Having trouble with RDP using WHfB on a hybrid domain joined machine

Asked By CuriousCactus123 On

Hey everyone! I'm trying to set up RDP authentication using Windows Hello for Business (WHfB) on a hybrid domain joined endpoint, but I'm having some issues. I followed Microsoft's guide precisely, but instead of being prompted to enter a PIN, I'm getting stuck on biometrics, which according to the documentation, shouldn't work for hybrid domain joined machines. I've linked the Microsoft guide [here](https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/rdp-sign-in?tabs=adcs). Has anyone successfully gotten this to work? I also want to mention that I can't use Credential Guard as my users connect through an RDS gateway, which isn't supported. Any tips would be appreciated! Thanks!
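The ADCS path in the linked guide depends on a certificate issued to the user's Windows Hello for Business key that carries the Smart Card Logon EKU; when RDP cannot find one, it falls back to other credential prompts. The following PowerShell is an added diagnostic, not from the thread or from Microsoft's guide, to run on the client as the affected user; it assumes the certificate was enrolled into the user's personal store and that the WHfB key lives in the Microsoft Passport Key Storage Provider.

```powershell
# Added diagnostic (not part of the original thread): list certificates in the
# current user's personal store that carry the Smart Card Logon EKU and report
# whether their private key is held by the Windows Hello for Business KSP.
function Get-WhfbRdpCertificate {
    $smartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'            # Smart Card Logon EKU
    $whfbProvider      = 'Microsoft Passport Key Storage Provider'  # assumed WHfB KSP name

    foreach ($cert in Get-ChildItem -Path Cert:\CurrentUser\My) {
        # EnhancedKeyUsageList is added by the certificate provider; skip certs without the EKU.
        $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        if ($ekus -notcontains $smartCardLogonOid) { continue }

        # Resolve the CNG key storage provider via the RSA private key handle.
        $provider = $null
        try {
            $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($key -is [System.Security.Cryptography.RSACng]) {
                $provider = $key.Key.Provider.Provider
            }
        } catch {
            # No accessible private key (e.g. public-part-only import); leave provider empty.
        }

        [pscustomobject]@{
            Subject   = $cert.Subject
            Issuer    = $cert.Issuer
            NotAfter  = $cert.NotAfter
            Provider  = $provider
            IsWhfbKey = ($provider -eq $whfbProvider)
            IsExpired = ($cert.NotAfter -lt (Get-Date))
        }
    }
}

$results = @(Get-WhfbRdpCertificate)
if ($results.Count -eq 0) {
    Write-Warning 'No Smart Card Logon certificate found in Cert:\CurrentUser\My; enrollment has not completed.'
} else {
    $results | Format-Table -AutoSize
    if (-not ($results | Where-Object { $_.IsWhfbKey -and -not $_.IsExpired })) {
        Write-Warning 'A Smart Card Logon certificate exists, but none is bound to an unexpired WHfB key.'
    }
}
```

A row with IsWhfbKey set to True and IsExpired set to False is the state the guide expects before the PIN prompt will appear; anything else points at enrollment or template issues rather than the RDP client settings.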

4 Answers

Answered By CloudWhiz28 On

For hybrid-joined devices, when signing in with Windows Hello for Business, you receive a Primary Refresh Token (PRT) from Entra ID. However, this token by itself doesn't provide a Kerberos Ticket Granting Ticket (TGT) for your on-premises Active Directory. Without that TGT, RDP to domain resources using WHfB won't work, which explains the biometric prompt you're encountering.

Answered By TechyTom82 On

In the RDP client, you might want to check the advanced tab and make sure the box for **Use a web account** is checked. That might help! Let me know if you try it.

CuriousCactus123 -

Tried that just now, but unfortunately, it's still not working. Thanks for the suggestion!

Answered By ITGuru99 On

Do you have a Group Policy Object (GPO) set for RDP single sign-on with NTLM? If not, that might be the issue.

CuriousCactus123 -

I don't have one. I thought since I’m using WHfB, it wouldn't be necessary?

Answered By NetworkNerd45 On

We managed to make this work with a Windows 11 client and a Windows 2022 RDP server. We used web sign-in, but just a heads up, using Remote Credential Guard means you might lose out on compound authentication.

CuriousCactus123 -

Thanks for the info! Just to confirm, your Windows 11 client was hybrid domain joined, right?
