Secure Virtual Desktop – ApexTech4TaxPros

MICROSOFT AZURE VIRTUAL DESKTOP · WISP-COMPLIANT · TAX-PROFESSIONAL GRADE

Protect Your Practice. Protect Your Clients.

Work Securely
From Anywhere.

Our fully managed, WISP-compliant Azure Virtual Desktop gives every tax professional a secure, enterprise-grade computing environment — accessible from any device, from any location, with every IRS and FTC technical security control built in and documented.

No Exposed RDP Ports

MFA Enforced

Real-Time Antivirus

Encrypted at Rest

Audit Logging Active

Defender for Cloud On

WISP Stored on Your Desktop

🔥

Reverse Connect Firewall

No inbound RDP ports exposed · Microsoft gateway active

ACTIVE

🔐

Multi-Factor Authentication

AVD + M365 · All critical apps covered

ENFORCED

🦠

Microsoft Antimalware

Real-time protection · Weekly scheduled scans

🔑

OS Disk Encryption

Platform-managed keys · Data at rest protected

ENCRYPTED

🛡️

Trusted Launch vTPM

Secure Boot · Anti-rootkit · Kernel protection

ENABLED

⏱️

Session Controls

Idle timeout · Screen lock · USB/clipboard restricted

CONFIGURED

📊

Audit Logging

Diagnostic settings enabled · Activity logs forwarded

ACTIVE

🔭

Defender for Cloud

Onboarded · Secure Score active · Continuous monitoring

ACTIVE

📋

Customized WISP Document

Stored on your AVD · Accessible anytime

INCLUDED

🚨

Incident Response Plan

Included in your WISP · IRS reporting contacts

INCLUDED

🎓

Employee Security Training

Available add-on · Cybersecurity awareness training

ADD-ON

100% WISP score

Current AVD WISP Compliance Posture — Fully Compliant

100%

Firewall Protection

100%

Multi-Factor Authentication

100%

Antivirus Protection

100%

Encryption at Rest

100%

Session / Access Controls

100%

Patch Management

100%

Audit Logging & Monitoring

100%

Continuous Monitoring

100%

Incident Response Plan

100%

Customized WISP on AVD

IRS Pub 4557 · FTC Safeguards Rule Audit

Every WISP Technical Requirement — Met & Documented in Your AVD

Your Azure Virtual Desktop is fully configured to meet every IRS and FTC technical control requirement. Below is a complete mapping of each WISP element to the specific control active in your environment — with your customized WISP document stored directly on your desktop for easy access any time you need it.

🔥

Firewall Protection

✓ IRS Pub 4557 · FTC §314.4(c)(1) · WISP: "Use a Firewall"

✓ MET

Microsoft-managed Reverse Connect is active on your AVD host pool. This means no inbound RDP ports are exposed to the public internet — the most common attack vector for remote desktop environments. All connections route through Microsoft's secure gateway infrastructure.

🛡️ How it's met: Public access is enabled via Microsoft-managed gateways with Reverse Connect confirmed active. Zero exposed RDP ports = reduced attack surface = WISP firewall requirement satisfied.

🔐

Multi-Factor Authentication

✓ FTC §314.4(c)(4) · WISP: "Two-Factor Authentication"

✓ MET

MFA is enforced for all AVD logins and Microsoft 365 applications containing client data. Logs confirm full coverage across critical applications, ensuring no one can access the virtual desktop or client data with a password alone.

🔐 How it's met: Conditional Access policies enforce MFA on AVD and M365. Both Windows login and customer data access are covered.

⚠️ One user account (administrative) has MFA disabled by request. This exception should be documented in your WISP as an approved exception with compensating controls.

🦠

Antivirus Software

✓ IRS Pub 4557 · WISP: "Activate Antivirus Software"

✓ MET

Microsoft Antimalware extension is deployed on the AVD session host VM with real-time protection active and scheduled quick scans configured to run every Sunday.

🦠 How it's met: Real-time protection + periodic scheduled scans = layered malware defense. Endpoint protection is centrally managed.

To verify inside your VM: Windows Security → Virus & Threat Protection → Confirm real-time protection is On → Scan Options.

