Forum Discussion
Logging on to Remote Desktop using Windows Hello for Business & Biometrics
- Oct 03, 2018
Although late, we have published information around WHfB with RDP :
Great, I love the fact the Microsoft links never work
- RossWalker Mar 09, 2021 Copper Contributor
The method that has seemed to work best for us is to enable Remote Credential Guard, which works directly with Windows Hello for Business to provide SSO RDP. We made our environment all RCG friendly by applying the DisableRestrictedAdmin registry item and the "Remote host allows delegation of non-exportable credentials" GPO setting at the domain level, then applied the "Restrict delegation of credentials to remote servers" setting just to the laptops OU. If your RDP servers access other RDP resources internally, then you may want to apply RCG settings to those too to make nested RDP SSO.
The only issue is if you have any pre-2016 RDP servers, which don't support RCG, as clients will refuse to connect to any RDP server that doesn't support RCG (wish MS had an exception list for this!). A couple of workarounds for these legacy RDP servers are: 1) use the RDWeb Web Client for those services until such time as they can be migrated to 2016/2019; 2) keep a 2016+ RDP server without RCG as a jump-off point for those services.
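The post above lists three settings (the DisableRestrictedAdmin registry item, the "Remote host allows delegation of non-exportable credentials" policy on hosts, and "Restrict delegation of credentials to remote servers" on clients). The following PowerShell function is an added example, not code from the thread or from Microsoft, that reads the registry values those policies write on a single host and reports whether that host will accept a Remote Credential Guard connection, with an optional switch to apply the two host-side values. The registry paths and value names are the ones Microsoft documents for Restricted Admin and Remote Credential Guard; the readiness logic and the function name are this example's own assumptions.

```powershell
# Added example (not from the thread): audit a host's Remote Credential Guard settings.
# Assumption: run in an elevated PowerShell on the host being checked.

function Get-RcgReadiness {
    [CmdletBinding()]
    param(
        # Apply the two host-side settings from the post instead of only reporting.
        [switch]$Remediate
    )

    $lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $cred = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

    # Read a DWORD value, or $null when the key or value does not exist.
    function Read-Dword([string]$Path, [string]$Name) {
        try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
    }

    $os = [Environment]::OSVersion.Version
    $report = [ordered]@{
        # RCG needs Windows 10 / Server 2016 (NT 10.0) or later; older hosts are refused by clients.
        OsSupportsRcg                      = ($os.Major -ge 10)
        # 0 = Restricted Admin / RCG connections accepted by this host; absent or 1 = not accepted.
        DisableRestrictedAdmin             = Read-Dword $lsa 'DisableRestrictedAdmin'
        # GPO "Remote host allows delegation of non-exportable credentials" writes 1 here.
        AllowProtectedCreds                = Read-Dword $cred 'AllowProtectedCreds'
        # Client-side GPO "Restrict delegation of credentials to remote servers":
        # RestrictedRemoteAdministration = 1 with Type 2 = Require Remote Credential Guard.
        RestrictedRemoteAdministration     = Read-Dword $cred 'RestrictedRemoteAdministration'
        RestrictedRemoteAdministrationType = Read-Dword $cred 'RestrictedRemoteAdministrationType'
    }

    # Host-side readiness as described in the post (client policy is pushed separately by GPO).
    $report.HostReadyForRcg = $report.OsSupportsRcg -and
        ($report.DisableRestrictedAdmin -eq 0) -and
        ($report.AllowProtectedCreds -eq 1)

    if ($Remediate -and $report.OsSupportsRcg) {
        New-Item -Path $cred -Force | Out-Null
        Set-ItemProperty -Path $lsa  -Name DisableRestrictedAdmin -Type DWord -Value 0
        Set-ItemProperty -Path $cred -Name AllowProtectedCreds    -Type DWord -Value 1
        $report.DisableRestrictedAdmin = 0
        $report.AllowProtectedCreds    = 1
        $report.HostReadyForRcg        = $true
    }

    [pscustomobject]$report
}

# Usage:
#   Get-RcgReadiness              # report only
#   Get-RcgReadiness -Remediate   # also apply the two host-side values
```

Running the report-only form across the RDP server estate before turning on the client-side "Require Remote Credential Guard" policy is the quickest way to find the pre-2016 hosts the post warns about, since those are the ones clients will refuse once the policy lands.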
- dmutsaers Feb 10, 2022 Iron Contributor
Hello RossWalker,
I can't get Remote Credential Guard to authenticate successfully when connecting to a Remote Desktop Collection using a Remote Desktop Connection Broker. Should this even be possible?
- RossWalker Feb 11, 2022 Copper Contributor
RCG depends on Kerberos authentication, so if that isn't working properly, or if you have redundant brokers set up, as Kerberos isn't supported with redundant brokers (no shared service account support), then that will be the issue. If you do have redundant brokers then smart card will be your only alternative. For me, when enabling key trust I was able to prevent the self-signed smart card certificate from being created by setting the group policy option to NOT enable smart card emulation; then, if you issue a smart card certificate through SCEP or group policy to users, there won't be a duplicate and then no prompting for a cert.
- Clint Lechner Apr 24, 2021 Iron Contributor
I come with gifts for all! Gather round! Key-Trust + RDP = win!
FYI - we have this deployed in production
https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs
- StephenG Nov 01, 2022 Copper Contributor
Clint Lechner all went well till I hit this command
certutil -dstemplate <TemplateName> > <TemplateName>.txt
Can't make heads or tails of what to leave or remove, so if my template is called
"authenticationCertificate" how would this code above be formatted?
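In the command StephenG quotes, the angle brackets are documentation placeholders, not characters to type: `<TemplateName>` stands for the template's name, so for a template called authenticationCertificate the step is `certutil -dstemplate authenticationCertificate > authenticationCertificate.txt`. The PowerShell function below is an added example, not code from the thread or from the linked article, that fills the placeholder in, saves the dump as the article's step does, and pulls out a few template attributes (real AD attribute names) so the file can be compared against the article's requirements. It assumes a domain-joined host where certutil.exe is available, and the `name = value` line layout it parses is an assumption about certutil's dump format; the function name and attribute selection are this example's own.

```powershell
# Added example (not from the thread or the linked article): wrap the
# "certutil -dstemplate <TemplateName> > <TemplateName>.txt" step for a named template.
# Assumptions: domain-joined host with certutil.exe; dump lines look like "attr = value".

function Export-CertTemplateDump {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$TemplateName,      # e.g. 'authenticationCertificate'
        [string]$OutFile = "$TemplateName.txt",            # same file name the article uses
        # Attributes worth checking on a Windows Hello for Business RDP template (assumed list).
        [string[]]$Attributes = @('pKIExtendedKeyUsage',
                                  'msPKI-Certificate-Application-Policy',
                                  'msPKI-Certificate-Name-Flag',
                                  'msPKI-Template-Schema-Version')
    )

    # Placeholder filled in: certutil -dstemplate authenticationCertificate
    $lines = & certutil.exe -dstemplate $TemplateName 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "certutil failed for template '$TemplateName' (exit $LASTEXITCODE): $($lines -join ' ')"
    }
    # Same result as the article's "> <TemplateName>.txt" redirection.
    $lines | Set-Content -Path $OutFile -Encoding UTF8

    # Extract the requested attributes from the dump; multi-valued ones are joined with ';'.
    $found = [ordered]@{}
    foreach ($attr in $Attributes) {
        $pattern = '^\s*' + [regex]::Escape($attr) + '\s*=\s*(.+)$'
        $values  = foreach ($line in $lines) {
            if ("$line" -match $pattern) { $Matches[1].Trim() }
        }
        $found[$attr] = if ($values) { ($values -join '; ') } else { '<not present>' }
    }

    [pscustomobject]@{
        TemplateName = $TemplateName
        DumpFile     = (Resolve-Path $OutFile).Path
        Attributes   = $found
    }
}

# Usage, with the template name from the question above:
#   Export-CertTemplateDump -TemplateName 'authenticationCertificate'
```

The full dump still lands in authenticationCertificate.txt exactly as the article expects; the extracted attributes are only a convenience for reading it, and any attribute the regex does not match shows as `<not present>` rather than being silently dropped.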