deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-11 21:07:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity
windows-itpro-docs/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
Stephanie Savell 16324db97a
Merge branch 'main' into repo_sync_working_branch
2022-11-23 10:33:10 -06:00

13 KiB
Raw Blame History

title, description, ms.collection, ms.topic, localizationpriority, ms.date, appliesto, ms.technology
title description ms.collection ms.topic localizationpriority ms.date appliesto ms.technology
Deploy certificates for remote desktop sign-in Learn how to deploy certificates to cloud Kerberos trust and key trust users, to enable remote desktop sign-in with supplied credentials.
ContentEngagementFY23
article medium 11/15/2022
<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
itpro-security

Deploy certificates for remote desktop (RDP) sign-in

This document describes Windows Hello for Business functionalities or scenarios that apply to:
Deployment type: hybrid
Trust type: cloud Kerberos trust, key trust
Device registration type: Azure AD join, Hybrid Azure AD join


Windows Hello for Business supports using a certificate as the supplied credential, when establishing a remote desktop connection to another Windows device. This document discusses three approaches for cloud Kerberos trust and key trust deployments, where authentication certificates can be deployed to an existing Windows Hello for Business user:

  • Deploy certificates to hybrid joined devices using an on-premises Active Directory Certificate Services enrollment policy
  • Deploy certificates to hybrid or Azure AD-joined devices using Intune
  • Work with third-party PKIs

Deploy certificates via Active Directory Certificate Services (AD CS)

Note

This process is applicable to hybrid Azure AD joined devices only.

To deploy certificates using an on-premises Active Directory Certificate Services enrollment policy, you must first create a certificate template, and then deploy certificates based on that template.

Expand the following sections to learn more about the process.


Create a Windows Hello for Business certificate template

Follow these steps to create a certificate template:

  1. Sign in to your issuing certificate authority (CA) and open Server Manager

  2. Select Tools > Certification Authority. The Certification Authority Microsoft Management Console (MMC) opens

  3. In the MMC, expand the CA name and right-click Certificate Templates > Manage

  4. The Certificate Templates console opens. All of the certificate templates are displayed in the details pane

  5. Right-click the Smartcard Logon template and select Duplicate Template

  6. Use the following table to configure the template:

    Tab Name Configurations
    Compatibility
    • Clear the Show resulting changes check box
    • Select Windows Server 2012 or Windows Server 2012 R2 from the Certification Authority list
    • Select Windows Server 2012 or Windows Server 2012 R2 from the Certification Recipient list
    General
    • Specify a Template display name, for example WHfB Certificate Authentication
    • Set the validity period to the desired value
    • Take note of the Template name for later, which should be the same as the Template display name minus spaces (WHfBCertificateAuthentication in this example)
    Extensions Verify the Application Policies extension includes Smart Card Logon
    Subject Name
    • Select the Build from this Active Directory information button if it isn't already selected
    • Select Fully distinguished name from the Subject name format list if Fully distinguished name isn't already selected
    • Select the User Principal Name (UPN) check box under Include this information in alternative subject name
    Request Handling
    • Set the Purpose to Signature and smartcard logon and select Yes when prompted to change the certificate purpose
    • Select the Renew with same key check box
    • Select Prompt the user during enrollment
    Cryptography
    • Set the Provider Category to Key Storage Provider
    • Set the Algorithm name to RSA
    • Set the minimum key size to 2048
    • Select Requests must use one of the following providers
    • Select Microsoft Software Key Storage Provider
    • Set the Request hash to SHA256
    Security Add the security group that you want to give Enroll access to. For example, if you want to give access to all users, select the Authenticated users group, and then select Enroll permissions for them

  7. Select OK to finalize your changes and create the new template. Your new template should now appear in the list of Certificate Templates

  8. Close the Certificate Templates console

  9. Open an elevated command prompt and change to a temporary working directory

  10. Execute the following command, replacing <TemplateName> with the Template display name noted above

    certutil.exe -dstemplate <TemplateName> > <TemplateName.txt>

  11. Open the text file created by the command above.

    • Delete the last line of the output from the file that reads
      CertUtil: -dsTemplate command completed successfully.
    • Modify the line that reads
      pKIDefaultCSPs = "1,Microsoft Software Key Storage Provider" to
      pKIDefaultCSPs = "1,Microsoft Passport Key Storage Provider"

  12. Save the text file

  13. Update the certificate template by executing the following command:

    certutil.exe -dsaddtemplate <TemplateName.txt>

  14. In the Certificate Authority console, right-click Certificate Templates, select New > Certificate Template to Issue

  15. From the list of templates, select the template you previously created (WHFB Certificate Authentication) and select OK. It can take some time for the template to replicate to all servers and become available in this list

  16. After the template replicates, in the MMC, right-click in the Certification Authority list, select All Tasks > Stop Service. Right-click the name of the CA again, select All Tasks > Start Service


