SOLVED
Logging on to Remote Desktop using Windows Hello for Business & Biometrics

Steve Whitcher
Regular Contributor

In the release notes for build 17713, support was announced for logging into remote desktop sessions using biometrics via Windows Hello. I have a few questions I'm hoping someone can answer:

The way the blog post is worded, it's not clear whether the 'new' part of this is strictly related to biometrics, or if using Windows Hello to log into a remote desktop server is completely new. Was it previously possible to use Windows Hello with a PIN to log in to a remote desktop session? If so, is there any documentation on this available?

In the example used in the blog post, the Remote Desktop connection is from a Windows 10 client to a Windows Server 2016 server. Is Server 2016 required, or will this work with older server OS versions?

Does it matter which type of deployment (Key-Trust vs Certificate-Trust) is used for Windows Hello for Business?

I've tried using this feature in my environment, to connect from a client running build 17713 to a Server 2016 server, but get an error "The client certificate does not contain a valid UPN. . . " (screenshot: hello_rdp3_surface.png)

Any idea what would cause that?

Have any Insiders out there been able to use this new feature successfully?

15 Replies

Did you ever figure this out? Just installed 1809 and ran into the same message.

Although late, we have published information around WHfB with RDP: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-features#remote-desktop-with-biometrics

This only pertains to certificate trust deployments and biometrics. Will WHFB work with rdp/rdweb while using a PIN?

I performed the steps in the guide after seeing this error and now WHFB has completely disappeared as an option for RDP. Just traditional UPN or Domain\user logon are the only options. I would love to go password-less, but it seems there is still some refinement required.

It would be nice to actually get a reply to one question I ask on this forum. 

RDP with Windows Hello for Business only works with certificate based deployments. Support for RDP with Windows Hello for Business PIN has been available for multiple releases. The changes in 1809 add support for biometric auth in addition to PIN.  
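
The answer above and the "client certificate does not contain a valid UPN" error in the original post both come down to the same question: does the client actually hold a Windows Hello for Business certificate with the user's UPN in it? Certificate trust enrols the user for a smart-card-logon certificate whose Subject Alternative Name carries the UPN; key trust enrols no certificate at all, so the RDP client has nothing to present. The following PowerShell check is an added example, not code from the thread or from Microsoft: it lists smart-card-logon certificates in the signed-in user's personal store and reports whether each carries a UPN. The two OIDs are the standard ones; the function name and the output fields are my own.

```powershell
# Added example (not from the thread): inspect the current user's personal store
# for a Windows Hello for Business certificate that RDP could present.
$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon EKU
$SanOid            = '2.5.29.17'                # Subject Alternative Name extension

function Get-WhfbRdpCertificateReport {
    # Cert: provider objects carry an EnhancedKeyUsageList script property
    # with ObjectId/FriendlyName pairs for each EKU.
    $certs = Get-ChildItem -Path Cert:\CurrentUser\My
    foreach ($cert in $certs) {
        $hasScLogon = $cert.EnhancedKeyUsageList |
            Where-Object { $_.ObjectId -eq $SmartCardLogonOid }
        if (-not $hasScLogon) { continue }

        # Decode the SAN; the UPN appears as "Other Name:Principal Name=user@domain".
        $san     = $cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
        $sanText = if ($san) { $san.Format($false) } else { '' }
        $upn     = if ($sanText -match 'Principal Name=([^,\s]+)') { $Matches[1] } else { $null }

        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            Upn           = $upn
            HasPrivateKey = $cert.HasPrivateKey
            # Usable for Hello RDP only if it names a UPN, has its key, and is in date.
            RdpUsable     = [bool]$upn -and $cert.HasPrivateKey -and ($cert.NotAfter -gt (Get-Date))
        }
    }
}

$report = @(Get-WhfbRdpCertificateReport)
if ($report.Count -eq 0) {
    Write-Output 'No smart-card-logon certificate found: this looks like a key-trust enrolment (or an unenrolled device), so RDP will not offer the Hello PIN/biometric option.'
} else {
    $report | Format-Table Thumbprint, Upn, NotAfter, HasPrivateKey, RdpUsable -AutoSize
    $report | Where-Object { -not $_.Upn } | ForEach-Object {
        Write-Output "Certificate $($_.Thumbprint) has no UPN in its SAN; this matches the 'client certificate does not contain a valid UPN' error."
    }
}
```

Run it in the user's own session (not elevated as a different account), since the certificate lives in that user's store. An empty result on a device you believed was enrolled is the quickest confirmation that the deployment is key trust rather than certificate trust.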

Unfortunately Microsoft documentation did not state that as a limitation for key trust deployments and Microsoft support didn't know that either. So we will have to switch to a certificate deployment in order to use PINs for RDP.

Please don't recommend keytrust everywhere, then make it incompatible with remote desktop. I can't tell you the irritation this created for us.

Certificates are vastly more complicated to set up and ADFS is mandatory for authentication, which we just found out after two weeks of troubleshooting with Microsoft. To be clear, with certificate trust, you can't be using SSO with Azure connect pass through, adfs must be used.

Very disappointing

I have also deployed Key Trust model on the guidance and understanding from Microsoft that it was the simpler, more modern and reliable method to use in a cloud focused future. You can imagine my disappointment to learn of the limitations with this choice after deployment. Even worse, the limitations are not listed in the documentation when advising what solution to consider during deployment.
The two most significant limitations are:
- Up to 30 minute delay window for keys to be sync'd via AAD Connect
- Can't be used as an RDP authentication method
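
The first limitation listed above, the sync delay, is checkable from the directory side. In a hybrid key-trust deployment the Hello public key registered in Azure AD is written back to on-premises AD by Azure AD Connect into the user's msDS-KeyCredentialLink attribute, and until that attribute is populated the domain controller cannot validate the Hello credential. The following PowerShell helper is an added example, not from the thread or from Microsoft; it assumes the ActiveDirectory module (RSAT) and read access to that attribute, and the account name in the example call is constructed.

```powershell
# Added example (not from the thread): report whether a Hello public key has
# synced to on-premises AD for the given users (key-trust deployments).
Import-Module ActiveDirectory

function Get-WhfbKeySyncStatus {
    param(
        [Parameter(Mandatory)]
        [string[]] $SamAccountName
    )
    foreach ($name in $SamAccountName) {
        # msDS-KeyCredentialLink is multi-valued; each entry is one registered key.
        $user  = Get-ADUser -Identity $name -Properties msDS-KeyCredentialLink, whenChanged
        $links = @($user.'msDS-KeyCredentialLink')
        [pscustomobject]@{
            User        = $name
            KeyCount    = $links.Count
            Synced      = ($links.Count -gt 0)
            LastChanged = $user.whenChanged
        }
    }
}

# Example call with a constructed account name (not from the thread).
Get-WhfbKeySyncStatus -SamAccountName 'jdoe' | Format-Table -AutoSize
```

A user whose KeyCount stays at 0 well past the sync interval has a provisioning or synchronisation problem rather than the RDP limitation discussed in this thread; the two failure modes look the same to the end user but are separated cleanly by this check.
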

Though an irritation, the 30 minute sync would be a blessing if RDP worked. I can't put into words how absolutely irate I was when we saw that RDP would not work with key trust, especially given that it's the preferred model.

It just cripples us.

Has this been resolved? Is it possible to use WhfB PIN (not certs!) to RDP login into a Windows server joined to Azure AD Domain Services?

@jurajt  Nope, not as far as I know.  If it was resolved, and key-trust worked with RDP, I would be chugging margaritas and dancing on tables.

Sadly it still hasn't been fixed, and there is still little information available. I'm engaging Microsoft under our Unified Support to better understand what's happening in this space.

As of a few weeks ago there wasn't any action and we were speaking with senior engineers. The documentation that states that ADFS is an absolute requirement with key trust is because of our case unfortunately.

Previously there was some gray area where it was thought that AD Connect would be sufficient. Our original thought was that we would go passwordless with Windows Hello for Business combined with phone sign in for Office 365 authentication, on the back of multi-factor authentication with required biometric login.

We actually rolled it out with incredibly positive user feedback. We were heroes. And then RDP bit us in the arse.

I'd be happy with a registry key to disable/hide the PIN/Biometric login option from RDP while Microsoft work to make the Key Trust model work.
