title: Deploy certificates to cloud Kerberos trust and key trust users to enable RDP
description: Learn how to deploy certificates to a cloud Kerberos trust and key trust user to enable remote desktop with supplied credentials.
ms.prod: windows-client
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.reviewer: erikdau
ms.topic: how-to
localizationpriority: medium
ms.date: 11/15/2022
ms.technology: itpro-security
Deploy certificates to cloud Kerberos trust and key trust users for RDP authentication
This document describes Windows Hello for Business functionalities or scenarios that apply to:
✅ Deployment type: hybrid
✅ Trust type: cloud Kerberos trust, key trust
✅ Device registration type: Azure AD join, Hybrid Azure AD join
Windows Hello for Business supports using a certificate as the supplied credential when establishing a remote desktop connection to a server or other device. This document discusses three approaches for cloud Kerberos trust and key trust deployments, where authentication certificates can be deployed to an existing Windows Hello for Business user:
- Deploy certificates to hybrid joined devices using an on-premises Active Directory Certificate Services enrollment policy
- Deploy certificates to hybrid or Azure AD-joined devices using Simple Certificate Enrollment Protocol (SCEP) and Intune
- Work with non-Microsoft enterprise certificate authorities
Deploy certificates via Active Directory Certificate Services (AD CS)
Note
This process is applicable to hybrid Azure AD joined devices only.
To deploy certificates using an on-premises Active Directory Certificate Services enrollment policy, you must first create a certificate template and then deploy certificates based on that template.
Create a Windows Hello for Business certificate template
Follow these steps to create a certificate template:
1. Sign in to your issuing certificate authority (CA) and open Server Manager.
2. Select Tools > Certification Authority. The Certification Authority Microsoft Management Console (MMC) opens.
3. In the MMC, expand the CA name and right-click Certificate Templates > Manage.
4. The Certificate Templates console opens. All of the certificate templates are displayed in the details pane.
5. Right-click the Smartcard Logon template and select Duplicate Template.
6. On the Compatibility tab:
   - Clear the Show resulting changes check box
   - Select Windows Server 2012 or Windows Server 2012 R2 from the Certification Authority list
   - Select Windows Server 2012 or Windows Server 2012 R2 from the Certification Recipient list
7. On the General tab:
   - Specify a Template display name, for example WHfB Certificate Authentication
   - Set the validity period to the desired value
   - Take note of the Template name for later. It is the Template display name with the spaces removed (WHfBCertificateAuthentication in this example)
8. On the Extensions tab, verify that the Application Policies extension includes Smart Card Logon.
9. On the Subject Name tab:
   - Select Build from this Active Directory information if it is not already selected
   - Select Fully distinguished name from the Subject name format list if it is not already selected
   - Select the User Principal Name (UPN) check box under Include this information in alternative subject name
10. On the Request Handling tab:
   - Set the Purpose to Signature and smartcard logon and select Yes when prompted to change the certificate purpose
   - Select the Renew with same key check box
   - Select Prompt the user during enrollment
11. On the Cryptography tab:
   - Set the Provider Category to Key Storage Provider
   - Set the Algorithm name to RSA
   - Set the minimum key size to 2048
   - Select Requests must use one of the following providers
   - Select Microsoft Software Key Storage Provider
   - Set the Request hash to SHA256
12. On the Security tab, add the security group that you want to give Enroll access to, and grant it the Enroll permission. For example, to give access to all users, select the Authenticated Users group. Scoping Enroll to the group of users who actually need the RDP credential limits who can obtain a logon certificate from this template.
13. Select OK to finalize your changes and create the new template. Your new template should now appear in the list of Certificate Templates.
14. Close the Certificate Templates console.
15. Open an elevated command prompt and change to a temporary working directory.
16. Execute the following command, replacing <TemplateName> with the Template name you took note of in step 7:
    certutil -dstemplate <TemplateName> > <TemplateName.txt>
17. Open the text file created by the command above:
   - Delete the last line of the file, which reads CertUtil: -dsTemplate command completed successfully.
   - Modify the line that reads pKIDefaultCSPs = "1,Microsoft Software Key Storage Provider" to pKIDefaultCSPs = "1,Microsoft Passport Key Storage Provider". The Passport KSP cannot be selected in the template editor; this edit is what makes the CA issue the certificate against the user's Windows Hello for Business key rather than a software key.
18. Save the text file.
19. Update the certificate template by executing the following command:
    certutil -dsaddtemplate <TemplateName.txt>
20. In the Certification Authority console, right-click Certificate Templates and select New > Certificate Template to Issue.
21. From the list of templates, select the template you previously created (WHfB Certificate Authentication) and select OK. It can take some time for the template to replicate to all servers and become available in this list.
22. After the template replicates, in the MMC, right-click the name of the CA and select All Tasks > Stop Service. Right-click the name of the CA again and select All Tasks > Start Service.
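The certutil export, edit and re-import above is easy to get wrong by hand (a stray status line, or a provider name edited on the wrong line). The following PowerShell is an added example, not part of the original page; it performs that same edit and then re-reads the template to confirm the change. It assumes an elevated session on a domain member, run as an account allowed to modify certificate templates in Active Directory, and the Template name WHfBCertificateAuthentication from the General tab.

```powershell
# Added example, not from the original page: scripts the certutil export/edit/import that the
# procedure above performs by hand. Assumptions: an elevated session on a domain member as an
# account allowed to modify certificate templates, and the Template name
# WHfBCertificateAuthentication (the display name with spaces removed).
param(
    [string]$TemplateName = 'WHfBCertificateAuthentication',
    [string]$WorkDir = (Join-Path $env:TEMP 'whfb-template')
)

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$dumpPath = Join-Path $WorkDir "$TemplateName.txt"

# 1. Export the template definition from Active Directory (same output as "certutil -dstemplate <name> > file").
$dump = & certutil.exe -dstemplate $TemplateName
if ($LASTEXITCODE -ne 0) { throw "certutil -dstemplate failed for '$TemplateName' (exit code $LASTEXITCODE)" }

# 2. Drop the trailing status line; it is not template data and -dsaddtemplate must not see it.
$lines = @($dump | Where-Object { $_ -notmatch '^CertUtil: -dsTemplate command completed successfully\.' })

# 3. Swap the default provider. The template editor offers only the Software KSP; pointing the
#    template at the Passport KSP is what makes the CA issue against the user's Hello key.
$pattern  = '^(\s*pKIDefaultCSPs\s*=\s*"1,)Microsoft Software Key Storage Provider(")'
$matching = @($lines | Where-Object { $_ -match $pattern })
if ($matching.Count -ne 1) {
    throw "Expected exactly one pKIDefaultCSPs line naming the Software KSP, found $($matching.Count). Check the Cryptography tab of '$TemplateName'."
}
$lines = $lines -replace $pattern, '${1}Microsoft Passport Key Storage Provider${2}'

# The dump is plain ASCII text; write it back the same way so -dsaddtemplate parses it unchanged.
Set-Content -Path $dumpPath -Value $lines -Encoding Ascii

# 4. Write the modified definition back to Active Directory (updates the existing template object).
& certutil.exe -dsaddtemplate $dumpPath
if ($LASTEXITCODE -ne 0) { throw "certutil -dsaddtemplate failed (exit code $LASTEXITCODE)" }

# 5. Re-read the template and confirm the Passport KSP is now the only permitted provider
#    before publishing it with "Certificate Template to Issue".
$verify = & certutil.exe -dstemplate $TemplateName
if (-not ($verify -match 'pKIDefaultCSPs\s*=\s*"1,Microsoft Passport Key Storage Provider"')) {
    throw "Template '$TemplateName' still does not reference the Passport KSP after re-import."
}
Write-Host "Template '$TemplateName' now issues against the Microsoft Passport Key Storage Provider."
```

The script refuses to continue if it finds anything other than exactly one pKIDefaultCSPs line naming the Software KSP, which catches a template whose Cryptography tab was not set up as described above. Replication to other domain controllers still takes time, so the template may not appear under Certificate Template to Issue immediately after the script finishes.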
Request a certificate
1. Sign in to a client that is hybrid Azure AD joined, ensuring that the client has line of sight to a domain controller and the issuing CA.
2. Open the Certificates - Current User Microsoft Management Console (MMC): %windir%\system32\certmgr.msc
3. In the left pane of the MMC, right-click Personal > All Tasks > Request New Certificate…
4. On the Certificate Enrollment screen, select Next.
5. Under Select Certificate Enrollment Policy, select Active Directory Enrollment Policy > Next.
6. Under Request Certificates, select the check box for the certificate template you created in the previous section (WHfB Certificate Authentication) and then select Enroll.
7. After a successful certificate request, select Finish on the Certificate Installation Results screen.
Deploy certificates via Microsoft Intune
Note
This process is applicable to both Azure AD joined and hybrid Azure AD joined devices that are managed via Intune.
Deploying a certificate to Azure AD joined or hybrid Azure AD joined devices may be achieved using the Simple Certificate Enrollment Protocol (SCEP) or PFX via Intune. For guidance deploying the required infrastructure, refer to Configure infrastructure to support SCEP certificate profiles with Microsoft Intune.
Next you should deploy the root CA certificate (and any other intermediate certificate authority certificates) to Azure AD Joined Devices using a Trusted root certificate profile with Intune. For guidance, refer to Create trusted certificate profiles in Microsoft Intune.
Once these requirements are met, a policy can be configured in Intune that provisions certificates for the users on the targeted device.
Create a SCEP profile in Intune
Proceed as follows:
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Navigate to Devices > Configuration Profiles > Create profile.
3. Enter the following properties:
   - For Platform, select Windows 10 and later
   - For Profile, select SCEP Certificate
   - Click Create
4. In Basics, enter the following parameters:
   - Name: Enter a descriptive name for the profile. Name your profiles so you can easily identify them later. For example, a good profile name is SCEP profile for entire company
   - Description: Enter a description for the profile. This setting is optional, but recommended
   - Select Next
5. In Configuration settings, complete the following:
   - For Certificate Type, choose User
   - For Subject name format, set it to CN={{UserPrincipalName}}
   - Under Subject alternative name, select User principal name (UPN) from the drop-down menu and set the value to {{UserPrincipalName}}. The SAN must carry the bare UPN, with no CN= prefix, because this is the value Active Directory matches against the user's account when the certificate is presented for logon
   - For Certificate validity period, set a value of your choosing
   - For Key storage provider (KSP), choose Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)
   - For Key usage, choose Digital Signature
   - For Key size (bits), choose 2048
   - For Hash algorithm, choose SHA-2
   - Under Root Certificate, click +Root Certificate and select the trusted certificate profile you created earlier for the Root CA Certificate
   - Under Extended key usage, add the following:

     Name | Object Identifier | Predefined Values
     ---|---|---
     Smart Card Logon | 1.3.6.1.4.1.311.20.2.2 | Smart Card Logon
     Client Authentication | 1.3.6.1.5.5.7.3.2 | Client Authentication

   - For Renewal threshold (%), set a value of your choosing
   - For SCEP Server URLs, provide the public endpoint that you configured during the deployment of your SCEP infrastructure
   - Click Next
6. In Assignments, target the devices or users who should receive a certificate and click Next.
7. In Applicability Rules, provide additional issuance restrictions if required and click Next.
8. In Review + create, click Create.
Request a certificate
Once the configuration profile has been created, targeted clients receive the profile from Intune on their next refresh cycle. You should find a new certificate in the user store. To validate that the certificate is present:
1. Open the Certificates - Current User console (%windir%\system32\certmgr.msc)
2. In the left pane of the MMC, expand Personal and select Certificates
3. In the right-hand pane of the MMC, check for the new certificate
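Both enrollment paths on this page (the AD CS enrollment above and the Intune SCEP profile here) end with a visual check that a certificate appeared in the user's Personal store. Seeing a certificate is not the same as having one that RDP will accept: the private key has to live in the Microsoft Passport Key Storage Provider, the Smart Card Logon EKU has to be present, the SAN UPN has to match the account, and the chain has to build. The following PowerShell is an added example, not part of the original page; it checks those properties for every certificate with a private key in Cert:\CurrentUser\My. It assumes the signed-in user's UPN can be read with whoami /upn (override with -ExpectedUpn) and uses an optional issuer filter you supply.

```powershell
# Added example, not from the original page: verify that a certificate in the user's Personal
# store is usable for RDP with Windows Hello for Business. Assumptions: run as the enrolled user;
# whoami /upn returns that user's UPN (pass -ExpectedUpn otherwise); -IssuerFilter is optional.
function Test-WhfbAuthCertificate {
    [CmdletBinding()]
    param(
        [string]$ExpectedUpn  = (& whoami.exe /upn).Trim(),
        [string]$IssuerFilter = '*'   # e.g. 'CN=Contoso Issuing CA*' (assumed name)
    )

    $smartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon EKU
    $clientAuthOid     = '1.3.6.1.5.5.7.3.2'        # Client Authentication EKU
    $passportKsp       = 'Microsoft Passport Key Storage Provider'

    $candidates = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and $_.Issuer -like $IssuerFilter }

    foreach ($cert in $candidates) {
        # Extended Key Usage (OID 2.5.29.37)
        $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $ekus   = @(if ($ekuExt) { $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } })

        # Subject Alternative Name (OID 2.5.29.17); Format() renders the UPN otherName as "Principal Name=user@domain"
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sanUpn = $null
        if ($sanExt -and ($sanExt.Format($false) -match 'Principal Name=([^,\s]+)')) { $sanUpn = $Matches[1] }

        # Key provider. certutil prints "Provider = <name>" for the store entry. A key in the
        # Software KSP is an ordinary software key, not one protected by the Hello gesture.
        $storeInfo = & certutil.exe -user -store My $cert.Thumbprint
        $provider  = if (($storeInfo -join "`n") -match 'Provider = ([^\r\n]+)') { $Matches[1].Trim() } else { 'unknown' }

        # Chain to a trusted root on this client. Revocation is left to the logon path.
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $chainOk = $chain.Build($cert)

        [pscustomobject]@{
            Thumbprint     = $cert.Thumbprint
            Issuer         = $cert.Issuer
            NotAfter       = $cert.NotAfter
            Provider       = $provider
            SanUpn         = $sanUpn
            SmartCardLogon = ($ekus -contains $smartCardLogonOid)
            ClientAuth     = ($ekus -contains $clientAuthOid)
            ChainBuilds    = $chainOk
            # Everything the RDP target and the domain controller will look at, in one flag
            ReadyForRdp    = ($provider -eq $passportKsp) -and ($ekus -contains $smartCardLogonOid) -and
                             ($sanUpn -eq $ExpectedUpn) -and $chainOk -and ($cert.NotAfter -gt (Get-Date))
        }
    }
}

Test-WhfbAuthCertificate | Format-Table Thumbprint, Provider, SanUpn, SmartCardLogon, ChainBuilds, ReadyForRdp -AutoSize
```

A certificate that shows Provider = Microsoft Software Key Storage Provider was issued from a template or profile that did not bind the request to the Hello key (the pKIDefaultCSPs edit was skipped, or the Intune KSP setting was not Enroll to Windows Hello for Business, otherwise fail); it will work as an ordinary software certificate but is not the credential this page is about.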
Note
This infrastructure may also deploy the same certificates to co-managed or modern-managed hybrid Azure AD joined devices using Intune policies.
Using non-Microsoft Enterprise Certificate Authorities
If you are using a non-Microsoft PKI, the certificate templates published to the on-premises Active Directory may not be available. For guidance on integrating Intune/SCEP with non-Microsoft PKI deployments, refer to Use third-party certification authorities (CA) with SCEP in Microsoft Intune.
As an alternative to using SCEP, or if none of the previously covered solutions will work in your environment, you can manually generate Certificate Signing Requests (CSR) for submission to your PKI. To assist with this approach, you can use the Generate-CertificateRequest PowerShell cmdlet.
The Generate-CertificateRequest cmdlet generates an .inf file for a pre-existing Windows Hello for Business key. The .inf can be used to generate a certificate request manually using certreq.exe. The cmdlet also generates a .req file, which can be submitted to your PKI for a certificate.
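The paragraph above names the two artifacts (.inf and .req) but not the certreq.exe round trip that turns them into an installed certificate. The following PowerShell is an added example, not part of the original page and not part of the Generate-CertificateRequest script; the file paths, the AD CS configuration string and the template name are assumptions. With a non-Microsoft CA the -submit step is replaced by whatever submission channel that PKI provides, and the rest is unchanged.

```powershell
# Added example, not from the original page: the certreq.exe steps around the .inf/.req that
# Generate-CertificateRequest produces. Assumed values: file paths under C:\Temp, an AD CS CA
# reachable as "<host>\<CA name>", and the template name WHfBCertificateAuthentication.
$infPath  = 'C:\Temp\WHfB.inf'   # assumed: .inf written by Generate-CertificateRequest for the existing Hello key
$reqPath  = 'C:\Temp\WHfB.req'   # PKCS#10 request to hand to the PKI
$cerPath  = 'C:\Temp\WHfB.cer'   # issued certificate returned by the PKI
$caConfig = 'ca01.corp.contoso.com\Contoso Issuing CA'   # assumed AD CS config string
$template = 'WHfBCertificateAuthentication'

function Invoke-CertReq {
    param([string[]]$Arguments)
    $out = & certreq.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "certreq $($Arguments[0]) failed (exit code $LASTEXITCODE):`n$($out -join "`n")"
    }
    $out
}

# 1. Build the request from the .inf. Because the .inf refers to the existing Windows Hello for
#    Business key, certreq does not generate a new key pair here. -f overwrites an older .req.
Invoke-CertReq -Arguments @('-new', '-f', $infPath, $reqPath) | Out-Null

# 2. Submit to the CA. With AD CS, -attrib names the template to issue from. For a non-Microsoft
#    PKI, deliver $reqPath through that CA's own submission process and save the result as $cerPath.
#    A CA configured for manager approval leaves the request pending; rerun from step 3 once issued.
Invoke-CertReq -Arguments @('-submit', '-config', $caConfig, '-attrib', "CertificateTemplate:$template", $reqPath, $cerPath) | Out-Null

# 3. Install the issued certificate. certreq -accept finds the pending request whose public key
#    matches the certificate and links the certificate to that (Hello-protected) private key.
Invoke-CertReq -Arguments @('-accept', $cerPath) | Out-Null

# 4. Confirm the installed certificate is bound to the Passport KSP rather than a software key.
$issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
& certutil.exe -user -store My $issued.Thumbprint | Select-String 'Provider =', 'NotAfter'
```

Run this as the user who owns the Windows Hello for Business key; certreq -accept has to find the pending request in that user's context, and the private key it binds to belongs to that user's Hello container.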
RDP Sign-in with Windows Hello for Business Certificate Authentication
After adding the certificate using an approach from any of the previous sections, you can RDP to any Windows device or server in the same forest as the user's Active Directory account, provided the PKI certificate chain for the issuing certificate authority is deployed to that target server.
1. Open the Remote Desktop Client (%windir%\system32\mstsc.exe) on the client where the authentication certificate has been deployed
2. Attempt an RDP session to a target server
3. Use the certificate credential protected by your Windows Hello for Business gesture to authenticate
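The prerequisite stated above, that the target server trusts the issuing CA's chain, is the usual reason a logon with this certificate fails with a generic credential error. The following PowerShell is an added example, not part of the original page, to run on the target server. It looks up the issuing CA certificate in the machine stores, builds its chain to a trusted root, and also checks that the CA is published to the Enterprise NTAuth store, which Active Directory requires before a domain controller accepts certificate-based logon from certificates that CA issued (an enterprise AD CS CA is published there at install time; a non-Microsoft CA must be published by hand). The issuing CA subject is an assumed value.

```powershell
# Added example, not from the original page: on the RDP target, confirm the issuing CA's chain
# builds to a trusted root from the machine stores and that the CA is in Enterprise NTAuth.
# Assumption: the issuing CA subject passed in matches the Subject of the CA certificate.
function Test-RdpTargetCaTrust {
    param([Parameter(Mandatory)][string]$IssuingCaSubject)

    # The issuing CA certificate must be present in the machine Intermediate (CA) or Root store.
    $issuing = Get-ChildItem Cert:\LocalMachine\CA, Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -eq $IssuingCaSubject } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $issuing) {
        return [pscustomobject]@{
            IssuingCaFound = $false; Thumbprint = $null; ChainBuilds = $false; InNtAuth = $false
            Detail         = 'issuing CA certificate not found in LocalMachine\CA or LocalMachine\Root'
        }
    }

    # Build the chain from the issuing CA up to a trusted root using this machine's stores.
    # Revocation is deliberately skipped here; it is a separate failure mode from trust.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $builds = $chain.Build($issuing)
    $status = @($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() })

    # NTAuth: certutil lists each certificate with "Cert Hash(sha1): aa bb cc ...", so compare
    # against the thumbprint rendered as space-separated byte pairs (-match is case-insensitive).
    $ntauthDump = (& certutil.exe -enterprise -store NTAuth) -join "`n"
    $hashSpaced = ($issuing.Thumbprint -replace '(..)', '$1 ').Trim()
    $inNtAuth   = [bool]($ntauthDump -match [regex]::Escape($hashSpaced))

    [pscustomobject]@{
        IssuingCaFound = $true
        Thumbprint     = $issuing.Thumbprint
        ChainBuilds    = $builds
        InNtAuth       = $inNtAuth
        Detail         = if ($builds) { 'chain OK' } else { $status -join '; ' }
    }
}

# Assumed issuing CA subject for the example
Test-RdpTargetCaTrust -IssuingCaSubject 'CN=Contoso Issuing CA, DC=corp, DC=contoso, DC=com'
```

ChainBuilds false with a Detail of an untrusted root means the root or intermediate certificate was never pushed to this server; InNtAuth false with a non-Microsoft CA means the CA certificate still has to be published to NTAuth before any domain controller will honour logon with certificates it issued.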