Forum Discussion
Steve Whitcher
Jul 24, 2018 Bronze Contributor
Logging on to Remote Desktop using Windows Hello for Business & Biometrics
In the release notes for build 17713, support was announced for logging into remote desktop sessions using biometrics via Windows Hello. I have a few questions I'm hoping someone can answer: The...
- Oct 03, 2018
Although late, we have published information around WHfB with RDP :
BusinessFish
Jan 21, 2020 Copper Contributor
It's possible, but technically it's not key-based trust anymore. You don't need ADFS, just configure key-based trust, then continue the guide to set up an NDES server and deploy user certificates through Intune.
https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert
Clint Lechner
Jan 22, 2020 Iron Contributor
RDP does not work with key trust.
- BusinessFish Jan 22, 2020 Copper Contributor
I know, but as I said, when you deploy an NDES server after you have configured key-based trust, you can distribute WHFB certificates to users through Intune. Now you have certificate-based trust, and RDP works.
- FriskySpider29347654 Dec 21, 2021 Copper Contributor
BusinessFish Bro, that sounds good (using NDES to get certs synced with Intune). Do you have any instructions?
- Anders Gidlund Feb 16, 2021 Copper Contributor
- Matthew_Palko Feb 24, 2021
Microsoft
Anders Gidlund, you can follow the guide for using certificates with Azure AD Joined devices to enable SSO with Windows Hello for Business to on-prem (Using Certificates for AADJ On-premises Single-sign On single sign-on - Microsoft 365 Security | Microsoft Docs). For Azure AD Joined devices, AD FS cannot be used as a certificate RA, so Intune and NDES have to be used to distribute certs. The method isn't unique to Azure AD Join and can be done with any modern managed device.