Certificate Based Authentication for RDP
You can use SCEPman to issue Smart Card Logon certificates to your users. By enrolling them in Windows Hello for Business (Microsoft Passport Key Storage Provider) they can use these certificates to authenticate to on-premises resources using their Hello PIN or biometric options.
This allows users, for example, to connect to other clients over the Remote Desktop Protocol (RDP) using their Windows Hello for Business credentials.
Setup Active Directory
Requirements
SCEPman's CA certificate must be published in the NTAuth store to authenticate users to Active Directory
Domain Controllers need to have a domain controller certificate to authenticate smartcard users
Domain Controllers and target machines need to trust SCEPman's Root CA
Follow our guide on Domain Controller certificates to publish the SCEPman Root CA certificate to the NTAuth store and issue certificates to your domain controllers:
Domain Controller Certificates
You can create a Group Policy Object to handle the distribution of the root certificate to the involved machines: To distribute certificates to client computers by using Group Policy
The certificate needs to be deployed to all Domain Controllers handling the authentications and all target machines that users want to connect to using this method.
Please be aware that once SCEPman's root certificate is published in the NTAuth store, users who can influence the content of certificates issued by SCEPman (e.g. Intune administrators) are able to impersonate any Active Directory principal.
Deploy the Smart Card Certificates using Intune
Trusted Certificate Profile
Your clients will need to trust the root certificate of SCEPman.
If you already use SCEPman to deploy certificates to your clients you will already have this profile in place.
Smart Card Certificate
Create a profile for Windows 10 and later with type SCEP certificate in Microsoft Intune and configure the profile as described:
Use Windows Hello for Business to connect to remote hosts
With the certificate deployed to the authenticating client, just connect to the remote host and select the configured Windows Hello for Business credential provider.
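As an added example (not from the SCEPman documentation), the following PowerShell script checks the prerequisites from this page on a domain-joined target host: the Root CA is trusted by the machine, it is published in NTAuth, and the signed-in user holds a Smart Card Logon certificate whose key lives in the Microsoft Passport Key Storage Provider. `$RootThumbprint` is a placeholder for your SCEPman Root CA thumbprint; the NTAuth check reads the locally cached copy of the enterprise store, so it reflects Active Directory only after a Group Policy or autoenrollment refresh.

```powershell
# Added verification script, not part of the SCEPman documentation.
# Run in an elevated shell on a domain-joined target host as the signed-in user.
# $RootThumbprint is a placeholder: the SHA-1 thumbprint of your SCEPman Root CA.
param(
    [Parameter(Mandatory = $true)] [string] $RootThumbprint
)
$RootThumbprint = ($RootThumbprint.ToUpperInvariant() -replace '[^0-9A-F]', '')

function Test-RootTrusted {
    # Requirement: target machines and DCs trust the SCEPman Root CA.
    # Looks in the machine's Trusted Root store (normally filled by the GPO).
    [bool] (Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $RootThumbprint)
}

function Test-RootInNTAuth {
    # Requirement: the Root CA is published in the enterprise NTAuth store.
    # Reads the local cache that autoenrollment / Group Policy refreshes from AD
    # (force a refresh with: certutil -pulse).
    $cache = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates'
    Test-Path -Path (Join-Path $cache $RootThumbprint)
}

function Get-HelloSmartCardLogonCert {
    # The user certificate must carry the Smart Card Logon EKU and its private key
    # must be held by the Windows Hello for Business (Microsoft Passport) KSP.
    $smartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'
    $passportKsp = 'Microsoft Passport Key Storage Provider'
    foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
        if (-not $cert.HasPrivateKey) { continue }
        $eku = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        if (-not $eku -or -not ($eku.EnhancedKeyUsages.Value -contains $smartCardLogonOid)) { continue }
        # Resolve the CNG key behind the certificate (RSA first, then ECDSA) to read its provider.
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if (-not $key) { $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert) }
        $isCng = ($key -is [System.Security.Cryptography.RSACng]) -or ($key -is [System.Security.Cryptography.ECDsaCng])
        if ($isCng -and $key.Key.Provider.Provider -eq $passportKsp) { $cert }
    }
}

# Summary: all three must be satisfied before the Hello credential provider can work for RDP.
[pscustomobject] @{
    RootTrusted         = Test-RootTrusted
    RootInNTAuth        = Test-RootInNTAuth
    HelloSmartCardCerts = @(Get-HelloSmartCardLogonCert | Select-Object -ExpandProperty Subject)
}
```

The domain controller certificate from the guide above is not checked here; `certutil -viewstore -enterprise NTAuth` on the DC shows the published NTAuth contents directly, without relying on the local cache.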