@BusinessFish 

How does this work exactly with NDES? Do you have a guide?

@Anders Gidlund you can follow the guide for using certificates with Azure AD Joined devices to enable SSO with Windows Hello for Business to on-prem (Using Certificates for AADJ On-premises Single-sign On single sign-on - Microsoft 365 Security | Mic...). For Azure AD Joined devices, AD FS cannot be used as a certificate RA so Intune and NDES have to be used to distribute certs. The method isn't unique to Azure AD Join and can be done with any modern managed device.

@Matthew_Palko sorry If I am dumb, but I just want to make this clear.

Im setting up a Key Trust because I do not and cannot use ADFS in our environment. Youre referring to a guide for a Certificate Trust setup.

Im using these guides:
Hybrid Key Trust Deployment (Windows Hello for Business) - Microsoft 365 Security | Microsoft Docs
Configure Hybrid key trust Windows Hello for Business - Microsoft 365 Security | Microsoft Docs


Do you mean that I can setup a Key Trust deployment without ADFS and then just install NDES like in the guide your linking to (starting from here: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybri...) and then have functionality to login using WHfB to on-premises RDS servers?

@Anders Gidlund I think that’s what he’s saying.

this is what we’ve done and it works perfectly 

@Dani Halfin 

Great i live the fact the Microsoft links never work

The method that has seemed to work best for us is to enable Remote Credential Guard which works directly with Windows Hello for Business to provide SSO RDP. We made our environment all RCG friendly by applying the DisableRestrictedAdmin registry item and the "Remote host allows delegation of non-exportable credentials" GPO setting at the domain level, then applied the "Restrict delegation of credentials to remote servers" just to the laptops OU. If your RDP servers access other RDP resources internally, then you may want to apply RCG settings to those too to make nested RDP SSO.

The only issue is if you have any pre-2016 RDP servers, which don't support RCG, as clients will refuse to connect to any RDP server that doesn't support RCG (wish MS had an exception list for this!). A couple work arounds for these legacy RDP servers is, 1) to use the RDWeb Web Client for those services until such time as they can be migrated to 2016/2019, 2) keep a 2016+ RDP server without RCG as a jump-off point for those services.

@BusinessFish Bro that sounds good (using NDES to get certs synced with Intune) do you have any instructions?

@Martin Lim yehea dawg I solved it.

Push this script to your devices from intune, it forces the machines to treat the certificates as smart cards and then uses them for RDP. Working like a charm for me :)

#Setting registry key to force WHfB certs to be treated as smart cards.
$RegistryLocation = "HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork"
$keyname = "UseHelloCertificatesAsSmartCardCertificates"

#Test if path exists and create if missing
if (!(Test-Path -Path $RegistryLocation)){
Write-Output "Registry location missing. Creating"
New-Item $RegistryLocation | Out-Null
}

#Force create key with value 1
New-ItemProperty -Path $RegistryLocation -Name $keyname -PropertyType DWord -Value 1 -Force | Out-Null
Write-Output "Registry key set"

@Clint Lechner  I love the analogies :)