Hey everyone! I've been trying to set up RDP using Windows Hello for Business (WHfB) on my hybrid domain-joined machine, following Microsoft's official guide. The guide is supposed to lead me through the authentication setup for RDP, but I'm only getting a biometrics prompt instead of being asked for a PIN, which I've read doesn't function properly in this setup. I can't use Credential Guard since my users connect through an RDS gateway, so I'm really stuck here. Has anyone successfully managed to get RDP working with WHfB in this configuration? Thanks!
3 Answers
Have you checked the advanced settings in the RDP client? There's an option called **Use a web account** that could be worth trying!
We managed to get this running smoothly with a Windows 11 client and a Windows 2022 RDP server using web sign-in. Just a heads up: if you consider using Remote Credential Guard, keep in mind that it disables the compound authentication you'll need.
Thanks for the info! Just to confirm, your Windows 11 client was also hybrid domain-joined, right?
Here's a quick breakdown for hybrid-joined machines: when you sign in with WHfB, the device gets a Primary Refresh Token (PRT) from Entra ID. While the PRT can fetch Entra ID tokens, it won't get you a Kerberos Ticket Granting Ticket (TGT) for your on-prem Active Directory. That's likely the reason behind the broken biometric prompt you're seeing.
Tried that just now, but no luck. Thanks for the suggestion!
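As an added example that is not part of any answer above: the following PowerShell checks the join and PRT state that the hybrid-join answer describes (by parsing `dsregcmd /status`) and then writes a minimal `.rdp` file that turns on the same "Use a web account" option mentioned in the first answer, via the `enablerdsaadauth` property. The host name `rdsh01.corp.example.com` and the output path are placeholder assumptions, and the `dsregcmd` field names are taken from what current Windows builds print; any field that is absent is reported as unknown rather than treated as an error.

```powershell
# Added example (not from the thread): inspect device join / PRT state with dsregcmd,
# then write an .rdp file that opts in to web-account (Entra ID) sign-in.
# The host name and output path below are placeholder assumptions.

function Get-DsregState {
    # Parse "Key : Value" lines from dsregcmd /status into a hashtable.
    # Separator/banner lines contain no colon and are skipped; values that
    # themselves contain colons (URLs) are kept whole because the key match is non-greedy.
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(\S[^:]*?)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

$s = Get-DsregState

# Fields of interest: join type, whether an Entra ID PRT exists for this session,
# and (on builds that report it) whether a cloud or on-prem TGT was obtained.
$fields = 'AzureAdJoined', 'DomainJoined', 'AzureAdPrt', 'CloudTgt', 'OnPremTgt'
foreach ($f in $fields) {
    $v = if ($s.ContainsKey($f)) { $s[$f] } else { 'unknown' }
    '{0,-14} {1}' -f $f, $v
}

if ($s['AzureAdJoined'] -eq 'YES' -and $s['DomainJoined'] -eq 'YES') {
    'Device is hybrid joined.'
}
if ($s['AzureAdPrt'] -ne 'YES') {
    Write-Warning 'No Entra ID PRT in this session; web-account sign-in cannot succeed until one is present.'
}

# Minimal .rdp file for a "Use a web account" connection.
# enablerdsaadauth:i:1 is the file-level property behind that client checkbox.
$rdp = @'
full address:s:rdsh01.corp.example.com
enablerdsaadauth:i:1
'@
$path = Join-Path $env:TEMP 'webaccount.rdp'
Set-Content -Path $path -Value $rdp -Encoding ASCII
"Wrote $path; open it with: mstsc `"$path`""
```

Run it in the user's interactive session rather than an elevated or service context, because the PRT is tied to the signed-in user's logon session and `dsregcmd /status` reports the state of the session it runs in.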