
Public beta of RDP credential injection now available in Boundary 0.20

Boundary 0.20 introduces public beta support for RDP credential injection, bringing passwordless, secure access to Windows environments and reducing the risks of credential exposure.

Early in its development, HashiCorp Boundary transformed Linux access security with SSH credential injection, which enables a passwordless user experience. After seeing the ease and speed of this workflow, Windows customers have expressed interest in having the same passwordless, secure access experience for remote desktop protocol (RDP) connections.

Today, HashiCorp Boundary 0.20 brings credential injection to Windows users. Boundary 0.20 introduces our public beta of RDP credential injection — extending Boundary's passwordless, secure access capabilities to Windows Server environments. This feature drastically mitigates credential exposure risks for RDP connections while providing the same, snappy user experience that has made SSH credential injection so popular.


Example shows the RDP client on a Windows OS with the user name omitted from the connection information. Boundary will inject the username and password on behalf of the user.

This post explores the problem that RDP credential injection solves, how this feature works, and why this beta represents a major step forward in securing Windows infrastructure.

The Windows credential challenge

Organizations with significant Windows infrastructure face a persistent security challenge. Traditional RDP workflows force users to manually handle credentials — copying passwords from password managers, typing usernames and domains, or storing credentials in insecure locations. This manual handling creates multiple attack vectors:

  • When users copy and paste RDP credentials, those credentials are temporarily stored in clipboard memory where malware, keyloggers, or screen scrapers can capture them. Even brief exposure can lead to credential theft and unauthorized access.
  • Windows environments often rely on long-lived, shared service accounts that are difficult to rotate due to their widespread use. These static credentials become attractive targets for attackers and create compliance headaches for security teams.
  • The current workflow for RDP credentials in Boundary requires users to juggle authentication, retrieve brokered credentials, then manually enter them into RDP clients.

According to Verizon's 2025 Data Breach Investigations Report, 88% of attacks targeting web applications involved compromised credentials, with stolen credentials responsible for approximately one-third of breaches over the last decade. For Windows-heavy organizations, this manual credential handling represents a huge security gap, and protecting credentials for the hundreds or thousands of resources in the network is not a capability offered by VPNs or jump boxes.

Seamless Windows access without credential exposure

RDP credential injection in Boundary transforms Windows access by completely eliminating user interaction with credentials. Here's how it works:

  1. Identity-based authentication: Users authenticate to Boundary once using their existing identity provider (Okta, Azure Entra ID, IBM Verify Identity, etc.) or Boundary's built-in authentication methods.
  2. Automatic credential injection: When users connect to Windows targets, Boundary workers automatically inject the appropriate credentials into the RDP authentication process. Users never see usernames, passwords, or domain information.
  3. Protocol-aware proxying: Boundary understands the RDP protocol deeply, intercepting authentication flows and seamlessly injecting credentials using the same enterprise-grade security protocols that your Windows domain expects: Kerberos and NTLMv2.

The user experience is simple. After authenticating to Boundary, users can connect to Windows servers using their familiar RDP clients, whether that's the native Microsoft Remote Desktop client on Windows or macOS. Boundary handles all credential management behind the scenes.

Beta release: Tested configurations and growing support

The beta of RDP credential injection in the Boundary 0.20 GA release focuses on proven, well-tested configurations that provide immediate value for Windows environments:

  • Supported platforms: Windows Server 2019 and newer versions with common enterprise configurations. More server/client combinations are tested daily.
  • Client compatibility: Native Microsoft RDP clients on Windows 10+ and macOS 10.15+.
  • Authentication mechanisms: Kerberos user-to-user authentication for domain-joined targets with automatic NTLMv2 fallback, plus local account authentication for standalone servers.
  • Credential sources: Integration with Boundary's static credential store or Vault’s KV secrets engine is supported on the initial 0.20 release. Vault's LDAP secrets engine for dynamic credentials will be supported in a fast follow-up version 0.20.1, with the new Username-Password-Domain credential type for domain environments.

As a beta feature, RDP credential injection in 0.20 includes some important considerations:

  • Self-signed certificates will require manual acceptance in RDP clients.
  • Our initial focus is on core Windows Server authentication scenarios: Kerberos and NTLMv2 fallback. This release will not support native EntraID/AzureID authentication.

The path to GA (and beyond!)

The RDP credential injection beta in 0.20 lays the groundwork for Boundary’s comprehensive coverage of Windows PAM needs. Based on beta feedback and continued development, we're targeting general availability with Boundary 0.21 in early 2026.

Planned GA enhancements:

  • Expanded client and server compatibility testing
  • Enhanced error handling and troubleshooting capabilities
  • Additional authentication protocol support for Entra ID

Getting started with RDP credential injection

The RDP credential injection beta is available now in Boundary Enterprise and HCP Boundary as part of the 0.21 release. The feature requires no changes to existing Windows infrastructure and works with your current RDP clients in supported configurations. Organizations interested in participating in the beta can start evaluating RDP credential injection now with supported configurations, helping shape the final GA release while beginning to secure their Windows infrastructure.

To get started with the beta:

  1. Upgrade your Boundary cluster to 0.20: Download the latest release or upgrade your HCP Boundary cluster.

  2. Review supported configurations: Ensure your Windows targets and RDP clients match the tested configurations outlined in our documentation.

  3. Configure RDP targets: Create RDP target resources in your Boundary configuration, specifying the Windows servers you want to protect.

  4. Set up credential sources: Configure static credentials in Boundary.

  5. Test the workflow: Install the latest Boundary client, authenticate to Boundary, and connect to your Windows targets using supported RDP client tools.
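
Steps 3 to 5 above, sketched as a Boundary CLI session in PowerShell. This is an added example, not taken from HashiCorp's documentation: the project ID, resource names, host address and the `WIN_RDP_PASSWORD` variable are placeholders, and the `targets create rdp` subcommand is assumed to take the same flags as `targets create ssh`.

```powershell
# Added example (not from the original post). Run after `boundary authenticate`.
# Assumptions: every ID, name and address below is a placeholder, and
# `targets create rdp` is assumed to mirror the flags of `targets create ssh`.
$ErrorActionPreference = 'Stop'
$ProjectId = 'p_PLACEHOLDER'                 # project scope that will own the target
$Address   = 'winsrv01.example.internal'     # standalone Windows Server 2019+ host

function Invoke-Boundary {
    # Run one CLI command with JSON output and return the resulting resource ID.
    $out = & boundary @args -format json
    if ($LASTEXITCODE -ne 0) { throw "boundary $($args -join ' ') failed" }
    ($out | Out-String | ConvertFrom-Json).item.id
}

# Step 4: static credential store plus a local-account credential.
# env:// tells the CLI to read the secret from an environment variable, so the
# password never appears in the command line, transcript or shell history.
if (-not $env:WIN_RDP_PASSWORD) { throw 'Set WIN_RDP_PASSWORD before running.' }
$StoreId = Invoke-Boundary credential-stores create static `
    -scope-id $ProjectId -name 'rdp-static-store'
$CredId = Invoke-Boundary credentials create username-password `
    -credential-store-id $StoreId -name 'winsrv01-local-admin' `
    -username 'Administrator' -password 'env://WIN_RDP_PASSWORD'

# Step 3: the RDP target that points at the Windows server.
$TargetId = Invoke-Boundary targets create rdp `
    -scope-id $ProjectId -name 'winsrv01-rdp' `
    -address $Address -default-port 3389

# Attach the credential as an *injected* source. A brokered source would hand
# the password back to the user, which is the exposure injection removes.
Invoke-Boundary targets add-credential-sources -id $TargetId `
    -injected-application-credential-source $CredId | Out-Null

# The secret now lives in the credential store; drop the local copy.
Remove-Item Env:WIN_RDP_PASSWORD

# Step 5: open the session. The RDP client starts with no password prompt;
# the worker supplies the credential during RDP authentication.
boundary connect rdp -target-id $TargetId
```

Granting end users only session-authorization rights on the target, with no read access to the credential store, keeps the stored password out of their reach.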

The beta includes comprehensive documentation to help you get started. We're actively collecting feedback to ensure the GA release meets enterprise requirements.

For organizations ready to begin eliminating credential exposure from their Windows infrastructure, RDP credential injection beta provides a secure foundation to build upon. While this is a beta release with focused scope, it represents a significant step toward making Windows access as secure and seamless as SSH environments.

To learn more about the RDP credential injection beta:

For more HashiConf 2025 Security Lifecycle Management news, read our blog: Strengthen security with Vault, Boundary, and Radar features at HashiConf 2025.
