In our session last week at the “Microsoft meets Community: Windows Virtual Desktop – second edition” event, I briefly mentioned the possibility of shadowing an active user session in Windows Virtual Desktop. If you are interested, you can watch the demo over here.
In this blog I want to go into more detail about which steps are required before you can shadow an active user session in Windows Virtual Desktop.
This blog is divided into the following steps:
- Configure the Windows Defender Firewall with Group Policies
- Configure the rules for remote connection with Group Policies
- Shadow an active user in Windows Virtual Desktop
Step 1 : Configure the Windows Defender Firewall with Group Policies
The first step is to enable Remote Desktop in the Windows Defender Firewall. To do so, open the Group Policy Management Editor and open an existing GPO or create a new one. Make sure that this GPO is applied to the OU where the Session Host servers are located.
Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Windows Defender Firewall with Advanced Security > Inbound Rules
Right-click Inbound Rules, and click New Rule...
Select Predefined and select Remote Desktop. Click Next
Make sure all three rules are selected and click Next
Select Allow the connection and click Finish
The rules as shown in the screenshot above are now created.
Step 2 : Configure the rules for remote connection with Group Policies
In this second step the rules for remote control of Remote Desktop Services user sessions will be configured.
Within the GPO, navigate to Computer Configuration > Policies > Administrative templates > Windows components > Remote desktop services > Remote desktop session host > Connections
Open the Set rules for remote control of Remote Desktop Service user sessions
Select Enabled, then select the level of control you want (or what is allowed within your organization) during a remote shadow connection and whether the user’s permission is required. In this case I will select Full Control without user’s permission. In the next step I will show you that you can still ask for the user’s permission with a command line parameter.
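To confirm that the settings from Steps 1 and 2 actually reached a Session Host, and to spot hosts where shadowing without the user's permission is allowed, the policy value and firewall rules can be read back. This is an added example, not part of the original post; the function name Get-ShadowPolicyAudit is hypothetical, and it assumes PowerShell remoting (WinRM) to the Session Hosts and an English display language for the firewall group name.

```powershell
# Added example: read back the shadow policy and Remote Desktop firewall rules.
# Values of the "Shadow" policy registry value and the GPO option each one maps to.
$ShadowModes = @{
    0 = 'No remote control allowed'
    1 = 'Full Control with user''s permission'
    2 = 'Full Control without user''s permission'
    3 = 'View Session with user''s permission'
    4 = 'View Session without user''s permission'
}

function Get-ShadowPolicyAudit {   # hypothetical helper name
    param([Parameter(Mandatory)][string[]]$ComputerName)

    $results = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        # Written by "Set rules for remote control of Remote Desktop Services user sessions"
        $key    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
        $shadow = (Get-ItemProperty -Path $key -Name Shadow -ErrorAction SilentlyContinue).Shadow

        # Effective rules (GPO + local) from the predefined "Remote Desktop" group
        $rules = Get-NetFirewallRule -PolicyStore ActiveStore -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
            Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' }

        [pscustomobject]@{
            ShadowValue  = $shadow
            EnabledRules = @($rules).Count
        }
    }

    foreach ($r in $results) {
        [pscustomobject]@{
            Host            = $r.PSComputerName
            Policy          = if ($null -eq $r.ShadowValue) { 'Not configured' } else { $ShadowModes[[int]$r.ShadowValue] }
            # True when the policy allows shadowing without the user's permission
            NoConsentMode   = $r.ShadowValue -in @(2, 4)
            # Step 1 creates three inbound allow rules
            InboundRdpRules = $r.EnabledRules
        }
    }
}

# Host name taken from the example used later in this post
Get-ShadowPolicyAudit -ComputerName 'WVD-OWGPU-0.futureworkplace.it' | Format-Table -AutoSize
```

Hosts that report NoConsentMode as True are the ones to review against what your organization allows.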
Step 3 : Shadow an active user in Windows Virtual Desktop
To shadow an active user session in Windows Virtual Desktop, we first need to collect some information about the current session. To do so, go to the Windows Virtual Desktop portal and open the Users blade.
Search for the user, and click on his/her name.
For setting up the shadow session, we need to know the Session ID and the Active VM (Session Host server that is hosting the user session).
Make sure you run the following commands from a “Jump Server”, from an “IT Admin Host pool”, or at least from a VM that has direct access to the Session Host VMs.
To set up a shadow session WITH user permission, run the following command:
mstsc.exe /shadow:<session ID> /v:<Session Host VM FQDN> /control
So, in this case it will be:
mstsc.exe /shadow:3 /v:WVD-OWGPU-0.futureworkplace.it /control
This command displays the dialog shown in the screenshot above in the user’s session, asking for permission to shadow the session.
If you want to shadow the session without requesting the user’s permission, run the following command:
mstsc.exe /shadow:<session ID> /v:<Session Host VM FQDN> /control /noConsentPrompt
So, in this case it will be:
mstsc.exe /shadow:3 /v:WVD-OWGPU-0.futureworkplace.it /control /noConsentPrompt
After running this command, the shadow session will be established without requesting the user’s permission.