This short guide shows how to authenticate with Windows Hello for Business and a FIDO2 security key in an RDP session. Let’s get rid of those passwords!
Content
- Demo Video of Authentication with WHfB and FIDO in RDP session
- Windows Client with FIDO passkey (picture)
- Supported Platforms
- How to enable with Remote Desktop Connection (MSTSC) or similar remote connection tool
- How to enable on Azure Virtual Desktop – AVD (Microsoft Learn article)
- How to enable on Windows 365 (Microsoft Learn article)
- How to enable on Microsoft Dev Box (Microsoft Learn article)
Demo Video of Authentication with WHfB and FIDO in RDP session
The setup is based on an Azure VM (AD hybrid-joined Windows Server 2022), which I’m accessing from my home computer (Windows 11, Entra ID-joined) using an RDP session. I’m using Windows Hello for Business Kerberos Trust and a FIDO2 security key in the demo to sign in.
Windows Client with FIDO passkey (picture)

Supported Platforms
| Support / Platform | Windows Clients | Windows Servers |
|---|---|---|
| Supported | Windows 11 22H2 and higher, Windows 10 22H2 and higher | Windows 2025, Windows 2022 |
| Unsupported | | Windows 2019, Windows 2016, Windows 2012 R2 |
How to enable feature with Remote Desktop Connection (MSTSC) or similar remote connection tool
You just have to enable Web Authentication on both sides of the connection: the RDP session host (the Windows Server or client acting as the host/target) and the RDP client (the guest/source machine you are connecting from).
Two methods are shown below: AD Group Policy and Intune.
AD Group Policy
If you don’t see all of the policies below, download the Windows 11 24H2 Administrative Templates and copy the ADMX/ADML files into PolicyDefinitions using this guide.
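
The client half can also be checked per connection file. The PowerShell below is an added example, not part of the original post: it parses the lines of an .rdp file and reports the `redirectwebauthn` and `enablerdsaadauth` properties (the latter corresponds to the web account sign-in option on the mstsc Advanced tab). The function name, sample file content and host name are constructed, and the defaults applied to absent properties are assumptions based on Microsoft's RDP property reference.

```powershell
# Added example: audit .rdp connection files for WebAuthn-related settings.
# Get-RdpWebAuthSetting is a hypothetical helper name, not a built-in cmdlet.
function Get-RdpWebAuthSetting {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$Line,   # lines of one .rdp file
        [string]$Name = '(inline sample)'
    )
    # .rdp files hold "name:type:value" lines; type is i (int), s (string) or b (binary).
    $props = @{}
    foreach ($l in $Line) {
        if ($l -match '^\s*([^:]+):([isb]):(.*)$') {
            $props[$Matches[1].Trim().ToLowerInvariant()] = $Matches[3].Trim()
        }
    }
    # Assumed defaults when a property is absent: redirectwebauthn = 1, enablerdsaadauth = 0.
    $webauthn = if ($props.ContainsKey('redirectwebauthn')) { $props['redirectwebauthn'] } else { '1' }
    $entra    = if ($props.ContainsKey('enablerdsaadauth')) { $props['enablerdsaadauth'] } else { '0' }
    [pscustomobject]@{
        File               = $Name
        Target             = $props['full address']
        WebAuthnRedirected = ($webauthn -eq '1')   # WHfB / FIDO2 prompts reach the local device
        WebAccountSignIn   = ($entra -eq '1')      # Entra ID web sign-in requested
    }
}

# Constructed sample 1: a file that explicitly turns WebAuthn redirection off.
$blocked = @(
    'full address:s:srv01.example.internal'
    'redirectwebauthn:i:0'
)
# Constructed sample 2: redirection on and web account sign-in enabled.
$enabled = @(
    'full address:s:srv01.example.internal'
    'redirectwebauthn:i:1'
    'enablerdsaadauth:i:1'
)

Get-RdpWebAuthSetting -Line $blocked -Name 'blocked.rdp'   # WebAuthnRedirected = False
Get-RdpWebAuthSetting -Line $enabled -Name 'enabled.rdp'   # both flags = True

# To audit saved connection files instead of the samples:
# Get-ChildItem "$env:USERPROFILE\Documents" -Filter *.rdp -Force | ForEach-Object {
#     Get-RdpWebAuthSetting -Line (Get-Content $_.FullName) -Name $_.Name
# }
```

A file that reports `WebAuthnRedirected = False` will not pass WebAuthn prompts to the local device, whatever policy is applied on the session host.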

Windows Client Policy via Microsoft Intune

How to enable on AVD / Windows 365 / Microsoft Dev Box
How to enable on Azure Virtual Desktop – AVD (Microsoft Learn article)
How to enable on Windows 365 (Microsoft Learn article)
How to enable on Microsoft Dev Box (Microsoft Learn article)
Are you a local admin on the Windows server when signing in using web auth? Or just a user in the ‘remote desktop group’?
User
Hi Morten,
Sorry but am I blind? I cannot see where you do the RDP session to a server using either WHfB or FIDO2. What I do see is, you logging on to a Microsoft website using MFA.
Am I overlooking something?
Thanks,
Jørgen
Fair enough, I didn’t show that in the demo, but you can sign in with it as well. Traditionally WHfB/FIDO hasn’t worked in an RDP session, and that was the core of this demo.
OK. Understood. But bummer! 🙁
Because that is what I really hoped to see. And I figured that, since the post was very recent, some new, previously unknown features would be shown! It’s interesting for me, because we are struggling with a requirement that ALL logins must happen with MFA, and we don’t yet have a PAM implementation in place to cover servers and other privileged accesses.
Hi, you can now use FIDO or any other auth method configured in Entra ID when signing in to an RDP session. That is doable, did it this week with a Windows 11 client and Windows Server 2025 🙂 You just need to enable web sign-in on the Advanced tab of the mstsc client and make sure the account you use to sign in is seen in the cloud (synced) and by the server (which must also be hybrid joined) and has some MFA methods configured to test it.
Hi Morten, do you know if there is documentation from Microsoft on this? The only WHfB model I’ve read that supports RDP is Cert Trust. Sounds like this all works because of WebAuth option for rdp, but would like to find documentation on this. Thanks.