🔑

Encrypt Sensitive Data at Rest

✓ FTC §314.4(c)(1) · WISP: "Encrypt Sensitive Data"

✓ MET

The OS disk is protected with Azure server-side encryption using platform-managed keys. All client data stored in the virtual environment is encrypted at rest.

🔑 How it's met: Azure platform-managed encryption is active and verified. Client data at rest is protected.

🛡️

Protect Against Malicious Software

✓ IRS Pub 4557 · WISP: "Protect Against Malicious Software"

✓ MET — EXCEEDS

Your VM is configured as a Trusted Launch virtual machine with vTPM enabled — providing secure boot and advanced protections against rootkits, bootkits, and kernel-level malware.

✅ How it's met (and exceeded): Secure Boot + vTPM + Microsoft Antimalware = three-layer malicious software protection.

⏱️

Limit / Disable Access to Stored Client Data

✓ FTC §314.4(c)(1) · WISP: "Limit Access to Client Data"

✓ MET

Idle timeout and automatic screen lock are configured to prevent unauthorized access during unattended sessions. Clipboard, USB, and drive redirection are restricted.

⏱️ How it's met: Inactive sessions auto-lock and data transfer channels are restricted, satisfying the WISP requirement.

📊

Audit Logging & Activity Monitoring

✓ FTC §314.4(d) · IRS Pub 4557 · Compliance Evidence Activated

✓ ACTIVE

Diagnostic settings are now enabled and fully active. Activity Logs and user sign-in events are forwarded to Log Analytics Workspace for retention and review. Every login, every access event, and every security action in your AVD environment is now captured and stored — providing the audit trail that regulators and insurers require.

📊 How it's met: Diagnostic settings enabled → Activity Logs and sign-in events forwarded to Log Analytics → minimum 12-month retention active. In an FTC audit or post-breach investigation, you now have documented evidence that MFA, firewall, and antivirus controls were actively enforced during any specific period.

🔭

Continuous Monitoring & Patch Management

✓ FTC §314.4(d) · IRS Pub 4557 · WISP: "Patch Management"

✓ ACTIVE

Microsoft Defender for Cloud is now fully onboarded and active. Secure Score is enabled, vulnerability management is running, and compliance monitoring provides continuous real-time validation that all security controls are functioning as required. Azure Update Manager periodic assessment is configured with automated update deployment scheduling — ensuring every patch is applied, centrally tracked, and documented.

🔭 How it's met: Defender for Cloud active → Secure Score + vulnerability management + compliance monitoring running continuously. Azure Update Manager enforces periodic patch assessment with centralized reporting. FTC §314.4(d) monitoring and testing requirements are now fully satisfied with automated, ongoing evidence collection.

🚨

Incident Response Plan

✓ FTC §314.4(h) · IRS Pub 4557 · Included in Your WISP Document

✓ INCLUDED

Your customized WISP document — stored directly on your AVD for instant access — includes a complete, pre-filled Incident Response Plan. This covers detection triggers, containment steps, the IRS e-Services reporting URL (24-hour reporting window), FTC notification requirements, client notification procedures, and post-incident review steps. You will never scramble during a breach trying to remember what to do or who to call.

🚨 How it's met: Your WISP (stored on your AVD desktop) includes a fully written IRP with the IRS 24-hour reporting obligation, specific contact information, and step-by-step breach response procedures — satisfying FTC §314.4(h) and IRS Publication 4557 requirements. Your WISP is always one click away, right on your secure desktop.

🎓

Employee Security Training

✦ FTC §314.4(f) · IRS Pub 4557 · Available as Add-On

ADD-ON

The FTC Safeguards Rule requires documented employee training with signed acknowledgments on file. Technical controls protect the environment — but human error remains the #1 cause of tax office breaches. A phishing email clicked by one staff member can expose thousands of client files that your AVD security controls were designed to protect.

Apex Tech 4 Tax Pros offers certified Cybersecurity Awareness Training as an add-on service. Courses run up to 90 minutes, include a phishing simulator to test your team, generate completion certificates and LinkedIn badges, and produce the signed training records that satisfy FTC §314.4(f).

🎓 How to add this: Employee Security Training is available for an additional fee. Visit our Cybersecurity page to enroll your team and complete the final WISP compliance element.

