Enable Passwordless Authentication with FIDO Security Key for Remote Desktop Connection


Passwordless authentication using FIDO2 security keys enhances security for Remote Desktop Protocol (RDP) by eliminating password-based attacks. This guide covers configuration for both Entra ID-joined and hybrid environments.

Remote Desktop Connection Configuration

1. Launch `mstsc.exe` (Remote Desktop Connection).
2. Navigate to the Advanced tab.
3. Under User Authentication, select “Use a web account to sign in”.
4. Enter the remote device name and your Entra ID credentials.
5. When prompted, choose Security Key as the authentication method.
6. Insert your FIDO2 key, enter the PIN, and touch the key to authenticate.
7. Approve the RDP consent prompt to start the session.

PowerShell Command to Verify RDP Settings

# fAllowToGetHelp controls Remote Assistance; the RDP on/off switch in the same key is fDenyTSConnections (0 = RDP enabled)
Get-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fAllowToGetHelp", "fDenyTSConnections"

Hybrid Entra ID-Joined Devices Setup

For hybrid environments, follow these steps:

1. Create an AzureADKerberos RODC object in Entra ID (not linked to on-prem AD).
2. Register the object using PowerShell:

# Set-AzureADKerberosServer (AzureADHybridAuthenticationManagement module) creates the Azure AD Kerberos server object for the domain
Set-AzureADKerberosServer -Domain "yourdomain.com" -UserPrincipalName "admin@yourdomain.com" -DomainCredential (Get-Credential)

3. Verify the object in Active Directory Users and Computers.
4. Follow the same RDP steps as for Entra ID-joined devices.

Enable Kerberos Authentication

Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\AzureADAccount" -Name "EnableKerbAuth" -Value 1 

Conditional Access for RDP Security

1. Go to Entra ID Portal → Security > Conditional Access.
2. Assign users/groups and select Microsoft Remote Desktop as the app.
3. Under Grant, require Phishing-resistant authentication (FIDO2).
4. Save and enable the policy.

Check Conditional Access Policies

Get-AzureADMSConditionalAccessPolicy 

Important Notes for Hybrid Join

  • Avoid using domain admin or other high-privilege AD accounts: a partial TGT is not issued for them.
  • Ensure FIDO2 keys are registered in Entra ID before use.

You Should Know:

Linux Alternative: SSH with FIDO2

For Linux-based remote access, use SSH with FIDO2:

ssh-keygen -t ed25519-sk -f ~/.ssh/id_ed25519_sk 

Add the key to the SSH agent:

ssh-add ~/.ssh/id_ed25519_sk 

Windows Command to Test RDP Connectivity

Test-NetConnection -ComputerName <RemotePC> -Port 3389 

Check FIDO2 Key Registration Status

# Get-AzureADUserRegisteredDevice lists registered devices, not authenticators; a user's FIDO2 keys come from the Microsoft Graph cmdlet below
Get-MgUserAuthenticationFido2Method -UserId <UserID>

What Undercode Say

FIDO2-based passwordless authentication significantly improves security for RDP by mitigating phishing and brute-force attacks. Hybrid environments require additional Kerberos configuration, while Entra ID-joined devices streamline the process. Always enforce Conditional Access to restrict unauthorized logins.

For Linux admins, FIDO2-backed SSH keys offer similar security benefits. Windows admins should audit RDP settings regularly and disable legacy protocols like NTLM.
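The audit the previous paragraph calls for, as an added example (not from the original post): it reads the documented RDP and NTLM registry values and reports each against a hardening target; the targets and the `-RemoteHost` parameter are this example's own choices.

```powershell
# Added example: audit local RDP/NTLM hardening. Registry paths are the standard
# Windows locations; the Expected values are this example's policy, not Microsoft defaults.
function Test-RdpHardening {
    [CmdletBinding()]
    param(
        # Hypothetical host to probe on TCP 3389; omit to skip the probe.
        [string]$RemoteHost
    )

    $checks = @(
        @{ Name = 'RDP enabled (fDenyTSConnections = 0)'
           Path = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'
           Value = 'fDenyTSConnections'; Expected = 0 },
        @{ Name = 'NLA required (UserAuthentication = 1)'
           Path = 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
           Value = 'UserAuthentication'; Expected = 1 },
        @{ Name = 'TLS security layer (SecurityLayer = 2)'
           Path = 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
           Value = 'SecurityLayer'; Expected = 2 },
        @{ Name = 'NTLMv2 only, refuse LM/NTLM (LmCompatibilityLevel = 5)'
           Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
           Value = 'LmCompatibilityLevel'; Expected = 5 },
        @{ Name = 'Outbound NTLM denied (RestrictSendingNTLMTraffic = 2)'
           Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
           Value = 'RestrictSendingNTLMTraffic'; Expected = 2 }
    )

    foreach ($c in $checks) {
        # Get-ItemPropertyValue throws when the value is absent; report that as not configured.
        try   { $actual = Get-ItemPropertyValue -Path $c.Path -Name $c.Value -ErrorAction Stop }
        catch { $actual = $null }
        [pscustomobject]@{
            Check  = $c.Name
            Actual = if ($null -eq $actual) { '(not set)' } else { $actual }
            Status = if ($actual -eq $c.Expected) { 'PASS' } else { 'FAIL' }
        }
    }

    if ($RemoteHost) {
        # Reachability only; it says nothing about which authentication the listener accepts.
        $tnc = Test-NetConnection -ComputerName $RemoteHost -Port 3389 -WarningAction SilentlyContinue
        [pscustomobject]@{
            Check  = "TCP 3389 reachable on $RemoteHost"
            Actual = $tnc.TcpTestSucceeded
            Status = if ($tnc.TcpTestSucceeded) { 'PASS' } else { 'FAIL' }
        }
    }
}

Test-RdpHardening -RemoteHost 'rdp-host.example' | Format-Table -AutoSize
```

Run it in an elevated session on each RDP host; any FAIL row is a setting to correct, and the check table can be extended with further values as policy evolves.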

Expected Output:

  • Secure, passwordless RDP access via FIDO2.
  • Verified PowerShell and Linux commands for setup.
  • Conditional Access policies enforcing phishing-resistant auth.
  • Hybrid environment compatibility with AzureADKerberos.

References:

Reported By: Shamseer Siddiqui – Hackers Feeds