Skip to content

Session Shadow in Windows Session Host Servers

Session Shadowing

Shadow enables server administrators to view or take control of RDP sessions. This feature can be very useful in various scenarios, such as IT administrators assisting users.

How to configure Session Shadow on Session Server

Configurations on Session Server

Access the session server through the console or a remote session using user credentials with local administrator privileges. Adjust the following settings:

Enable Session Shadow Using Local Group Policy

  1. Navigate to the Policy on Computer Configurations> Administrative Templates> Windows Components> Remote Desktop Services > Remote Desktop Session Host> Connections.

  2. Enable the rule Set rules for remote control of Remote Desktop Services user sessions and choose any of the following options:

    1. Full control with user’s permission: The administrator can interact with the session, but the user must accept the shadow request.

    2. Full control without the user’s permission: The administrator will be able to interact with the session without the user's consent.

    3. View Session with the user’s permission: The administrator will be able to view the session with the user's permission.

    4. View Session without the user’s permission: The administrator will be able to view the session without the user's permission.

  3. Save the settings and restart the server for the policies to take effect.

Enable Firewall exceptions on SHD Session Host

If you have enabled the Windows firewall on SHD session hosts, make sure to add the following firewall exceptions if it's not already been added.

  1. Remote Desktop – Shadow (TCP-In)
  2. Remote Desktop – User Mode (TCP-In)
  3. Remote Desktop – User Mode (UDP-In)

Run the following command on CMD to add the firewall rules:

Netsh firewall set service type = remote desktop mode = enable

Configurations on HyWorks Controller

Open the HyWorks Management Console on any supported browser and follow the steps below to enable session shadow on the configured session servers:

  1. Navigate to VDI > Session Servers > Servers.

  2. Under Add/ Edit Server wizard: Check the Enable Remote Control tag.

  3. Click Save to save the settings.

Taking Shadow Session from HyWorks

This section provides the steps to take a shadow session of the user from the HyWorks controller management console.

  1. In the HyWorks Management Console, navigate to Monitor > Live Sessions > Desktops.

  2. Click on the Remote control icon. The Shadow File will be downloaded.

    1. Shadow File Name v3.4-SP2 or later: Type_HostName_Username_WTSID.rdp (Type: App, ShdDsk, PrsnlDsk).

    2. Shadow File Name v3.4-SP1 or older: SessionShadow.rdp.

  3. Double-click the shadow file to launch it. When prompted, enter your credentials.

  4. Enable permissions in the user session. The connected RDP session is the shadow of the user session.

Note

We can configure the Group Policy to Control or View the RDP Session with or without the permission of the user.

Troubleshooting

Shadow Session is logged out automatically

In the latest releases, direct RDP sessions are blocked, and the system considers shadow sessions as direct RDP sessions, which can lead to logging out users. To workaround this issue, disable the feature that blocks direct RDP.

For more details on the direct RDP block feature refer to the section here.

Shadow Sessions are not connecting on Windows Servers with NLA-Enabled

If a target Windows Server has NLA enabled, session shadowing may not function properly because the current method requires credentials to be provided afterward, whereas NLA demands credential validation before launching RDP.

Workaround: Disable NLA on the server.

Alternate Method to Shadow Using Microsoft Terminal Server Client (MSTSC)

Run the following command to shadow a session:

mstsc.exe /v:xx.xx.xx.xx /shadow:x with other command line params like /control or /noConsentPrompt.

  • x.xx.xx.xx.xx indicates the server address.

  • /shadow: Indicates Terminal Session ID of the session to be shadowed.

Check and Get Terminal Session ID:

  1. Connect to the Remote Desktop Server.
  2. Open the command prompt with administrator privileges.

  3. Run the following command to view a list of sessions.

    QWINSTA

    The list of sessions will be displayed in a tabular format with columns SESSION NAME, USERNAME, ID, STATE, TYPE, and DEVICE.

  4. The Session ID of a specific user can be fetched and can be used as mentioned above.