Remote Desktop into W10 desktops with Windows Hello 2FA enabled?

JRV 546 Reputation points
2020-07-16T16:51:17.9+00:00

A small company is exploring adding 2FA to their Windows 10 workstations by using Windows Hello, likely with fingerprint readers.

However, they also remote into their office computers via Remote Desktop through a VPN from personal home computers. Most of the home computers are likely Windows 10, but I don't know that all of them are.

Will they be able to install fingerprint readers on their home computers to log on to their office desktops with 2FA?

If someone still has a Windows 7 home computer, will they be left out in the cold?


4 answers

  1. Leon Laude 85,651 Reputation points
    2020-07-16T19:48:44.897+00:00

    Hi,

    Windows Hello with two-factor authentication (2FA) works with Remote Desktop. Users with Windows Hello for Business certificate trust can use their credential to authenticate to remote desktop sessions over RDP. When authenticating to the session, biometric gestures can be used if they are enrolled. For more information and configuration steps see Remote Desktop.

    Reference:
    https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-features#remote-desktop

    Windows Hello does not support Windows 7 clients, so your Windows 10 clients should work fine, as long as they are running build 1703 or later.

    More information here:
    https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-identity-verification

    For the fingerprint readers, you should also check their requirements over here:
    https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/windows-hello-biometric-requirements

    Best regards,
    Leon


  2. Andy YOU 3,071 Reputation points
    2020-07-24T00:39:08.793+00:00

    Hi JeffVandervoort-1145
    "As apparently it can."
    Yes, it can, but your working Win10 computer (at least Win10 1809) in your office needs to be Azure AD joined or Hybrid AD joined; meanwhile you will use the Windows Hello for Business option (not the "Windows Hello" option) to verify domain users' fingerprints. A home computer that is not domain joined remotely accessing a working Win10 computer (at least Win10 1809) by using a fingerprint is possible. I think we need to register these home PCs, like it says below.
    "If you want to use Windows Hello for Business with certificates, you'll need a device registration system. That means that you set up Configuration Manager, Microsoft Intune, or a compatible non-Microsoft MDM system and enable it to enroll devices. This is a prerequisite step to use Windows Hello for Business with certificates, no matter the IDP, because the enrollment system is responsible for provisioning the devices with the necessary certificates."

    Windows Hello for Business
    https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-identity-verification

    Manage Windows Hello for Business in your organization
    https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-manage-in-organization

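    The prerequisites listed in the answer above (Windows 10 1809 or later, Azure AD or Hybrid AD joined, a Windows Hello for Business enrollment with a certificate) can be checked on the office workstation before anyone tries the RDP path. The script below is an added example, not code from the thread or from Microsoft; it assumes it is run as the enrolled user, that build 17763 corresponds to version 1809, and that WHfB private keys are held by the "Microsoft Passport Key Storage Provider" as reported by certutil.

```powershell
# Added readiness check for WHfB-over-RDP prerequisites (not from the thread).
# Assumptions: run as the enrolled user on the office Windows 10 workstation;
# build 17763 == version 1809; WHfB keys live in the Passport KSP.
$MinBuild = 17763

# 1. OS build: the answer above requires at least Windows 10 1809.
$build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
$buildOk = $build -ge $MinBuild
"OS build $build (need >= $MinBuild): $buildOk"

# 2. Join state: dsregcmd /status prints 'Name : YES/NO' lines.
#    Hybrid AD joined means AzureAdJoined and DomainJoined are both YES.
$ds = dsregcmd /status
function Get-DsregValue([string]$name) {
    $line = $ds | Where-Object { $_ -match "^\s*$name\s*:" } | Select-Object -First 1
    if ($line -and $line -match ":\s*(\S+)") { $matches[1] } else { 'UNKNOWN' }
}
$azureJoined  = (Get-DsregValue 'AzureAdJoined') -eq 'YES'
$domainJoined = (Get-DsregValue 'DomainJoined')  -eq 'YES'
$ngcSet       = (Get-DsregValue 'NgcSet')        -eq 'YES'   # WHfB key enrolled for this user
"Azure AD joined: $azureJoined  Domain joined: $domainJoined  Hybrid: $($azureJoined -and $domainJoined)"
"WHfB key enrolled (NgcSet): $ngcSet"

# 3. Certificate trust: find user certificates whose private key is held by the
#    Passport KSP. certutil prints a 'Provider = ...' line per certificate.
$store = certutil -user -store My
$passportCerts = 0
foreach ($line in $store) {
    if ($line -match '^\s*Provider\s*=\s*Microsoft Passport Key Storage Provider') { $passportCerts++ }
}
"Certificates backed by the Passport KSP: $passportCerts"

# Summary: all three must hold before RDP with Windows Hello will work.
$ready = $buildOk -and $azureJoined -and $ngcSet -and ($passportCerts -gt 0)
"Ready for WHfB certificate-trust RDP: $ready"
```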

  3. testuser7 271 Reputation points
    2021-11-18T19:38:33.46+00:00

    Hello @JRV @Leon Laude @Andy YOU ,

    I have a basic question. We know that

    "Users with Windows Hello for Business certificate trust can use their credential to authenticate to remote desktop sessions over RDP."
    The simple English interpretation of this line is:

    the server where I want to open the session with RDP is NOT storing my public/private key or my biometric/PIN;
    basically, this remote server's TPM chip is NOT used;
    my local computer is where I have enrolled for WHfB.

    So just like I unlock my local computer using this WHfB credential by signing the nonce and sending it to the KDC, similarly when I open the RDP client to log into the remote server, my local computer will send the signed nonce and the certificate issued by the enterprise CA.

    The RDP service will validate the nonce, open the Windows session for me, and establish my TGT in that Windows session.
    Now if I hit any Kerberized service in the browser in this Windows session, this TGT would be helpful for SSO.

    Am I correct in my understanding ?

    Thanks.


  4. JRV 546 Reputation points
    2020-07-17T19:17:32.38+00:00

    Thanks, Leon. Do the home computers need to be domain members for this to work? (They are not domain members.)