→ View Employee Security Training

📋

Customized WISP Document — Stored on Your AVD

✓ IRS Pub 4557 · FTC Safeguards Rule · All Required Components Included

✓ INCLUDED FREE

Every AT4TP subscriber receives a fully customized, IRS-compliant WISP document written specifically for their firm. Your WISP documents every required component of the FTC Safeguards Rule and IRS Publication 4557.

✓ Always Accessible — Stored directly on your desktop.

✓ Fully Customized — Written specifically for your firm.

✓ English & Spanish Available.

✓ Annual Review reminders included.

🤝

Vendor / Service Provider Oversight

✓ FTC §314.4(f) · Documented in Your WISP

✓ DOCUMENTED

Your customized WISP includes a vendor inventory section documenting all service providers with access to client data.

🤝 Vendor oversight and accountability documentation included for compliance reviews.

👤

Designated Qualified Individual

✓ FTC §314.4(a) · Named in Your WISP Document

✓ DOCUMENTED

Your customized WISP names your Qualified Individual and defines responsibility for overseeing your information security program.

👤 The Qualified Individual is named and documented in your WISP, satisfying FTC requirements.

Inside Your Secure Desktop

Enterprise Security. Built for Tax Offices.

Every security layer in your Azure Virtual Desktop was selected and configured specifically to meet the technical controls that IRS Publication 4557 and the FTC Safeguards Rule require — and documented so your WISP accurately reflects your actual security posture.

🔥

Reverse Connect — Zero Exposed Ports

Traditional remote desktop software exposes inbound network ports — giving attackers a direct target. Your Azure Virtual Desktop uses Microsoft's Reverse Connect architecture. All connections are initiated outbound from within the VM to Microsoft's gateway. No inbound RDP ports are exposed to the internet.

✓ WISP "Use a Firewall"

🔐

Multi-Factor Authentication — All Apps

MFA is enforced through Azure Conditional Access policies on both your AVD login and all Microsoft 365 applications that hold client data. This means compromised passwords alone cannot access your client files, email, or desktop.

✓ FTC §314.4(c)(4) Mandatory MFA

🦠

Microsoft Antimalware — Real-Time + Scheduled

The Microsoft Antimalware extension is deployed centrally on your session host VM. Real-time protection detects and blocks threats. Scheduled quick scans run every Sunday providing systematic, periodic detection of threats.

✓ WISP "Activate Antivirus Software"

🔑

Encryption at Rest — Platform-Managed Keys

Your OS disk and all data stored in the Azure Virtual Desktop environment is encrypted using Azure server-side encryption with platform-managed keys. This protection is automatic, mandatory, and cannot be disabled.

✓ FTC §314.4(c)(1) Encrypt Customer Data

🛡️

Trusted Launch VM with vTPM — Secure Boot

Your virtual machine is configured as a Trusted Launch VM with Virtual Trusted Platform Module (vTPM) enabled. This is enterprise grade protection that prevents malware from loading at startup and protects operating system integrity.

✓ WISP "Protect Against Malicious Software"

⏱️

Session Controls — Idle Timeout + Restricted Transfer

Idle timeout and automatic session lock prevent unauthorized access when a session is left unattended. Clipboard, USB and drive redirection are restricted to prevent data exfiltration.

✓ FTC §314.4(c)(1) Limit Access to Data

🔄

Windows Automatic Updates — Patch Management

Windows automatic updates are active on your VM ensuring security patches for the operating system, Defender AV signatures and Microsoft components are applied without manual intervention.

✓ WISP "Patch Management"

✉️

Secure Business Email — Included

A professional encrypted business email account is included with your subscription. Using a dedicated business address helps protect client communications and keeps sensitive data separate from personal accounts.

✓ FTC Protect Data In Transit

🗂️

Secure Cloud Drive + Password Manager — Included

Encrypted cloud storage keeps client files protected and backed up. A password manager stores and secures your credentials using strong encryption eliminating credential reuse and weak passwords.

✓ FTC §314.4(g) Access Controls

Inside Your Secure Desktop

Enterprise Security. Built for Tax Offices.

Traditional tax office setups store everything on a local computer: client files, software licenses, prior-year returns, bank product records. If that computer is stolen, crashes, or is hit by ransomware, your practice is exposed — and potentially destroyed. The AT4TP Secure Virtual Desktop changes this entirely.

