Blog Post

Core Infrastructure and Security Blog

6 MIN READ

Passwordless RDP with Windows Hello for Business

Microsoft

May 04, 2022

Windows Hello for Business (WHfB) provides a password-less experience for users to log into their Windows 10 or 11 device. However, a challenge remains when accessing remote systems. This can be via MMC console for example to access Active Directory Users and Computers. Or RDP access onto a remote server. We still need to provide a password to run these tools. How do we protect these credentials from compromise? This is where we can use a combination of WHfB dual enrolment with a certificate deployed to the WHfB container protected with the users PIN/Biometrics.

The end goal will be that we can log on with our high privilege user, enrol in WHfB, obtain a certificate that can be used for RDP access, save this certificate in our protected WHfB container and use this when logged on with a low privilege user. This can give us a passwordless RDP and remote admin console experience.

I don't want to re-invent the wheel, so this guide will be pulling together a couple of guides already in the WHfB deployment guides into a single solution with an overview of how to use the solution.

Note: Microsoft recommends that the best way to protect your high privilege credentials is to use a Privileged Access Workstation. Not exposing high privilege credentials on systems that are a target for attack removes the risk of those credentials being compromised. This article does not supersede that advice in anyway. But offers an alternative way to protect high privilege credentials.

Extra care should be taken when syncing high privilege accounts to AAD. Do not sync Domain Admin accounts for example. Please refer to Microsoft's "Securing privileged access Enterprise access model" for further information.

Out of Scope

Deploying the components for WHfB is out of scope for this guide. It is assumed this is already deployed and the reader understands how to enrol a user in WHfB via GPO or Intune. If you have not already deployed WHfB, please start here Windows Hello for Business Deployment Overview - Windows security | Microsoft Docs

1. Requirements

Pre-requisites:

Hybrid joined windows 10/11 computer
PKI with a modified certificate template issued
Dual enrolment configured via GPO
Standard and high privileged user synchronised to azure AD.

2. Deploying Certificates to Key Trust Users

Use this guide, Deploying Certificates to Key Trust Users to Enable RDP - Windows security | Microsoft Docs, to setup the required certificate on your PKI.

Key points:

Duplicate the smartcard logon certificate
Modify template to save the certificate into the “Microsoft Passport Key Storage Provider”

Note 1: Only complete the “Create a Windows Hello for Business certificate template”. Do not complete the “Requesting a certificate” stage just yet. The high privilege user will complete this.

Note 2: You can apply a security group to this new certificate template. Make sure you place your admin users into this group.

3. Deploy Dual enrolment settings

We will use this guide Dual Enrolment - Windows security | Microsoft Docs to setup dual enrolment. The key points here are:

A modification to AdminSDHolder
GPO to enable “Allow enumeration of emulated smart cards for all users”

Note: The GPO is a computer-based policy. Make sure you are scoping this to include the computer objects of your admin users.

4. Enrolling users

Once we have deployed the certificate template to our PKI and enabled the dual enrolment settings on our target PCs, we can now enrol the high privilege and low privilege user.

Note: The “allow enumeration of emulated smart cards for all users” setting needs to be in place before we enrol any user. If you have already enrolled your normal user for WHfB, then we need to remove this. We use a certutil command for this:

Certutil -deletehellocontainer

4.1 Admin user hello enrolment and certificate enrolment

Sign in using your high privilege user and complete the windows hello for business enrolment. For security reasons, make sure to use a different pin than you will use for your standard user account.
Using the section “Requesting a certificate” from the guide, Deploying Certificates to Key Trust Users to Enable RDP - Windows security | Microsoft Docs obtain the high privilege user certificate.

Once enrolled, you will new see a new cert in the personal store, alongside your WHfB certificate, plus any other certificates issued by your environment.

4.2 Standard user WHfB enrolment

Sign back in as the standard user and complete the WHfB enrolment.
Done

Note. We do not need to enrol a certificate for this user. This user should not be doing using RDP with these credentials.

5. Effect of “Allow enumeration of emulated smart cards for all users” setting

Open the MMC.exe and add the certificate snap in. We will now see the certificate of the admin user in our personal store along with our own WHfB certificate. This allows us to select this certificate for authentication.

Windows 10 allows for up to WHfB enrolments per device. This will allow multiple certificates to be issued and used by the standard user.

As you can see here, an additional three users have been enrolled and their WHfB protected certificates are available for use.

6. How to use the admin certificate

We can use this certificate for two purposes.

