Forum Discussion
Logging on to Remote Desktop using Windows Hello for Business & Biometrics
- Oct 03, 2018
Although late, we have published information around WHfB with RDP :
Thank you FriskySpider29347654!
The regkey led me to the GPO setting https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.MicrosoftPassportForWork::MSPassport_UseHelloCertificatesAsSmartCardCertificates and from there to the settings catalog in Intune (same name), from where we currently distribute our settings for WHfB cloud Kerberos trust to our clients.
This forces the Remote Desktop client to try (and silently fail with) WHfB as a smart card and then fall back to username and password, just like we wanted!
Cheers
Christian
Hello ChristianT85,
I also added the registry key on my device. Unfortunately I still receive the error message (UID...) when connecting to RDP.
I currently have cloud trust set up and the following registry settings:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork
UseHelloCertificatesAsSmartCardCertificates=1
Enabled=1
UseCloudTrustForOnPremAuth=1
DisablePostLogonProvisioning=1
Could you share all of your regkey settings here, please?
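Since several posts in this thread compare registry values by hand, here is an added PowerShell audit script (not code from the thread or from Microsoft) that reads the PassportForWork policy key on the RDP client and reports each value against the configuration the posters describe. The value names are the ones quoted in the thread; treating them all as expected = 1 is an assumption that mirrors the posted configuration (cloud Kerberos trust, TPM required, Hello certificates offered as smart card certificates). The Set-WhfbPolicyState helper is only for a local test, because anything written under HKLM\SOFTWARE\Policies is re-applied by Group Policy or Intune.

```powershell
# Added example (not from the thread): audit, and optionally write, the
# Windows Hello for Business policy values quoted in the posts above.
# Run in an elevated PowerShell on the RDP *client* that is failing.
# Assumption: all posted values are expected to be DWORD 1, as in the thread.

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'

$ExpectedValues = [ordered]@{
    Enabled                                     = 1   # WHfB turned on
    UseCloudTrustForOnPremAuth                  = 1   # cloud Kerberos trust
    UseHelloCertificatesAsSmartCardCertificates = 1   # mstsc tries WHfB as smart card, then falls back
    RequireSecurityDevice                       = 1   # TPM-backed container only
    DisablePostLogonProvisioning                = 1   # no provisioning prompt after logon
}

function Get-WhfbPolicyState {
    # Returns one object per expected setting with Expected, Actual and Match.
    param(
        [string]$Path = $PolicyPath,
        [System.Collections.IDictionary]$Expected = $ExpectedValues
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Policy key '$Path' is missing; no WHfB policy has reached this device."
        return
    }

    $props = Get-ItemProperty -LiteralPath $Path

    foreach ($name in $Expected.Keys) {
        $prop = $props.PSObject.Properties[$name]
        $actual = $null
        if ($null -ne $prop) { $actual = [int]$prop.Value }

        $display = '<missing>'
        if ($null -ne $actual) { $display = $actual }

        [pscustomobject]@{
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = $display
            Match    = ($null -ne $actual) -and ($actual -eq $Expected[$name])
        }
    }
}

function Set-WhfbPolicyState {
    # Writes the expected DWORD values for a quick local test. Group Policy / Intune
    # will overwrite this key, so make the permanent change in the GPO or settings catalog.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Path = $PolicyPath,
        [System.Collections.IDictionary]$Expected = $ExpectedValues
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }

    foreach ($name in $Expected.Keys) {
        if ($PSCmdlet.ShouldProcess("$Path\$name", "Set DWORD = $($Expected[$name])")) {
            New-ItemProperty -LiteralPath $Path -Name $name -Value $Expected[$name] `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

# Usage: show what is applied, then flag anything that deviates from the posted setup.
$state = Get-WhfbPolicyState
$state | Format-Table -AutoSize
$state | Where-Object { -not $_.Match } | ForEach-Object {
    Write-Warning "$($_.Setting) is $($_.Actual), expected $($_.Expected)"
}
# Local test of the posted configuration:  Set-WhfbPolicyState -WhatIf   (drop -WhatIf to apply)
```

A clean report from this script only proves the client-side policy arrived. It does not make the RDS host accept a key-trust or cloud-Kerberos-trust Hello credential; as the Microsoft documentation quoted later in the thread says, RDP with cloud Kerberos trust needs either Remote Credential Guard or a certificate enrolled into the Hello container.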
- DaStivi, Aug 08, 2024 (Copper Contributor)
The following page: https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust
states at the bottom:
Unsupported scenarios
The following scenarios aren't supported using Windows Hello for Business cloud Kerberos trust:
- RDP/VDI scenarios using supplied credentials (RDP/VDI can be used with Remote Credential Guard or if a certificate is enrolled into the Windows Hello for Business container)
- ....
I don't fully understand what this line is supposed to tell us...
Obviously key trust or cloud Kerberos trust shouldn't be supported for WHfB RDP...
But you can use Remote Credential Guard with WHfB?
- ChristianT85, Jul 23, 2024 (Copper Contributor)
Sorry, I can't help you with that, I haven't done it this way yet.
- Nils_WSC, Jul 23, 2024 (Copper Contributor)
Hello ChristianT85, thanks for your reply.
Actually I followed the guide for "Remote Desktop sign-in with Windows Hello for Business" https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/rdp-sign-in?tabs=adcs
And I have a cert to be used as a smart card, as required (AD DS policy deployment). So from my understanding I have prepared WHfB for cert-based RDS login, but I still receive this UID error.
That's what confuses me.
I wonder if there is something regarding the cert template missing in the official documentation.
For the subject alternative name in the cert template, UPN is selected.
Do I also need to select something additional to be included in the Subject Name Format besides Fully distinguished name?
- ChristianT85, Jul 19, 2024 (Copper Contributor)
Hi Nils_WSC,
the key UseHelloCertificatesAsSmartCardCertificates should have forced the Remote Desktop application to fall back to username/password. The error you get comes from trying to log in to RDS via WHfB credentials. RDS doesn't understand that and throws the error.
In short, you cannot log in to RDS with Windows Hello for Business (key or cloud Kerberos trust)! You need username/password or a different WHfB (cert-based) for RDS login.
But to answer your question: in our environment we have your keys and RequireSecurityDevice=1 (to require TPM for WHfB).
I hope that helps.
Cheers
Christian