Blog Post
Passwordless RDP Authentication for On-Prem Servers with Smart Cards (FIDO2 Security Key)
This is a great guide on how to set up smart card authentication for RDP, but how is this FIDO2? The type of authentication shown here leverages WinSCard APIs, not WebAuthn APIs; you can only get true FIDO2 with RDS AAD authentication.
Hey mamoreau, you are right, the mechanism behind the scenes is smart card. Since many people are nowadays using FIDO2 security keys, and some vendors also support the PIV feature to store certificates, in order to make use of this PIV feature I used the word FIDO2 in the title. If you go through my blog, I specifically mentioned that it's smart card certificate-based authentication and the FIDO2 security key is just a holder.
- mamoreau, Apr 08, 2025, Iron Contributor
Using "FIDO2" together with "Passwordless RDP authentication for on-prem servers" is going to bring a lot of traffic from people thinking there is a way to get FIDO2 working with Windows Server on-premises, without hybrid-join and RDS AAD authentication. There's already a lot of confusion in the industry about smartcards versus FIDO2, especially since many devices support both. You clarify it further down in the article that it's "regular" smartcards, but still use FIDO2 in the template names, etc. In fact, the article doesn't even show a path to FIDO2 support, so I wonder why it's even mentioned. A lot of IT administrators would go nuts if Microsoft suddenly supported FIDO2 truly on-premises for RDP authentication, but it's unlikely to ever happen at this point (aside from hybrid-joined systems).
- Jordan Mills, Apr 12, 2025, Copper Contributor
The title keyword spam got me. This really needs to be updated. Or replaced by someone who understands the components involved.