Forum Discussion

Steve Whitcher's avatar
Steve Whitcher
Bronze Contributor
Jul 24, 2018
Solved

Logging on to Remote Desktop using Windows Hello for Business & Biometrics

In the release notes for build 17713, support was announced for logging into remote desktop sessions using biometrics via windows hello.  I have a few questions I'm hoping someone can answer:   The...
Clint Lechner's avatar
Clint Lechner
Iron Contributor
Jan 22, 2020
RDP does not work with key trust.
BusinessFish's avatar
BusinessFish
Copper Contributor
Jan 22, 2020
I know, but as I said, when you deploy an NDES server after you have configured key based trust, you can distribute WHFB certificates to users through Intune. Now you have certificate based trust, and RDP works
  • FriskySpider29347654's avatar
    FriskySpider29347654
    Copper Contributor
    Dec 21, 2021

    BusinessFish Bro that sounds good (using NDES to get certs synced with Intune) do you have any instructions?

  • Anders Gidlund's avatar
    Anders Gidlund
    Copper Contributor
    Feb 16, 2021

    BusinessFish 

     

    How does this work exactly with NDES? Do you have a guide?

    • Matthew_Palko's avatar
      Matthew_Palko
      Icon for Microsoft rankMicrosoft
      Feb 24, 2021

      Anders Gidlund you can follow the guide for using certificates with Azure AD Joined devices to enable SSO with Windows Hello for Business to on-prem (Using Certificates for AADJ On-premises Single-sign On single sign-on - Microsoft 365 Security | Microsoft Docs). For Azure AD Joined devices, AD FS cannot be used as a certificate RA so Intune and NDES have to be used to distribute certs. The method isn't unique to Azure AD Join and can be done with any modern managed device.

      • Anders Gidlund's avatar
        Anders Gidlund
        Copper Contributor
        Mar 04, 2021

        Matthew_Palko sorry If I am dumb, but I just want to make this clear.

        Im setting up a Key Trust because I do not and cannot use ADFS in our environment. Youre referring to a guide for a Certificate Trust setup.

        Im using these guides:
        https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust
        https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki


        Do you mean that I can setup a Key Trust deployment without ADFS and then just install NDES like in the guide your linking to (starting from here: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert#install-and-configure-the-ndes-role) and then have functionality to login using WHfB to on-premises RDS servers?

Resources