Blog Post

Core Infrastructure and Security Blog
7 MIN READ

Passwordless RDP Authentication for On-Prem Servers with Smart Cards (FIDO2 Security Key)

Farooque's avatar
Farooque
Icon for Microsoft rankMicrosoft
Apr 06, 2025

Enable secure, passwordless RDP access to on-prem servers using Smart Cards with FIDO2 Security Keys. This approach leverages Kerberos PKINIT and certificate-based authentication to enhance protection and eliminate password risks.

Hello Everyone, in my previous blog, I discussed how to use FIDO2 Security Key Passwordless Authentication with Entra or Hybrid Joined devices for Remote Desktop Connection. In this blog, we will dis...
Updated Apr 06, 2025
Version 1.0
Active Directory
Domain
fido2
passwordless
Passwordless Authentication
smartcard
mamoreau's avatar
mamoreau
Iron Contributor
Apr 08, 2025

Using "FIDO2" together with "Passwordless RDP authentication for on-prem servers" is going to bring a lot of traffic from people thinking there is a way to get FIDO2 working with Windows Server on-premises, without hybrid-join and RDS AAD authentication. There's already a lot of confusion in the industry about smartcards versus FIDO2, especially since many devices support both. You clarify it further down in the article that it's "regular" smartcards, but still use FIDO2 in the template names, etc. In fact, the article doesn't even show a path to FIDO2 support, so I wonder why it's even mentioned. A lot of IT administrators would go nuts if Microsoft suddenly supported FIDO2 truly on-premises for RDP authentication, but it's unlikely to ever happen at this point (aside from hybrid-joined systems).

Jordan Mills's avatar
Jordan Mills
Copper Contributor
Apr 11, 2025

The title keyword spam got me.  This really needs to be updated.  Or replaced by someone who understands the components involved.