP sessions are not stored in local LSASS.EXE. however initial enrollment of the privileged account on the workstation is problematic - in a correctly segmented 3-tier-environment logon is not possible to do the enrollment because the privileged account is denied local logon. which leaves this use case to "true PAWs" only where this restriction wouldn't apply.

 

 

final question: the documentation https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop says "The remote desktop with biometric feature does not work with https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment feature or scenarios where the user provides alternative credentials. Microsoft continues to investigate supporting the feature." is the documentation outdated?