Forum Discussion
Logging on to Remote Desktop using Windows Hello for Business & Biometrics
In the release notes for build 17713, support was announced for logging into remote desktop sessions using biometrics via windows hello. I have a few questions I'm hoping someone can answer:
The way the blog post is worded, it's not clear whether the 'new' part of this is strictly related to biometrics, or if using Windows Hello to log into a remote desktop server is completely new. Was it previously possible to use Windows Hello with a PIN to log in to a remote desktop session? If so, is there any documentation on this available?
In the example used in the blog post, the Remote Desktop connection is from a Windows 10 client to a Windows Server 2016 server. Is Server 2016 required, or will this work with older server OS versions?
Does it matter which type of deployment (Key-Trust vs Certificate-Trust) is used for Windows Hello for business?
I've tried using this feature in my environment, to connect from a client running build 17713 to a Server 2016 server, but get an error "The client certificate does not contain a valid UPN. . . " (screenshot below)
Any idea what would cause that?
Have any Insiders out there been able to use this new feature successfully?
Although late, we have published information around WHfB with RDP :
- Dani HalfinMicrosoft
Although late, we have published information around WHfB with RDP :
- Micah CastorinaCopper Contributor
This only pertains to certificate trust deployments and biometrics. Will WHFB work with rdp/rdweb while using a PIN?
- Azim nullCopper Contributor
I performed the steps in the guide after seeing this error and now WHFB has completely dissapeared as an option for RDP. Just traditional UPN or Domain\user logon are the only options. I would love to go password-less, but it seems there is still some refinement required.
Azim null wrote:I performed the steps in the guide after seeing this error and now WHFB has completely dissapeared as an option for RDP. Just traditional UPN or Domain\user logon are the only options. I would love to go password-less, but it seems there is still some refinement required.
For me I want to have access to PIN when using my Hyper-V VM in enhanced session mode, but Windows hello options disappear and only appear when using basic session mode in Hyper-V VM console.
- Hi,
I can't find that group policy in MDMs such as Azure Intune or Office365 device management.
my devices run Windows 10 1909. any ideas?
- Micah CastorinaCopper Contributor
It would be nice to actually get a reply to one question I ask on this forum.
- Matthew_PalkoMicrosoft
RDP with Windows Hello for Business only works with certificate based deployments. Support for RDP with Windows Hello for Business PIN has been available for multiple releases. The changes in 1809 add support for biometric auth in addition to PIN.
- Micah CastorinaCopper ContributorUnfortunately Microsoft documentation did not state that as a limitation for key trust deployments and Microsoft support didn't know that either. So we will have to switch to a certificate deployment in order to use PINs for RDP.
- Christoph BerthoudCopper ContributorI have also deployed Key Trust model on the guidance and understanding from Microsoft that it was the simpler, more modern and reliable method to use in a cloud focused future. You can imagine my disappointment to learn of the limitations with this choice after deployment. Even worse, the limitations are not listed in the documentation when advising what solution to consider during deployment.
The two most significant limitations are:
- Up-to 30 minute delay window for key's to be sync'd via AAD Connect
- Can't be used as an RDP authentication method- Clint LechnerSteel ContributorThough an irritation, the 30 minute sync would be a blessing if RDP worked. I can't put into words how absolutely irrate I was when we saw that RDP would not work with key trust, especially given that it's the preferred model.
It just cripples us.- jurajtBrass Contributorhas this been resolved? is it possible to use WhfB PIN (not certs!) to RDP login into a windows server joined to Azure AD Domain Services?
- BusinessFishCopper ContributorIt's possible, but technically it's not key based trust anymore. You don't need ADFS, just configure key based trust, then continue the guide to set up an NDES server and deploy user certificates through Intune
https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert- Clint LechnerSteel ContributorRDP does not work with key trust.
- BusinessFishCopper ContributorI know, but as I said, when you deploy an NDES server after you have configured key based trust, you can distribute WHFB certificates to users through Intune. Now you have certificate based trust, and RDP works
- paulybergCopper ContributorYou're a godsend - thank you for sharing!
- Joan BennettCopper Contributor
Did you ever figure this out? Just installed 1809 and ran into the same message.
- Deleted.
- Jeroen_GielenCopper ContributorHi,
We are using WHFB cloud trust model instead of Key trust or Certificate-Trust.
Is it possible to login to Remote Desktop using Windows Hello for Business & Biometrics with cloud trust? I can't find an answer anywhere.
Thanks- JayDollasCopper Contributor
Jeroen_Gielen I'd be interested if you find a solution to this. Just rolled out Cloud Kerberos Trust and having the same issue with RDP and WHfB
- Vince97Copper ContributorAny solution for this issue so far? Cant use my PIN to login to a remote desktop by when im using my username and password its working.