Jul 24 2018 07:29 AM
In the release notes for build 17713, support was announced for logging into remote desktop sessions using biometrics via Windows Hello. I have a few questions I'm hoping someone can answer:
The way the blog post is worded, it's not clear whether the 'new' part of this is strictly related to biometrics, or if using Windows Hello to log into a remote desktop server is completely new. Was it previously possible to use Windows Hello with a PIN to log in to a remote desktop session? If so, is there any documentation on this available?
In the example used in the blog post, the Remote Desktop connection is from a Windows 10 client to a Windows Server 2016 server. Is Server 2016 required, or will this work with older server OS versions?
Does it matter which type of deployment (Key-Trust vs Certificate-Trust) is used for Windows Hello for business?
I've tried using this feature in my environment, to connect from a client running build 17713 to a Server 2016 server, but get an error "The client certificate does not contain a valid UPN. . . " (screenshot below)
Any idea what would cause that?
Have any Insiders out there been able to use this new feature successfully?
Feb 24 2021 08:43 AM
@Anders Gidlund you can follow the guide for using certificates with Azure AD Joined devices to enable SSO with Windows Hello for Business to on-prem (Using Certificates for AADJ On-premises Single-sign On single sign-on - Microsoft 365 Security | Mic...). For Azure AD Joined devices, AD FS cannot be used as a certificate RA so Intune and NDES have to be used to distribute certs. The method isn't unique to Azure AD Join and can be done with any modern managed device.
Mar 04 2021 04:46 AM
@Matthew_Palko sorry if I am dumb, but I just want to make this clear.
I'm setting up a Key Trust because I do not and cannot use ADFS in our environment. You're referring to a guide for a Certificate Trust setup.
I'm using these guides:
Hybrid Key Trust Deployment (Windows Hello for Business) - Microsoft 365 Security | Microsoft Docs
Configure Hybrid key trust Windows Hello for Business - Microsoft 365 Security | Microsoft Docs
Do you mean that I can setup a Key Trust deployment without ADFS and then just install NDES like in the guide your linking to (starting from here: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybri...) and then have functionality to login using WHfB to on-premises RDS servers?
Mar 04 2021 04:48 AM
@Anders Gidlund I think that’s what he’s saying.
This is what we've done and it works perfectly.
Mar 09 2021 05:35 AM
Great, I love the fact that the Microsoft links never work.
Mar 09 2021 12:24 PM
The method that has seemed to work best for us is to enable Remote Credential Guard which works directly with Windows Hello for Business to provide SSO RDP. We made our environment all RCG friendly by applying the DisableRestrictedAdmin registry item and the "Remote host allows delegation of non-exportable credentials" GPO setting at the domain level, then applied the "Restrict delegation of credentials to remote servers" just to the laptops OU. If your RDP servers access other RDP resources internally, then you may want to apply RCG settings to those too to make nested RDP SSO.
The only issue is if you have any pre-2016 RDP servers, which don't support RCG, as clients will refuse to connect to any RDP server that doesn't support RCG (wish MS had an exception list for this!). A couple of workarounds for these legacy RDP servers are: 1) use the RDWeb Web Client for those services until such time as they can be migrated to 2016/2019, 2) keep a 2016+ RDP server without RCG as a jump-off point for those services.
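The three settings named in the post above (the DisableRestrictedAdmin registry item, the "Remote host allows delegation of non-exportable credentials" GPO, and the client-side "Restrict delegation of credentials to remote servers" GPO) each map to a registry value under a policy key. The following PowerShell is an added example, not code from the poster or from Microsoft: it audits those values for a host or a client role and, with -Apply, sets them, so you can check an RDP server before pointing RCG-enforced laptops at it. Key paths and value names are the ones Microsoft documents for Remote Credential Guard; the function names, the -Role parameter, and the server name rds01.corp.example in the usage comment are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post. Audits (and with -Apply, sets)
# the registry values behind the three Remote Credential Guard settings named
# above. Key paths and value names are the ones Microsoft documents for RCG;
# the function names and the -Role parameter are this example's own.

$LsaKey        = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$DelegationKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

# Desired state per role.
#  Host   = an RDP server that must accept RCG (and Restricted Admin) connections.
#  Client = a laptop that must refuse to send reusable credentials to RDP hosts.
$Desired = @{
    Host = @(
        # Restricted Admin / Remote Credential Guard is enabled on the host when
        # DisableRestrictedAdmin is 0 (the "DisableRestrictedAdmin registry item").
        @{ Path = $LsaKey;        Name = 'DisableRestrictedAdmin'; Data = 0 }
        # GPO "Remote host allows delegation of non-exportable credentials".
        @{ Path = $DelegationKey; Name = 'AllowProtectedCreds';    Data = 1 }
    )
    Client = @(
        # GPO "Restrict delegation of credentials to remote servers".
        # RestrictedRemoteAdministrationType: 1 = Require Restricted Admin,
        # 2 = Require Remote Credential Guard, 3 = Restrict credential delegation
        # (RCG where the host supports it, otherwise Restricted Admin).
        @{ Path = $DelegationKey; Name = 'RestrictedRemoteAdministration';     Data = 1 }
        @{ Path = $DelegationKey; Name = 'RestrictedRemoteAdministrationType'; Data = 2 }
    )
}

function Get-RcgSetting {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent; for a policy value that
    # means "not configured", which is not the same as 0.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-RcgConfiguration {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][ValidateSet('Host', 'Client')][string]$Role,
        [switch]$Apply   # without -Apply this only reports drift
    )
    foreach ($s in $Desired[$Role]) {
        $current   = Get-RcgSetting -Path $s.Path -Name $s.Name
        $compliant = ($null -ne $current) -and ($current -eq $s.Data)
        if (-not $compliant -and $Apply) {
            if (-not (Test-Path -Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
            New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType DWord -Value $s.Data -Force | Out-Null
            $current   = Get-RcgSetting -Path $s.Path -Name $s.Name
            $compliant = ($current -eq $s.Data)
        }
        # One row per setting so the output can be filtered or exported.
        [pscustomobject]@{
            Role      = $Role
            Setting   = $s.Name
            Current   = $current
            Desired   = $s.Data
            Compliant = $compliant
        }
    }
}

# Usage (run elevated):
#   Test-RcgConfiguration -Role Host            # report only, on an RDP server
#   Test-RcgConfiguration -Role Client -Apply   # enforce on a laptop
# Then connect with RCG requested explicitly (hypothetical host name):
#   mstsc.exe /remoteGuard /v:rds01.corp.example
# A host reporting Compliant=False for AllowProtectedCreds or
# DisableRestrictedAdmin will be refused by a client enforced with Type 2,
# which is the legacy-server failure mode the post describes.
```

Run the Host audit on every RDP server before applying the client policy; a server that reports non-compliance is exactly the one the RCG-enforced laptops will refuse, so the report doubles as the list of hosts that still need the RDWeb or jump-off workaround.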
Dec 21 2021 12:06 AM
@BusinessFish Bro that sounds good (using NDES to get certs synced with Intune) do you have any instructions?
Jan 10 2022 07:50 AM
@Martin Lim yeah dawg, I solved it.
Push this script to your devices from intune, it forces the machines to treat the certificates as smart cards and then uses them for RDP. Working like a charm for me :)
#Setting registry key to force WHfB certs to be treated as smart cards.
$RegistryLocation = "HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork"
$keyname = "UseHelloCertificatesAsSmartCardCertificates"
#Test if path exists and create if missing (-Force also creates any missing parent keys)
if (!(Test-Path -Path $RegistryLocation)){
    Write-Output "Registry location missing. Creating"
    New-Item -Path $RegistryLocation -Force | Out-Null
}
#Force create the DWORD value as 1 (-Force overwrites an existing value of any type)
New-ItemProperty -Path $RegistryLocation -Name $keyname -PropertyType DWord -Value 1 -Force | Out-Null
Write-Output "Registry key set"
Feb 02 2022 09:03 AM
@Clint Lechner I love the analogies :)