Signing into an RDP session
Launching an application as another user like an MMC console or an RSAT tool

6.1 Signing into an RDP session

When we need to enter credentials for an RDP session, selecting more choices, the admin user is available for selection because the certificate is in our personal store. Simply select the credential and enter the pin we setup during the admin user enrolment.

6.2 Launching application as another user like an MMC console or an RSAT tool

When we select run as different user, we will then get the option to select the admin credential under more choices. When we select that credential, we will be asked to provide the pin we setup during the hello enrolment for that user.

Conclusion

Using this method, we have achieved passwordless multi factor authentication for RDP and remote admin tools. This is MFA because the something we have is the device where the certificates are stored and the something we know is the PIN used to unlock the keys in the TPM to use these certificates. We are protecting these credentials as we are not exposing their passwords to potentially targeted and compromised machines.

Update: To address some of the comments below, I thought it best to add a footnote. This demonstration of the dual enrolment feature of Windows Hello for Business is by no way a replacement for a properly deployed and maintained zero trust strategy using amongst other things, a PAW/SAW and a tiering model. The guidance held within the above linked enterprise access model will provide all the protection for high privilege credentials you need. However not all environments are mature enough or have the manpower to take on such a project. As such, I see on a daily basis admins exposing their high privilege credentials on their daily workstation several times a day. We can combine several protection features like protected users, credential guard, FGPP, Kerberos hardening, smart card required for interactive logon for the high privilege accounts we use daily combined with NTLM rolling in 2016 DFL to now rotate that SCRIL password with this WHfB protected certificate feature. If we are already exposing our high privilege credentials on our daily workstations, then we can add an extra layer of protection to reduce the use of their passwords. If we enable SCRIL, we wont even know the password of that account anyway.

Without getting too deep in the WHfB technical weeds, this feature can only be physically used at the computer on which it is enrolled. If you were to RDP to the computer setup with dual enrolment and you try to elevate, you will not get presented with the option of selecting a security device credential to enter a pin. You won't be able to log onto the computer using WHfB at all. To try and compromise the pin, you physically need to have the device.

The pin is also protected via a physical TPM (if enforced by the admin and recommended to do so). This has the benefits of anti tamper and lockout policies. Once locked, requires the user to reset the pin and in doing so, will need to MFA. Windows Hello for Business Frequently Asked Questions (FAQ) - Windows security | Microsoft Docs

And just for some extra reading, Password vs Pin Why a PIN is better than an online password (Windows) - Windows security | Microsoft Docs

I hope you can see the benefit in using an approach like this. Thank you for reading and please leave a comment below if you have any questions.

Updated May 09, 2022

Version 3.0

PaulRobinson

parobinson

Microsoft

Joined May 04, 2022

View Profile

Core Infrastructure and Security Blog

Follow this blog board to get notified when there's new activity

33 Comments

AlexR91
Brass Contributor
Jul 24, 2024
crocosoft Your comment is the exact reason we found our way to this article. I don't want to type in my high privilege administrator password when accessing servers, but the only other option appears to be complex smartcard login setups with a PKI or WHfB. Even if I was willing to entertain the smartcard route, I'm having a very difficult time understanding how this would be configured for us with RDP. WHfB seems like the simpler/smarter solution here, but we're not supposed to sync high privilege admin accounts to Azure.

My thought is to sync the high privilege accounts to Azure, give them a Entra ID P1 license and use Conditional Access to ensure where and how they log in is very limited. Even with this, we're still syncing these accounts to Azure.

We're a small company and don't have thousands of dollars to spend on a third-party solution to manage this issue and the complexity this sort of setup introduces may make our environment less, not more, secure. What's the best practice for companies in our situation?
crocosoft
Copper Contributor
Jun 12, 2024
parobinson: I was thinking about using WHFB as a mandatory 2FA for onprem domain privileged accounts (RDP mostly), we are using WHFB with cloud kerberos but I read syncing these accounts on the cloud is a big no-no.

You said :
"This will apply to all your users for their desktop logon. Then we worry about secure use of high privilege credentials. Hope that helps.
P.s. RDP can be used using the above method when storing a cert in the WHfB container using cloud trust too :)"
If I understand correctly there is no way to use this method without compromising the security of the privileged accounts (by syncing them on the cloud)...

I know there are 3rd party tools to do that but I'd rather use a Microsoft product, do you have any advice ?
RDruid
Copper Contributor
Jan 12, 2024
Hi,

After susccessfully using this method for passwordless RDP, I have the following issue. The admin user account was disabled and replaced by another admin account. Although the local profile was deleted from the workstation, every time I try to remove the admin certificate from other user certificate store it reappears.
How to completely remove an account or Whb credentials from dual enrollment? I haven't found a guide for this, yet.

