Feature request: MS-RDPEWA channel support (FIDO2/WebAuthn redirection)

Post a reply

Smilies
:D :) :( :o :shock: :? 8) :lol: :x :P :oops: :cry: :evil: :twisted: :roll: :wink: :!: :?: :idea: :arrow: :| :mrgreen:
BBCode is OFF
Smilies are ON
Topic review
   

Expand view Topic review: Feature request: MS-RDPEWA channel support (FIDO2/WebAuthn redirection)

Feature request: MS-RDPEWA channel support (FIDO2/WebAuthn redirection)

by sgiardi.ali » Sun May 17, 2026 2:24 pm

Hello,
I would like to request support for the MS-RDPEWA channel (WebAuthn/FIDO2 redirection over RDP) in a future WTware release.
Background and use case
We are running a hybrid Active Directory environment (Windows Server 2019 AD DS + Azure AD Connect + Microsoft 365) with an RDS farm on Windows Server 2022. We are deploying FIDO2 biometric security keys (OneSpan Digipass FX1 BIO) for passwordless authentication across our organization.
The deployment works well on Windows 11 workstations (Hybrid AADJ), where users can authenticate to both Windows login and RDS sessions using the FIDO2 key via the RDPAAD protocol. However, our WTware x86 thin clients cannot participate in this passwordless flow, since WTware’s RDP client does not currently implement the MS-RDPEWA virtual channel.
Technical reference
The relevant Microsoft protocol specification is:
https://learn.microsoft.com/en-us/opens ... ms-rdpewa/
This virtual channel (MS-RDPEWA) is what enables the client-side CTAP2/WebAuthn stack to relay FIDO2 authentication tokens through the RDP connection to the Windows login screen on the remote server.
For reference, FreeRDP has just implemented this channel in version 3.25.0 (released April 2026):
https://github.com/FreeRDP/FreeRDP/releases/tag/3.25.0
Our environment
• WTware thin clients: x86 hardware (planning to expand to Raspberry Pi 4 in the future)
• RDS target: Windows Server 2022, Hybrid Azure AD Joined
• FIDO2 device: OneSpan Digipass FX1 BIO (USB-C, biometric, FIDO2.1/CTAP2.1)
• Goal: passwordless RDS session login using biometric FIDO2 key from WTware thin clients
Request
Would it be possible to add MS-RDPEWA channel support to WTware’s RDP client? This would allow WTware thin clients to relay WebAuthn/FIDO2 authentication to the RDS session login screen, enabling fully passwordless authentication from thin client endpoints.
We understand there may be no fixed timeline — as with previous feature additions (e.g. MS-RDPECAM), we are happy to wait and assist with testing if needed.
Thank you for the excellent product and for your continued responsiveness to the community.
Best regards

Top