Blog Post

Core Infrastructure and Security Blog

4 MIN READ

Passwordless Authentication with FIDO2 Security Key for Remote Desktop Connection

Farooque

Microsoft

Mar 28, 2025

This blog talks about how to go passwordless when authenticating with Remote Desktop.

Passwordless Authentication with FIDO2 Security Key for Remote Desktop Connection Hello Everyone, in this blog, we will explore how to use a FIDO2 security key to access a device using Remote Deskt...

Updated Mar 28, 2025

Version 2.0

Microsoft

Joined October 24, 2020

View Profile

Core Infrastructure and Security Blog

Follow this blog board to get notified when there's new activity

igorscoff

Copper Contributor

Mar 29, 2025

I have been trying to explore this solution but encountered a Challenge. How can we authenticate on RDP for High Privileged Accounts from Onpremise AD? Such as Domain Admins. the WHFB does not work for such type of accounts because the password hash is not synced to Azure. Do you have any idea how to deal with this?

Rafal_Fitt
Steel Contributor
Apr 04, 2025
igorscoff

The Denied RODC Password Replication Group plays a critical role in securing both traditional Read-Only Domain Controllers (RODCs) and Azure AD Kerberos environments. ;-)

https://wiki.winadmins.io/en/active-directory/whfb-cloud-kerberos-trust

https://0xdeaddood.rocks/2021/11/11/the-kerberos-key-list-attack-the-return-of-the-read-only-domain-controllers/
Farooque
Microsoft
Mar 29, 2025
Heyigorscoff WHFB works for privileged accounts like domain admins. You can go for dual enrollment. However there are changes required to be done at Active Directory from permission perspective because these accounts are protected by AdminSDholder container.