Accessing a Remote Desktop

Using HYPR Passwordless: Windows

HYPR’s Remote Desktop feature allows domain-joined users to authenticate passwordlessly using the HYPR Mobile App when remotely accessing a Windows machine via the Microsoft Remote Desktop (RDP) client.

Logging In to a Remote Desktop

To access a Windows remote desktop with HYPR, the user can choose to initiate the authentication from their mobile device or can scan a QR code on the workstation.

Accounts and Permissions

The account used to log in to the remote machine doesn’t have to be the same as the one used to log in to the local machine. However, it must have the necessary access permissions on the remote machine to successfully connect.

It's also not necessary for the HYPR Passwordless client to be installed on the remote machine.

Device-initiated Authentication

If the account being used to connect to the remote machine has previously been paired with the local machine (see Pairing with the HYPR Mobile App), the user may initiate the authentication from the HYPR Mobile App.

  1. Open the Remote Desktop Connection application.
  2. Enter the address of the remote computer and click Connect to show the Enter Your Credentials dialog.
  3. WITHOUT CLICKING OK, initiate an authentication in the HYPR Mobile App by pressing the relevant computer icon as if logging in locally.
  4. Wait for the connection to be established and accept the certificate-based authentication warning if necessary. (Check the Don't ask me again for connections to this computer box to skip this warning in future.)
  5. Wait for the Remote Desktop session to finish authenticating.

Scan QR to Log In

As an alternative to device-initiated authorization, the user can also scan a QR code on the local machine to unlock the remote machine.

Control Center Settings

The Scan QR to Log In feature is only available if Roaming Users is enabled in Control Center Workstation Settings. Roaming Users is disabled by default.

  1. Open the Remote Desktop Connection application.
  2. Enter the address of the remote computer and click Connect to show the Enter Your Credentials dialog.
  3. Click More choices, then click Scan QR to Login to expand the choices on the credentials screen.
  4. Use Click here to expand QR code to reveal a larger scannable copy of the QR code.
  5. In the HYPR Mobile App, press the Scan to Unlock button and scan the QR code to log in.
  6. If there’s more than one domain-joined account stored on the mobile device, the HYPR Mobile App prompts the user to choose one before presenting the identity authorization screen.
  7. Wait for the Remote Desktop session to finish authenticating.

HYPR Passwordless for RDP Remote Sessions

To configure and enable HYPR Passwordless via RDP, follow the steps described here:

  • Enable Remote sessions on the HYPR client software of the target system.
    On the HYPR Passwordless client machine, the registry key Remote Sessions Enabled must be configured with a value of 1 for HYPR to be enabled on remote sessions.
  • Disable Network Level Authentication (NLA) on the target system.
    This can be achieved by configuring the policy, Require user authentication for remote connections by using Network Level Authentication. Refer to Microsoft’s UserAuthentication article for this step.
  • Disable CredSSP support and Network Level Authentication (NLA) in the RDP client.
    This can be done in the Advanced tab of the RDP client or with an enablecredsspsupport:i:0 setting in the RDP file. Refer to Microsoft’s Supported RDP properties with Remote Desktop Services article for this step.
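The steps above deliberately weaken the RDP listener (NLA off, CredSSP off), so it helps to have a way to see and review the resulting state. The following PowerShell audit script is an added example, not HYPR's own tooling; it reads the NLA state of the RDP-Tcp listener and the policy value, reads the Remote Sessions Enabled value (the registry path is not given on this page, so $HyprKeyPath is a placeholder you must replace), and checks a client .rdp file for the enablecredsspsupport:i:0 line.

```powershell
# Added example, not HYPR's own tooling: audit the settings this page asks you to
# change so that the weakened state (NLA off, CredSSP off) is visible to reviewers.
# Run in an elevated PowerShell session on the target (remote) Windows machine.
# ASSUMPTION: the registry path of the HYPR "Remote Sessions Enabled" value is not
# given on this page; replace $HyprKeyPath with the path documented for your install.
$HyprKeyPath = 'HKLM:\SOFTWARE\<HYPR-key-path>'

function Get-RdpNlaState {
    # Effective NLA state of the RDP-Tcp listener (True = NLA required).
    $ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    # Value written by the policy "Require user authentication for remote
    # connections by using Network Level Authentication" (absent = not configured).
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' `
        -Name UserAuthentication -ErrorAction SilentlyContinue
    $policyValue = if ($policy) { $policy.UserAuthentication } else { 'not configured' }
    [pscustomobject]@{
        NlaRequired = [bool]$ts.UserAuthenticationRequired
        PolicyValue = $policyValue
    }
}

function Get-HyprRemoteSessionsSetting {
    # The page states this value must be 1 for HYPR to work on remote sessions.
    $item = Get-ItemProperty -Path $HyprKeyPath -Name 'Remote Sessions Enabled' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not found' }
    return $item.'Remote Sessions Enabled'
}

function Test-RdpFileCredSspDisabled {
    # True when the client-side .rdp file carries enablecredsspsupport:i:0
    # (the RDP client setting named on this page). Last occurrence wins.
    param([Parameter(Mandatory)][string]$Path)
    $line = Get-Content -Path $Path | Where-Object { $_ -match '^enablecredsspsupport:i:\d' } |
        Select-Object -Last 1
    return ($line -eq 'enablecredsspsupport:i:0')
}

$nla = Get-RdpNlaState
[pscustomobject]@{
    NlaRequired        = $nla.NlaRequired
    NlaPolicyValue     = $nla.PolicyValue
    HyprRemoteSessions = Get-HyprRemoteSessionsSetting
} | Format-List

if (-not $nla.NlaRequired) {
    Write-Warning 'NLA is disabled on RDP-Tcp: the logon screen is reachable before authentication. Confirm the compensating controls under Security Considerations are in place.'
}
```

Call Test-RdpFileCredSspDisabled -Path 'C:\path\to\connection.rdp' on the client side to confirm the .rdp file written by the RDP client carries the setting.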

Security Considerations

HYPR recommends performing a risk assessment and evaluating the scenario before enabling HYPR for RDP remote sessions. We recommend enabling it only in the presence of additional compensating controls. Examples might include the following:

  • Network access control solutions where the network connectivity from the client to the target system is only enabled after an explicit authentication and authorization of the involved parties
  • Audit and log events are generated and securely stored in a central location as part of a review process

Frequently Asked Questions

Q: Can the user make an RDP connection from the same session as their initial device registration, or do they need to reboot?

A: The RDP connection is available in the same session, no reboot needed.

Q: Does the HYPR Passwordless client need to be installed on both the local and remote machines?

A: No, it only needs to be installed on the local machine.

Q: When the RDP connection is established, why does the user see a login screen instead of being logged in to the account?

A: Ensure that smart card login is enabled in the Remote Desktop Connection app before establishing the connection. Go to the Local Resources tab, click More... under Local devices and resources, and make sure Smart cards or Windows Hello for Business is checked.


Q: Why does the remote login fail with a “You cannot log on because the logon method you are using is not allowed on this computer. Please see your network administrator for more details” error?

A: The login account doesn’t have the necessary access privileges on the remote machine. On the remote machine, open the Local Group Policy Editor (gpedit.msc), expand Computer Configuration\Windows Settings\Security Settings\Local Policies, and make sure the user account belongs to one of the groups listed for “Allow log on locally” under User Rights Assignment.
