Configure WebAuthn redirection over the Remote Desktop Protocol
Tip
This article is shared for services and products that use the Remote Desktop Protocol (RDP) to provide remote access to Windows desktops and apps.
Select a product using the buttons at the top of this article to show the relevant content.
You can configure the redirection behavior of WebAuthn requests from a remote session to a local device over the Remote Desktop Protocol (RDP). WebAuthn redirection enables in-session passwordless authentication using Windows Hello for Business or security devices like FIDO keys.
For Azure Virtual Desktop, we recommend you enable WebAuthn redirection on your session hosts using Group Policy, then control redirection using the host pool RDP properties.
For Windows 365, you can configure your Cloud PCs using Group Policy.
For Microsoft Dev Box, you can configure your dev boxes using Group Policy.
This article provides information about the supported redirection methods and how to configure the redirection behavior for WebAuthn requests. To learn more about how redirection works, see Redirection over the Remote Desktop Protocol.
Prerequisites
Before you can configure WebAuthn redirection, you need:
An existing host pool with session hosts.
A Microsoft Entra ID account that is assigned the Desktop Virtualization Host Pool Contributor built-in role-based access control (RBAC) roles on the host pool as a minimum.
- An existing Cloud PC.
- An existing dev box.
A local Windows device with Windows Hello for Business or a security device like a FIDO USB key already configured.
To configure Group Policy, you need:
- A domain account that has permission to create or edit Group Policy objects.
- A security group or organizational unit (OU) containing the devices you want to configure.
You need to connect to a remote session from a supported app and platform. To view redirection support in Windows App and the Remote Desktop app, see Compare Windows App features across platforms and devices and Compare Remote Desktop app features across platforms and devices.
WebAuthn redirection
Configuration of a session host using Group Policy, or setting an RDP property on a host pool governs the ability to redirect WebAuthn requests from a remote session to a local device, which is subject to a priority order.
The default configuration is:
- Windows operating system: WebAuthn requests aren't blocked.
- Azure Virtual Desktop host pool RDP properties: WebAuthn requests in the remote session are redirected to the local computer.
Important
Take care when configuring redirection settings as the most restrictive setting is the resultant behavior. For example, if you disable WebAuthn redirection on a session host with Group Policy, but enable it with the host pool RDP property, redirection is disabled.
Configuration of a Cloud PC governs the ability to redirect WebAuthn requests between the remote session and the local device, and is set using Group Policy.
The default configuration is:
- Windows operating system: WebAuthn requests aren't blocked. Windows 365 enables WebAuthn redirection.
Configuration of a dev box governs the ability to redirect WebAuthn requests between the remote session and the local device, and is set using Group Policy.
The default configuration is:
- Windows operating system: WebAuthn requests aren't blocked. Windows 365 enables WebAuthn redirection.
Configure WebAuthn redirection using host pool RDP properties
The Azure Virtual Desktop host pool setting WebAuthn redirection controls whether to redirect WebAuthn requests between the remote session and the local device. The corresponding RDP property is redirectwebauthn:i:<value>
. For more information, see Supported RDP properties.
To configure WebAuthn redirection using host pool RDP properties:
Sign in to the Azure portal.
In the search bar, type Azure Virtual Desktop and select the matching service entry.
Select Host pools, then select the host pool you want to configure.
Select RDP Properties, then select Device redirection.
For WebAuthn redirection, select the drop-down list, then select one of the following options:
- WebAuthn requests in the remote session are not redirected to the local computer
- WebAuthn requests in the remote session are redirected to the local computer (default)
- Not configured
Select Save.
To test the configuration, follow the steps in Test WebAuthn redirection.
Configure WebAuthn redirection using Group Policy
Configure WebAuthn redirection using Group Policy
Select the relevant tab for your scenario.
To allow or disable WebAuthn redirection using Group Policy:
Open the Group Policy Management console on device you use to manage the Active Directory domain.
Create or edit a policy that targets the computers providing a remote session you want to configure.
Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection.
Double-click the policy setting Do not allow WebAuthn redirection to open it.
To allow WebAuthn redirection, select Disabled or Not configured, then select OK.
To disable WebAuthn redirection, select Enabled, then select OK.
Ensure the policy is applied to the computers providing a remote session, then restart them for the settings to take effect.
Test WebAuthn redirection
Once you enable WebAuthn redirection, to test it:
If you're using a USB security key, make sure it's plugged in first.
Connect to a remote session using Window App or the Remote Desktop app on a platform that supports WebAuthn redirection. For more information, see Compare Windows App features across platforms and devices and Compare Remote Desktop app features across platforms and devices.
In the remote session, open a website in an InPrivate window that uses WebAuthn authentication, such as Windows App for web browsers at https://windows.cloud.microsoft/.
Follow the sign-in process. When the authentication comes to use Windows Hello for Business or the security key, you should see a Windows Security prompt to complete the authentication, as shown in the following image when using a Windows local device.
The Windows Security prompt is on the local device and overlays the remote session, indicating that WebAuthn redirection is working.