Add requirements for RDP sign-in with Windows Hello for Business
Paolo Matarazzo 2023-12-08 11:38:34 -05:00
parent 2654eefc85
commit 0904ac21ce


@ -35,6 +35,18 @@ Windows Hello for Business emulates a smart card for application compatibility,
> [!NOTE] > [!NOTE]
> Remote Desktop with biometric doesn't work with [Dual Enrollment](hello-feature-dual-enrollment.md) or scenarios where the user provides alternative credentials. > Remote Desktop with biometric doesn't work with [Dual Enrollment](hello-feature-dual-enrollment.md) or scenarios where the user provides alternative credentials.
## Requirements
Here's a list of requiremets to enable RDP sign-in with Windows Hello for Business:
> [!div class="checklist"]
> * A PKI infrastructure based on AD CS or third-party
> * Windows Hello for Business deployed to the clients
> * If you plan to support Microsoft Entra joined devices, the domain controllers must have a certificate, which serves as a *root of trust* for the clients. The certificate ensures that clients don't communicate with rogue domain controllers
> * If you plan to deploy certificates using Microsoft Intune:
> * Ensure you have the required infrastructure to support either [SCEP][MEM-1] or [PKCS][MEM-2] deployments
> * Deploy the root CA certificate (and any other intermediate certificate authority certificates) to Microsoft Entra joined Devices using a *Trusted root certificate* policy with Intune. For guidance, refer to [Create trusted certificate profiles in Microsoft Intune][MEM-5]
## Create a Windows Hello for Business certificate template ## Create a Windows Hello for Business certificate template
This process is applicable to scenarios where you deploy certificates using an on-premises Active Directory Certificate Services infrastrusture, which include: This process is applicable to scenarios where you deploy certificates using an on-premises Active Directory Certificate Services infrastrusture, which include:
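Review bot: "requiremets" in the new intro line ("Here's a list of requiremets to enable RDP sign-in with Windows Hello for Business:") should be "requirements". Separately, the two items that follow "If you plan to deploy certificates using Microsoft Intune:" are written at the same `> *` level as their parent even though the trailing colon presents them as sub-items; indent them (for example `>   * Ensure you have the required infrastructure to support either [SCEP][MEM-1] or [PKCS][MEM-2] deployments`) so the checklist renders them as nested under the Intune condition rather than as three independent requirements.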
@ -116,8 +128,6 @@ Here are the steps to manually request a certificate using an Active Directory C
1. Under *Request Certificates*, select the check-box for the certificate template you created in the previous section (*WHfB Certificate Authentication*) and then select **Enroll** 1. Under *Request Certificates*, select the check-box for the certificate template you created in the previous section (*WHfB Certificate Authentication*) and then select **Enroll**
1. After a successful certificate request, select **Finish** on the Certificate Installation Results screen 1. After a successful certificate request, select **Finish** on the Certificate Installation Results screen
Alternatively, you can configure the certificate template
## Deploy certificates via Intune ## Deploy certificates via Intune
This process is applicable to both *Microsoft Entra joined* and *Microsoft Entra hybrid joined* devices that are managed via Intune. This process is applicable to both *Microsoft Entra joined* and *Microsoft Entra hybrid joined* devices that are managed via Intune.
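Review bot: the removed line "Alternatively, you can configure the certificate template" was an unfinished sentence that left the reader without the alternative it promised, so dropping it is correct; if an alternative to the manual request procedure above was intended, it should be written out as a complete step rather than reintroduced as a fragment.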
@ -127,15 +137,6 @@ This process is applicable to both *Microsoft Entra joined* and *Microsoft Entra
> If you deploy certificates via Intune and configure Windows Hello for Business via group policy, the devices will fail to obtain a certificate, logging the error code `0x82ab0011` in the `DeviceManagement-Enterprise-Diagnostic-Provider` log.\ > If you deploy certificates via Intune and configure Windows Hello for Business via group policy, the devices will fail to obtain a certificate, logging the error code `0x82ab0011` in the `DeviceManagement-Enterprise-Diagnostic-Provider` log.\
> To avoid the error, configure Windows Hello for Business via Intune instead of group policy. > To avoid the error, configure Windows Hello for Business via Intune instead of group policy.
Deploying a certificate to Intune-managed devices may be achieved using the Simple Certificate Enrollment Protocol (SCEP) or PKCS (PFX) options. For guidance deploying the required infrastructure, refer to:
- [Configure infrastructure to support SCEP certificate profiles with Microsoft Intune][MEM-1]
- [Configure and use PKCS certificates with Intune][MEM-2]
Next, you should deploy the root CA certificate (and any other intermediate certificate authority certificates) to Microsoft Entra joined Devices using a *Trusted root certificate* policy with Intune. For guidance, refer to [Create trusted certificate profiles in Microsoft Intune][MEM-5].
Once these requirements are met, a policy can be configured in Intune that provisions certificates for the users on the targeted device.
### Create a policy in Intune ### Create a policy in Intune
This section describes how to configure a SCEP policy in Intune. Similar steps can be followed to configure a PKCS policy. This section describes how to configure a SCEP policy in Intune. Similar steps can be followed to configure a PKCS policy.
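Review bot: removing the SCEP/PKCS infrastructure paragraph, the trusted root certificate paragraph and the closing sentence "Once these requirements are met, a policy can be configured in Intune..." leaves the "Deploy certificates via Intune" section jumping straight from the `0x82ab0011` warning into "### Create a policy in Intune" with nothing stating the prerequisites; since this content now lives in the new "## Requirements" section, add a one-line pointer here (for example "Before creating the policy, make sure the Intune prerequisites listed under Requirements are in place") so readers who land on this section directly still learn that the SCEP or PKCS infrastructure and the trusted root certificate policy must exist first. Also confirm that the `[MEM-1]`, `[MEM-2]` and `[MEM-5]` link definitions remain at the end of the file, as they are no longer referenced from this section but are still used by the new Requirements checklist.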
@ -187,6 +188,10 @@ As an alternative to using SCEP, or if none of the previously covered solutions
The `Generate-CertificateRequest` commandlet generates an `.inf` file for a pre-existing Windows Hello for Business key. The `.inf` can be used to generate a certificate request manually using `certreq.exe`. The commandlet also generates a `.req` file, which can be submitted to your PKI for a certificate. The `Generate-CertificateRequest` commandlet generates an `.inf` file for a pre-existing Windows Hello for Business key. The `.inf` can be used to generate a certificate request manually using `certreq.exe`. The commandlet also generates a `.req` file, which can be submitted to your PKI for a certificate.
## Verify that the certificate is deployed
To verify that the certificate is corretly deployed to the Windows Hello for Business container, follow these steps:
## User experience ## User experience
After the certificate is obtained, users can RDP to any Windows devices in the same Active Directory forest as the user's Active Directory account. After the certificate is obtained, users can RDP to any Windows devices in the same Active Directory forest as the user's Active Directory account.
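Review bot: the new "## Verify that the certificate is deployed" section ends with "follow these steps:" but this hunk adds no steps, so as committed the section is a heading and a lead sentence with nothing for the reader to do; either add the verification steps in this change or hold the heading until they are written, because an empty procedure right before "## User experience" reads as a broken page. While editing that line, "corretly" should be "correctly".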