
Session Shadow in Windows Session Host Servers

What is Session Shadowing?

Shadow allows server administrators to either view or take control of RDP sessions. It can be very helpful in a variety of scenarios such as IT administrators assisting users.

How to configure Session Shadow on Session Server

Configurations on Session Server

Connect to the session server from the console or over a remote session, using an account with local administrator privileges, and configure the following settings:

Enabling Session Shadow Using Local Group Policy

  1. Navigate to the policy under Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections.

  2. Set the policy Set rules for remote control of Remote Desktop Services user sessions to Enabled and choose one of the following options:

    1. Full control with user's permission: The administrator can interact with the session, but the user must accept the shadow request.

    2. Full control without user's permission: The administrator can interact with the session without the user's consent.

    3. View Session with user's permission: The administrator can view the session with the user's permission.

    4. View Session without user's permission: The administrator can view the session without the user's permission.

  3. Save the settings and restart the server for the policies to take effect.

Enable Firewall exceptions on SHD Session Host

If Windows Firewall is enabled on the SHD session hosts, make sure the following firewall exceptions are added if they are not already present:

  1. Remote Desktop – Shadow (TCP-In)
  2. Remote Desktop – User Mode (TCP-In)
  3. Remote Desktop – User Mode (UDP-In)

Run the following command in CMD to add the firewall rules:

netsh firewall set service type=remotedesktop mode=enable

Configurations on HyWorks Controller

Open the HyWorks management console in any supported browser and follow the steps below to enable session shadow on the configured session servers:

  1. Go to VDI > Session Servers > Servers.

  2. In the Add/Edit Server wizard:

    1. Check the Enable Remote Control tag.

  3. Save the settings.

Taking Shadow Session from HyWorks

This section describes the process for taking a shadow session of a user from the HyWorks controller management console:

  1. In MMC, go to Monitor > Live Sessions > Desktops.

  2. Click the Remote control icon. A shadow file will be downloaded.

  3. Double-click the shadow file to launch it and provide the credentials when prompted.

  4. Allow the permission in the user session. The connected RDP session is a shadow of the user session.

Note

The Group Policy can be configured to control or view the RDP session with or without the user's permission.

Troubleshooting

Shadow Session is logged-out automatically

In the latest releases, direct RDP sessions are blocked. A shadow session is treated as a direct RDP session and can therefore be logged out. To work around this issue, disable the feature that blocks direct RDP.

More details of direct RDP block feature can be found here

Shadow Sessions are not connecting on Windows Servers with NLA Enabled

If the target Windows servers have NLA enabled, session shadow may not work, because the current method requires credentials to be provided later, whereas NLA requires credential validation before the RDP session is launched.

Workaround: Disable NLA on the server.
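To confirm what a session host actually ends up with after the steps above (the shadow policy mode, the Remote Desktop firewall exceptions, and whether NLA is still required), a read-only check like the following can be run in an elevated PowerShell session on the host. This is an added example, not part of the HyWorks documentation; it assumes the standard Windows registry locations for these settings and the English firewall group name "Remote Desktop".

```powershell
# Added example: read-only audit of the settings configured on this page.
# Nothing is changed; run elevated on the session host.

# Values written by the policy "Set rules for remote control of
# Remote Desktop Services user sessions".
$modes = @{
    0 = 'No remote control allowed'
    1 = "Full control with user's permission"
    2 = "Full control without user's permission"
    3 = "View session with user's permission"
    4 = "View session without user's permission"
}
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$rdpTcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Helper (name is illustrative): return a registry value or $null if absent.
function Get-RegValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$shadow = Get-RegValue $policyKey 'Shadow'

# NLA: 1 = required. A policy value, when present, wins over the local one.
$nla = Get-RegValue $policyKey 'UserAuthentication'
if ($null -eq $nla) { $nla = Get-RegValue $rdpTcpKey 'UserAuthentication' }

[pscustomobject]@{
    ShadowPolicy = if ($null -eq $shadow) { 'Policy not configured' }
                   else { $modes[[int]$shadow] }
    NlaRequired  = ($nla -eq 1)
} | Format-List

# State of the Remote Desktop firewall rules, including the Shadow rule.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Select-Object DisplayName, Enabled, Profile, Direction |
    Format-Table -AutoSize

# Flag the two settings with the largest effect on user privacy and exposure.
if ($shadow -in 2, 4) {
    Write-Warning "Sessions can be shadowed without the user's consent."
}
if ($nla -ne 1) {
    Write-Warning 'NLA is not required for RDP connections to this host.'
}
```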

Alternate Method to Shadow Using Microsoft Terminal Server Client (MSTSC)

Run the following command to shadow a session:

mstsc.exe /v:xx.xx.xx.xx /shadow:x

Other command-line parameters such as /control or /noConsentPrompt can be added.

>   /v: where xx.xx.xx.xx is the server address

>   /shadow: Terminal Session Id of the session to be shadowed

Check and Get Terminal Session Id:

  1. Connect to the remote desktop server.

  2. Open a command prompt with elevated privileges.

  3. Run the following command to view the list of sessions:

QWINSTA

  4. The list of sessions is displayed in tabular format with the columns SESSIONNAME, USERNAME, ID, STATE, TYPE and DEVICE.

  5. The session Id of a specific user can be read from this list and used as described above.