# Zero-Trust Desktop Access


![remote-desktop-style](https://www.agilicus.com/www/39ffd582-remote-desktop-style.svg)VIA Zero Trust

---

## **Microsoft Remote Desktop**

If you have Windows servers (or desktops) that need to be accessed by any user, on any device, from anywhere, this is what you need.


https://youtu.be/IkLKMvx22UM 

Most of your applications are now modern, responsive web apps. However, you still have some native Desktop applications. You need to be able to access them remotely, safely, and simply. You need to be able to grant access to specific Desktops to specific users, who may not work for you. Your Desktop may run in a site without a public IP, or without a configurable firewall allowing safe inbound access: perhaps your house, perhaps a branch office.

In 10 minutes you can have 1-click remote access to that Desktop, with no configuration onsite and no change to the Desktop or the firewall.

Via Remote Desktop Protocol, or via VNC.

Via a Native Client, or via a web interface.

## Desktop Access Setup

[![zero-trust-remote-desktop-access](https://www.agilicus.com/www/c4228795-zero-trust-desktop-access.embed_.svg)](https://www.agilicus.com/www/c4228795-zero-trust-desktop-access.embed_.svg)

Note: you can use a site-to-site VPN via IPSEC, or use the onsite Agilicus Connector for each pool of servers. These instructions assume the latter.

### 1. CREATE ORGANISATION

Your Organisation lets you set up your identity providers and your DNS name (CNAME), and control your users.
See [SIGNUP](https://www.agilicus.com/anyx-guide/signup/)

### 2. SETUP IDENTITY

You can enable Google, Apple, and LinkedIn as check box items. You may also wish to enable [Azure Active Directory](https://www.agilicus.com/anyx-guide/azure-active-directory/).
Also set up initial users and group membership.

### 3. CREATE CONNECTOR PER SITE

Each pool of servers needs a method to reach it. This can be a site-to-site VPN, or an on-site connector. [Install](https://www.agilicus.com/anyx-guide/agilicus-connector/) a connector now. This may be on each SSH server, on 1 of the servers that can reach the others, or on a machine in the same network; it's up to you.

### 4. CREATE DESKTOP RESOURCE

Each Desktop host will require a Desktop Resource to provide the coordinates. This will include a name, and hostname/IP. The Hostname/IP will be in the internal coordinates.

### 5. ASSIGN PERMISSIONS

We must now assign ‘Owner’ permission to each user or group that should be able to connect. See “[Resource Permissions](https://www.agilicus.com/anyx-guide/permissions/)” for more information.

### 6. CONNECT

From https://profile.\_\_MYDOMAIN\_\_, you may open the Remote Desktop. By default this will launch your native remote desktop client (e.g. mstsc). You may also install the Launcher from the Profile, which will give you an icon on your regular operating system start menu.

## Detailed Desktop Creation

[![Zero Trust Desktop Access with AnyX: Securely connect to your desktop from anywhere, ensuring enhanced security and compliance through identity-based access and continuous authorization. Learn how AnyX enables seamless and protected remote desktop access for a modern workforce.](https://www.agilicus.com/www/87da6413-image.png)](https://www.agilicus.com/www/87da6413-image.png)

The 'Desktops/New' form asks 3 questions:

1. Connector. You will have [already](https://www.agilicus.com/anyx-guide/agilicus-connector/) set this up. You need 1 per site (or more if you wish, e.g. 1 per host).
2. Name. This will be the 'name' you assign permission to. It will show in the audit, and the end-user will see it.
3. Hostname/IP. This is how you would address the Desktop within the (private) site.

Once you have completed these steps, as an Administrator you will be offered the opportunity to download an RDP file, so that you can test the configuration. This will open in your native Remote Desktop application (on all platforms). The Desktop will become available approximately 1-2 minutes after you apply the config.

You may now assign permissions (by group, or by user). Each user who has access will see, in https://profile.MYDOMAIN, an icon for the same Remote Desktop. They may also install the Agilicus Launcher which will create start menu icons automatically.

The detailed steps and screenshots are shown below.

![Zero Trust Desktop Access with AnyX: Securely access your desktop applications from anywhere with multi-factor authentication, device posture checks, and granular access control. Agilicus AnyX ensures enhanced security and compliance for remote desktop access, protecting sensitive data and preventing unauthorized access. Learn how to implement a zero trust architecture for your desktops.](https://www.agilicus.com/www/78ab24d4-image.png)    ![Zero Trust Desktop Access with AnyX: Securely connect to your desktop from anywhere with identity-based authentication and granular access control. Learn how AnyX enhances security and simplifies remote desktop access.](https://www.agilicus.com/www/09a8adb9-image.png)    ![Zero Trust Desktop Access Architecture: Securely connect to your desktop from anywhere with AnyX. This diagram illustrates a zero trust architecture for desktop access, emphasizing secure authentication, continuous authorization, and network segmentation to protect against unauthorized access.](https://www.agilicus.com/www/57509de2-image.png)    ![](https://www.agilicus.com/www/b8e657e9-image-1024x922.png)    

Once complete you may use the Resource/Desktops/Overview link to view/edit/update your newly configured desktop.

❗

Some versions of Microsoft Windows (e.g. Windows 10 Home) do not support Remote Desktop Server. You may try a different OS, you may try [VNC](/anyx-guide/vnc-desktop/), or, there are some [workarounds](https://www.helpwire.app/blog/remote-desktop-for-windows-10-home/ "workarounds").

## Administrative Parameter Override

The administrator may override parameters in the Remote Desktop file, changing the behaviour of the client. These parameters in turn may have [variable expansion](/anyx-guide/variable-expansion/), making them dynamic per user.

![](https://www.agilicus.com/www/87e3b9be-image-1024x341.png)

You may also configure a [RemoteApp](#microsoft-remoteapp-single-application-no-desktop-kiosk-mode), so that the desktop will launch a specific application, full-screen, and not have access to e.g. the Start menu.

## Connection Parameter Override

![](https://www.agilicus.com/www/6303f42c-image-1024x867.png)

End users may wish to configure specific overrides regarding their local displays, resolution, clipboard, etc.

The configuration options are found in their Profile (https://profile.\_\_MYDOMAIN\_\_), under their account icon.

Users may choose to pass through their microphone or audio output, clipboard (cut and paste), and USB devices.

Some remote desktop servers have multiple displays; these can be passed through if desired.

The user may select dynamic resolution (e.g. they can resize the current window and it will resize the remote), or a specific dimension.
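
Because both the administrator and the end user can change what a Remote Desktop file passes through, it is worth checking which channels a given file actually enables. The following is an added example, not Agilicus code: it assumes the file uses the standard Microsoft RDP property names, the sample content is constructed, and the function names are hypothetical.

```powershell
# Constructed sample .rdp content for illustration (not generated by the product).
$SampleRdp = @'
full address:s:desktop.example.internal
audiocapturemode:i:1
audiomode:i:0
usbdevicestoredirect:s:*
dynamic resolution:i:1
'@

# Standard Microsoft RDP properties for the channels named above, with the
# value the client assumes when the line is absent from the file.
$Channels = [ordered]@{
    'redirectclipboard'    = @{ Label = 'Clipboard';    Default = '1' }
    'audiocapturemode'     = @{ Label = 'Microphone';   Default = '0' }
    'audiomode'            = @{ Label = 'Audio output'; Default = '0' }
    'usbdevicestoredirect' = @{ Label = 'USB devices';  Default = '' }
}

function ConvertFrom-RdpText {
    param([Parameter(Mandatory)][string]$Text)
    $settings = @{}
    foreach ($line in ($Text -split '\r?\n')) {
        # Each line is name:type:value; type is i (integer), s (string) or b (binary).
        if ($line -match '^\s*([^:]+):([isb]):(.*)$') {
            $settings[$Matches[1].Trim().ToLowerInvariant()] = $Matches[3].Trim()
        }
    }
    $settings
}

function Get-RdpRedirection {
    param([Parameter(Mandatory)][string]$Text)
    $settings = ConvertFrom-RdpText -Text $Text
    foreach ($name in $Channels.Keys) {
        $explicit = $settings.ContainsKey($name)
        $value = if ($explicit) { $settings[$name] } else { $Channels[$name].Default }
        $redirected = switch ($name) {
            'audiomode'            { $value -eq '0' }  # 0 = remote audio plays on the local device
            'usbdevicestoredirect' { $value -ne '' }   # empty = no USB devices redirected
            default                { $value -eq '1' }
        }
        [pscustomobject]@{
            Channel = $Channels[$name].Label; Property = $name
            Value = $value; Explicit = $explicit; Redirected = $redirected
        }
    }
}

Get-RdpRedirection -Text $SampleRdp | Format-Table -AutoSize
```

For a downloaded file, pass `(Get-Content -Raw <path>)` as `-Text`. In the sample the clipboard row shows `Explicit = False` and `Redirected = True`, because a missing `redirectclipboard` line leaves the client default in effect.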

## NOTE: You may need to change the Network Level Authentication on the server

If your end users commonly use machines that are not on your domain, you will need to disable the requirement for Network Level Authentication (NLA) on your server.

Agilicus AnyX will work with Network Level Authentication (NLA), but, it becomes a question of whether the ultimate end client will support it.

[![Disabling-and-Re-Enabling-NLA-Settings-Via-System-Settings](https://www.agilicus.com/www/851c15d4-disabling-and-re-enabling-nla-settings-via-system-settings.png)](https://www.agilicus.com/www/851c15d4-disabling-and-re-enabling-nla-settings-via-system-settings.png)

1. Press **Win + R** to open the Run command dialog box.
2. Type **sysdm.cpl** and press **Enter** to open the **System Properties** window.
3. Navigate to the **Remote** tab.
4. Uncheck the **Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)** box.
5. Press **Apply** and then press **OK**. From there, restart your PC to save these changes.
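
The checkbox above corresponds to a registry value on the RDP listener, so the current state can be read (and changed) from an elevated PowerShell session, which is useful for confirming which hosts have the NLA requirement turned off. This is an added example, not Agilicus code: it assumes the standard `UserAuthentication` value under the RDP-Tcp listener key, and the function names are hypothetical.

```powershell
# Run in an elevated PowerShell session on the Remote Desktop host.
$RdpTcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-NlaState {
    $listener = Get-ItemProperty -Path $RdpTcpKey
    # A Group Policy value, when present, takes precedence over the local setting.
    $policy = Get-ItemProperty -Path $PolicyKey -Name UserAuthentication -ErrorAction SilentlyContinue
    [pscustomobject]@{
        NlaRequired      = [bool]$listener.UserAuthentication  # 1 = NLA required
        SecurityLayer    = $listener.SecurityLayer             # 0 = RDP, 1 = Negotiate, 2 = TLS
        SetByGroupPolicy = $null -ne $policy
        PolicyValue      = if ($policy) { $policy.UserAuthentication } else { $null }
    }
}

function Set-NlaRequired {
    param([Parameter(Mandatory)][bool]$Required)
    if ((Get-NlaState).SetByGroupPolicy) {
        # A local change would not be the effective setting; stop rather than mislead.
        throw 'UserAuthentication is set by Group Policy; change the GPO instead.'
    }
    Set-ItemProperty -Path $RdpTcpKey -Name UserAuthentication -Value ([int]$Required) -Type DWord
    Get-NlaState
}

# Report the current state; uncomment the next line to remove the NLA requirement.
Get-NlaState
# Set-NlaRequired -Required $false
```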

## Microsoft RemoteApp (single application, no desktop, kiosk-mode)

You may wish to expose a single application, without the entire desktop (e.g. no start menu). This is called '[RemoteApp](https://learn.microsoft.com/en-us/azure/virtual-desktop/publish-applications-stream-remoteapp?tabs=portal)'. You may use this with any Windows desktop or server, but the number of concurrent sessions may be limited by Microsoft licensing.

To configure this, select the 'My remote desktop is restricted to a single application' option. From here, enter the path to your specific application (and optionally, arguments and start directory). Once you have done that, go to Desktops/Overview, select the action button (3 vertical dots), download the configuration file, and run it on the server. This is a one-time setup step; the user does not need to take any action. It will create a new registry key allowing the RemoteApp.

![](https://www.agilicus.com/www/036188e7-image-1024x617.png)    ![](https://www.agilicus.com/www/c499fd04-image-1024x362.png)

At this stage, assign permissions to the desktop and try it from your profile (https://profile.\_\_MYDOMAIN\_\_). The desktop icon should launch a single application, with no other desktop access.

❗

The RemoteApp feature does not work reliably with the Citrix Workspace app. Remove Citrix from the RDP host to use the feature.