Thanks.
C-Money
Copper Contributor
Oct 11, 2023
schrewst

Sorry to hear you hit the same wall that I did. I abandoned this shortly after I posted that comment, as you can see no one was able to help or give me any guidance either. I have a Remote Desktop Services farm that provides the workspace for most of my users, so if RDP through WHFB doesn't work through the Remote Desktop Gateway it just wasn't worth the time and effort to implement it.

If you ever find a way to make it work please post here and I'll do the same!
schrewst
Copper Contributor
Oct 11, 2023
C-Money

Just wanted to add that we are facing the same issue. We were using key trust and enrolled smart card certificates from our internal PKI, for authenticating with WH4B on rd remoteapps from our windows clients. Logging on to the session hosts through a remote desktop gateway works when allowing to bypass the gateway and accessing the session hosts directly with RDP. But when enforcing the access to go through the gateway by https and udp 3391, smart card authentication stops working. SSO with username and password works in both scenarios though.

I don't have any in depth knowledge about every mechanism at play here, but i am kind of on the same track as you. Looking at the events on the rd gateway/kdc-proxy, it looks like it does nothing when we are forcing everything through the rd gateway and trying to authenticate with our enrolled smart cards. I am at my wits end with this, and i cannot find any documentation on how to properly configure everything for this particular scenario - if possible.

We have migrated to cloud trust now, but the smart cards for authentication on RDP is still needed as i have understood from the documentation.
C-Money
Copper Contributor
Dec 11, 2022
Has anyone gotten this to work with Remote Desktop Gateway? I'm using Key Trust (I need certs on my domain controllers for LDAPS, and the 30 minute Azure AD Connect lag doesn't bother me) and I've tried everything I could think to try and it just won't work. It won't even work when I have line of sight to a Domain Controller (I also have KDC Proxy up and running too, no difference.) According to this article (https://cloudbrothers.info/en/windows-business-cloud-trust-kdc-proxy/) " HttpsClientAuth must be set to 0 otherwise the all connections will fail, even when the Windows Hello for Business certificate is replicated to the on-prem AD. This is because the root certificate of this certificate (e.g. MS-Organization-P2P-Access [2022]) is not trusted by the KDC proxy server and a validation is not possible.

I assume that if KDC Proxy won't authenticate because of this, that is also why Remote Desktop Gateway doesn't work because they both use the netsh http system?
parobinson
Microsoft
Oct 21, 2022
notyouraverageadmin Yes, moved out of preview early last week
notyouraverageadmin
Brass Contributor
Oct 14, 2022
parobinson when did Cloud Trust move out of preview status (if it did)?
lukesrees
Copper Contributor
Oct 14, 2022
parobinson thanks for the detailed response - food for thought!
parobinson
Microsoft
Oct 12, 2022
lukesrees Remember first and foremost WHfB is targeted at your end users to facilitate passwordless logon to their desktop. Really the RDP question is a after thought. There are many ways to protect your high privilege credentials. I would not let the requirement for your few admins dictate the direction of your many users.

Hybrid Certificate trust was the first and oldest method of providing sign-in to a domain controller using WHfB. It's aimed at orgs that can't update their DCs beyond 2012r2. Which at this stage really needs to be on an upgrade path. Another big requirement for Hybrid Cert Trust is that your domains need to be federated with ADFS (device registeration happens on ADFS). PHS and PTA are not supported. taking all that into account, Cert Trust these days should really be a last resort. Hybrid Azure AD joined Windows Hello for Business Prerequisites - Windows security | Microsoft Learn

Key trust supports PHS and PTA and does not need ADFS. Far simpler deployment and management and uses the same keys to log into a domain as are used to log into azure AD. IT requires some PKI work however.

But what would i recommend for new deployments starting from scratch. Hybrid Cloud Trust. the simplest and most straightforward deployment. this also opens up FIDO logon for desktops. This will become the default recommend method for WHfB. the main pre-req to be aware of is Win10 21H2 or later. Hybrid cloud Kerberos trust Deployment (Windows Hello for Business) - Windows security | Microsoft Learn

This will apply to all your users for their desktop logon. Then we worry about secure use of high privilege credentials. Hope that helps.

P.s. RDP can be used using the above method when storing a cert in the WHfB container using cloud trust too 🙂