Your tax software, your client files, your secure email, and your cloud storage all live inside Azure’s secure infrastructure — not on any physical device you own. You access them through a browser window. Close the browser and nothing remains on your local device. No cached files. No stored credentials. No exposed data.

This architecture is why hospitals, banks, and law firms use virtual desktop environments to protect the most sensitive data imaginable. Now it is available to your tax practice — at a fraction of enterprise cost.

💻 Windows PC or Laptop

Open a browser, log in with MFA, and your secure desktop is ready in seconds.

🍎 Mac or MacBook

No Windows license required. The virtual desktop runs in any modern browser on macOS.

📱iPad or Android Tablet

Prepare returns from a tablet at your kitchen table, a coffee shop, or your car — fully secured.

🏠 Home Office / Second Location

Multi-location access with one secure environment. No VPN tunnels to configure. No sync issues.

🔒 Data Never Lives on Your Device

When you close the browser session, nothing is left on your personal computer or tablet. Client data stays in Azure’s encrypted infrastructure — not your Downloads folder.

🔑 MFA Required at Every Login

Every time you access your virtual desktop — from any device, any location — multi-factor authentication is required. A stolen laptop cannot be used to access your client data without your second factor.

⚡ No Installation. No Updates. No IT.

Software runs in the cloud. Security patches apply automatically. No annual software upgrades to purchase. No IT professional needed to maintain it.

📋 Your WISP Lives On Your Desktop — Always One Click Away

Your customized WISP document is stored directly on your secure Azure Virtual Desktop. At PTIN renewal, during an FTC inquiry, or the moment a security incident occurs — your complete compliance document is right there, not buried in email or sitting in a filing cabinet. No scrambling. No hunting. Your WISP is where you work.

🌐 Bilingual Support — EN/ES

Full English and Spanish support for setup, training, and ongoing assistance. Your team can work confidently in either language.

🆘 24-Hour IRS Breach Reporting Window

The IRS requires breach notification within 24 hours of discovery. Your WISP includes pre-filled IRS reporting contacts and procedures so you can act immediately — not scramble during a crisis.

🌐 Escritorio virtual seguro — disponible con soporte en español

Configuración, capacitación y soporte técnico completo en inglés y español para todos los preparadores de impuestos.

🇺🇸 🤝 🇲🇽

Simple, Transparent Pricing

Full Protection. One Flat Price.

Both plans include the complete secure virtual desktop, all security tools, and your customized WISP document — free. No per-user fees. No hidden costs.

APEX WISP Seasonal

Virtual PC for Seasonal Tax Professionals

~~Was $1000~~

$649.99

January through April · 4 months

APEX WISP Yearly

Virtual PC for Year-Round Tax Professionals

~~Was $1500~~

$1,099.99

Full 12 months · Year-round protection

🎁 Customized WISP — Free ($500 value) - Stored on Your AVD

Azure Virtual Desktop — secure cloud computer
Reverse Connect firewall · No exposed RDP ports
MFA enforcement on AVD + Microsoft 365
Microsoft Antimalware — real-time + scheduled scans
OS disk encryption — data at rest protected
Trusted Launch vTPM — Secure Boot
Session idle timeout + restricted USB/clipboard
Defender for Cloud — continuous monitoring active
Secure email · Secure cloud drive · Password manager
Customized WISP + Incident Response Plan on your AVD
+ Employee Training — available add-on (see Cybersecurity page)

~~Was $1000~~

🎁 Customized WISP — Free ($500 value) - Stored on Your AVD

Everything in Seasonal — year-round protection
Audit Logging + Defender for Cloud — active all year
Azure Update Manager — centralized patch management
Anti-spyware, anti-phishing, spam filters, firewall
Secure file transfer — encrypted data in transit
Customized WISP + IRP stored on AVD · Annual review
Off-season data protection — client records safe year-round
Bilingual support — English and Spanish
WISP available in English or Spanish on your desktop C
+ Employee Training — available add-on (see Cybersecurity page)

~~Was $1000~~

Questions Answered

Virtual Desktop FAQs

Everything tax professionals ask before subscribing.

Does the Vitual Desktop work with my current software?

