Custom RDP properties for Windows Server 2022 RemoteApps


We are currently testing FIDO2 auth against Entra ID with security keys for RDP, on a single on-premises Remote Desktop Session Host with the RD Web and RD Broker roles.

 

The particular client we are testing on is running Windows 11 23H2, while the server is running Windows Server 2022. Both client and server are hybrid-joined to Entra ID and have all the latest Windows updates.

 

Login with the regular Remote Desktop client using the "web account" option for auth works well. We are able to authenticate successfully against Entra ID with our security key and log in. SSO for O365 services in the RDP sessions works flawlessly.

[Screenshot: schrewst_0-1710232433264.png]

 

But when publishing the applications on the server as RemoteApps, we lose the authentication option shown in the above screenshot.

 

Adding one or both of 'enablerdsaadauth:i:1' and 'redirectwebauthn:i:1' to the custom RDP properties for RemoteApps makes no difference. The RemoteApps do not get these properties after updating the RemoteApp connection on the client computers.

 

Checking "CustomRDPSettings" under "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\CentralPublishedResources\PublishedFarms\<session collection name>\DeploymentSettings", the properties are indeed set.

 

But when checking "RDPFileContents" under "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\CentralPublishedResources\PublishedFarms\<session collection name>\RemoteDesktops\<session collection name>", the properties are missing. Adding the mentioned RDP properties to this setting, either manually through the registry or through PowerShell, works fine. But the RemoteApps are still not updated with these properties on the client side. And every time we remove/publish a RemoteApp or make any change to the session collection configuration, "RDPFileContents" is reset.

 

Halp?
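As an added diagnostic (not from the original post or from Microsoft), the following PowerShell script reads the two registry values the post describes for one session collection and reports, for each location, whether the required RDP properties are present, absent, or set to a different value. The function names, parameter names and the `$RequiredProperties` default are my own; the registry paths and value names are the ones quoted in the post.

```powershell
# Added example: check whether custom RDP properties survived into both
# registry locations for a session collection. Names below are my own.
param(
    [Parameter(Mandatory = $true)]
    [string]$CollectionName,
    [string[]]$RequiredProperties = @('enablerdsaadauth:i:1', 'redirectwebauthn:i:1')
)

$base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\CentralPublishedResources\PublishedFarms'

# Parse an RDP-file-style blob ("name:type:value" per line) into a hashtable keyed by lowercased name.
function ConvertFrom-RdpSettings {
    param([string]$Text)
    $props = @{}
    foreach ($line in ($Text -split "`r?`n")) {
        $line = $line.Trim()
        if (-not $line) { continue }
        # Split on the first two colons only; values such as paths may contain ':'.
        $parts = $line -split ':', 3
        if ($parts.Count -eq 3) { $props[$parts[0].ToLower()] = "$($parts[1]):$($parts[2])" }
    }
    return $props
}

# Compare the required properties against one registry value and print the result.
function Test-RdpProperties {
    param([string]$Label, [string]$RegPath, [string]$ValueName)
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if (-not $item) { Write-Warning "$Label : value '$ValueName' not found at $RegPath"; return }
    $have = ConvertFrom-RdpSettings -Text $item.$ValueName
    foreach ($req in $RequiredProperties) {
        $name, $typeValue = $req -split ':', 2
        $name = $name.ToLower()
        if ($have.ContainsKey($name) -and $have[$name] -eq $typeValue) {
            Write-Host "[OK]      $Label has $req"
        } elseif ($have.ContainsKey($name)) {
            Write-Host "[DIFF]    $Label has $name set to '$($have[$name])', expected '$typeValue'"
        } else {
            Write-Host "[MISSING] $Label lacks $req"
        }
    }
}

Test-RdpProperties -Label 'DeploymentSettings\CustomRDPSettings' `
    -RegPath (Join-Path $base "$CollectionName\DeploymentSettings") -ValueName 'CustomRDPSettings'
Test-RdpProperties -Label 'RemoteDesktops\RDPFileContents' `
    -RegPath (Join-Path $base "$CollectionName\RemoteDesktops\$CollectionName") -ValueName 'RDPFileContents'
```

Run it on the broker after each collection change to confirm whether "RDPFileContents" has been reset, which is the symptom the post describes; it only reads the registry and changes nothing.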

 

2 Replies
Hi schrewst,

Sorry, I cannot help you with your problem, but can you help me with RDP with FIDO2?

I have the same infra; my RDS server is Windows Server 2019, up to date.
Server and desktop are hybrid-joined to Entra ID,
but I need help with the Microsoft Remote Desktop cloud application and Conditional Access in Entra.

My FIDO key infra works well for Office 365 and Windows logon; I am trying to get RDP running now.



Thanks in advance
Alain