Forum Discussion
Logging on to Remote Desktop using Windows Hello for Business & Biometrics
- Oct 03, 2018
Although late, we have published information around WHfB with RDP:
the key UseHelloCertificatesAsSmartCardCertificates should have forced the remote desktop
application to fall back to username/password. The error you get comes from trying to log in to RDS
via WHfB credentials. RDS doesn't understand that and throws the error.
In short, you cannot log in to RDS with Windows Hello for Business (key trust or cloud Kerberos trust)! You
need to use username/password or a different WHfB (cert based) for RDS login.
But to answer your question: In our environment we have your keys and RequireSecurityDevice=1 (to
require TPM for WHfB).
I hope that helps.
Cheers
Christian
Hello ChristianT85, thanks for your reply.
Actually I followed the guide for "Remote Desktop sign-in with Windows Hello for Business" https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/rdp-sign-in?tabs=adcs
And have a cert to be used as smartcard as required (AD DS Policy deployment). So from my understanding I have prepared WHfB for cert based RDS login. But I still receive this UID error.
That's what confuses me.
I wonder if there is something regarding the cert template missing in the official documentation.
For the subject alternate name in the cert template, UPN is selected.
Might I also need to select something additional to be included in Subject Name Format besides Fully distinguished name?
- DaStivi, Aug 08, 2024, Copper Contributor
The following page: https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust
at the bottom states:
Unsupported scenarios
The following scenarios aren't supported using Windows Hello for Business cloud Kerberos trust:
- RDP/VDI scenarios using supplied credentials (RDP/VDI can be used with Remote Credential Guard or if a certificate is enrolled into the Windows Hello for Business container)
- ....
I don't fully understand what this line should tell us...
Obviously key trust or cloud Kerberos trust shouldn't be supported for WHfB-RDP...
but you can use Remote Credential Guard with WHfB?
- ChristianT85, Jul 23, 2024, Copper Contributor
Sorry, I can't help you with that, haven't done it this way yet.