Server settings
Service account used to read sessions on each bench (stored encrypted on this server).
RDP firewall guard (legacy)
Legacy hard-lock using remote netsh -r from the dashboard server. Once you install the bench agent below, this is superseded automatically: the dashboard skips it for any bench whose agent is online, and the agent enforces access locally instead. Leave it disabled if remote netsh -r times out in your environment.
Bench Agent (recommended)
A tiny PowerShell-only agent on each bench locally manages the "Remote Desktop Users" group and the local Windows Firewall rule on TCP 3389, based on the dashboard lock. When locked, only the lock owner's PC IP can reach 3389 on the bench — this blocks even local Administrators from RDPing directly. No Python install needed on the benches.
- Set RDD_BENCH_AGENT_TOKEN=<long-random-string> in %LOCALAPPDATA%\RemoteDesktopDashboard\admin.env and restart the dashboard.
- Configure Server settings above with a service account that is a local administrator on every bench.
- Type your admin PIN above, then click Push install next to a bench below — the dashboard uses the service account to SMB-copy the agent and register a SYSTEM scheduled task. (One-click. The bench needs SMB/445 reachable from this server.)
- Or, if a bench is unreachable for SMB, click Show install command and paste it into an elevated PowerShell on that bench yourself.
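To confirm on a bench that a lock is actually in force, the following added example (not the dashboard's or the agent's own code) reports every enabled inbound allow rule that names TCP 3389, whether it admits only the lock owner's IP, and who is in the "Remote Desktop Users" group. The function name Test-RdpLockState, its parameters and the sample address are assumptions made for illustration; it makes no assumption about how the agent names its rule.

```powershell
# Added example, not the dashboard's agent code. Run in an elevated PowerShell on the bench.
# Test-RdpLockState and $ExpectedOwnerIp are hypothetical names.
function Test-RdpLockState {
    param(
        [Parameter(Mandatory)][string]$ExpectedOwnerIp,  # lock owner's PC IP
        [int]$Port = 3389
    )

    # ActiveStore is the effective policy: local rules plus any Group Policy rules.
    $allowRules = Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound -Action Allow -Enabled True |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            # Only rules that name the port explicitly; port ranges and "Any" are not expanded here.
            $pf.Protocol -eq 'TCP' -and (@($pf.LocalPort) -contains "$Port")
        }

    $ruleReport = @(foreach ($rule in $allowRules) {
        # Normalise single-host forms such as 10.0.0.5/32 or 10.0.0.5/255.255.255.255.
        $remote = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress |
            ForEach-Object { $_ -replace '/(32|255\.255\.255\.255)$', '' })
        [pscustomobject]@{
            Rule          = $rule.DisplayName
            RemoteAddress = $remote -join ','
            OwnerOnly     = ($remote.Count -eq 1 -and $remote[0] -eq $ExpectedOwnerIp)
        }
    })

    # S-1-5-32-555 is the well-known SID of "Remote Desktop Users" (the group name is localised).
    $members = @(Get-LocalGroupMember -SID 'S-1-5-32-555' | Select-Object -ExpandProperty Name)

    # Rules that would let some source other than the lock owner reach the port.
    $tooWide = @($ruleReport | Where-Object { -not $_.OwnerOnly })

    [pscustomobject]@{
        Port            = $Port
        AllowRules      = $ruleReport
        # True only if at least one allow rule exists and none admits another source.
        OwnerOnlyAccess = ($ruleReport.Count -gt 0 -and $tooWide.Count -eq 0)
        RdpGroupMembers = $members
    }
}

# 192.0.2.10 is a constructed documentation address standing in for the lock owner's PC.
Test-RdpLockState -ExpectedOwnerIp '192.0.2.10' | Format-List
```

An OwnerOnlyAccess value of False while the dashboard shows the bench as locked means some other enabled allow rule still exposes 3389 and should be reviewed.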
On the bench, the one-liner just downloads these two files from the dashboard: