RDP into Azure VM

Question

RDP into Azure VM

testuser7 286

Hello,

one basic Q. I have put the screen shot of my Azure-AD joined VM's login screen.

As you guess, I can easily get into VM by putting my AAD username and password.

Instead of that, if I want to do WHfB authentication, can I do it from login screen ??

If yes, how to get the WHfB tile on login screen so that once clicked, through hardware redirection I finish the authentication on my physical laptop which is also with the same tenant. ??

I tried to turn ON WHfB credential provider GUIDs in registry but it did not help.

User's image

Thanks.

Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator

2024-03-04T09:18:45.2133333+00:00

@testuser7 Thank you for reaching out to us, As I understand you are looking for WHFB option to login to Azure VM via RDP.

You can use Windows Hello for Business to sign in to a remote desktop session, using the redirected smart card capabilities of the Remote Desktop Protocol (RDP), more details related to this deployment can be found here - https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/rdp-sign-in?tabs=intune

Reference: https://www.youtube.com/watch?v=KS3cevyb_ws

Also, came across this post - https://medium.com/@ravibak/passwordless-rdp-to-azure-vms-bea798d5c1b7 while searching for your requirement, in this blog instead of WHFB Microsoft Authenticator as the Passwordless approach has been used to login to Azure VM - ignore this if this doesnt fits your requirement.

Let me know if you have any further questions, feel free to post back.
testuser7 286 Reputation points

2024-03-04T13:12:40.2933333+00:00

I am sorry @Givary-MSFT but your answer did NOT help atall.

I am not asking how to enroll into WHfB and how to authenticate with various trust model. I am asking a very SIMPLE question. All I wanted to know is, have you even seen or have you ever put WHfB tile on the windows login screen of VM ???

If yes, how did you do it ??

1 answer

Your answer

Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator

2024-03-04T09:18:45.2133333+00:00

@testuser7 Thank you for reaching out to us, As I understand you are looking for WHFB option to login to Azure VM via RDP.

You can use Windows Hello for Business to sign in to a remote desktop session, using the redirected smart card capabilities of the Remote Desktop Protocol (RDP), more details related to this deployment can be found here - https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/rdp-sign-in?tabs=intune

Reference: https://www.youtube.com/watch?v=KS3cevyb_ws

Also, came across this post - https://medium.com/@ravibak/passwordless-rdp-to-azure-vms-bea798d5c1b7 while searching for your requirement, in this blog instead of WHFB Microsoft Authenticator as the Passwordless approach has been used to login to Azure VM - ignore this if this doesnt fits your requirement.

Let me know if you have any further questions, feel free to post back.
testuser7 286 Reputation points

2024-03-04T13:12:40.2933333+00:00

I am sorry @Givary-MSFT but your answer did NOT help atall.

I am not asking how to enroll into WHfB and how to authenticate with various trust model. I am asking a very SIMPLE question. All I wanted to know is, have you even seen or have you ever put WHfB tile on the windows login screen of VM ???

If yes, how did you do it ??

Answer 1

Nagappan Veerappan 651 Microsoft Employee

@testuser7 Hope you are doing well. It is a good question.

WHFB is not available over RDP lock screen of the remote VM. no way to show the tile on your lock screen. Sorry, Its only available to the local login of the VM (aka console login) for security reasons.

Then how can we use passwordless authentication over RDP from your base machine?.

you can split your base machine to category

A) Hybrid Entra id joined (Domain joined + Entra Joined)

use host machine authentication via smart card redirection capability to your VM
(complex to setup )
https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/rdp-sign-in?tabs=intune
Enable credential guard
https://learn.microsoft.com/en-us/windows/security/identity-protection/remote-credential-guard?tabs=intune

B) Entra joined base machine

if recent release of windows . like win 11 no additional config required.

otherwise review the doc to make necessary changes to connect https://learn.microsoft.com/en-us/windows/client-management/client-tools/connect-to-remote-aadj-pc Hope this helps. Please let me know if any further questions. -Nagappan

testuser7 286 Reputation points

2024-03-04T20:06:56.9766667+00:00

Excellent @Nagappan Veerappan This is exactly I wanted to confirm from MS

So the only follow up that I can think of is, if I spin up a VM in Azure with vTPM (virtual TPM) , can I enroll into Windows-hello right form VM and configure VM to use the attached vTPM for key-creation ??