Request a certificate
  1. Sign in to a client that is hybrid Azure AD joined, ensuring that the client has line of sight to a domain controller and the issuing CA
  2. Open the Certificates - Current User Microsoft Management Console (MMC). To do so, you can execute the command certmgr.msc
  3. In the left pane of the MMC, right-click Personal > All Tasks > Request New Certificate…
  4. On the Certificate Enrollment screen, select Next
  5. Under Select Certificate Enrollment Policy, select Active Directory Enrollment Policy > Next
  6. Under Request Certificates, select the check-box for the certificate template you created in the previous section (WHfB Certificate Authentication) and then select Enroll
  7. After a successful certificate request, select Finish on the Certificate Installation Results screen

Deploy certificates via Intune

Note

This process is applicable to both Azure AD joined and hybrid Azure AD joined devices that are managed via Intune.

Deploying a certificate to Azure AD joined or hybrid Azure AD joined devices may be achieved using the Simple Certificate Enrollment Protocol (SCEP) or PKCS (PFX) via Intune. For guidance deploying the required infrastructure, refer to:

Next, you should deploy the root CA certificate (and any other intermediate certificate authority certificates) to Azure AD joined Devices using a Trusted root certificate policy with Intune. For guidance, refer to Create trusted certificate profiles in Microsoft Intune.

Once these requirements are met, a policy can be configured in Intune that provisions certificates for the users on the targeted device.


Create a policy in Intune

This section describes how to configure a SCEP policy in Intune. Similar steps can be followed to configure a PKCS policy.

  1. Go to the Microsoft Endpoint Manager admin center

  2. Select Devices > Configuration profiles > Create profile

  3. Select Platform > Windows 10 and later and Profile type > Templates > SCEP Certificate

  4. Select Create

  5. In the Basics panel, provide a Name and, optionally, a Description > Next

  6. In the Configuration settings panel, use the following table to configure the policy:

    Setting Configurations
    Certificate Type User
    Subject name format CN={{UserPrincipalName}}
    Subject alternative name From the dropdown, select User principal name (UPN) with a value of {{UserPrincipalName}}
    Certificate validity period Configure a value of your choosing
    Key storage provider (KSP) Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)
    Key usage Digital Signature
    Key size (bits) 2048
    For Hash algorithm SHA-2
    Root Certificate Select +Root Certificate and select the trusted certificate profile created earlier for the Root CA Certificate
    Extended key usage
    • Name: Smart Card Logon
    • Object Identifier: 1.3.6.1.4.1.311.20.2.2
    • Predefined Values: Smart Card Logon

    • Name: Client Authentication
    • Object Identifier: 1.3.6.1.5.5.7.3.2
    • Predefined Values: Client Authentication
    Renewal threshold (%) Configure a value of your choosing
    SCEP Server URLs Provide the public endpoint(s) that you configured during the deployment of your SCEP infrastructure

  7. Select Next

  8. In the Assignments panel, assign the policy to a security group that contains as members the devices or users that you want to configure and select Next

  9. In the Applicability Rules panel, configure issuance restrictions, if needed, and select Next

  10. In the Review + create panel, review the policy configuration and select Create

For more information how to configure SCEP policies, see Configure SCEP certificate profiles in Intune. To configure PKCS policies, see Configure and use PKCS certificate with Intune.


Request a certificate Once the Intune policy is created, targeted clients will request a certificate during their next policy refresh cycle. To validate that the certificate is present in the user store, follow these steps:
  1. Sign in to a client targeted by the Intune policy
  2. Open the Certificates - Current User Microsoft Management Console (MMC). To do so, you can execute the command certmgr.msc
  3. In the left pane of the MMC, expand Personal and select Certificates
  4. In the right-hand pane of the MMC, check for the new certificate

Use third-party certification authorities

If you're using a non-Microsoft PKI, the certificate templates published to the on-premises Active Directory may not be available. For guidance with integration of Intune/SCEP with non-Microsoft PKI deployments, refer to Use third-party certification authorities (CA) with SCEP in Microsoft Intune.

As an alternative to using SCEP or if none of the previously covered solutions will work in your environment, you can manually generate Certificate Signing Requests (CSR) for submission to your PKI. To assist with this approach, you can use the Generate-CertificateRequest PowerShell commandlet.

The Generate-CertificateRequest commandlet will generate an .inf file for a pre-existing Windows Hello for Business key. The .inf can be used to generate a certificate request manually using certreq.exe. The commandlet will also generate a .req file, which can be submitted to your PKI for a certificate.

RDP sign-in with Windows Hello for Business certificate authentication

After obtaining a certificate, users can RDP to any Windows devices in the same Active Directory forest as the user's Active Directory account.

Note

The certificate chain of the issuing CA must be trusted by the target server.

  1. Open the Remote Desktop Client (mstsc.exe) on the client where the authentication certificate has been deployed
  2. Attempt an RDP session to a target server
  3. Use the certificate credential protected by your Windows Hello for Business gesture to authenticate