How to shadow an active user session in Windows Virtual Desktop via Remote Desktop Connection (MSTC)

During our session last week during the “Microsoft meets Community : Windows Virtual Desktop – second edition:” event, I briefly mentioned the possibilities of shadowing an active user session in Windows Virtual Desktop, if you are interested, you can watch the demo over here.

In this blog I want to go into more detail about which steps are required before you can shadow an active user session in Windows Virtual Desktop.

This blog is divided into the following steps;

  1. Configure the Windows Defender Firewall with Group Policies
  2. Configure the rules for remote connection with Group Policies
  3. Shadow an active user in windows Virtual Desktop

Step 1 : Configure the Windows Defender Firewall with Group Policies

The first step is to enable Remote Desktop in the Windows Defender Firewall. Therefor open the Group Policy Management Editor and open or create a new GPO. Of course you need to make sure that this GPO will be applied on the OU were the Sessions Hosts servers are located.

Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Windows Defender Firewall with Advanced Security > Inbound Rules

Right click Inbound Rules, and click New Rule..

Select Predefined and select Remote Desktop. Click Next

Make sure all three rules are selected and click Next

Select Allow the connection and click Finish

The rules as shown in the screenshot above are now created.

Step 2 : Configure the rules for remote connection with Group Policies

In this second step the rules for remote control of Remote Desktop Services user sessions will be configured.

Within the GPO, navigate to Computer Configuration > Policies > Administrative templates > Windows components > Remote desktop services > Remote desktop session host > Connections

Open the Set rules for remote control of Remote Desktop Service user sessions

Select Enabled and select the permissions you want (or what is allowed within your organization) during a remote shadow connection and if the user’s permission is required. In this case I will select Full Control without user’s permissions. In the next step I will show you that you still can ask for the user’s permission with a command line parameter.

Step 3 : Shadow an active user in Windows Virtual Desktop

To shadow an active user session in Windows Virtual Desktop, we first need to collect some information about the current session. Therefor go to the Windows Virtual Desktop portal and open the Users blade.

Search for the user, and click on his/her name.

For setting up the shadow session, we need to know the Session ID and the Active VM (Session Host server that is hosting the user session).

Make sure you run the following commando’s from a “Jump Server” or from an “IT Admin Host pool” or at least a VM that have direct access to the Session Host VMs.

To setup a Shadow session WITH user permission run the following command:

mstsc.exe /shadow:<session ID> /v:<Session Host VM FQDN> /control

So, in this case it will be:

mstsc.exe /shadow:3 /v:WVD-OWGPU-0.futureworkplace.it /control

This command will display the dialog screen as displayed in the screenshot above in the user’s session, asking for permission for shadowing the session.

If you want to shadow the session without requesting control, run the following command:

mstsc.exe /shadow:<session ID> /v:<Session Host VM FQDN> /control /noConsentPrompt

So, in this case it will be:

mstsc.exe /shadow:3 /v:WVD-OWGPU-0.futureworkplace.it / control /noConsentPrompt

After running this command, the user shadow session will be established without requesting for permission.

2 comments

About Robin Hobo

I am a Technology Specialist working for Microsoft with focus on the Modern Workplace. I am specialized in Microsoft Intune, Azure Virtual Desktop (AVD), Windows 365, Windows 11 and Azure AD. Also interested in mental health, NLP and personal development.

For more information, see the About Me page or my LinkedIn profile.

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.

Close