Remote desktop software has become an essential tool for IT administrators, managed service providers, and businesses that provide technical support. While these platforms simplify remote access, they also require careful monitoring of account security, device associations, and licensing.
This case study describes a real-world investigation where an organization discovered an unknown AnyDesk Implicit Client associated with its Standard License. Despite multiple security measures—including password changes, license key reset, removal of team members, and enabling Two-Factor Authentication (2FA)—the unknown client continued to appear in the AnyDesk Management Portal and was observed initiating remote sessions.
To protect privacy, all Client IDs, names, aliases, and other identifying information have been changed.
An IT company using an AnyDesk Standard License noticed an unexpected remote connection popup on one of its support computers.
The popup disappeared almost immediately before any information about the connecting computer could be identified.
Initially, this appeared to be an ordinary unsolicited connection request.
However, further investigation revealed a much more interesting situation.
The administrator noticed:
For privacy reasons, the following values have been modified.
| Original | Replaced With |
|---|---|
| Client ID | 987654321 |
| Client Name | Office-PC-Remote |
| Own Client ID | 123123123 |
| Fingerprint | ABCDEF123456789XYZ |
| Remote IDs | 555666777 |
The administrator first verified that only one installation of AnyDesk existed.
PowerShell confirmed:
No duplicate installations were found.
The configuration files confirmed that the local workstation was using its expected Client ID and alias.
No unexpected configuration changes were detected.
The AnyDesk trace logs revealed:
Interestingly, the logs never confirmed a successful unattended session.
The administrator immediately performed several security actions.
The AnyDesk account password was changed.
The Standard License Key was reset.
2FA was enabled and tested successfully.
All additional Team Members were removed.
Permanent password authentication was disabled.
Despite all security measures:
The exported CSV report showed:
The administrator also observed their own intentional diagnostic connection attempts during testing.
These entries were expected and clearly distinguishable from the unknown client's activity.
Review of trace logs showed:
No definitive evidence indicated that the unknown client successfully gained unattended control of the administrator's workstation.
Instead, the logs suggested communication between AnyDesk services rather than successful desktop control.
The administrator additionally verified:
No hidden AnyDesk installation or duplicate Client ID was found.
The following actions were completed:
✔ Password changed multiple times
✔ License Key reset
✔ Two-Factor Authentication enabled
✔ Team Members removed
✔ Unattended Access disabled
✔ Local AnyDesk installation verified
✔ Session logs exported
✔ Trace logs analyzed
✔ Fingerprints verified
✔ Portal reports reviewed
Several interesting observations were made.
The unknown client always presented the same fingerprint.
This strongly suggested it was one genuine AnyDesk installation rather than randomly generated IDs.
The unknown client survived:
This suggested the association might not simply be caused by credential theft.
Portal reports showed that the unknown client was actively establishing remote sessions with other systems.
The client frequently remained online for many consecutive hours.
Several possibilities were considered.
A previously associated client remained linked to the account.
The client retained valid authentication tokens.
A backend licensing synchronization problem continued associating the client.
Historical licensing information remained linked after account changes.
The investigation ruled out:
Because all local troubleshooting had been completed, the issue was escalated to AnyDesk Support with:
The support request specifically asked the vendor to:
This investigation demonstrates several important security practices:
This case study illustrates that not every suspicious client association indicates a successful system compromise. Thorough log analysis, configuration verification, and systematic troubleshooting can help distinguish between local security issues and potential backend licensing or account association problems.
When a client remains associated with an account despite password changes, license resets, and 2FA, it is appropriate to escalate the case to the software vendor with comprehensive technical evidence rather than relying solely on additional local troubleshooting.