Remote Desktop And Login With AzureAD Account


If you join a Windows 10 PC to Azure AD and then try and login to that PC over remote desktop you are in for a barrel of laughs! Or not!

The way to get it to work is as follows:

  1. Ensure that Windows 10 PC is running Version 1511 or later (type WinVer from the Run dialog)
  2. Ensure the target PC is enabled for Remote Desktop
  3. Ensure the Network Level Authentication is disabled
  4. Run MSTSC on your PC (the source) and enter the target PN name, your username (email address) and click Save As (which you will find under “Show Options”):
    image
  5. Close the Remote Desktop Connection window without connecting.
  6. Open the saved RDP file in Notepad
  7. Add the following to the bottom of the text in Notepad as shows:

enablecredsspsupport:i:0

  1. In Notepad this appears as:
    image
  2. Save the RDP file and then double-click it to connect. You will now be able to login with your AzureAD account over Remote Desktop
  3. If you cannot login, check the alternative name that your device uses for your user account. On the AzureAD joined computer, logged in as the target user, run “whoami” from the command line. It will report something like AzureAD\firstlast. You could try that value (both AzureAD and the name) as your username.

Posted

in

,

by

Tags:

Comments

3 responses to “Remote Desktop And Login With AzureAD Account”

  1. Peter van der Kleij avatar
    Peter van der Kleij

    (Windows 10, 1903)
    I have MFA enabled, following needs to be added to support that.

    I needed to change a Registry:
    Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\
    REG_DWORD: Security Layer: from 2 to 0
    (Setting it to 1, fails the password, because of MFA i guess)

    Also needed to add “AzureAd\” before the username/E-mail address: AzureAd\user@company.com

    Thanks for your Blog, it helped me!

    1. Brian Reid avatar

      SO I have not tried this, but I know that changing “Security Layer” from 2 to 0 reduces the security of the connection. Setting it to 1 would fail the password generally. You are not usually required your MFA prompt when logging into your Windows Device, so suprised that this broke this. Though this original article was written in 2015 and 7 or 8 versions of Windows 10 ago – so anything is up for grabs regarding change.

  2. SM avatar
    SM

    amazing – thank you so much for posting this! it worked for me 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.