Troubleshooting WHFB RDP Certificate Issues: Entra Joined Devices

Asked By TechExplorer2023 On

I'm experiencing some issues with Windows Hello for Business (WHFB) certificate enrollments for Remote Desktop Protocol (RDP) on Entra joined devices. I've followed the official guide and have everything set up for Smartcard enrollments via SCEP, which works well for hybrid devices. However, I have a vague memory of it functioning for Entra joined devices too, but I never deployed it to them. I recall that signing in through a gateway required Network Level Authentication (NLA) to be turned off, while direct RDP connections worked fine. Now, though, I'm having trouble getting it to work again. If I enable remote guard credential delegation, I reach the Windows login screen and can use WHFB with the security device, but I'm not prompted for my PIN and it doesn't sign me in automatically. Conversely, disabling credential delegation prompts me for a PIN or biometric sign-in, but then I either run into NLA issues or the system can't find the certificate authority. Am I misremembering how this was supposed to work? While Microsoft's documentation states support for Entra joined devices, it doesn't specify any necessary client or server configurations. Any insights would be greatly appreciated!

1 Answer

Answered By SysAdminGuru92 On

It sounds like you've got the basics covered, but just to clarify a couple of things for RDP with Entra joined devices:

1. On your RDS Gateway, make sure you've set the host collection authentication to "Allow users to select an authentication method". If you're forcing password-based logins, WHFB won't work.
2. Have you set up Cloud Kerberos Trust for WHFB? This is essential for authentication with Entra joined devices.
3. Double-check that your Root CA certificate is being pushed to those devices via Intune. Without this, cert-based logins will fail.
4. Ensure that your Certificate Revocation List (CRL) or Online Certificate Status Protocol (OCSP) is reachable by the client during login. Sometimes it needs to be publicly accessible for devices that are purely cloud-connected.
5. For SCEP certificate enrollment, confirm that Entra devices can connect to your NDES, often done via Azure AD Application Proxy.

The docs do mention support for Entra joined devices, but they don’t discuss these real-world deployment issues like certificate trust and CRL access. Based on your description, it seems like the client might not be able to validate the certificate properly, possibly due to these trust or CRL issues.
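The checklist above can be turned into a quick client-side diagnostic. The script below is an added example written for this thread, not code from the original answer or from Microsoft; it assumes it is run in an elevated PowerShell session on the Entra joined client, as the user whose WHFB certificate is being tested, and the CA subject substring (`CONTOSO-ROOT-CA`) is a placeholder you replace with your own CA name. It reports join state and the cloud Kerberos TGT from `dsregcmd /status`, the Cloud Kerberos Trust policy value, whether the Root CA is in the machine trust store, whether a WHFB certificate backed by the Passport KSP exists, and the result of a `certutil -urlfetch -verify` revocation check on each smart-card-logon certificate.

```powershell
# Added diagnostic for the WHFB/RDP checks discussed above (example, not from the thread).
# Assumptions: elevated PowerShell on the Entra joined client, run as the WHFB user.
param(
    # PLACEHOLDER: substring of your Root/issuing CA subject name
    [string]$CaSubjectMatch = 'CONTOSO-ROOT-CA'
)

$results = [ordered]@{}

# 1. Join state and cloud Kerberos trust TGT, read from dsregcmd /status output
$dsreg = dsregcmd /status
$results['AzureAdJoined']  = [bool]($dsreg | Select-String 'AzureAdJoined\s*:\s*YES')
$results['OnPremTgtIssued'] = [bool]($dsreg | Select-String 'OnPremTgt\s*:\s*YES')

# 2. Cloud Kerberos Trust policy (written by Intune/GPO under PassportForWork)
$polPath = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
$pol = Get-ItemProperty -Path $polPath -Name UseCloudTrustForOnPremAuth -ErrorAction SilentlyContinue
$results['CloudTrustPolicyEnabled'] = ($pol.UseCloudTrustForOnPremAuth -eq 1)

# 3. Root CA present in the machine Trusted Root store
$rootCa = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*$CaSubjectMatch*" }
$results['RootCaTrusted'] = [bool]$rootCa

# 4. A certificate held by the WHFB key provider in the user's personal store
$storeDump = certutil -user -store My 2>&1
$results['PassportKspCertPresent'] =
    [bool]($storeDump | Select-String 'Microsoft Passport Key Storage Provider')

# 5. Revocation reachability: export each Smart Card Logon cert and verify with URL fetch
$scLogonOid = '1.3.6.1.4.1.311.20.2.2'
$scCerts = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $scLogonOid }
$results['SmartCardLogonCertCount'] = @($scCerts).Count

$revocationOk = $true
foreach ($c in $scCerts) {
    $tmp = Join-Path $env:TEMP ("whfb-{0}.cer" -f $c.Thumbprint)
    [IO.File]::WriteAllBytes($tmp, $c.Export('Cert'))
    $verify = certutil -urlfetch -verify $tmp 2>&1
    Remove-Item $tmp -ErrorAction SilentlyContinue
    if (-not ($verify | Select-String 'Leaf certificate revocation check passed')) {
        $revocationOk = $false
        Write-Warning ("Revocation check did not pass for {0} (issuer {1})" -f $c.Thumbprint, $c.Issuer)
        $verify | Select-String 'ERROR|revocation' | ForEach-Object { Write-Warning $_.Line }
    }
}
$results['RevocationCheckPassed'] = ($revocationOk -and @($scCerts).Count -gt 0)

# 6. Informational: client-side credential delegation policy (Remote Credential Guard)
$delegPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
$deleg = Get-ItemProperty -Path $delegPath -ErrorAction SilentlyContinue
$results['RestrictedRemoteAdministration']     = $deleg.RestrictedRemoteAdministration
$results['RestrictedRemoteAdministrationType'] = $deleg.RestrictedRemoteAdministrationType

# Summary table; any $false in rows 1-5 points at the matching item in the checklist
[PSCustomObject]$results | Format-List
```

Rows 1 and 2 map to the Cloud Kerberos Trust item, row 3 to the Root CA item, rows 4 and 5 to the SCEP enrollment and CRL/OCSP items. A `RevocationCheckPassed` of `$false` with a warning naming the CDP or OCSP URL is the "client can't validate the certificate" case the answer describes; the delegation values in row 6 are reported only so the two behaviours described in the question (with and without credential delegation) can be correlated with the policy actually applied on the client.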

TechExplorer2023 -

I appreciate the breakdown!
1. Yes, it seems like the problem isn't limited to the gateway; even direct RDP is failing with similar issues.
2. I've configured Cloud Kerberos Trust.
3. The Root CA cert is being deployed without issues.
4. It's accessible online, and `certutil urlfetch` confirms that revocation checks are okay.
5. Certificates are provisioning correctly for both hybrid and Entra joined devices via SCEP.
