If you are enrolled with Windows Hello for Business on the client system, Windows Hello for Business with certificate authentication is supported for the Log In as Current User feature on Horizon Client for Windows. Windows Hello for Business is supported only for VMware Blast display protocol.

Note: If True SSO is enabled on Horizon Connection Server, it will take precedence over Windows Hello for Business.


Your system must meet the following requirements for authentication with Windows Hello for Business:
  • Log In as Current User must be enabled on the broker and on Horizon Client.
  • Your client system must be enrolled with a Windows Hello for Business deployment which supports Certificate Trust. For details on supported deployment models including Certificate Trust, see https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-deployment-guide.
  • You must be logged in to the system where Horizon Client is installed using Windows Hello for Business credentials.
  • If Unified Access Gateway is used, it must be in Pass-through mode.
  • System hardware requirements are as follows:
    • Horizon Connection Server and Horizon Agent version 8.6 or later.
    • Horizon Client for Windows version 2206 or later.
    • Windows Server 2019 or later if Horizon Agent is installed on Windows server.

Use Cases Not Supported

Windows Hello for Business is not supported for the following scenarios:
  • Unified Access Gateway in non-pass through mode
  • Unified Access Gateway with two factor authentication or SAML enabled
  • Desktop Apps
  • Environment where Horizon Agent and Horizon Client are installed on the same system and used in a nested environment
  • Direct Agent Connect
  • The client system (where Horizon Client is being launched) is enrolled using Windows Hello for Business using any other method except Certificate trust.
  • Remote desktop machines that have the Local Security Authority Subsystem Service (LSASS) running in protected mode. By default, Windows 11 machines have LSASS running in protected mode.

Share Windows Hello for Business Certificate with Third Party Applications

You can use the CertStoreIntercept library to share the Windows Hello For Business certificate used for SSO with third party applications for user authentication. This library can be configured via the Windows Hello For Business Certificate Redirection GPO setting. For more information, see VMware View Agent Configuration ADMX Template Settings in the Horizon Remote Desktop Features and GPOs document.


Logging for Windows Hello for Business certificate redirection is disabled by default. Administrators can enable logging via registry key HKM\SOFTWARE\VMware, Inc.\VMware VDM\Whfb\IsCertInterceptLoggerEnabled.

On the Horizon Agent, Windows Hello for Business logs are saved in the Agent debug logs. On the Horizon Client, they are saved in the debug log file in %LOCALAPPDATA%\VMware\VDM\logs.