▾

Yes. The Azure Virtual Desktop is a full Windows computing environment — compatible with TaxSlayer ProWeb (accessed through a browser), TaxSlayer Desktop, Drake, Lacerte, UltraTax, and virtually all professional tax preparation software. You install or access your existing tax software inside the virtual desktop just as you would on a regular Windows computer. Contact us to confirm compatibility with your specific software before subscribing.

What happens to my client's data if my computer is stolen or lost?

▾

Nothing — because your client data is not stored on your physical computer. Everything lives in Microsoft Azure's encrypted cloud infrastructure. If your laptop is stolen, the thief gets a browser with no cached data, no stored credentials (MFA is required at every login), and no access to anything. Your client files remain safely encrypted in Azure, accessible only by you through MFA authentication from any other device.

Does the Virtual desktop fully satisfy my WISP requirements?

▾

Yes — your AT4TP Azure Virtual Desktop now meets 100% of the core WISP technical controls required by IRS Publication 4557 and the FTC Safeguards Rule. This includes: firewall protection (Reverse Connect, no exposed RDP ports), multi-factor authentication, antivirus (Microsoft Antimalware with real-time and scheduled scans), encryption at rest (platform-managed keys), malicious software protection (Trusted Launch vTPM with Secure Boot), session controls (idle timeout, USB/clipboard restrictions), patch management (Windows auto-updates + Azure Update Manager), audit logging (diagnostic settings enabled, Activity Logs forwarded to Log Analytics), and continuous monitoring (Microsoft Defender for Cloud onboarded with Secure Score and vulnerability management active). Your customized WISP document — which documents all of these controls — is stored directly on your AVD desktop for instant access. An Incident Response Plan is included in your WISP. Employee Security Training is available as an add-on.

Can my staff or multiple preparers use the same virtual desktop?

▾

Each subscription is configured for one user. For multi-user offices or teams with multiple preparers, contact us to discuss a multi-seat configuration. Multi-user setups can be documented in your WISP with individual access roles, separated credentials, and the session controls that are already in place — satisfying the FTC's access control and personnel separation requirements.

What is the difference between seasonal and yearly plan?

▾

The Seasonal plan runs from January through April — covering your active filing season at $649.99. The Yearly plan runs 12 full months at $1,099.99. While you may not be actively preparing returns from May to December, client data stored in your system is at risk year-round — and your WISP must be active and current at PTIN renewal in December. The Yearly plan also includes additional security tools (anti-spyware, spam filters, secure file transfer) and year-round bilingual support.

Is Setup Complicated? How quickly can I be up and running?

▾

Setup is handled by Apex Tech 4 Tax Pros — you do not need to be an IT professional. After subscribing, we configure your Azure Virtual Desktop, set up your secure email, provision your cloud storage, and install your required applications. We then provide a 1-on-1 onboarding session (in English or Spanish) to walk you through logging in, using MFA, and confirming all security controls are working. Most clients are fully operational within a few business days of subscribing.

Get Protected Today

Secure, Compliant, and

Ready to Work From Anywhere.

One subscription covers your virtual desktop, your cybersecurity stack, and your WISP document — everything the IRS and FTC require, fully configured and documented for your tax practice.

Protect Your Practice. Protect Your Clients.

Work SecurelyFrom Anywhere.

Current AVD WISP Compliance Posture — Fully Compliant

100%

100%

100%

100%

100%

100%

100%

100%

100%

100%

Every WISP Technical Requirement — Met & Documented in Your AVD

Enterprise Security. Built for Tax Offices.

Enterprise Security. Built for Tax Offices.

💻 Windows PC or Laptop

🍎 Mac or MacBook

📱iPad or Android Tablet

🏠 Home Office / Second Location

🔒 Data Never Lives on Your Device

🔑 MFA Required at Every Login

⚡ No Installation. No Updates. No IT.

📋 Your WISP Lives On Your Desktop — Always One Click Away

🌐 Bilingual Support — EN/ES

🆘 24-Hour IRS Breach Reporting Window

🌐 Escritorio virtual seguro — disponible con soporte en español

🇺🇸 🤝 🇲🇽

Full Protection. One Flat Price.

APEX WISP Seasonal

$649.99

APEX WISP Yearly

$1,099.99

Virtual Desktop FAQs

Secure, Compliant, and

Ready to Work From Anywhere.

Work Securely
From Anywhere.