
Teleport Desktop Access lets engineers connect to Windows desktops and servers directly from a browser — no RDP client, no VPN, and no passwords required. The Teleport Desktop Service converts browser-based sessions into RDP traffic, authenticates users with short-lived certificates, and records every desktop session to the audit log. Both domain-joined machines (via Active Directory) and standalone Windows hosts (local users) are supported.

How Teleport proxies RDP connections

The Teleport Desktop Service runs on a Linux host inside your private network. It maintains a reverse tunnel to the Teleport Proxy Service and converts incoming Teleport Desktop Protocol (TDP) sessions from browsers into RDP connections directed at Windows hosts:
[Browser (TDP)] ──► [Proxy Service] ──► [Desktop Service (Linux)] ──► [Windows Host (RDP)]

                      [Auth Service]
                      Validates cert,
                      enforces roles
Teleport authenticates to the Windows host by presenting a virtual smart card backed by a short-lived X.509 certificate. No passwords are ever involved in the connection handshake. Key properties:
  • No RDP client needed — the browser session uses Teleport’s own desktop protocol.
  • No inbound firewall rules — the Desktop Service calls out to the Proxy via a reverse tunnel.
  • Certificate-based authentication — short-lived certs replace passwords entirely.
  • Session recording — every mouse click, keystroke, and screen change is recorded and replayable.

Supported deployment modes

Mode             | How it works                                                                                             | Best for
Active Directory | Teleport integrates with LDAP/AD for automatic host discovery and uses Group Policy to distribute trust. | Large domain-joined environments
Local users      | Teleport installs a Windows auth package on each host; no domain required.                               | Standalone hosts, up to 5 desktops in Community Edition

Prerequisites

  • A running Teleport cluster. See Deploy a Cluster.
  • A Linux server to run the Teleport Desktop Service (can be an existing Teleport agent host).
  • One or more Windows hosts with Remote Desktop enabled and RDP port 3389 open from the Desktop Service host.
  • tctl authenticated to your Teleport cluster.

Enrolling Windows desktops (local users)

The steps below walk through enrolling a standalone Windows host for local-user access. For Active Directory domain enrollment, see the Active Directory guide.

Step 1: Prepare the Windows host

On the Windows host you want to enroll, open a Command Prompt (cmd.exe) and download the Teleport CA certificate and Windows authentication package:
rem Download the Teleport CA certificate (replace the hostname with your cluster address)
curl.exe -fo teleport.cer https://teleport.example.com/webapi/auth/export?type=windows

rem Download the Teleport Windows Auth Setup program (cmd.exe has no backtick line continuation, so the command is one line)
curl.exe -fo teleport-windows-auth-setup.exe https://cdn.teleport.dev/teleport-windows-auth-setup-v(=teleport.version=)-amd64.exe
Double-click teleport-windows-auth-setup.exe and follow the installer prompts, selecting the teleport.cer certificate you downloaded. The installer will:
  • Trust the Teleport certificate authority on this host.
  • Install the Teleport authentication DLL.
  • Disable Network Level Authentication (NLA) for the remote desktop service.
  • Enable RemoteFX compression for better performance.
Restart the Windows host after the installer completes.
For automated (unattended) installation, run the installer from an administrative PowerShell console:
.\teleport-windows-auth-setup.exe install --cert=teleport.cer -r
The -r flag triggers an automatic reboot after installation.

Step 2: Generate a join token and configure the Desktop Service

On your administrative workstation, generate a join token:
tctl tokens add --type=windowsdesktop
# The invite token: <token-value>
# This token will expire in 60 minutes.
Save the token to a file on the Linux host that will run the Desktop Service:
# On the Linux host
echo "<token-value>" > /tmp/token
Install Teleport on the Linux host if it isn’t already installed:
curl https://goteleport.com/static/install.sh | bash -s (=teleport.version=)
Create /etc/teleport.yaml on the Linux host:
version: v3
teleport:
  nodename: desktop-service.teleport.example.com
  proxy_server: teleport.example.com:443
  auth_token: /tmp/token

windows_desktop_service:
  enabled: true
  static_hosts:
    - name: workstation-01
      ad: false                # local users (not AD)
      addr: 192.0.2.100
      labels:
        env: production
        os: windows
    - name: dev-vm
      ad: false
      addr: 192.0.2.101
      labels:
        env: development

auth_service:
  enabled: false
proxy_service:
  enabled: false
ssh_service:
  enabled: false
Set ad: true if the host is domain-joined and you want to use Active Directory authentication. In that case, also configure the ldap block with your domain controller address and credentials.

Step 3: Start the Desktop Service

sudo systemctl enable teleport
sudo systemctl start teleport
Verify the Desktop Service is running and the hosts appear in Teleport:
sudo systemctl status teleport
tctl get windows_desktops

Step 4: Create a role for desktop access

Define a role that grants access to Windows desktops by label:
kind: role
version: v6
metadata:
  name: windows-desktop-admins
spec:
  allow:
    windows_desktop_labels:
      '*': '*'
    windows_desktop_logins:
      - Administrator
      - alice
  deny: {}
tctl create -f windows-desktop-admins.yaml
tctl users update alice --set-roles=access,windows-desktop-admins
The windows_desktop_logins list controls which Windows user accounts a Teleport user is permitted to log in as. Teleport can optionally create these local accounts automatically — see Automatic User Creation.

Step 5: Connect to a Windows desktop from the browser

  1. Sign in to the Teleport Web UI at your cluster address.
  2. Click Resources in the left navigation.
  3. Click the Type filter and select Desktops.
  4. Click Connect on the desktop you want to access.
  5. Select the Windows login to use (e.g., Administrator).
Teleport opens a full-resolution remote desktop session directly in your browser. No RDP client is required. When you are finished, click the menu in the session toolbar and select Disconnect.
You can also connect from Teleport Connect, the desktop GUI client, which provides an integrated terminal and desktop access experience.

Active Directory integration

For domain-joined environments, Teleport integrates with Active Directory over LDAPS to:
  • Automatically discover Windows hosts in the domain via LDAP queries.
  • Issue certificates trusted by domain-level Group Policy, eliminating per-host configuration.
  • Apply LDAP labels to discovered hosts (e.g., department, location) for RBAC targeting.
The key teleport.yaml additions for AD mode are:
windows_desktop_service:
  enabled: true
  ldap:
    addr: dc.example.com:636          # Domain controller LDAPS address
    domain: example.com
    username: 'EXAMPLE\svc-teleport'  # Service account SAM name
    sid: S-1-5-21-...-1113            # Service account SID
    ldap_ca_cert: |
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
  discovery_configs:
    - base_dn: '*'                    # Search the entire domain
Use tctl desktop bootstrap to generate a PowerShell script that automates the AD configuration (creating the service account, configuring GPOs, and exporting the LDAP CA certificate):
tctl desktop bootstrap > configure-ad.ps1
# Transfer configure-ad.ps1 to a domain controller and run it as a domain admin

Session recording and audit

Every desktop session is recorded and stored in the Teleport audit backend. Recordings capture all visual activity and are replayable in the Teleport Web UI:
  1. Navigate to Audit → Session Recordings.
  2. Filter by resource type Desktop.
  3. Click the play button to replay any session.
Clipboard and directory sharing events are also logged, giving administrators a complete picture of data movement during a desktop session.
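The clipboard and directory-sharing events mentioned above are what let an administrator reconstruct data movement without replaying every recording. The script below is an added example, not Teleport's own code or tooling: it aggregates a JSON-lines export of desktop audit events per session and lists the sessions in which data left the Windows host. The event type names are Teleport's desktop event types; the attribute names (sid, user, windows_user, desktop_addr, directory_name, file_path, length) and the sample events themselves are constructed for this example and should be checked against your own audit export.

```python
"""Per-session data-movement summary from Teleport desktop audit events.

Added example (not Teleport code). Assumes a JSON-lines export where each
record carries an "event" type; attribute names below are assumptions.
"""
import json

SESSION_START = "windows.desktop.session.start"
SESSION_END = "windows.desktop.session.end"
CLIPBOARD_SEND = "desktop.clipboard.send"        # user's browser -> Windows host
CLIPBOARD_RECEIVE = "desktop.clipboard.receive"  # Windows host -> user's browser
DIR_SHARE = "desktop.directory.share"            # user shared a local directory
DIR_READ = "desktop.directory.read"              # host read a file from the shared directory
DIR_WRITE = "desktop.directory.write"            # host wrote a file into the shared directory

# Constructed sample export: one session with transfers, one without.
SAMPLE_EVENTS = """\
{"event": "windows.desktop.session.start", "sid": "s1", "user": "alice", "windows_user": "Administrator", "desktop_addr": "192.0.2.100:3389"}
{"event": "desktop.clipboard.send", "sid": "s1", "user": "alice", "length": 120}
{"event": "desktop.directory.share", "sid": "s1", "user": "alice", "directory_name": "Downloads"}
{"event": "desktop.directory.read", "sid": "s1", "user": "alice", "file_path": "Downloads/report.xlsx", "length": 524288}
{"event": "desktop.clipboard.receive", "sid": "s1", "user": "alice", "length": 4096}
{"event": "windows.desktop.session.end", "sid": "s1", "user": "alice"}
{"event": "windows.desktop.session.start", "sid": "s2", "user": "contractor", "windows_user": "contractor", "desktop_addr": "192.0.2.101:3389"}
{"event": "windows.desktop.session.end", "sid": "s2", "user": "contractor"}
"""


def parse_events(text: str) -> list[dict]:
    """Parse a JSON-lines export, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def summarize_sessions(events: list[dict]) -> dict[str, dict]:
    """Aggregate bytes moved in each direction and files touched, keyed by session id."""
    sessions: dict[str, dict] = {}
    for ev in events:
        sid = ev.get("sid")
        if sid is None:
            continue
        s = sessions.setdefault(sid, {
            "user": ev.get("user"), "windows_user": None, "desktop": None,
            "bytes_to_host": 0, "bytes_from_host": 0,
            "shared_dirs": [], "files_read": [], "files_written": [], "ended": False,
        })
        kind = ev.get("event")
        if kind == SESSION_START:
            s["windows_user"] = ev.get("windows_user")
            s["desktop"] = ev.get("desktop_addr")
        elif kind == SESSION_END:
            s["ended"] = True
        elif kind == CLIPBOARD_SEND:
            s["bytes_to_host"] += ev.get("length", 0)
        elif kind == CLIPBOARD_RECEIVE:
            s["bytes_from_host"] += ev.get("length", 0)
        elif kind == DIR_SHARE:
            s["shared_dirs"].append(ev.get("directory_name"))
        elif kind == DIR_READ:
            s["files_read"].append(ev.get("file_path"))
            s["bytes_to_host"] += ev.get("length", 0)
        elif kind == DIR_WRITE:
            s["files_written"].append(ev.get("file_path"))
            s["bytes_from_host"] += ev.get("length", 0)
    return sessions


def sessions_with_outbound_data(sessions: dict[str, dict], min_bytes: int = 0) -> list[str]:
    """Session ids where data left the Windows host via clipboard or directory writes."""
    return sorted(sid for sid, s in sessions.items()
                  if s["bytes_from_host"] > min_bytes or s["files_written"])


if __name__ == "__main__":
    summary = summarize_sessions(parse_events(SAMPLE_EVENTS))
    for sid, s in summary.items():
        print(sid, s["user"], "->", s["windows_user"], "@", s["desktop"],
              "to_host:", s["bytes_to_host"], "from_host:", s["bytes_from_host"])
    print("sessions with outbound data:", sessions_with_outbound_data(summary))
```

Feed the script your real export instead of SAMPLE_EVENTS and raise min_bytes to suppress trivial clipboard traffic; a session that shows up with no corresponding change ticket is the one worth replaying.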

RBAC for desktops

Fine-grained access control uses three role fields:
Field                  | Purpose
windows_desktop_labels | Which desktops the role grants access to, by label
windows_desktop_logins | Which Windows user accounts may be used
Example: restrict a contractor to a single Windows VM in the staging environment:
kind: role
version: v6
metadata:
  name: contractor-desktop
spec:
  allow:
    windows_desktop_labels:
      env: staging
    windows_desktop_logins:
      - contractor
  deny: {}
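To make the two role fields concrete, here is an added example (not Teleport's own authorization code) that models how the windows-desktop-admins role from the enrollment steps and the contractor-desktop role above decide whether a given Teleport user may open a given desktop as a given Windows login. The matching rules it implements are a simplified model and an assumption of this example: a label matcher of '*': '*' selects every desktop, any other matcher requires each listed key to be present on the desktop with an equal value (or '*'), logins are compared exactly, and a deny rule in any role overrides allow rules in every role.

```python
"""Simplified model of Teleport role matching for Windows desktops.

Added example, not Teleport code. The matching semantics are a stated
assumption (see module docstring in the lead-in); check the Access
Controls & RBAC reference for the authoritative rules.
"""
from dataclasses import dataclass, field


@dataclass
class RoleRules:
    """One allow or deny block: windows_desktop_labels and windows_desktop_logins."""
    labels: dict[str, str] = field(default_factory=dict)
    logins: list[str] = field(default_factory=list)


@dataclass
class Role:
    name: str
    allow: RoleRules
    deny: RoleRules = field(default_factory=RoleRules)


def labels_match(matcher: dict[str, str], desktop_labels: dict[str, str]) -> bool:
    """True when the role's label matcher selects this desktop (assumed semantics)."""
    if not matcher:
        return False                      # an empty matcher selects nothing
    if matcher == {"*": "*"}:
        return True                       # wildcard key and value: every desktop
    for key, want in matcher.items():
        have = desktop_labels.get(key)
        if have is None:
            return False                  # required label absent on this desktop
        if want != "*" and want != have:
            return False
    return True


def rule_matches(rules: RoleRules, desktop_labels: dict[str, str], login: str) -> bool:
    """A block matches only when both the desktop and the Windows login match."""
    return labels_match(rules.labels, desktop_labels) and login in rules.logins


def can_access(roles: list[Role], desktop_labels: dict[str, str], login: str) -> bool:
    """Deny blocks in any role take precedence; otherwise any allow block suffices."""
    if any(rule_matches(r.deny, desktop_labels, login) for r in roles):
        return False
    return any(rule_matches(r.allow, desktop_labels, login) for r in roles)


# The two roles from the page, plus a constructed deny-only role for illustration.
ADMINS = Role("windows-desktop-admins",
              allow=RoleRules({"*": "*"}, ["Administrator", "alice"]))
CONTRACTOR = Role("contractor-desktop",
                  allow=RoleRules({"env": "staging"}, ["contractor"]))
NO_PROD_ADMIN = Role("no-prod-admin",                     # hypothetical, not on the page
                     allow=RoleRules(),
                     deny=RoleRules({"env": "production"}, ["Administrator"]))

# Constructed desktop label sets, matching the static_hosts examples.
WORKSTATION_01 = {"env": "production", "os": "windows"}
STAGING_VM = {"env": "staging", "os": "windows"}

if __name__ == "__main__":
    print(can_access([ADMINS], WORKSTATION_01, "alice"))                       # True
    print(can_access([CONTRACTOR], WORKSTATION_01, "contractor"))              # False
    print(can_access([CONTRACTOR], STAGING_VM, "contractor"))                  # True
    print(can_access([CONTRACTOR], STAGING_VM, "Administrator"))               # False
    print(can_access([ADMINS, NO_PROD_ADMIN], WORKSTATION_01, "Administrator"))  # False
```

The last case is the one to keep in mind when layering roles: because alice also holds the access role in the enrollment steps, adding a deny-only role is the reliable way to carve an exception out of a '*': '*' grant rather than trying to narrow the allow block.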

Next steps

Active Directory Setup

Full walkthrough for connecting Teleport to an Active Directory domain with GPO-based certificate trust.

Access Controls & RBAC

Build fine-grained roles that control who can log into which Windows hosts.

MFA for Desktop Sessions

Require a hardware key or TOTP touch before any RDP session opens.

Device Trust

Gate desktop access on the enrollment and compliance status of the connecting device.
