Disable Windows Hello for RDP remote credentials prompt

Aaron Halbert 120 Reputation points

Our organization recently implemented Windows Hello for Business. We now use WHfB to log in to our local machines. When we use RDP to connect to a remote server, it prompts us for Windows Hello credentials (PIN, Security Key, etc.), but we do NOT want this. We have to select "More choices" and then select username/password authentication, every single time we connect to servers. Hundreds of times a day for some people. It's extremely frustrating.

How can we disable Windows Hello from being the default option for RDP credentials prompts but still use Windows Hello to sign in to our client machines?

Other threads have been posted for this same issue, but are now closed. The answers either did not work, or were out-of-touch, offering solutions that do not address the question that was asked.


2 answers

  1. Joellen M Moyer 0 Reputation points

    This works for me:

    "Put microsoftaccount \ as a username followed by username @ keyman<.>com, domain\username works as well."

    And the article I pulled it from has a screenshot of how it should look:

    https://learn.microsoft.com/en-us/answers/questions/849332/how-to-disable-windows-hello-in-an-rdp-app

    1. Aaron Halbert 120 Reputation points

      microsoftaccount******@domain.com only works once. The next time I go to connect, it uses DOMAIN\username and I get the PIN prompt again. This is actually more cumbersome than the current behavior for me.

    2. Joellen M Moyer 0 Reputation points

      I saved my RDP connection to my desktop with the new username so that it uses it each time I reuse the desktop shortcut.

    3. Aaron Halbert 120 Reputation points

      Edit: see other comment

    4. Aaron Halbert 120 Reputation points

      That particular flavor isn't viable when you need to connect to hundreds of remote machines, but... You can actually use this workaround in RDCMan by editing the Default Group settings and setting your account to microsoftaccount******@domain.com.

      Thanks Joellen!!

      However, Microsoft, please still fix the original issue. This is an extremely obscure workaround.

    5. Tim English 0 Reputation points

      No matter my combination, the Microsoft Hello behavior kicks in when the RDP file username matches my logged in account.

      With the username and domain (but not the password) in my RDP file
      I will be presented with the MS Hello, but
      I can click on More Choices, and
      then click on the domain\userid, and
      then it will switch to password entry.
      (at least for now!)

      A few extra clicks, but better than typing my username all of the time.
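
The saved-shortcut workaround from the comments above, scaled to a list of servers: this is an added example, not code posted by anyone in the thread. The function name `New-RdpFileSet`, the host names and the `<user>`/`<domain>` placeholders are assumptions; the script writes one `.rdp` file per host with the username pre-filled and never stores a password.

```powershell
# Added example (not from the thread): one .rdp shortcut per server,
# username pre-filled, no password written to disk.
function New-RdpFileSet {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [string]   $UserName,        # form described in the thread
        [Parameter(Mandatory)] [string]   $OutputDirectory
    )

    # A line break in the username would let it add extra .rdp settings.
    if ($UserName -match '[\r\n]') {
        throw 'UserName must be a single line.'
    }
    if (-not (Test-Path -LiteralPath $OutputDirectory)) {
        New-Item -ItemType Directory -Path $OutputDirectory | Out-Null
    }

    foreach ($name in $ComputerName) {
        # Accept only plain host names / FQDNs so a list entry cannot
        # carry path characters or extra settings into the file.
        if ($name -notmatch '^[A-Za-z0-9]([A-Za-z0-9.-]{0,253}[A-Za-z0-9])?$') {
            Write-Warning "Skipping invalid host name: '$name'"
            continue
        }

        $lines = @(
            "full address:s:$name"
            "username:s:$UserName"
            "prompt for credentials:i:1"   # prompt even if credentials were saved earlier
        )
        $path = Join-Path $OutputDirectory "$name.rdp"
        # mstsc reads UTF-16 .rdp files; -Encoding Unicode writes UTF-16LE.
        Set-Content -LiteralPath $path -Value $lines -Encoding Unicode
        Get-Item -LiteralPath $path      # emit the created file to the pipeline
    }
}

# Constructed sample input; the last entry is deliberately invalid and is skipped.
$servers = 'srv-app01.example.test', 'srv-db01.example.test', 'bad name;x'
New-RdpFileSet -ComputerName $servers `
               -UserName 'microsoftaccount\<user>@<domain>' `
               -OutputDirectory (Join-Path $env:TEMP 'rdp-shortcuts')
```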


  2. Limitless Technology 45,241 Reputation points
    Hi,
    
    I'd be happy to help you out with your question. Sorry for the inconvenience caused.
    
    To address this issue while still using Windows Hello for logging into local machines, you can follow these steps:
    
    1. Press the Windows Key + R on your keyboard to open the Run dialog box.
    
    2. Type "gpedit.msc" into the Run dialog box and press Enter. This will open the Local Group Policy Editor.
    
    3. In the Local Group Policy Editor window, navigate to the following path:
    

    Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Connection Client

    
    4. On the right-hand side of the window, locate the policy named "Do not allow passwords to be saved" and double-click on it.
    
    5. In the policy settings window, select the "Enabled" option and click OK to save the changes.
    
    6. If you're using a Windows Home edition that doesn't include the Local Group Policy Editor, you can use the Registry Editor instead. Press the Windows Key + R, type "regedit," and press Enter to open the Registry Editor.
    
    7. In the Registry Editor window, navigate to the following path:
    

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services

    
    8. Right-click on the "Terminal Services" key in the left-hand pane, select New, and choose Key. Name the new key "Client" (without quotes).
    
    9. With the "Client" key selected, right-click on the right-hand pane, select New, and choose DWORD (32-bit) Value. Name the new value "DisablePasswordSaving" (without quotes).
    
    10. Double-click on the "DisablePasswordSaving" value and set its data to "1." Click OK to save the changes.
    
    11. Close the Registry Editor.
    
    By following these steps, the default credential prompt for RDP connections should now be username/password authentication, and Windows Hello should no longer be the default option. Please keep in mind that modifying Group Policy or Registry settings should be done carefully, and it's advisable to create a backup or restore point before making any changes. Note that these steps may not be applicable in certain Windows editions or versions.
    
    If you have any other questions or need assistance with anything, please don't hesitate to let me know. I'm here to help.
     
    If the reply was helpful, please don’t forget to upvote or accept as answer, thank you.
    
    1. Aaron Halbert 120 Reputation points

      I appreciate the response, but this did not work for me. I set the local group policy you mentioned to Enabled, then tried connecting to a remote machine and it still prompted me for PIN.

      I opened regedit and navigated to that key and verified that setting the group policy inserted that key with a value of 1. I made sure the key persisted after a reboot, too, but still same result.

      Edition Windows 11 Enterprise

      Version 22H2

      Installed on 3/21/2023

      OS build 22621.1702

      Experience Windows Feature Experience Pack 1000.22641.1000.0

    2. Aaron Halbert 120 Reputation points

      Edit: oops, double post.

    3. Aaron Halbert 120 Reputation points

      Update: it randomly started working correctly for everyone in my organization this morning (RDP prompting for password instead of PIN/Hello, even when using Hello to log into host machine). No group policy changes were deployed recently, and no Windows Updates were applied to either the host machines or the remote servers.

      Update #2: never mind. It's back to requesting PIN on RDP.

    4. Joellen M Moyer 0 Reputation points

      This works for me:

      "Put microsoftaccount\ as a username followed by username@keyman .com, domain\username works as well."

      And the article I pulled it from has a screenshot of how it should look:

      https://learn.microsoft.com/en-us/answers/questions/849332/how-to-disable-windows-hello-in-an-rdp-app

