Blog Post
Passwordless RDP Authentication for On-Prem Servers with Smart Cards (FIDO2 Security Key)
Setting up a new Active Directory Certificate Services (AD CS) based PKI for a YubiKey (or similar) multi-purpose security key that supports both FIDO2 and PIV authentication can be a foolhardy undertaking for a small organization, depending on existing infrastructure. Microsoft's other solutions generally involve RD Gateways or Azure Virtual Desktop, both of which can potentially be more cost-effective and easier to maintain. Azure Bastion Host is another option, but it isn't cost-effective in many scenarios.
Switching over to DC certificates that are fully compliant with smart card specifications is a security requirement, because certificate-based user authentication (via PIV) relies on keys that can be stolen and on credentials that must be revoked when employment status changes. One key consideration about using smart cards for authentication is the requirement for a highly available CRL, which can impact other domain services (including LDAPS) that may not require a highly available CRL or a full PKI to implement securely.
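Two of the failure points just described (a DC certificate that lacks the EKUs smart card clients expect, and a CRL distribution point that is unreachable) can be checked from the domain controller itself. The script below is an added example written for this post, not code from the original article or from Microsoft; it assumes an elevated PowerShell session on the DC, that the DC's logon certificate is in `Cert:\LocalMachine\My`, that the CRL is published over HTTP (LDAP CDPs are listed but not probed), and the set of EKUs shown in `$RequiredEkus` is what the standard Kerberos Authentication template issues.

```powershell
# Added example (not from the original post): smart-card logon readiness check for a domain controller.
# Assumptions: run elevated on the DC; DC cert lives in Cert:\LocalMachine\My; CRL published over HTTP.

# EKU OIDs a DC certificate needs so that smart-card clients will trust it for Kerberos logon
$RequiredEkus = @{
    '1.3.6.1.5.5.7.3.1'      = 'Server Authentication'
    '1.3.6.1.5.5.7.3.2'      = 'Client Authentication'
    '1.3.6.1.4.1.311.20.2.2' = 'Smart Card Logon'
    '1.3.6.1.5.2.3.5'        = 'KDC Authentication'
}

function Get-CertificateEkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $ext = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $ext) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Get-CrlUrls {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # 2.5.29.31 is the CRL Distribution Points extension; Format() renders it as readable text
    $cdp = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $cdp) { return @() }
    $text = $cdp.Format($true)
    return @([regex]::Matches($text, '(?i)(https?|ldap):///?\S+') | ForEach-Object { $_.Value.TrimEnd(')') })
}

function Test-CrlUrl {
    param([string]$Url)
    if ($Url -notmatch '^https?://') {
        # LDAP CDPs only work for domain-joined clients; list them without probing
        return [pscustomobject]@{ Url = $Url; Reachable = $null; Note = 'LDAP CDP, not probed' }
    }
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 10
        $ok = ($resp.StatusCode -eq 200) -and ($resp.RawContentLength -gt 0)
        return [pscustomobject]@{ Url = $Url; Reachable = $ok; Note = "HTTP $($resp.StatusCode), $($resp.RawContentLength) bytes" }
    } catch {
        return [pscustomobject]@{ Url = $Url; Reachable = $false; Note = $_.Exception.Message }
    }
}

function Test-DcSmartCardReadiness {
    # Only certificates with a private key can be used by the KDC
    $certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey }
    foreach ($cert in $certs) {
        $ekus    = Get-CertificateEkuOids -Certificate $cert
        $missing = $RequiredEkus.Keys | Where-Object { $ekus -notcontains $_ } | ForEach-Object { $RequiredEkus[$_] }
        $crl     = Get-CrlUrls -Certificate $cert | ForEach-Object { Test-CrlUrl -Url $_ }
        [pscustomobject]@{
            Subject     = $cert.Subject
            Thumbprint  = $cert.Thumbprint
            NotAfter    = $cert.NotAfter
            MissingEkus = if ($missing) { $missing -join ', ' } else { 'none' }
            CrlChecks   = $crl
            ChainValid  = $cert.Verify()   # builds the chain with the local policy, including revocation checking
        }
    }
}

Test-DcSmartCardReadiness | Format-List
```

A certificate that reports `MissingEkus = none`, reachable HTTP CRL URLs and `ChainValid = True` is the state smart card clients need; any `Reachable = False` line is the CRL-availability risk described above showing up before it turns into a logon outage. Running `certutil -verify -urlfetch` against the exported DC certificate is a useful cross-check, because it exercises the same CRL and AIA fetch logic Windows itself uses.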
So, adding enough PKI resources to support this type of authentication would typically require at least two, and potentially more, additional servers to set up properly. There is also the risk of authentication outages (which would have a critical and costly business impact) if the number of qualified admins is low. In my experience, even organizations with thousands of employees may have only one to three experienced admins who can support a full-featured PKI properly.
A full-featured PKI can still be worthwhile, even for small organizations, but it's important to understand the associated costs as well as the risks, including the need for operational redundancy (and highly trained administrators), before plunging head-first into a PKI setup to enhance RDP logon security.