Overview
Conditional Access is a security feature that ensures your client device meets specific security requirements before you can connect to a remote computer. Think of it as a health check for your client device — if the device passes all the required checks, the remote session proceeds normally. If it fails, access will be blocked until the issues are resolved.
| 📌 Note: In the current release (Gateway v3.40.3), Conditional Access checks are only supported on Windows devices running the Splashtop On-Prem app version 3.8.0.7 or higher. |
How it works
When you attempt to start a remote session, the Splashtop On-Prem app automatically checks your device against the Conditional Access policy assigned to your account. This happens in the background — you don't need to do anything manually.
- Your device is checked against a set of security rules defined by your IT admin.
- If all checks pass, your remote session will connect as normal.
- If one or more checks fail, the session will be blocked, and you will see an error message describing what needs to be fixed.
- If your device’s check data is being refreshed, the connection will briefly wait and retry automatically.
Key points
Your IT administrator configures which of the following items are included in your team’s Conditional Access policy. Only the items your admin has enabled will be checked.
Antivirus
| Check Item | What It Checks |
| Running Antivirus | Verifies that an antivirus program is actively running on your device. Your admin may require any antivirus software, or a specific one (e.g., Windows Defender, CrowdStrike Falcon). |
| Antivirus Up to Date | Verifies that your antivirus software’s virus definitions (signatures) are current. Outdated definitions may leave your device vulnerable. |
Windows Security Center
These checks use the Windows Security Center API to verify the health status of key security components. A component must be in “Good” status to pass.
| Check Item | What It Checks |
| Firewall | Checks that the Windows Firewall (or a compatible firewall) is active and in a healthy state. |
| Antivirus | Checks that the antivirus protection monitored by Windows Security Center is in a healthy state. |
| Windows Security Center Service | Checks that the Windows Security Center service itself is running and healthy. |
Operating System
| Check Item | What It Checks |
| OS Version Rules | Checks that your Windows version meets the minimum version requirement set by your admin. Rules can apply to all devices, or be set per OS build. If your OS build has no matching rule, the check will fail. |
| Installed OS Patch | Checks that a specific Windows update (KB patch) has been installed. Your admin specifies the required KB number (e.g., KB5018890). If your OS build has no matching rule, the check will fail. |
| 📌 Note: Conditional Access posture checks are only supported on Windows 10 and later. Devices running Windows Server or older Windows versions are treated as unsupported. Your admin can choose to allow or block unsupported devices from connecting. |
[Method 1]My Devices Page
The My Devices page shows all devices logged into your account and their Conditional Access status.
- Go to My Devices in the Splashtop client or web portal.
- Look for the Conditional Access column:
| Status | Meaning |
| ✅ Pass | All required checks passed. You can connect to remote computers normally. |
| ❌ Failed | One or more checks failed. Hover over the icon to see error details. The session is blocked until resolved. |
| ⏳ Waiting for results | Check data has not been received yet, or is too old. Results update automatically — wait a moment and refresh. |
[Method 2]Session Blocked — Failed Checks
If a remote session is blocked due to a failed Conditional Access check, you will see a dialog on your Splashtop client explaining the reason. Below are the most common messages and how to resolve them.
If specific checks fail, you will see a message listing each failed item, for example:
Review each failed item and take the appropriate action:
| Check Item | What It Checks |
| Running Antivirus failed | Ensure the required antivirus software is installed and running on your device. |
| Antivirus up to date failed | Open your antivirus application and install the latest definition updates. |
| Windows Security Center — Firewall failed | Open Windows Security Center and ensure your firewall is turned on and healthy. |
| Windows Security Center — Antivirus failed | Open Windows Security Center and ensure antivirus protection is active and healthy. |
| Windows Security Center Service failed | Check that the Windows Security Center service is running. Contact your IT admin if needed. |
| OS version rules failed | Your Windows version does not meet the minimum requirement. Contact your IT admin for the required version. |
| Installed OS patch failed | Install the required Windows update (KB patch) via Windows Update, then try connecting again. |
| No rule matching for OS build | Your OS build is not covered by the policy rules. Contact your IT admin to have your device added. |
| 📌 Note: Conditional Access must be enabled in your team’s license. Contact Splashtop support if the feature is not available in your console. |
Creating a Policy
- Click Create policy.
- Enter a unique Policy Name (up to 64 characters).
- Optionally assign a Group Manager who will co-manage this policy.
- Expand the Windows section and select the check items to include.
- Configure the required parameters for each enabled item.
- Toggle Allow remote access from the devices that cannot support conditional access if needed.
- It's unchecked by default. This means your device (e.g., Windows Server or Windows older than version 10) does not support Conditional Access checks. Contact your IT administrator to discuss options.
- Click Save.
Policy List Page
The Policy List shows all policies with their names, assigned Group Managers, and last modified dates. Use the gear icon to edit, clone, or remove a policy.
Once the feature is enabled, the Conditional Access entry appears in the left navigation under Management.
- Log in to the Splashtop Admin Console.
- Go to Management > Conditional Access.
- This page lists all existing policies and allows you to create, edit, clone, or remove them.
Assigning Policies (Granular Control)
Policies can be applied at three levels. The team-level setting acts as the default; group and user-level settings override it.
Team Level
- Go to Settings > Team Settings > Security > Session Security.
- Enable Conditional Access and choose the default policy for all users.
Group Level
- Go to Users > [Group] > Gear > Granular Control.
- Under Security, set Conditional Access to On and select the policy for the group.
User Level
- Go to Users > [User] > Granular Control (via gear icon or bulk action).
- Under Security, set Conditional Access to On, Off, Follow Group, or Default for the individual user.
Viewing the results of all devices
Check the status before sessions: All Devices page
Admins and Group Managers can view compliance results across all managed devices.
- Go to Management > Conditional Access > Device list.
- Export results to CSV using the Export button.
- Clicking on a device opens a panel showing the result for each individual check item, including the last report time:
Check the session failure due to the conditional access check: Failure Logs
The Conditional Access Failure Logs record every session rejection caused by a failed check. This helps admins identify non-compliant devices and users who need remediation.
- Go to Logs > Conditional Access.
- Each log entry shows: Time, OS, Device Name, Account, Policy Name, and the specific check items that failed.
- Use filters and the Export button to export logs as a CSV file.