Forum Discussion
Steve Whitcher
Jul 24, 2018, Bronze Contributor
Logging on to Remote Desktop using Windows Hello for Business & Biometrics
In the release notes for build 17713, support was announced for logging into Remote Desktop sessions using biometrics via Windows Hello. I have a few questions I'm hoping someone can answer:
The way the blog post is worded, it's not clear whether the 'new' part of this is strictly related to biometrics, or if using Windows Hello to log into a remote desktop server is completely new. Was it previously possible to use Windows Hello with a PIN to log in to a remote desktop session? If so, is there any documentation on this available?
In the example used in the blog post, the Remote Desktop connection is from a Windows 10 client to a Windows Server 2016 server. Is Server 2016 required, or will this work with older server OS versions?
Does it matter which type of deployment (Key-Trust vs Certificate-Trust) is used for Windows Hello for business?
I've tried using this feature in my environment, to connect from a client running build 17713 to a Server 2016 server, but get an error "The client certificate does not contain a valid UPN. . . " (screenshot below)
Any idea what would cause that?
Have any Insiders out there been able to use this new feature successfully?
- Vince97 (Copper Contributor): Any solution for this issue so far? I can't use my PIN to log in to a remote desktop, but when I'm using my username and password it's working.
- Jeroen_Gielen (Copper Contributor): Hi,
We are using WHFB cloud trust model instead of Key trust or Certificate-Trust.
Is it possible to login to Remote Desktop using Windows Hello for Business & Biometrics with cloud trust? I can't find an answer anywhere.
Thanks
- JayDollas (Copper Contributor):
Jeroen_Gielen I'd be interested if you find a solution to this. Just rolled out Cloud Kerberos Trust and having the same issue with RDP and WHfB
- BusinessFish (Copper Contributor): It's possible, but technically it's not key-based trust anymore. You don't need ADFS; just configure key-based trust, then continue the guide to set up an NDES server and deploy user certificates through Intune:
https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert
- paulyberg (Copper Contributor): You're a godsend, thank you for sharing!
- Clint Lechner (Steel Contributor): RDP does not work with key trust.
- BusinessFish (Copper Contributor): I know, but as I said, when you deploy an NDES server after you have configured key-based trust, you can distribute WHFB certificates to users through Intune. Now you have certificate-based trust, and RDP works.
- Christoph Berthoud (Copper Contributor): I have also deployed the Key Trust model on the guidance and understanding from Microsoft that it was the simpler, more modern and reliable method to use in a cloud-focused future. You can imagine my disappointment to learn of the limitations of this choice after deployment. Even worse, the limitations are not listed in the documentation when advising what solution to consider during deployment.
The two most significant limitations are:
- Up to 30 minute delay window for keys to be synced via AAD Connect
- Can't be used as an RDP authentication method
- Clint Lechner (Steel Contributor): Though an irritation, the 30 minute sync would be a blessing if RDP worked. I can't put into words how absolutely irate I was when we saw that RDP would not work with key trust, especially given that it's the preferred model.
It just cripples us.
- jurajt (Brass Contributor): Has this been resolved? Is it possible to use a WhfB PIN (not certs!) for RDP login to a Windows server joined to Azure AD Domain Services?
- Micah Castorina (Copper Contributor):
It would be nice to actually get a reply to one question I ask on this forum.
- Matthew_Palko (Microsoft):
RDP with Windows Hello for Business only works with certificate-based deployments. Support for RDP with the Windows Hello for Business PIN has been available for multiple releases. The changes in 1809 add support for biometric auth in addition to the PIN.
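Since RDP only accepts a certificate-based Windows Hello for Business credential, the quickest way to tell a key-trust client from a certificate-trust one (and to diagnose the "client certificate does not contain a valid UPN" error from the original post) is to inventory the user's personal certificate store. The PowerShell below is an added example, not code from the thread or from Microsoft; it assumes the WHfB certificate is enrolled into Cert:\CurrentUser\My and that its private key is held by the "Microsoft Passport Key Storage Provider" (the provider name is an assumption), and it reports, per certificate, the key provider, the Smart Card Logon EKU and the UPN found in the Subject Alternative Name.

```powershell
# Added example (not from the thread): list the current user's certificates and
# flag those that could satisfy RDP's certificate-trust requirement for WHfB.
# Assumption: the WHfB key is held by the Passport KSP named below.
$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'
$ClientAuthEku     = '1.3.6.1.5.5.7.3.2'
$PassportKsp       = 'Microsoft Passport Key Storage Provider'

function Get-WhfbRdpCertificateReport {
    Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
        $cert = $_
        $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })

        # The UPN is carried in the Subject Alternative Name (OID 2.5.29.17)
        # as an otherName of type Principal Name; Format() renders it as
        # "Principal Name=user@domain". No Principal Name = the RDP error above.
        $upn = $null
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($sanExt) {
            $sanText = $sanExt.Format($true)
            if ($sanText -match 'Principal Name=([^\r\n,]+)') { $upn = $Matches[1].Trim() }
        }

        # Which key storage provider holds the private key? Wrapped in try/catch
        # because a provider may refuse to open the key handle without a gesture.
        $provider = $null
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                $provider = $rsa.Key.Provider.Provider
            } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $provider = $rsa.CspKeyContainerInfo.ProviderName
            }
        } catch { }

        $isWhfbKey = ($provider -eq $PassportKsp)
        [pscustomobject]@{
            Subject        = $cert.Subject
            Thumbprint     = $cert.Thumbprint
            NotAfter       = $cert.NotAfter
            KeyProvider    = $provider
            IsWhfbKey      = $isWhfbKey
            SmartCardLogon = ($ekus -contains $SmartCardLogonEku)
            ClientAuth     = ($ekus -contains $ClientAuthEku)
            Upn            = $upn
            # RDP wants a logon-capable certificate, bound to the WHfB key,
            # whose SAN names the user's UPN. All three must hold.
            RdpCandidate   = $isWhfbKey -and ($ekus -contains $SmartCardLogonEku) -and
                             -not [string]::IsNullOrEmpty($upn)
        }
    }
}

$report = Get-WhfbRdpCertificateReport
if (-not ($report | Where-Object IsWhfbKey)) {
    Write-Warning 'No certificate is backed by the WHfB key: this looks like a key-trust (or cloud Kerberos trust) deployment, which RDP does not accept.'
}
$report | Format-Table Subject, IsWhfbKey, SmartCardLogon, Upn, RdpCandidate -AutoSize
```

If the table shows a certificate backed by the Passport KSP but with an empty Upn column, the certificate template (or the Intune/NDES profile) is not putting the UPN into the SAN; if no certificate is backed by that KSP at all, the deployment is key trust and no amount of client-side fixing will make RDP accept the PIN.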
- Micah Castorina (Copper Contributor): Unfortunately Microsoft documentation did not state that as a limitation for key trust deployments, and Microsoft support didn't know that either. So we will have to switch to a certificate deployment in order to use PINs for RDP.
- Dani Halfin (Microsoft):
Although late, we have published information around WHfB with RDP:
- Akbar (Copper Contributor):
Could you please share the solution again? The original link has expired and isn't working anymore. I'm encountering the same problem in my environment and would appreciate your assistance
Thanks,
Akbar
- DaStivi (Copper Contributor):
The information has been moved here: https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/faq#can-i-use-rdp-vdi-with-windows-hello-for-business-cloud-kerberos-trust
But basically it says this (for the future, if the link/content moves again):
But in my opinion this also doesn't mean "this does not work"; you have to understand and use it differently. It might just be me, but it took some time to think about it...
Because you can't use WHfB for a "direct" login to RDP, it doesn't work the way you'd enter the username and then use biometrics for the password login (this still has some consequences)...
Instead you just don't enter a username/password at all, because you use Remote Credential Guard and do a single sign-on directly to RDP with your user (with your currently logged-in user, though!!!).
For me the biggest problem is that this also doesn't solve a "PAW scenario" where I wouldn't like to have to enter an admin's password on the computer... There are ways of also storing a privileged user's WHfB credential in your normal user's WHfB container, but this comes with some security degradation around the "certificates" that are behind all of them... This is called "Dual enrollment"; you can read about it here: Dual enrollment | Microsoft Learn
I also had some issues rolling this out correctly, had to mess around with my WHfB containers, remove and recreate my WHfB logins, ended up with Windows Hello not working either; all in all it was a bit of a mess... It then worked at some point, but I think it's broken again now on my computer...
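The Remote Credential Guard route described in the post above, as an added PowerShell example that is not code from the thread or from Microsoft: it sets the two registry values Microsoft documents for Remote Credential Guard (the host-side DisableRestrictedAdmin switch under the Lsa key and the client-side AllowProtectedCreds policy value), adds a pre-flight check for the prerequisites that explain why this only works for the currently signed-in user, and shows the mstsc invocation. The host name is a placeholder; run the host function elevated on the RDP target and the client function elevated on the Windows client.

```powershell
# Added example (not from the thread): Remote Credential Guard setup and
# pre-flight check. $RdpHost is an assumed placeholder; replace it.
$RdpHost = 'rds01.corp.example.com'

function Enable-RemoteCredentialGuardHost {
    # On the target, Remote Credential Guard shares the Restricted Admin switch:
    # DisableRestrictedAdmin = 0 allows both Restricted Admin and RCG sessions.
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    New-ItemProperty -Path $lsa -Name DisableRestrictedAdmin -PropertyType DWord -Value 0 -Force | Out-Null
    (Get-ItemProperty -Path $lsa -Name DisableRestrictedAdmin).DisableRestrictedAdmin
}

function Enable-RemoteCredentialGuardClient {
    # Policy "Restrict delegation of credentials to remote servers" set to
    # "Require Remote Credential Guard" corresponds to AllowProtectedCreds = 1.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name AllowProtectedCreds -PropertyType DWord -Value 1 -Force | Out-Null
    (Get-ItemProperty -Path $key -Name AllowProtectedCreds).AllowProtectedCreds
}

function Test-RemoteCredentialGuardPrereqs {
    # RCG forwards the signed-in user's Kerberos TGT to the target instead of
    # sending a password or PIN, so the client must be domain-joined (AD or
    # hybrid) and the connecting identity is always the interactive user.
    # That is exactly why it does not cover a separate-admin (PAW) logon.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    [pscustomobject]@{
        DomainJoined   = $cs.PartOfDomain
        Domain         = $cs.Domain
        SignedInUser   = "$env:USERDOMAIN\$env:USERNAME"
        HasKerberosTgt = ((klist.exe tgt 2>$null) -join "`n") -match 'Cached TGT'
    }
}

$pre = Test-RemoteCredentialGuardPrereqs
$pre | Format-List
if (-not $pre.DomainJoined -or -not $pre.HasKerberosTgt) {
    Write-Warning 'Remote Credential Guard needs a domain-joined client with a cached Kerberos TGT for the signed-in user.'
}

# Connect without typing a password: /remoteGuard delegates the signed-in
# user's Kerberos identity to $RdpHost rather than sending credentials to it.
Write-Host "mstsc.exe /remoteGuard /v:$RdpHost"
```

Note the design consequence the post points out: because the delegated identity is always the interactive user, a separate administrative account still has to be typed in (or dual-enrolled into the same WHfB container); Remote Credential Guard removes the password prompt, it does not change who you are.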
- Nils_WSC (Copper Contributor): The link is broken. 404
- Joan Bennett (Copper Contributor):
Did you ever figure this out? Just installed 1809 and ran into the same message.