FIDO2 key redirection not working with embedded session


I am unable to get my FIDO2 key redirection to function when leveraging the embedded browser. It works fine when I manually use MSTSC or if I use external from within RDM (which is leveraging MSTSC). I have checked that my local resources have smart cards and WebAuthn options enabled for the connection. However, when checking between the two for supported RemoteFX USB devices there is a difference. In MSTSC I see the FIDO2 key listed but within RDM I do not. Attached are the screenshots showing the difference. I believe this is the root issue in allowing embedded to function properly. Any idea why the FIDO2 key is not shown with RDM?


Attachments: image (17).png, image (16).png, image (15).png

Comments (4)

Hi,

First, do you intend to use RemoteFX USB redirection, or FIDO2 / WebAuthn API redirection? Remoting FIDO2 keys over USB redirection has historically been a hack which requires adding registry keys to force-enable them to be listed in mstsc. We've tried replicating the same kind of USB device filtering in RDM but I'd have to double-check if we're also checking the same keys to allow specific devices that would normally be filtered out by mstsc.

In order to get the FIDO2 key listed in mstsc, did you have to create additional registry keys, or was it also filtered out by mstsc by default?

Best regards,

Marc-André Moreau


My intention is just WebAuthn redirection so I can leverage security keys / Windows Hello on the remote session with an embedded session. Within MSTSC, if I just have WebAuthn (Windows Hello or security keys) selected, it works without issue. I didn't have to make any changes whatsoever to the registry or settings. MSTSC works as expected with my FIDO2 key (both alone and if I select external for the connection in RDM) but it does not work within the embedded connection of RDM. It does not redirect to my local machine and is only prompted from within the remote session.

I only changed my local group policy option to enable RemoteFX USB support to see if that made a difference with RDM. After that change I could see the devices listed under the RemoteFX section in MSTSC and then saw they did not make it from within RDM.


Hi,

I found a problem with the way RDM loads the WebAuthn.dll virtual channel plugin in the RDP ActiveX to mimic how mstsc.exe enables WebAuthn API redirection, and made a fix which should be available in the next build (2024.1.26). When WebAuthn API redirection came out, Microsoft added registry keys to register C:\Windows\System32\WebAuthn.dll as an RDP virtual channel plugin to load, and we've used those to detect the path to the plugin. We had noticed that this plugin registration was a bit problematic as it caused WebAuthn API redirection to always be enabled in mstsc, regardless of the "redirectwebauthn:i:0" .RDP file setting.

It looks like Microsoft noticed their mistake and removed the registry keys in recent Windows builds, which unfortunately broke our path detection to WebAuthn.dll. Since the latest mstsc.exe now only checks for C:\Windows\System32\WebAuthn.dll to add it to the list of plugins to load based on the "redirectwebauthn" value, I've updated our code to do the same, without using the registry keys which are now gone.

I included a .reg file to restore the registry keys in this reply if you want to make it work with the current version of RDM, without waiting for the new RDM build.

When using the FIDO2 key from mstsc, is this the kind of prompt you see on the client? (See the first screenshot attached below.)

From RDM, if enabled, it should look like this with the embedded mode (second screenshot below):
Best regards,

Marc-André Moreau

Attachments: 924caa98-7d6e-4ede-bf75-6a3dbb76381b.png, 91ff5bd4-721d-4b88-ab18-bdeedf91ad2a.png, RdpWebAuthnAddin.reg
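The reply above names three things that decide whether WebAuthn API redirection is actually active for an embedded session: whether C:\Windows\System32\WebAuthn.dll is present, whether a virtual-channel plugin registration for it exists in the registry (the keys Microsoft has since removed, and which the attached .reg file restores), and the "redirectwebauthn" value in the .RDP settings. The following PowerShell diagnostic is an added example written for this page; it is not RDM's code, not the contents of RdpWebAuthnAddin.reg (which are not reproduced here), and it changes nothing. It assumes that mstsc virtual-channel plugins are registered under the standard `Terminal Server Client\Default\AddIns` location in HKLM or HKCU; because the exact subkey name used for WebAuthn is not given on the page, it enumerates every AddIns subkey and reports those whose `Name` value points at WebAuthn.dll rather than guessing one.

```powershell
# Added diagnostic (not from the thread or from RDM). Read-only: reports the
# state of the three prerequisites discussed above without modifying anything.
# ASSUMPTION: the AddIns path below is the standard mstsc plugin registration
# location; the WebAuthn subkey name is not on the page, so all subkeys are listed.

param(
    [string]$RdpFile = ""   # optional: path to a saved .rdp file to inspect
)

$report = [ordered]@{}

# 1. The DLL that mstsc.exe loads as the WebAuthn virtual channel plugin.
$dll = Join-Path $env:SystemRoot 'System32\WebAuthn.dll'
$report['WebAuthnDllPresent'] = Test-Path -LiteralPath $dll

# 2. Plugin registrations that point at WebAuthn.dll, per-machine and per-user.
$addinRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Terminal Server Client\Default\AddIns',
    'HKCU:\SOFTWARE\Microsoft\Terminal Server Client\Default\AddIns'
)
$registrations = foreach ($root in $addinRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($key in Get-ChildItem -LiteralPath $root) {
        # Each addin subkey carries a 'Name' string value holding the DLL path.
        $props = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
        if ($props.Name -and $props.Name -match 'webauthn\.dll$') {
            [pscustomobject]@{ Key = $key.Name; Dll = $props.Name }
        }
    }
}
$report['WebAuthnAddinRegistrations'] = @($registrations)
$report['AddinRegistrationCount']     = @($registrations).Count

# 3. The per-connection switch: redirectwebauthn:i:1 enables redirection,
#    redirectwebauthn:i:0 disables it (only honoured once the plugin path is known).
if ($RdpFile -and (Test-Path -LiteralPath $RdpFile)) {
    $line = Get-Content -LiteralPath $RdpFile |
        Where-Object { $_ -like 'redirectwebauthn:i:*' } |
        Select-Object -First 1
    if ($line -and $line -match ':i:(\d)') {
        $report['RedirectWebAuthnSetting'] = [int]$Matches[1]
    } else {
        $report['RedirectWebAuthnSetting'] = 'not set (client default applies)'
    }
}

[pscustomobject]$report | Format-List
```

Run it as `.\Check-WebAuthnRedirection.ps1 -RdpFile C:\path\to\connection.rdp` (file name is the example's own). A result of `WebAuthnDllPresent = True` with `AddinRegistrationCount = 0` is exactly the situation the reply describes on recent Windows builds: mstsc still redirects because it checks the DLL path directly, while an RDM build that relied on the registry registration would not, which is what the attached .reg file works around until the fixed build is installed.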

Yes, those are the differences in the prompts I receive. I also confirmed the registry change allows the security key to work from within RDM with an embedded session. Thank you!