What unattended access is
In attended mode, someone at the target device must explicitly approve the connection by reading out a session ID and PIN. In unattended mode, the WinDesk Host runs as a permanent background service, and you can connect at any time without anyone approving.
Use cases:
- Server maintenance outside office hours
- IT provider with customer devices under management
- Edge devices, Pi-based setups, build machines
- Family Mac you often help your parents with remotely
Prerequisites
- WinDesk Pro subscription (CHF 29.90/month); Free and Light do not include unattended access
- Administrator rights on the target device (for service installation)
- Internet access at the target device
- 5 minutes per device
Setup on Windows
1. Install WinDesk Host as Pro user (auto-uninstalls any existing Free variant)
2. On first start: log in with Pro account
3. In the Host window: choose "Enable unattended access"
4. Confirm UAC dialog — installs the Windows service
5. Verify in the web portal app.windesk.ch: Devices → new row with hostname + "online"
6. Optional: assign device to a group, add a note
Token storage: TPM 2.0-encrypted under C:\ProgramData\WinDesk\. Hardware-bound to the TPM endorsement-key ID. Copying to another machine is useless.
Setup on macOS Apple Silicon
1. Drag WinDesk Host.app from the DMG to /Applications
2. On first start: Apple notarisation OK, no Gatekeeper drama
3. Allow Screen Recording + Accessibility (the wizard guides you)
4. Log in with Pro account in the Host window
5. "Enable unattended access" — installs launchd agent at
~/Library/LaunchAgents/ch.windesk.host.plist
6. Token is encrypted with the Secure Enclave (Apple Silicon)
On Apple Silicon: token hardware-bound via Secure Enclave. Copying to another Mac → invalid.
Setup on Linux (Ubuntu/Debian)
1. sudo apt install ./WinDesk\ Host_0.5.0_amd64.deb
(postinst sets the udev rule for /dev/uinput)
2. systemctl --user enable --now windesk-host.service
3. windesk-host setup --pro --account=you@email.ch
(interactive: passkey or password)
4. Verify in the portal: Devices → hostname → online
On Linux with TPM 2.0: tpm2-tools binding for the token. Without TPM (e.g. Pi 4): libsecret/keyring fallback. Pi 5 has no TPM, same fallback.
Setup on Raspberry Pi (Pi 4/5)
1. sudo apt install ./WinDesk\ Host_0.5.0_arm64.deb
2. systemctl --user enable --now windesk-host.service
3. windesk-host setup
4. If the Pi should run without a display: --headless flag
Headless Pi setups are an explicit use case for makers and education labs.
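An added example, not part of WinDesk's own tooling: a shell function that lists which user accounts on a macOS or Linux host carry the unattended-access autostart entries named in the setup steps above, and flags a launchd plist that group or others can write to. The function names, the optional root-prefix argument and the WINDESK_AUDIT_ROOT variable are assumptions for illustration; the Linux check relies on `systemctl --user enable` leaving a symlink under ~/.config/systemd/user/*.wants/.

```shell
#!/bin/sh
# Added example: per-user inventory of WinDesk unattended-access autostart
# entries. Paths are the ones named in the setup steps; function names and
# the root-prefix argument (for offline scans/tests) are assumptions.

# True if group or others may write to the file.
loosely_writable() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]
}

# Usage: windesk_autostart_audit [ROOT]
# Prints one line per finding: "<home> <kind> <state>".
windesk_autostart_audit() {
    root="${1:-}"
    for home in "$root"/home/* "$root"/Users/* "$root"/root "$root"/var/root; do
        [ -d "$home" ] || continue

        # macOS: launchd agent installed by "Enable unattended access".
        plist="$home/Library/LaunchAgents/ch.windesk.host.plist"
        if [ -f "$plist" ]; then
            # A plist that other accounts can edit lets them change what
            # launchd starts in this user's session.
            if loosely_writable "$plist"; then
                echo "$home launchd-agent group-or-world-writable"
            else
                echo "$home launchd-agent ok"
            fi
        fi

        # Linux: "systemctl --user enable" leaves a symlink in a *.wants dir.
        for link in "$home"/.config/systemd/user/*.wants/windesk-host.service; do
            [ -L "$link" ] || [ -e "$link" ] || continue
            echo "$home systemd-user-unit enabled-in-$(basename "$(dirname "$link")")"
        done
    done
}

# Scan the live system when run directly (set WINDESK_AUDIT_ROOT to scan a
# mounted image or a test tree instead).
windesk_autostart_audit "${WINDESK_AUDIT_ROOT:-}"
```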
Access from the client
In the client portal on the left: Devices. You see all hosts with online status. Double-click → connection is established. No session ID, no PIN required — the hardware-bound token authenticates the device.
Security configuration
By default unattended access is:
- ✅ AES-256-GCM encrypted
- ✅ Audit trail active (all connections logged)
- ✅ Token rotates automatically every 90 days
- ✅ On hardware change: token is invalidated
In the portal you can also configure:
- IP whitelist (connections only allowed from your office network)
- Allowed technician roles per host (Admin / Supporter / Read-only)
- Email notification on every connection (anti-scam)
- Mandatory session recording for compliance
Emergency: token compromised
If you suspect a host is compromised:
- In the portal: Devices → [hostname] → Block
- Token is immediately invalidated; active sessions are dropped
- On the host: restart WinDesk Host + re-pair
Common issues
“Host not showing online” despite the service running. Check the firewall: outbound UDP traffic to *.windesk.ch:443 must be allowed and, if relevant, to the Swiss TURN relay IP range.
“Token becomes invalid after reboot”. On Windows: a BitLocker recovery reset may have invalidated TPM state. Solution: re-pair.
“Multiple hosts with the same name”. If you reinstalled a host, the old one often stays in the portal. Delete the old entry manually.
For setup issues: support@windesk.ch.