Forum Discussion
Steve Whitcher
Jul 24, 2018, Bronze Contributor
Logging on to Remote Desktop using Windows Hello for Business & Biometrics
In the release notes for build 17713, support was announced for logging into remote desktop sessions using biometrics via windows hello. I have a few questions I'm hoping someone can answer: The...
- Oct 03, 2018
Although late, we have published information around WHfB with RDP:
Clint Lechner
Apr 24, 2021, Iron Contributor
I come with gifts for all! Gather round! Key-Trust + RDP = win!
fyi - we have this deployed in production
https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs
RossWalker
Apr 24, 2021, Copper Contributor
I saw that article and followed it, which was similar to what has already been posted about using endpoint mgr to deploy smart card certs to passport after the fact. The how-to for deploying them using an in-house CA was nice though.
It works, but had an issue where the RDP client would first pick the wrong cert and you would need to manually choose the correct one, so there is a cert ordering issue. Also, there is still the issue where only one RDP session can use the smart card cert at a time; is that for everyone or just me? We utilize multiple RemoteApp servers for line-of-business apps, so being able to log into multiple sessions simultaneously is needed.
Fix the certificate ordering issue and allow simultaneous access to the cert from multiple RDP sessions, and then we might have a workable solution, but in the meantime we're continuing to use Remote Credential Guard for domain computers, which works very nicely except that RDP over UDP doesn't work with it.
- amreagan
Aug 04, 2021, Copper Contributor
Crossposted on Reddit: https://www.reddit.com/r/sysadmin/comments/oxzj5f/using_certificate_authentication_for_rdp_in/
I've got a working key trust deployment and have created an AD CS template for user certificates as described in https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.
After obtaining the user certificate, I attempt to connect to another Windows device via RDP. Hello takes facial recognition/fingerprint but gives the message, "An authentication error has occurred. The client certificate does not contain a valid upn, or does not match the client name in the logon request."
However, if I select "more choices" and select the UPN-based security device credential, it works. If I remove the cert, it breaks, which leads me to assume that the certificate is working. Judging by the other options listed under "more choices", it looks like fingerprint and face are trying to pass domain\samaccountname instead of the UPN. Has anyone figured out a workaround for this?
- Martin Lim
Jan 10, 2022, Copper Contributor
Hi,
Have you figured out what the issue was?
I'm having the same issue.
- FriskySpider29347654
Jan 10, 2022, Copper Contributor
Martin Lim yeah dawg, I solved it.
Push this script to your devices from Intune; it forces the machines to treat the certificates as smart cards and then uses them for RDP. Working like a charm for me 🙂

```powershell
# Setting registry key to force WHfB certs to be treated as smart cards.
$RegistryLocation = "HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork"
$keyname = "UseHelloCertificatesAsSmartCardCertificates"

# Test if path exists and create if missing (-Force also creates any missing parent key)
if (!(Test-Path -Path $RegistryLocation)) {
    Write-Output "Registry location missing. Creating"
    New-Item -Path $RegistryLocation -Force | Out-Null
}

# Force create key with value 1
New-ItemProperty -Path $RegistryLocation -Name $keyname -PropertyType DWord -Value 1 -Force | Out-Null
Write-Output "Registry key set"
```
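An added diagnostic (not code from any poster in this thread) for checking the result of the script above on a client: it reports whether the policy value is set and lists the user certificates the RDP client could present, with their UPN SAN and certificate template, which is what to inspect for the "does not contain a valid upn" error and the wrong-cert-picked-first problem. The OIDs are standard Windows/PKIX values; the exact text that `Format()` renders for an extension is assumed.

```powershell
# Added diagnostic; not code from any poster in this thread. Run as the affected user.
$PolicyPath        = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
$PolicyName        = 'UseHelloCertificatesAsSmartCardCertificates'
$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon EKU
$ClientAuthEku     = '1.3.6.1.5.5.7.3.2'        # Client Authentication EKU
$SanOid            = '2.5.29.17'                # Subject Alternative Name extension
$TemplateOid       = '1.3.6.1.4.1.311.21.7'     # Certificate Template Information extension

# 1. Is the "treat Hello certificates as smart card certificates" policy in effect?
$policy = Get-ItemProperty -Path $PolicyPath -Name $PolicyName -ErrorAction SilentlyContinue
if ($policy -and $policy.$PolicyName -eq 1) {
    Write-Output "$PolicyName = 1: Hello certificates are offered as smart card certificates"
} else {
    Write-Output "$PolicyName not set to 1: Hello certificates are not offered as smart card certificates"
}

# Render one extension as text, or $null if the certificate does not carry it.
function Get-ExtensionText {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Oid)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid } | Select-Object -First 1
    if ($ext) { return $ext.Format($false) }
    return $null
}

# Pull the UPN out of the SAN; the formatted SAN reads like "Other Name:Principal Name=user@contoso.com" (assumed).
function Get-CertUpn {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $san = Get-ExtensionText -Cert $Cert -Oid $SanOid
    if ($san -and $san -match 'Principal Name=([^\s,]+)') { return $Matches[1] }
    return $null   # a certificate with no UPN here is the "does not contain a valid upn" case
}

# 2. Candidate logon certificates: private key present and a logon-capable EKU.
$candidates = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and (
        $_.EnhancedKeyUsageList.ObjectId -contains $SmartCardLogonEku -or
        $_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthEku)
}

# Newest first; compare this list with the certificate the RDP client picks first.
$candidates | ForEach-Object {
    [pscustomobject]@{
        Subject        = $_.Subject
        Thumbprint     = $_.Thumbprint
        NotAfter       = $_.NotAfter
        SmartCardLogon = [bool]($_.EnhancedKeyUsageList.ObjectId -contains $SmartCardLogonEku)
        UPN            = Get-CertUpn -Cert $_
        Template       = Get-ExtensionText -Cert $_ -Oid $TemplateOid
    }
} | Sort-Object NotAfter -Descending | Format-Table -AutoSize
```

A certificate listed with SmartCardLogon false or an empty UPN column is one the RDP client can still pick but cannot use for the Hello-based logon described in this thread.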
- RossWalker
Aug 04, 2021, Copper Contributor
I believe the smart card login is defaulting to the key trust certificate rather than the smart card one you created. As my user base can't even put up with picking a cert to log in with (they want true SSO), I went with the Remote Credential Guard option on our WHfB devices, which works like a charm.