Configure WebAuthn redirection over the Remote Desktop Protocol

Tip

This article is shared for services and products that use the Remote Desktop Protocol (RDP) to provide remote access to Windows desktops and apps.

You can configure the redirection behavior of WebAuthn requests from a remote session to a local device over the Remote Desktop Protocol (RDP). WebAuthn redirection enables in-session passwordless authentication using Windows Hello for Business or security devices like FIDO keys.

For Azure Virtual Desktop, we recommend you enable WebAuthn redirection on your session hosts using Microsoft Intune or Group Policy, then control redirection using the host pool RDP properties.

For Windows 365, you can configure your Cloud PCs using Microsoft Intune or Group Policy.

For Microsoft Dev Box, you can configure your dev boxes using Microsoft Intune or Group Policy.

This article provides information about the supported redirection methods and how to configure the redirection behavior for WebAuthn requests. To learn more about how redirection works, see Redirection over the Remote Desktop Protocol.

Prerequisites

Before you can configure WebAuthn redirection, you need:

  • An existing Cloud PC.
  • An existing dev box.
  • A local Windows device with Windows Hello for Business or a security device like a FIDO USB key already configured.
  • To configure Microsoft Intune, you need:
    • A Microsoft Entra ID account that is assigned the Policy and Profile manager built-in RBAC role.
    • A group containing the devices you want to configure.
  • To configure Group Policy, you need:
    • A domain account that has permission to create or edit Group Policy objects.
    • A security group or organizational unit (OU) containing the devices you want to configure.
  • You need to connect to a remote session from a supported app and platform. To view redirection support in Windows App and the Remote Desktop app, see Compare Windows App features across platforms and devices and Compare Remote Desktop app features across platforms and devices.

WebAuthn redirection

Whether WebAuthn requests can be redirected from a remote session to a local device is governed by the configuration of the session host (set using Microsoft Intune or Group Policy) together with the RDP property set on the host pool. These settings are combined according to a priority order.

The default configuration is:

  • Windows operating system: WebAuthn requests aren't blocked.
  • Azure Virtual Desktop host pool RDP properties: WebAuthn requests in the remote session are redirected to the local computer.

Important

Take care when configuring redirection settings, because the most restrictive setting determines the resultant behavior. For example, if you disable WebAuthn redirection on a session host with Microsoft Intune or Group Policy, but enable it with the host pool RDP property, redirection is disabled.

Configuration of a Cloud PC governs the ability to redirect WebAuthn requests between the remote session and the local device, and is set using Microsoft Intune or Group Policy.

The default configuration is:

  • Windows operating system: WebAuthn requests aren't blocked. Windows 365 enables WebAuthn redirection.

Configuration of a dev box governs the ability to redirect WebAuthn requests between the remote session and the local device, and is set using Microsoft Intune or Group Policy.

The default configuration is:

  • Windows operating system: WebAuthn requests aren't blocked. Windows 365 enables WebAuthn redirection.

Configure WebAuthn redirection using host pool RDP properties

The Azure Virtual Desktop host pool setting WebAuthn redirection controls whether to redirect WebAuthn requests between the remote session and the local device. The corresponding RDP property is redirectwebauthn:i:<value>. For more information, see Supported RDP properties.

To configure WebAuthn redirection using host pool RDP properties:

  1. Sign in to the Azure portal.

  2. In the search bar, type Azure Virtual Desktop and select the matching service entry.

  3. Select Host pools, then select the host pool you want to configure.

  4. Select RDP Properties, then select Device redirection.

    A screenshot showing the host pool device redirection tab in the Azure portal.

  5. For WebAuthn redirection, select the drop-down list, then select one of the following options:

    • WebAuthn requests in the remote session are not redirected to the local computer
    • WebAuthn requests in the remote session are redirected to the local computer (default)
    • Not configured
  6. Select Save.

  7. To test the configuration, follow the steps in Test WebAuthn redirection.
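The portal steps above set the `redirectwebauthn:i:<value>` property on the host pool. The same change can be scripted, which is useful when you manage many host pools. The following PowerShell is an added example and is not code from this article; it uses `Get-AzWvdHostPool` and `Update-AzWvdHostPool` from the Az.DesktopVirtualization module and assumes you have already run `Connect-AzAccount`. The resource group and host pool names are placeholders. The value mapping follows the portal options: `1` means requests are redirected (the default) and `0` means they aren't, while "Not configured" corresponds to leaving the property out of the string.

```powershell
# Added example, not code from the Microsoft Learn article: set the
# redirectwebauthn RDP property on an Azure Virtual Desktop host pool with
# Get-AzWvdHostPool / Update-AzWvdHostPool (Az.DesktopVirtualization module),
# preserving any other custom RDP properties already on the pool.
# Assumes Connect-AzAccount has already been run; resource group and host
# pool names below are placeholders.
#Requires -Modules Az.DesktopVirtualization

param(
    [string]$ResourceGroupName = '<resource-group>',   # placeholder
    [string]$HostPoolName      = '<host-pool>',        # placeholder
    [ValidateSet('Redirect', 'NoRedirect', 'NotConfigured')]
    [string]$WebAuthn = 'Redirect'
)

# Update-AzWvdHostPool replaces the whole semicolon-separated custom RDP
# property string, so merge the new property into the existing string instead
# of overwriting it (otherwise properties such as redirectclipboard:i:0 that
# are already on the pool would be lost).
function Set-RdpProperty {
    param(
        [string]$Existing,   # current CustomRdpProperty string (may be empty)
        [string]$Name,       # property name, e.g. redirectwebauthn
        [string]$Value       # 'i'-type value; empty removes the property ("Not configured")
    )
    # Drop empty entries and any existing copy of the property being set.
    $props = @($Existing -split ';' |
        Where-Object { $_ -ne '' -and $_ -notmatch "^${Name}:" })
    if (-not [string]::IsNullOrEmpty($Value)) {
        $props += "${Name}:i:${Value}"
    }
    return ($props -join ';')
}

# The portal's three options map onto the property as follows:
#   redirected (default)  -> redirectwebauthn:i:1
#   not redirected        -> redirectwebauthn:i:0
#   Not configured        -> property omitted, so the default applies
$value = switch ($WebAuthn) {
    'Redirect'      { '1' }
    'NoRedirect'    { '0' }
    'NotConfigured' { '' }
}

$pool   = Get-AzWvdHostPool -ResourceGroupName $ResourceGroupName -Name $HostPoolName
$merged = Set-RdpProperty -Existing $pool.CustomRdpProperty -Name 'redirectwebauthn' -Value $value

Update-AzWvdHostPool -ResourceGroupName $ResourceGroupName -Name $HostPoolName `
    -CustomRdpProperty $merged | Out-Null

Write-Host "Custom RDP properties for '$HostPoolName' are now: $merged"
```

Run the script with `-WebAuthn NoRedirect` to block redirection at the host pool, or `-WebAuthn NotConfigured` to remove the property. Because the most restrictive setting wins, a session host where the "Do not allow WebAuthn redirection" policy is enabled keeps redirection disabled regardless of the value set here, so check both places when redirection doesn't behave as expected.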

Configure WebAuthn redirection using Microsoft Intune or Group Policy

To allow or disable WebAuthn redirection using Microsoft Intune:

  1. Sign in to the Microsoft Intune admin center.

  2. Create or edit a configuration profile for Windows 10 and later devices, with the Settings catalog profile type.

  3. In the settings picker, browse to Administrative templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection.

    A screenshot showing the device and resource redirection options in the Microsoft Intune portal.

  4. Check the box for Do not allow WebAuthn redirection, then close the settings picker.

  5. Expand the Administrative templates category, then toggle the switch for Do not allow WebAuthn redirection to Enabled or Disabled, depending on your requirements:

    • To allow WebAuthn redirection, toggle the switch to Disabled.

    • To disable WebAuthn redirection, toggle the switch to Enabled.

  6. Select Next.

  7. Optional: On the Scope tags tab, select a scope tag to filter the profile. For more information about scope tags, see Use role-based access control (RBAC) and scope tags for distributed IT.

  8. On the Assignments tab, select the group containing the computers providing a remote session you want to configure, then select Next.

  9. On the Review + create tab, review the settings, then select Create.

  10. Once the policy applies to the computers providing a remote session, restart them for the settings to take effect.

Test WebAuthn redirection

To test WebAuthn redirection once you've enabled it:

  1. If you're using a USB security key, make sure it's plugged in first.

  2. Connect to a remote session using Windows App or the Remote Desktop app on a platform that supports WebAuthn redirection. For more information, see Compare Windows App features across platforms and devices and Compare Remote Desktop app features across platforms and devices.

  3. In the remote session, open a website in an InPrivate window that uses WebAuthn authentication, such as Windows App for web browsers at https://windows.cloud.microsoft/.

  4. Follow the sign-in process. When the sign-in reaches the step that uses Windows Hello for Business or the security key, you should see a Windows Security prompt to complete the authentication, as shown in the following image when using a Windows local device.

    The Windows Security prompt is on the local device and overlays the remote session, indicating that WebAuthn redirection is working.

    A screenshot showing a WebAuthn request from the remote session to the local device.