Windows 10 Remote Desktop With Pin


Nov 08, 2018: My system is set up to logon with Windows PIN and Fingerprint and I am able to logon and unlock successfully with either PIN or Fingerprint. Prior to upgrading to 1809, whenever I was presented with the 'Windows Security' dialog (like when opening remote desktop) I had both the PIN and Fingerprint options along with the password when I selected.

Mar 26, 2021: To set up a remote desktop in Windows 10, go to Settings > System > Remote Desktop. Then turn on the slider for Enable Remote Desktop. Next, search Settings for "Allow an app through Windows firewall" and enable the Remote Desktop app for Private and Public.

Remote Desktop Using Pin

Requirements

  • Windows 10
  • Cloud only, Hybrid, and On-premises only Windows Hello for Business deployments
  • Azure AD joined, Hybrid Azure AD joined, and Enterprise joined devices

Windows Hello for Business supports using a certificate deployed to a Windows Hello for Business container as a supplied credential to establish a remote desktop connection to a server or another device. This functionality is not supported for key trust deployments. This feature takes advantage of the redirected smart card capabilities of the remote desktop protocol. Windows Hello for Business key trust can be used with Windows Defender Remote Credential Guard.

Microsoft continues to investigate supporting key trust for supplied credentials in a future release.

Remote Desktop with Biometrics

Requirements

  • Cloud only, Hybrid, and On-premises only Windows Hello for Business deployments
  • Azure AD joined, Hybrid Azure AD joined, and Enterprise joined devices
  • Biometric enrollments
  • Windows 10, version 1809

Users on earlier versions of Windows 10 could connect to a remote desktop using Windows Hello for Business but were limited to using their PIN as their authentication gesture. Windows 10, version 1809 introduces the ability for users to authenticate to a remote desktop session using their Windows Hello for Business biometric gesture. The feature is on by default, so your users can take advantage of it as soon as they upgrade to Windows 10, version 1809.

How does it work

Windows generates and stores cryptographic keys using a software component called a key storage provider (KSP). Software-based keys are created and stored using the Microsoft Software Key Storage Provider. Smart card keys are created and stored using the Microsoft Smart Card Key Storage Provider. Keys created and protected by Windows Hello for Business are created and stored using the Microsoft Passport Key Storage Provider.

A certificate on a smart card starts with creating an asymmetric key pair using the Microsoft Smart Card KSP. Windows requests a certificate based on the key pair from your enterprise's issuing certificate authority, which returns a certificate that is stored in the user's Personal certificate store. The private key remains on the smart card and the public key is stored with the certificate. Metadata on the certificate (and the key) stores the key storage provider used to create the key (remember the certificate contains the public key).

The same concept applies to Windows Hello for Business, except that the keys are created using the Microsoft Passport KSP and the user's private key remains protected by the device's security module (TPM) and the user's gesture (PIN/biometric). The certificate APIs hide this complexity. When an application uses a certificate, the certificate APIs locate the keys using the saved key storage provider. The saved key storage provider tells the certificate APIs which provider to use to find the private key associated with the certificate. This is how Windows knows you have a smart card certificate without the smart card inserted (and prompts you to insert the smart card).
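The provider recorded with each certificate can be inventoried to see which credentials are backed by Windows Hello for Business, a smart card, or a software key. The PowerShell below is an added example, not code from the original page or from Microsoft: it parses text in the layout printed by `certutil -user -store My` and labels each certificate by its recorded KSP. The function name `Get-CertKspInventory`, the sample subjects, and the English field labels (`Subject:`, `Provider =`) are assumptions; certutil output is localized.

```powershell
# Added example. Maps the provider recorded with each certificate to the
# credential type it implies, using the three KSP names from the text above.
$KspKind = @{
    'Microsoft Passport Key Storage Provider'   = 'Windows Hello for Business'
    'Microsoft Smart Card Key Storage Provider' = 'Smart card'
    'Microsoft Software Key Storage Provider'   = 'Software key'
}

function Get-CertKspInventory {   # hypothetical helper name
    param([Parameter(Mandatory)][string[]]$CertutilLines)

    $records = [System.Collections.Generic.List[object]]::new()
    $current = $null
    foreach ($line in $CertutilLines) {
        if ($line -match '^=+ Certificate \d+ =+') {
            # Banner line: start a new record; no provider seen yet.
            $current = [pscustomobject]@{ Subject = $null; Provider = $null; Kind = 'No provider recorded' }
            $records.Add($current)
        } elseif ($null -eq $current) {
            continue   # ignore anything before the first banner
        } elseif ($line -match '^Subject:\s*(.+)$') {
            $current.Subject = $Matches[1].Trim()
        } elseif ($line -match '^\s*Provider\s*=\s*(.+)$') {
            $current.Provider = $Matches[1].Trim()
            $current.Kind = if ($KspKind.ContainsKey($current.Provider)) {
                $KspKind[$current.Provider]
            } else { 'Other provider' }
        }
    }
    $records
}

# Constructed sample modelled on `certutil -user -store My` text output;
# the subjects are placeholders, not real certificates.
$sample = @'
================ Certificate 0 ================
Subject: CN=alice@example.test
  Provider = Microsoft Passport Key Storage Provider
================ Certificate 1 ================
Subject: CN=alice-vpn@example.test
  Provider = Microsoft Software Key Storage Provider
================ Certificate 2 ================
Subject: CN=Example Issuing CA
'@ -split "`r?`n"

Get-CertKspInventory -CertutilLines $sample | Format-Table Subject, Kind, Provider
```

On a live machine, pass the lines returned by `certutil -user -store My` in place of `$sample`.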

Windows Hello for Business emulates a smart card for application compatibility. Versions of Windows 10 prior to version 1809 redirected private key access for Windows Hello for Business certificates to the emulated smart card through the Microsoft Smart Card KSP, which let the user provide their PIN. Windows 10, version 1809 no longer redirects private key access for Windows Hello for Business certificates to the Microsoft Smart Card KSP; it continues using the Microsoft Passport KSP. The Microsoft Passport KSP enables Windows 10 to prompt the user for their biometric gesture or PIN.

Compatibility

Users appreciate the convenience of biometrics and administrators value the security; however, you may experience compatibility issues with your applications and Windows Hello for Business certificates. A Group Policy setting and an MDM URI exist to help you revert to the previous behavior for those users who need it.

Important

The remote desktop with biometrics feature does not work with the Dual Enrollment feature or in scenarios where the user provides alternative credentials. Microsoft continues to investigate supporting the feature.

Install Citrix Workspace

1. From the Citrix website (https://www.citrix.com/downloads/workspace-app/windows/workspace-app-for-windows-latest.html ),
2. When prompted, click Run. If you are only prompted to download, install the application after saving the file.
3. Follow the on-screen directions for Citrix Workspace to complete the installation.

Remote Access from Windows 10 using Internet Explorer (steps are similar for using Google Chrome, images may be different)

1. Insert your Common Access Card (CAC) into the reader and navigate to:

  • West Users: https://mydesktopwest.nga.mil/
  • All Users: https://mydesktop.nga.mil

2. If you have been migrated to the PIV certificate, select it. If you have not been migrated, select the Email Certificate to log in to the storefront. NOTE: You may be prompted to enter your PIN multiple times.

3. Next, select the Desktop icon to launch the Citrix session. Please note that a file may appear at the bottom of your browser (similar to a downloaded file) that would need to be opened to access the remote session.

4. Once the Citrix session launches, you will be prompted to select a certificate again. You will have to select between the multiple smart card options. If you have been migrated to the PIV certificate, select it. If you have not been migrated, select the ID certificate. ***For the PIV cert it will be a 16-digit number followed by @mil***

If you receive the error message 'The smart card cannot perform the requested operation' or 'The operation requires a different smart card', please complete Step 1 – Setting Up Your CAC Reader again. If this does not fix the issue, please contact the Enterprise Service Center (800) 455-0899 ext 75555.

When you are prompted to select a certificate, select the PIV certificate if you have been migrated to it. If you have not been migrated, please select the other certificate.

5. To end your session, select Ctrl+Alt+Del from the drop-down menu and sign out.

Clearing Browser Cache:

Microsoft Internet Explorer

  1. Open Internet Explorer.
  2. Click Tools (Alt + X)
  3. Select Internet Options.
  4. On the General tab, under Browsing History, select Settings.
  5. Select View Files.
  6. Select all files using Ctrl + A, and press Delete on your keyboard.
  7. Close out the browser completely and then reopen.

Google Chrome

  1. Open Chrome.
  2. Select Menu (three vertical dots on upper right side).
  3. Click More Tools.
  4. Click Clear Browsing Data.
  5. On the Basic tab, change the Time range to 'All time' and check all available boxes.
  6. Select Clear Data.

Clearing Browser SSL State:

Microsoft Internet Explorer

  1. Click 'Tools'.
  2. Click the Content tab.
  3. Click Clear SSL state, and then click OK.

Google Chrome

  1. Click the Settings icon, and then click Settings.
  2. Click Show advanced settings.
    • Under Network, click Change proxy settings. The Internet Properties dialog box appears.
  3. Click the Content tab.
  4. Click Clear SSL state, and then click OK.

Support

Recommended CAC reader hardware:

  • SCR3310v2.0
  • uTrust SmartFold SCR3500
  • OMNIKEY 312
  • OMNIKEY 3021
  • F1DN005U
  • F1DN008U



