This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hello!
There is a working model of Windows Hello for Business Hybrid keys, everything works fine! Kerberos via on-premises AD, PRT via Azure AD. But I really want pin-code authorization (SSO) and with RDP to work. Now everything is implemented through the beautiful Azure AD Connector. The main task is to provide WHfB users in the local network, i.e. Hybrid computers.
Question: How do I make the Windows Hello for Business infrastructure correctly without adding extra services (without ADFS)? Who in the local environment should issue clients the certificate (the CA itself)?) and how to configure it correctly?
There is an example of configuring a hybrid environment using ADFS certificates, but the presence of ADFS does not suit: hello-hybrid-cert-whfb-settings-pki
It looks like you need an Azure AD joined scheme based on certificates, but Intune and NDES are used here, and Intune is not available for hybrid computers, and NDES seems redundant hello-hybrid-aadj-sso-cert
For example, if i make a WHFB Authentication certificate template, create a group policy that specifies the requirement to use the certificate in Windows Hello and additionally specifies automatic certificate registration on hybrid clients, but why can't this work? Why does the error occur even when manually creating the "No enterprise sso" certificate, the installation of Azure AD Connect was with the "password synchronization" and "enable single sign-on"parameters? What does "enable single sign-on" mean? SCP in the local AD? Why can't a hybrid client request and get a certificate for WHfB itself? 
The question can probably be considered closed
Windows Hello (Hybrid) + Key + RDP = Windows Defender Remote Credential Guard
This information is modestly mentioned in the article when planning Windows Hello
hello-planning-guide
Need it on every page Windows Hello (Hybrid) Key Trust remind about Windows Defender Remote Credential Guard :)
remote-credential-guard
Many thanks to @Pierre Audonnet - MSFT for his note about assigning rights - You just need regular RDP permissions (or example by being a member of the Remote Desktop Users local group of the target)
you can deploy Hybrid certificate trust without ADFS. But you need Intune and NDES as far as I know.
ADFS act as a Registration authority (RA) and NDES covers that.. however to get you enrolled into WHFB container. you need Intune SCEP connector
Which is defined in setup 11 on below doc
https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert
--> 11. Select Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later) from the Key storage provider (KSP) list.
I don't know if any other way to skip that part without Intune.
Hi!
But if you logically look at the picture - what prevents the Hybrid client from asking for a certificate from the CA itself, giving the public part to Azure, it will write it down and then Azure AD Connector will synchronize with the local msDS-KeyCredentialLink field in AD? As far as I understand, the difference between keys and certificates is in the technology of making certificates (self-signed or certified)? If I'm right, how do I set this up correctly for hybrid?
Smart and competent Microsoft employee can comment on our thoughts? :)
There are different elements on your question.
The enable Single Sign On option in the Azure AD Connect wizard refers to the Seamless Single Sign On feature which as nothing to do with Windows Hello for Business. Ref: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso
The error message you are getting when you try to get your certificate is the because the template has the
msPKI-Private-Key-Flag set with the flag CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY. Which in a nutshell tells that the template can only be asked through the Registration Agent process through ADFS.
Also users on Azure AD Joined machines will always the Key Trust model when authenticating with Azure AD. They can however also request a smartcard certificate (through the Intune connector) if you wich to extend the SSO to on-prem resources. Basically, your users will do some sort of smartcard logon when attempting to reach on-prem resources.
Hello @Pierre Audonnet - MSFT ! Thank you for leaving useful comments as always! :)
Basically, your users will do some sort of smart card logon when attempting to reach on-prem resources.
Yes, I want to!!! (After this local login, then when they try to open an RDP terminal session, they will be able to pass through authorization using a pin code?! - this is the main purpose of certificates)
Azure AD Joined users are a secondary task, the main task is Hybrid Azure AD users.
Maybe ... the best solution is to create NDES and all users (Azure AD Joined (external) and Hybrid Azure AD (local)) via the Internet using Intune to register, issue certificates via an intermediate NDES?!
Is it correct that hybrid devices can simultaneously be managed by both local AD group policies and AAD policies from Intune? No problems registering Windows Hello devices?!
You can use Key Trust and have SSO with RDP connections using the /remoteGuard of mstsc. Ref: https://learn.microsoft.com/en-us/windows/security/identity-protection/remote-credential-guard#remote-credential-guard-requirements
Hello ...
Yes ... I think this is what we need ... and certificates for RDP are not needed ...
Checked, everything works, thank you! But ...
mstsc.exe /remoteGuard
"The user must be part of administrators group." And this spoils the whole festive mood ... Because the terminal servers are accessed by non-super-privileged employees.
And the restriction is more than two years old :'( ... 0c54bc20f0e61006c6e73d0212930d3829770c7a
Of course, many thanks to Microsoft for having @Pierre Audonnet - MSFT (a smart employee)! :)
Thank you for your advices!
But maybe You have more ideas on how to make everything work together: SSO & WHfB Hybrid (Keys) & RDP & Azure AD Connector ?
"The user must be part of administrators group." is incorrect. You just need regular RDP permissions (or example by being a member of the Remote Desktop Users local group of the target).
I have requested an update of the documentation.
Good afternoon!
Everything worked successfully on the server!
Windows Server 2019 Datacenter (OsVersion:10.0.17763, OsBuildNumber:17763)
Clients with Windows 10 20H2 and Windows 10 1809 used mstsc.exe /remoteGuard
But if we use the server
Windows Server 2016 Standard (OsVersion:10.0.14393, OsBuildNumber:14393)
Without local administrator rights, an error occurs! "The requested session access is denied"
p.s. perhaps the problem is unique to our case ...
Thanks for the tip! This is very good news for us!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(217.60000000000002, 36%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESK%3C/text%3E%3C/svg%3E)
So I fought this for the past three years, and 6 months ago or so I found the answer. I don't know why Microsoft feels the need to bury this stuff when its completely unnecessary. Key trust creates a simple key pair, but that private key in TPM(hw) or software can sign CSR's, which is how cert trust is really just an enlightened state of key trust. The problem is for most folks its a pretty ridiculous burden to add all this extra stuff, nevermind how active they are discouraging federation. Anyways your solution template can be found by looking at the code here (https://www.powershellgallery.com/packages/Generate-CertificateRequest/1.0) I have used it to essentially enlighten a .req with the appropriate template (the only reason you cant request certificate with same key in gui mmc is because it has no template on it) and pull directly from CEP/ADCS. Works on a pure AAD device too :). There is the smallest little snippet in the docs that lead me to this, they publish it under the guise of if you have a 3rd party CA, but its just goofy. https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs#using-non-microsoft-enterprise-certificate-authorities
There whole guide on adding a cert to key trust is just garbage too as it just adds a cert to the 'smart card' not in slot 0, so none of the biometric factors work against it, it is never default at auth prompts so you have to tell the user to select there UPN, but only the right one (there will be two that can be unlocked with pin...) and then they can RDP with it. My method supplants the public key in slot 0 and allows for the true upgrade to cert trust without adfs.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(57.599999999999994, 61%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPH%3C/text%3E%3C/svg%3E)
Hello @Sean Kenny ,
and allows for the true upgrade to cert trust without adfs : By this you mean you have configured WHFB certificate trust without ADFS !??
I am working on the same scenario but got stuck in Intune connector error and WH provisioning. I raised the case with MS support from long time and they are saying that ADFS is required for this kind of scenario.
Please share your inputs, it will be helpful. you can check my query on https://learn.microsoft.com/en-us/answers/questions/774887/issue-with-new-intune-certificate-connecotr-instal.html
TIA