I want to setup RDP authentication using Yubikeys.
According to the guide (https://swjm.blog/the-complete-guide-to-rdp-with-yubikeys-fido2-cba-1bfc50f39b43) this should be fairly easy.
But I fail when trying to run the command
LocalGroupMember -Group "Remotedesktopbenutzer" -Member "AzureAD\lars.kusch@stbk.link"
LocalGroupMember : Der Prinzipal AzureAD\lars.kusch@stbk.link wurde nicht gefunden.
In Zeile:1 Zeichen:1
+ LocalGroupMember -Group "Remotedesktopbenutzer" -Member "AzureAD\lars ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (AzureAD\lars.kusch@stbk.link:String) [Get-LocalGroupMember], PrincipalN
otFoundException
+ FullyQualifiedErrorId : PrincipalNotFound,Microsoft.PowerShell.Commands.GetLocalGroupMemberCommand
The host is Azure-AD-Hybrid-joined:
+----------------------------------------------------------------------+
| Device State |
+----------------------------------------------------------------------+
AzureAdJoined : YES
EnterpriseJoined : NO
DomainJoined : YES
DomainName : STBK
Device Name : vrdp501172.stbk.link
+----------------------------------------------------------------------+
| Device Details |
+----------------------------------------------------------------------+
DeviceId : XXX
Thumbprint : XXX
DeviceCertificateValidity : [ 2023-07-11 10:27:44.000 UTC -- 2033-07-11 10:57:44.000 UTC ]
KeyContainerId : XXX
KeyProvider : Microsoft Software Key Storage Provider
TpmProtected : NO
DeviceAuthStatus : SUCCESS
+----------------------------------------------------------------------+
| Tenant Details |
+----------------------------------------------------------------------+
TenantName : Steuerberater Kusch
TenantId : c742fd56-3458-40a8-8c97-7a57e83fecb3
AuthCodeUrl : https://login.microsoftonline.com/XXX/oauth2/authorize
AccessTokenUrl : https://login.microsoftonline.com/XXX/oauth2/token
MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
MdmTouUrl : https://portal.manage.microsoft.com/TermsofUse.aspx
MdmComplianceUrl : https://portal.manage.microsoft.com/?portalAction=Compliance
SettingsUrl :
JoinSrvVersion : 2.0
JoinSrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/device/
JoinSrvId : urn:ms-drs:enterpriseregistration.windows.net
KeySrvVersion : 1.0
KeySrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/key/
KeySrvId : urn:ms-drs:enterpriseregistration.windows.net
WebAuthNSrvVersion : 1.0
WebAuthNSrvUrl : https://enterpriseregistration.windows.net/webauthn/XXX/
WebAuthNSrvId : urn:ms-drs:enterpriseregistration.windows.net
DeviceManagementSrvVer : 1.0
DeviceManagementSrvUrl : https://enterpriseregistration.windows.net/manage/XXX/
DeviceManagementSrvId : urn:ms-drs:enterpriseregistration.windows.net
+----------------------------------------------------------------------+
| User State |
+----------------------------------------------------------------------+
NgcSet : NO
WorkplaceJoined : NO
WamDefaultSet : YES
WamDefaultAuthority : organizations
WamDefaultId : https://login.microsoft.com
WamDefaultGUID : {XXX} (AzureAd)
+----------------------------------------------------------------------+
| SSO State |
+----------------------------------------------------------------------+
AzureAdPrt : YES
AzureAdPrtUpdateTime : 2023-07-13 06:19:37.000 UTC
AzureAdPrtExpiryTime : 2023-07-27 06:19:36.000 UTC
AzureAdPrtAuthority : https://login.microsoftonline.com/XXX
EnterprisePrt : NO
EnterprisePrtAuthority :
OnPremTgt : NO
CloudTgt : YES
KerbTopLevelNames : .windows.net,.windows.net:1433,.windows.net:3342,.azure.net,.azure.net:1433,.azure.net:3342
+----------------------------------------------------------------------+
| Diagnostic Data |
+----------------------------------------------------------------------+
AadRecoveryEnabled : NO
Executing Account Name : STBK\lars.kusch, lars.kusch@stbk.link
KeySignTest : PASSED
DisplayNameUpdated : YES
OsVersionUpdated : YES
HostNameUpdated : YES
Last HostName Update : NONE
+----------------------------------------------------------------------+
| IE Proxy Config for Current User |
+----------------------------------------------------------------------+
Auto Detect Settings : YES
Auto-Configuration URL :
Proxy Server List :
Proxy Bypass List :
+----------------------------------------------------------------------+
| WinHttp Default Proxy Config |
+----------------------------------------------------------------------+
Access Type : DIRECT
+----------------------------------------------------------------------+
| Ngc Prerequisite Check |
+----------------------------------------------------------------------+
IsDeviceJoined : YES
IsUserAzureAD : YES
PolicyEnabled : NO
PostLogonEnabled : YES
DeviceEligible : NO
SessionIsNotRemote : NO
CertEnrollment : none
PreReqResult : WillNotProvision
For more information, please visit https://www.microsoft.com/aadjerrors
Has anyone an idea, why this fails and therefore remote RDP connection fails?
Kind regards,
Lars Kusch
