Windows Hello for Business and Azure Virtual Desktop / VDI

Tom James 6 Reputation points
2022-09-21T15:21:17.55+00:00

Hi All,

We recently implemented the Microsoft Cloud Hybrid Trust method for Windows Hello for Business; this has left our AAD joined machines able to access on-premise shares, SQL servers etc. using their Windows PIN.

The final hurdle for us is to get PIN working with Remote Desktop (Universal Windows Application, not MSTSC); however, it doesn't seem very simple.

We have a functioning PKI with a publicly accessible CRL. We have IIS and NDES configured and working so Intune can push out certificates as requested, but here lies the problem:

We created the certificate on our CA as per the instructions from Microsoft (https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs) but whenever Intune runs, our CA issues IPSec (Offline) and not the WHfBCertificateAuthentication certificate.

Has anyone got any ideas, as I'm pulling my hair out now!


3 answers

  1. JimmySalian-2011 42,511 Reputation points
    2022-09-21T15:37:27.277+00:00

    Hi Tom,

    What is the enrollment policy for the devices? Which option are you using to request the certs: is it Intune or manual? If the IPSec Cert is not required you can set the permissions to deny for autoenroll.

    ==
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  2. Tom James 6 Reputation points
    2022-09-22T13:24:19.293+00:00

    To give an update - it's still not working but we have tried:

    • Removed IPSec (Offline) from a certificate that can be published
    • Removed permissions for the above certificate to be enrolled
    • Set the WHfB certificate to supersede the above certificate
    • Redid the Intune SCEP profile
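
    The steps listed above all act on the CA side (template permissions, supersedence, the Intune SCEP profile). The other place an IPSec (Offline) default lives is the NDES server itself: NDES maps incoming SCEP requests to certificate templates through three registry values, and all three ship pointing at the IPSECIntermediateOffline template. The following PowerShell is an added diagnostic written for this thread, not code from any poster or from Microsoft; it assumes it is run elevated on the NDES server, that the MSCEP key below is where NDES reads its mapping from, and that WHfBCertificateAuthentication is the template's name (not just its display name).

```powershell
# Added diagnostic for this thread; not code from any poster or from Microsoft.
# Assumptions: elevated PowerShell on the NDES server; the MSCEP key is where NDES
# reads its template mapping; the expected template name is taken from the question.
$NdesKey          = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
$ExpectedTemplate = 'WHfBCertificateAuthentication'   # template NAME from the question (assumed equal to its display name)
$NdesDefault      = 'IPSECIntermediateOffline'        # NDES default; appears at the CA as "IPSec (Offline request)"

function Get-NdesTemplateMapping {
    param([string]$Path = $NdesKey)

    if (-not (Test-Path -Path $Path)) {
        throw "NDES key '$Path' not found. Run this on the NDES server, not on the CA."
    }
    $props = Get-ItemProperty -Path $Path

    # NDES consults one of these three values depending on the key usage the SCEP
    # profile requests: signature only, encryption only, or both (general purpose).
    foreach ($purpose in 'SignatureTemplate', 'EncryptionTemplate', 'GeneralPurposeTemplate') {
        $template = $props.$purpose
        [pscustomobject]@{
            Purpose      = $purpose
            Template     = $template
            StillDefault = ($template -eq $NdesDefault)
            MatchesWHfB  = ($template -eq $ExpectedTemplate)
        }
    }
}

$mapping = Get-NdesTemplateMapping
$mapping | Format-Table -AutoSize

$stale = @($mapping | Where-Object { $_.StillDefault })
if ($stale.Count -gt 0) {
    foreach ($s in $stale) {
        Write-Warning ("{0} still points at '{1}'; SCEP requests routed there are issued from IPSec (Offline request)." -f $s.Purpose, $NdesDefault)
    }
    # A WHfB profile that asks for both digital signature and key encipherment is routed
    # through GeneralPurposeTemplate, so that is the value to repoint in the usual case.
    Write-Host "Remediation (as an NDES admin; recycle IIS afterwards so NDES re-reads the key):"
    Write-Host "  Set-ItemProperty -Path '$NdesKey' -Name GeneralPurposeTemplate -Value '$ExpectedTemplate'"
    Write-Host "  iisreset"
}
elseif (-not ($mapping | Where-Object { $_.MatchesWHfB })) {
    Write-Warning "No NDES purpose maps to '$ExpectedTemplate'; check the template name (not its display name) and that the CA publishes it."
}
```

    Two things to keep in mind when reading the output: the registry values hold the template's internal name, which can differ from the display name shown in the Certificate Templates console, and NDES caches the mapping, so a change is only picked up after IIS is recycled. The NDES service account also needs Read and Enroll on the WHfB template; removing enroll permissions from the IPSec template (as tried above) does not by itself make NDES choose a different one.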

  3. Thomas 0 Reputation points
    2024-07-18T05:47:16.3366667+00:00

    Hi there,

    Nearly 2 years later and no solution? I would also be interested in a solution for this topic.

