FIDO2 over RDP only works with older RDP clients

How to use an older RDP client with Windows 11 to enable FIDO2 over RDP. (Windows 11 21H2 Build 22000.2538 is known good.)

To run the known good .2538 version of the RDP client, pull down the files and create an ISO using UUPDump.net:

UUPDump for Windows 11 21H2 Build 22000.2538 (English version with the working RDP client): https://uupdump.net/download.php?id=5e67247e-c2a3-45ee-86c9-0712b94a01c7&pack=en-us&edition=professional

Run the appropriate .cmd file with admin rights, or the .sh file with su, to download the required UUP files and build the ISO.

This produces an ISO file that you can use to install an instance of Windows 11 21H2 Build 22000.2538, from which you can retrieve the needed files:

  • Mstsc.exe (from c:\windows\system32)
  • Mstscax.dll (from c:\windows\system32)
  • mstscax.dll.mui (from c:\windows\en-us)
  • mstsc.exe.mui (from c:\windows\en-us)

Put the files in a folder with the .mui files in a subfolder called en-us (for English versions).

From an elevated command prompt, change to the folder and register the .DLL using:

Regsvr32 /s mstscax.dll

Run mstsc.exe from the temp folder and test a connection to an RDP target using FIDO2/WebAuthn for the authentication.

You can still run the native mstsc.exe from the Windows system folder. If you want or need the newer RDP client, run that native copy rather than the .2538 version in the new folder.
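
The file-gathering steps above can be scripted on the Build 22000.2538 reference install so that the binaries are signature-checked and hashed before they leave that machine. This is an added example, not part of the original article or any vendor tooling. The destination folder `C:\rdp-2538`, the `manifest.csv` name and the fallback lookup in `System32\en-us` are assumptions.

```powershell
# Added example: run in PowerShell on the Build 22000.2538 reference install.
# $Dest and manifest.csv are assumed names, not taken from the article.
param([string]$Dest = 'C:\rdp-2538')
$ErrorActionPreference = 'Stop'

$sys32   = Join-Path $env:windir 'System32'
# The article lists c:\windows\en-us for the .mui files; System32\en-us is
# searched as well (assumption) in case they are not found there.
$muiDirs = @((Join-Path $env:windir 'en-us'), (Join-Path $sys32 'en-us'))

$wanted = @(
    @{ Name = 'mstsc.exe';       Dirs = @($sys32); Sub = '' }
    @{ Name = 'mstscax.dll';     Dirs = @($sys32); Sub = '' }
    @{ Name = 'mstsc.exe.mui';   Dirs = $muiDirs;  Sub = 'en-us' }
    @{ Name = 'mstscax.dll.mui'; Dirs = $muiDirs;  Sub = 'en-us' }
)

$manifest = foreach ($w in $wanted) {
    # First existing candidate path for this file.
    $src = $w.Dirs | ForEach-Object { Join-Path $_ $w.Name } |
           Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
    if (-not $src) { throw "Not found on this install: $($w.Name)" }

    # Check the two PE binaries on the source install: in-box Windows files are
    # typically catalog-signed, so the check may not validate on another machine.
    if (-not $w.Sub) {
        $sig = Get-AuthenticodeSignature -FilePath $src
        if ($sig.Status -ne 'Valid') { throw "Signature $($sig.Status) on $src" }
    }

    # Layout from the article: binaries in the folder, .mui files under en-us.
    $dir = if ($w.Sub) { Join-Path $Dest $w.Sub } else { $Dest }
    New-Item -ItemType Directory -Force -Path $dir | Out-Null
    $copy = Copy-Item -LiteralPath $src -Destination $dir -PassThru

    [pscustomobject]@{
        File    = if ($w.Sub) { Join-Path $w.Sub $w.Name } else { $w.Name }
        Version = $copy.VersionInfo.FileVersion
        SHA256  = (Get-FileHash -LiteralPath $copy.FullName -Algorithm SHA256).Hash
    }
}

# Record what was staged so the copy can be verified on the target machine.
$manifest | Export-Csv -Path (Join-Path $Dest 'manifest.csv') -NoTypeInformation
$manifest | Format-Table -AutoSize
```

On the machine where the folder will be used, recompute the hashes with Get-FileHash and compare them with manifest.csv before running Regsvr32.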