lukesrees: Remember first and foremost that WHfB is targeted at your end users to facilitate passwordless logon to their desktop. Really, the RDP question is an afterthought. There are many ways to protect your high-privilege credentials. I would not let the requirement for your few admins dictate the direction for your many users.
Hybrid certificate trust was the first and oldest method of providing sign-in to a domain controller using WHfB. It's aimed at orgs that can't update their DCs beyond 2012 R2, which at this stage really need to be on an upgrade path. Another big requirement for hybrid cert trust is that your domains need to be federated with ADFS (device registration happens on ADFS). PHS and PTA are not supported. Taking all that into account, cert trust these days should really be a last resort. Hybrid Azure AD joined Windows Hello for Business Prerequisites - Windows security | Microsoft Learn
Key trust supports PHS and PTA and does not need ADFS. Far simpler deployment and management, and it uses the same keys to log into a domain as are used to log into Azure AD. It requires some PKI work, however.
But what would I recommend for new deployments starting from scratch? Hybrid cloud trust: the simplest and most straightforward deployment. This also opens up FIDO logon for desktops. This will become the default recommended method for WHfB. The main prereq to be aware of is Win10 21H2 or later. Hybrid cloud Kerberos trust Deployment (Windows Hello for Business) - Windows security | Microsoft Learn
This will apply to all your users for their desktop logon. Then we worry about secure use of high-privilege credentials. Hope that helps.
P.S. RDP can be used with the above method when storing a cert in the WHfB container, using cloud trust too 🙂
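As an added example (not part of lukesrees' post or Microsoft's documentation), the PowerShell below walks through the hybrid cloud Kerberos trust prerequisites the post recommends: checking the Windows 10 21H2 client build, creating the Azure AD Kerberos server object in the on-prem domain, setting the client policy, and verifying the sign-in state. The domain name and admin UPN are placeholders; it assumes the AzureADHybridAuthenticationManagement module is available from the PowerShell Gallery and that the script runs elevated on a hybrid-joined admin workstation. The registry values are the local equivalent of the "Use cloud trust for on-premises authentication" GPO setting; in production you would push that via GPO or Intune rather than writing the registry directly.

```powershell
# Added example: hybrid cloud Kerberos trust prerequisites and checks.
# Placeholders, not real values:
$Domain        = 'corp.example.com'                   # on-prem AD domain (assumed)
$CloudAdminUpn = 'admin@example.onmicrosoft.com'      # Azure AD Global Admin UPN (assumed)

# 1. Client prerequisite from the post: Windows 10 21H2 or later.
#    21H2 is build 19044; Windows 11 (22000+) satisfies the check as well.
function Test-CloudTrustClientBuild {
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    [pscustomobject]@{
        Build     = $build
        Supported = ($build -ge 19044)
    }
}

# 2. Domain prerequisite: the Azure AD Kerberos server object. Run once per domain.
#    Set-AzureADKerberosServer creates the AzureADKerberos computer object and the
#    krbtgt_AzureAD account in AD and publishes the key to Azure AD, so Azure AD
#    can issue a partial TGT that the on-prem DC exchanges for a full one.
function Install-CloudTrustKerberosServer {
    if (-not (Get-Module -ListAvailable -Name AzureADHybridAuthenticationManagement)) {
        Install-Module -Name AzureADHybridAuthenticationManagement -AllowClobber -Scope CurrentUser
    }
    Import-Module AzureADHybridAuthenticationManagement

    $domainCred = Get-Credential -Message 'On-prem Domain Admin'
    $cloudCred  = Get-Credential -Message 'Azure AD Global Admin'

    Set-AzureADKerberosServer -Domain $Domain -UserPrincipalName $CloudAdminUpn `
        -DomainCredential $domainCred -CloudCredential $cloudCred

    # Read back both copies; the on-prem and cloud key versions should match.
    $server = Get-AzureADKerberosServer -Domain $Domain -UserPrincipalName $CloudAdminUpn `
        -DomainCredential $domainCred -CloudCredential $cloudCred
    $server | Format-List *
    if ($server.KeyVersion -ne $server.CloudKeyVersion) {
        Write-Warning 'On-prem and cloud key versions differ; re-run or rotate the key.'
    }
}

# 3. Client policy: enable WHfB and turn on cloud trust for on-prem auth.
#    Local-registry equivalent of the GPO under
#    Windows Components > Windows Hello for Business (assumed to mirror the ADMX).
function Enable-CloudTrustLocalPolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'Enabled'                    -Value 1 -Type DWord
    Set-ItemProperty -Path $key -Name 'UseCloudTrustForOnPremAuth' -Value 1 -Type DWord
}

# 4. After a user signs in with WHfB, confirm the device is hybrid joined and that
#    both the cloud TGT and on-prem TGT were obtained, then look for the krbtgt ticket.
function Test-CloudTrustSignIn {
    dsregcmd /status | Select-String 'AzureAdJoined|DomainJoined|AzureAdPrt|CloudTgt|OnPremTgt'
    klist | Select-String 'krbtgt'
}

# Typical order on a fresh deployment:
Test-CloudTrustClientBuild
# Install-CloudTrustKerberosServer   # once, from an admin workstation
# Enable-CloudTrustLocalPolicy       # or the equivalent GPO / Intune CSP
# Test-CloudTrustSignIn              # after a WHfB sign-in on the client
```

Rotate the Azure AD Kerberos server key periodically with `Set-AzureADKerberosServer ... -RotateServerKey`, as you would the regular krbtgt, since that key is what lets Azure AD mint the partial TGT. Note this only covers interactive desktop logon; as the post says, RDP additionally needs a certificate in the WHfB container.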