I recently read an article on Mashable.com related to Microsoft’s plan to make Windows 11 use its “Passwordless” authentication. That’s great, right? You know, for security. Philosophically, and maybe on paper, it’s good, but like so many things in reality, there are issues.
Windows 11 is going passwordless. Here’s what you’ll be using instead.
Choose the password-free lifestyle.
Once I saw this headline, I quickly reminisced about a previous problem I had with the Microsoft “Passwordless” authentication function which had no solution – at least a solution which would have maintained all the original security, benefits, and ease of using “Passwordless” authentication. I’ll get to that in a sec.
It’s important I get this out of the way early so you understand where I’m coming from. “IT” is my profession and my hobby. I run my own quasi-enterprise system using Azure and Office 365 for personal use. One reason is to stay abreast of new systems and services and to keep fresh on current technologies in case I ever find myself in a period of “down-time.” I also use it to a degree to provide some “family-level” IT security monitoring and management for my extended family.
So, I wouldn’t say I’m the “run-of-the-mill,” average Microsoft home user or consumer. My problem might be one that a majority of Microsoft home users won’t face.
Now back to the task at hand. I was interested in the benefits of Microsoft’s Passwordless authentication method, so I decided to try it out. Before I made the plunge, I read through the material Microsoft provides about it, which generally warns about possible compatibility issues with other services or older applications. Having done so, I thought I was making an educated decision (at least within my own educated mind) to try out Microsoft Passwordless.
Not long after setting it all up I quickly learned about one service not mentioned in the Microsoft warning documentation. Astonishingly, this service which wasn’t working with the Passwordless authentication was one of Microsoft’s own systems and applications – Remote Desktop.
At first I thought it was just me, since most people may not use Remote Desktop outside of work. Also, maybe within a true enterprise-level network it wouldn’t be much of a problem. So, I turned to the all-powerful tool for answers when faced with an IT issue that isn’t covered under normal “help documentation” – I “Googled it.”
It turned out that I was not alone. More surprisingly, the ultimate answer to my problem was quite easy to find and quite straightforward. Quite simply, Microsoft Remote Desktop does not support Microsoft Passwordless authentication. “Say what!” Granted, I have not reached out to Microsoft directly to get a formal response, mainly because I know I’d never get a formal, succinct answer from Microsoft support even after months of back and forth. I got the next best thing, through Microsoft Answers. That site has the most Microsoft-knowledgeable people outside of the company itself participating to help with user issues and questions.
I found multiple Answers threads that confirmed Remote Desktop can’t use Passwordless:
- “Remote Desktop with Microsoft account passwordless”
- “Remote Desktop with Microsoft Passwordless Account”
One or two offered possible “workarounds,” but after looking at them it was evident that these were ways to “trick the system” rather than viable solutions. I’ll link them below in case you are in a bind, but as my public service announcement: these are not secure, nor do they come close to maintaining any of the security or efficiency benefits of Microsoft Passwordless. In all honesty, some would make the system even less secure than using the normal username and password from before enabling the Passwordless function.
- https://learn.microsoft.com/en-us/answers/questions/594630/remote-desktop-via-microsoft-account-with-no-passw
- https://superuser.com/questions/1693017/using-rdp-with-a-passwordless-microsoft-account
- https://superuser.com/questions/1715525/how-to-login-windows-remote-desktop-rdp-in-windows-11-when-microsoft-account-a
- https://www.reddit.com/r/WindowsHelp/comments/pybi7l/microsoft_remote_desktop_app_on_passwordless/?rdt=56354
To anyone who has worked or still works in IT, it is no surprise that Microsoft would ship a service or application that doesn’t actually work with its current offerings. There have been many times in Microsoft’s past when the “right hand didn’t know what the left hand was doing.” Obviously, in a corporation as large as Microsoft, this can happen.
However, if Microsoft were to push this “service” before it had a fix, it would be a BIG problem for all companies. Even if a company doesn’t utilize Remote Desktop for its employees, there is no IT department that could manage all its IT systems without utilizing Remote Desktop to some degree.
In my continued effort to figure this all out, I came across Microsoft Entra (https://www.microsoft.com/en-us/security/business/microsoft-entra), which is also a relatively new service. I’m no expert on it, but it too is a good service for Microsoft to offer, and I thought it might be a solution for the Passwordless/Remote Desktop debacle Microsoft is about to find itself tangled up in. In a nutshell, Entra is an “Identity Verification Service” (I’m pretty sure) which securely allows employees to use their work account/email address for Single Sign-On (SSO) to access different services and applications across the Internet. However, from what I’ve read, it sadly is not a fix – or at least not anytime soon. It certainly could be a fix, but a lot of other things would have to be in place for it to work, and I don’t think Microsoft has thought that far ahead. I won’t go into all the details about how it could be a solution and how much work it would take to make it THE solution. It would entail setting up Remote Desktop to reach out over the Internet to Entra to verify authentication, as well as a system of certificate distribution, encryption, and automatic syncing. All these things do exist in the world, but mostly in newer services and applications created with this type of technology in mind. To make it happen for Microsoft Remote Desktop, it would need to be built into the Remote Desktop and Windows platforms themselves – and if not implemented correctly, it could bring the whole ship down.
I certainly hope that I’m wrong, and maybe it is my own laziness for not uncovering that Microsoft has prepared for this. Let me know if anyone else comes across anything. Microsoft has, mistakenly or intentionally, left any mention of the Remote Desktop issue out of its Passwordless brochure. I’m sure Microsoft wouldn’t be bashful about advertising the two services if they worked well together; instead the issue has been swept under the rug as if it never happened.
All I have to say is, “Buyer Beware.” It may not affect most people or situations. However, if you are an organization whose employees use Microsoft Remote Desktop in the “remote-workforce” world, or if your organization has a competent IT department that leverages Remote Desktop for management, I think I’d “ease up on the reins” a bit. Other than that, continue to use Multi-factor Authentication and VPNs to keep your network and workforce secure.