If yes, then there is NO dependency on physical laptop and secondly in this case probably I need WHfB tile on the login screen of VM
Nagappan Veerappan 651 Reputation points Microsoft Employee

2024-03-05T16:49:52.9533333+00:00

Yes, you can use vTPM. but setup WHFB policy "Not to demand hardware security device or TPM" to store the WHFB keys.

Then you would be able meet WHFB Pre-req on the VM. once you successfully configure WHFB and then you lock the screen. you will see Password and PIN on the local login session for you to unlock (not the RDP).
testuser7 286 Reputation points

2024-03-05T22:20:58.2833333+00:00

This is great @Nagappan Veerappan !!!

So once I meet the WHFB Pre-req on the VM, I can see PIN on the local login session. So basically I use RDP to get upto the VM's lock screen but then I will perform local WHfB authentication with vTPM

Can you point me the doc where I find more around vTPM configuration as I did not find where to set WHfB policy "Not to demand hardware security device or TPM"

And secondly, PIN based authentication looks straight forward. However, can I do finger-print based authentication ?? Of course now I need help of physical device where I will have FP-sensor. Is it a feasible design with vTPM based WHfB ??
testuser7 286 Reputation points

2024-03-08T14:09:12.28+00:00

Hi @Nagappan Veerappan Any update before we close this thread as satisfactorily answered ?
Nagappan Veerappan 651 Reputation points Microsoft Employee

2024-03-08T16:57:34.1333333+00:00

Yes, you can find the below settings doc. there is no dedicated doc for setting up on VM. you simply turn off this one settings at the policy. you would be left with PIN login for those VMs with vTPM. Yes , finger print /Bio you need hardware. you won't be able to use that on a VM.

https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/policy-settings?tabs=feature#use-a-hardware-security-device
testuser7 286 Reputation points

2024-03-08T18:01:10.07+00:00

Sounds good !!! @Nagappan Veerappan just one thing. Do you know the actual registry setting for this CSP ./Device/Vendor/MSFT/PassportForWork/{TenantId}/Policies/RequireSecurityDevice

I want to directly update the registry and not wait for Intune.

Thanks.
Nagappan Veerappan 651 Reputation points Microsoft Employee

2024-03-08T18:15:25.0933333+00:00

you can find at the below registry path if its Intune

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork<TenantID>\Device\Policies
Dword - RequireSecurityDevice -value 1 or 0

1 -for physical device with TPM

0- for VMs
Nagappan Veerappan 651 Reputation points Microsoft Employee

2024-03-08T18:15:54.1933333+00:00

you can find at the below registry path if its Intune

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork<TenantID>\Device\Policies Dword - RequireSecurityDevice -value 1 or 0

1 -for physical device with TPM

0- for VMs
testuser7 286 Reputation points

2024-03-08T18:31:41.64+00:00

Got it. Thanks @Nagappan Veerappan Let me try it out.
testuser7 286 Reputation points

2024-03-11T14:52:33.8+00:00

No @Nagappan Veerappan I guess you are wrong.

I could not see Windows-Hello tile even after I updated the registry of VM at Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork\RequireSecurityDevice to zero

This VM is spun up with vTPM
Nagappan Veerappan 651 Reputation points Microsoft Employee

2024-03-11T14:58:44.19+00:00

The settings , I gave is only a piece related to security hardware.
If you need to deploy WHFB to the VM. please follow our deployment doc

https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/deploy/cloud-only?tabs=intune

For pre-req and license requirements. please check the below doc

https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/deploy/
testuser7 286 Reputation points

2024-03-11T15:09:47.54+00:00

@Nagappan Veerappan I have gone through these docs several times and stood up the physical env too.

But now we are specifically focusing VM and vTPM

From VM--> settings --> signin options, I just want to see the menu items as shown below. However, that itself is missing.
Nagappan Veerappan 651 Reputation points Microsoft Employee

2024-03-11T16:17:38.72+00:00

dsregcmd is your great friend to check what pre-requisites you are missing to see those options. check the below doc

You may not be meeting the requirements to configure the WHFB. post provision WHFB PIN. you will see that available in you VMs.

https://learn.microsoft.com/en-us/entra/identity/devices/troubleshoot-device-dsregcmd#ngc-prerequisites-check
testuser7 286 Reputation points

2024-03-12T17:03:39.88+00:00

Hi @Nagappan Veerappan

I checked dsregcmd either on this VM after login with my AAD-account. Everything looks clean. This is pure AAD join device.

Still can not see PIN menu on Settings.

Tried to turn it ON from registry as shown below and can not modify registry though I am ADMIN of the VM

Share via

RDP into Azure VM

1 answer

Your answer