Logging on to Remote Desktop using Windows Hello for Business & Biometrics

Akbar 

the information has been moved here: https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/faq#can-i-use-rdp-vdi-with-windows-hello-for-business-cloud-kerberos-trust

but basically it's says this (for future, if the link/content moves again)-

but in my opinion this also doesn't means, "this does not work" you've to understand and use it differently, its might just me but it took some time to think about it...

because you can't use WHfB for a "direct" login to RDP, so it doesn't work this way like to enter the username and then use biometrics for password login (this still have some consequences)...

instead you just don't enter a username/password at all, because you use Remote Credential Guard and like do a single-sign-on directly to RDP with your User (with your currently logged in User, though!!!)

for me the biggest problem is that this also don't solves a "PAW-Scenario" where i wouldn't like to have to enter a Admins Password on the Computer... there are ways of storing also a privileged User's WHfB Credential in your normal-Users WHfB container but this comes with some security degradations around the "certificates" that are behind all of them... this is called "Dual enrollment" you can read about this here:  https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/dual-enrollment

i also had some issues in rolling this out correctly, had to mess around with my WHfB containers, remove and recreate my WHfB logins, ended in notworking Windows Hello too, all over all it was a little mess... it then worked at some point but i think its broken again now on my computer...

The method that has seemed to work best for us is to enable Remote Credential Guard which works directly with Windows Hello for Business to provide SSO RDP. We made our environment all RCG friendly by applying the DisableRestrictedAdmin registry item and the "Remote host allows delegation of non-exportable credentials" GPO setting at the domain level, then applied the "Restrict delegation of credentials to remote servers" just to the laptops OU. If your RDP servers access other RDP resources internally, then you may want to apply RCG settings to those too to make nested RDP SSO.

The only issue is if you have any pre-2016 RDP servers, which don't support RCG, as clients will refuse to connect to any RDP server that doesn't support RCG (wish MS had an exception list for this!). A couple work arounds for these legacy RDP servers is, 1) to use the RDWeb Web Client for those services until such time as they can be migrated to 2016/2019, 2) keep a 2016+ RDP server without RCG as a jump-off point for those services.

Azim null 

---

Azim null wrote:

I performed the steps in the guide after seeing this error and now WHFB has completely dissapeared as an option for RDP.  Just traditional UPN or Domain\user logon are the only options. I would love to go password-less, but it seems there is still some refinement required.

---

For me I want to have access to PIN when using my Hyper-V VM in enhanced session mode, but Windows hello options disappear and only appear when using basic session mode in Hyper-V VM console.