Forum Discussion

Steve Whitcher
Bronze Contributor
Jul 24, 2018

Logging on to Remote Desktop using Windows Hello for Business & Biometrics

In the release notes for build 17713, support was announced for logging into remote desktop sessions using biometrics via Windows Hello. I have a few questions I'm hoping someone can answer:

The way the blog post is worded, it's not clear whether the 'new' part of this is strictly related to biometrics, or if using Windows Hello to log into a remote desktop server is completely new. Was it previously possible to use Windows Hello with a PIN to log in to a remote desktop session? If so, is there any documentation on this available?

In the example used in the blog post, the Remote Desktop connection is from a Windows 10 client to a Windows Server 2016 server. Is Server 2016 required, or will this work with older server OS versions?

Does it matter which type of deployment (Key-Trust vs Certificate-Trust) is used for Windows Hello for Business?

I've tried using this feature in my environment to connect from a client running build 17713 to a Server 2016 server, but get an error "The client certificate does not contain a valid UPN. . . " (screenshot below)

Any idea what would cause that?

Have any Insiders out there been able to use this new feature successfully?

    • Micah Castorina
      Copper Contributor

      This only pertains to certificate trust deployments and biometrics. Will WHFB work with rdp/rdweb while using a PIN?

    • Azim null
      Copper Contributor

      I performed the steps in the guide after seeing this error and now WHFB has completely disappeared as an option for RDP. Just traditional UPN or Domain\user logon are the only options. I would love to go password-less, but it seems there is still some refinement required.

      • HotCakeX
        MVP

        Azim null wrote:

        > I performed the steps in the guide after seeing this error and now WHFB has completely disappeared as an option for RDP. Just traditional UPN or Domain\user logon are the only options. I would love to go password-less, but it seems there is still some refinement required.

        For me I want to have access to PIN when using my Hyper-V VM in enhanced session mode, but Windows Hello options disappear and only appear when using basic session mode in the Hyper-V VM console.

    • HotCakeX
      MVP
      Hi,
      I can't find that group policy in MDMs such as Azure Intune or Office365 device management.
      My devices run Windows 10 1909. Any ideas?
    • Matthew_Palko
      Microsoft

      RDP with Windows Hello for Business only works with certificate based deployments. Support for RDP with Windows Hello for Business PIN has been available for multiple releases. The changes in 1809 add support for biometric auth in addition to PIN.  

      • Micah Castorina
        Copper Contributor
        Unfortunately Microsoft documentation did not state that as a limitation for key trust deployments and Microsoft support didn't know that either. So we will have to switch to a certificate deployment in order to use PINs for RDP.
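Matthew_Palko's answer above says the RDP sign-in path depends on a certificate, and the original post's error ("The client certificate does not contain a valid UPN") is the symptom of a sign-in certificate that does not meet the requirements. The PowerShell below is an added example, not code from the thread or from Microsoft: it inventories the current user's personal certificate store and reports, per certificate, whether it carries a UPN in the Subject Alternative Name, the Smart Card Logon and Client Authentication EKUs, and whether its private key lives in the Windows Hello for Business container (the "Microsoft Passport Key Storage Provider"). The provider name string and the OID values are standard Windows values; the function names are mine.

```powershell
# Added example (not from the thread): check which certificates in the
# current user's store look usable for Windows Hello for Business
# certificate-trust RDP sign-in. Assumptions: RSA keys (GetRSAPrivateKey
# returns $null for ECC keys) and the standard Windows OIDs/KSP name.

$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon
$ClientAuthEku     = '1.3.6.1.5.5.7.3.2'         # Client Authentication
$SanOid            = '2.5.29.17'                 # Subject Alternative Name
$PassportKsp       = 'Microsoft Passport Key Storage Provider'

function Get-CertificateUpn {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
    if (-not $san) { return $null }
    # Format($true) renders the otherName entry as "Principal Name=user@domain"
    if ($san.Format($true) -match 'Principal Name=(\S+)') { return $Matches[1] }
    return $null
}

function Get-CertificateKsp {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Opening the key handle tells us which KSP holds it; this does not sign
    # anything, but for some providers it may still prompt for the PIN.
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            return $rsa.Key.Provider.Provider
        }
    } catch { }
    return $null
}

function Test-WhfbRdpCertificate {
    Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
        $cert = $_
        $upn  = Get-CertificateUpn $cert
        $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        $ksp  = Get-CertificateKsp $cert

        $problems = @()
        if (-not $upn)                               { $problems += 'no UPN in Subject Alternative Name' }
        if ($ekus -notcontains $SmartCardLogonEku)   { $problems += 'missing Smart Card Logon EKU' }
        if ($ekus -notcontains $ClientAuthEku)       { $problems += 'missing Client Authentication EKU' }
        if ($ksp -ne $PassportKsp)                   { $problems += "key not in Passport KSP (provider: $ksp)" }

        [pscustomobject]@{
            Subject          = $cert.Subject
            Thumbprint       = $cert.Thumbprint
            Upn              = $upn
            Provider         = $ksp
            UsableForWhfbRdp = ($problems.Count -eq 0)
            Problems         = ($problems -join '; ')
        }
    }
}

Test-WhfbRdpCertificate | Format-Table -AutoSize
```

Run it in the signed-in user's session on the client. A key-trust deployment shows no certificate in the Passport KSP at all, which is consistent with the thread's reports that the PIN tile fails or vanishes; a certificate issued from a Hello for Business template should show the UPN, both EKUs and the Passport provider. `certutil -user -store My` prints the same "Provider =" line if you prefer to cross-check without PowerShell.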
  • I have also deployed Key Trust model on the guidance and understanding from Microsoft that it was the simpler, more modern and reliable method to use in a cloud focused future. You can imagine my disappointment to learn of the limitations with this choice after deployment. Even worse, the limitations are not listed in the documentation when advising what solution to consider during deployment.
    The two most significant limitations are:
    - Up to 30 minute delay window for keys to be synced via AAD Connect
    - Can't be used as an RDP authentication method
    • Clint Lechner
      Steel Contributor
      Though an irritation, the 30 minute sync would be a blessing if RDP worked. I can't put into words how absolutely irate I was when we saw that RDP would not work with key trust, especially given that it's the preferred model.

      It just cripples us.
      • jurajt
        Brass Contributor
        Has this been resolved? Is it possible to use WHfB PIN (not certs!) to RDP login into a Windows server joined to Azure AD Domain Services?
      • BusinessFish
        Copper Contributor
        I know, but as I said, when you deploy an NDES server after you have configured key based trust, you can distribute WHFB certificates to users through Intune. Now you have certificate based trust, and RDP works
    • paulyberg
      Copper Contributor
      You're a godsend - thank you for sharing!
  • Joan Bennett
    Copper Contributor

    Did you ever figure this out? Just installed 1809 and ran into the same message.

  • Jeroen_Gielen
    Copper Contributor
    Hi,

    We are using WHFB cloud trust model instead of Key trust or Certificate-Trust.
    Is it possible to login to Remote Desktop using Windows Hello for Business & Biometrics with cloud trust? I can't find an answer anywhere.

    Thanks
    • JayDollas
      Copper Contributor

      Jeroen_Gielen I'd be interested if you find a solution to this. Just rolled out Cloud Kerberos Trust and having the same issue with RDP and WHfB

  • Vince97
    Copper Contributor
    Any solution for this issue so far? Can't use my PIN to login to a remote desktop, but when I'm using my username and password it's working.
