A lot of things around Windows Virtual Desktop are improved since the release of the ARM-based version as part of the spring 2020 updates. The complete implementation process has been simplified (read more here) and a lot of extra management capabilities are added.

One important component of a virtual desktop environment is user experience. To ensure every user is happy, it is very common to shadow users to walk them through steps to solve problems with a little help from the helpdesk. After explaining the different options you have within Windows Virtual Desktop to one of my customers, I thought it’d be helpful to share the procedure with the community.

In this article, you will learn about the two different options of how you could remote control – shadow the user session to empower your helpdesk employees in your environment.

Note: This article works on both Windows 10 Enterprise single and multi-session.

Table of Contents

Click on the title to jump to that spot in this article:

User session management via the Azure Portal

With the new ARM-based – spring update release of Windows Virtual Desktop being available. We also have the option to do more user session troubleshooting directly from the Azure Portal. The user’s menu option gives us the option to search for users, see their active sessions, application assignment, and send them messages during maintenance work.

This allows helpdesk employees to do some first line of support for Windows Virtual Desktop from the Azure Portal. You can also easily detect the session host of the active session as well as the session ID. This is helpful for the steps explained later on in this article.

Option 1 – How to configure Remote Control sessions via Remote Assistance (MSRA)

Enable Remote Assistance on your WVD image (session host)

The following steps need to be performed on the Windows Virtual Desktop session host images.

Enable Remote Assistance as service as part of your Windows Virtual Desktop image – session host via the following setting.

You can also activate Remote Assistance (automated) via PowerShell with the command below.

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v fAllowToGetHelp /t REG_DWORD /d 1 /f

Configure firewall policies on your WVD image (session host)

netsh advfirewall firewall set rule group="Remote Assistance" new enable=yes

You could also configure the firewall rules via the Allowed apps and features menu

The following Windows Defender Firewall rules should show up after running the PowerShell command. Make sure to verify this before moving to the next step.

Configure Offer Remote Assistance

Pre-step: Make sure to create a custom AD Group e.g. WVD-Helpdesk-Users to enable access to Remote Assistance.

Open the Local – or domain Group Policy Management console.

Go to Computer Configuration/Policies/Software Settings/Administrative Templates/System/Remote Assistance and open the Offer Remote Assistance setting

Click on Show, and make sure to enter the users or groups you want to have permissions to offer Remote Assistance, one per line.

Click on ok to confirm.

Configure Allow UIAccess applications to prompt for elevation

Go to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Make sure to enable the following GPO setting – User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop – to allow the application to open and take over the user’s session.

You can either configure the setting on domain level or via the local group policy.

Publish Remote Assistance as a Remote App (optional)

The following steps are optional as you could run Remote Assistance as well directly from your Windows 10 physical desktop and/or laptop. You only have to make sure the network of the session hosts can be reached.

Go to the Windows Virtual Desktop service in the Azure Portal

Select your Remote App – application group

Click on + Add

Make sure to add the Remote Assistance executable and perhaps a custom name that refers to helpdesk.

Click on Ok

C:\Windows\System32\msra.exe

Open the Remote Desktop client

Refresh your applications

Remote Assistance is now available – let’s test and verify the connection.

Start the Remote assistance – RemoteApp

Setup a Remote Control session with Remote Assistance – helpdesk procedure

You can run the steps below on either a Windows 10 (physical) desktop or laptop in your network – or alternatively as RemoteApp via Windows Virtual Desktop as described above.

Click on – Help someone who has invited you

Click on – Advanced connection option for help desk

Switch to the Windows Virtual Desktop service in the Azure Portal

Open the Users menu

Search for the user you want to shadow

Copy the Active VM entry

Paste the VM entry in the – Type a computer name section

Click on Next

The connection is being established…

When more users are logged on to e.g. Windows 10 Enterprise multi-session – you’ll get the following selection menu.

Select the specific user

Note: When you are the only user logged on to the session host, you won’t get this screen and Remote Assistance will automatically try to take over the session of the (only) user.

The user will see the following bar in the corner of his WVD session.

The admin will see this – and is now able to take over control and help the specific user.

By pressingRequest control – you can take over the mouse of the user.

Option 2 – How to configure shadowing sessions via Remote Desktop Connection (MSTC)

The alternative option to shadow session is via the Remote Desktop Connection (MSTSC). Remote Assistance works differently, is a bit newer as well has more capabilities to send invitations etc. You can pick what fits best to your company needs.

Configure firewall policies on your WVD image (session host)

Make sure the following three (including shadowing) firewall Groups are opened as well as Remote Desktop is opened in the Windows Defender Firewall.

netsh firewall set service type = remotedesktop mode = enable
  • Remote Desktop – Shadow (TCP-In)
  • Remote Desktop – User Mode (TCP-In)
  • Remote Desktop – User Mode (UDP-In)

Change the shadowing policy settings

The settings of shadowing sessions must be done via either local or domain policies.

Go to Computer Configuration, Administrative Templates, Windows components, Remote Desktop Services, Remote Session Host, Connections.

Note: Make sure to perform the steps in the image or allocate a GPO to the organizational unit of the session hosts.

Change the setting below to whatever aligns best with your needs.

Obviously, without the users permission means that you can shadow without getting any prompt + the approval from the end-user beforehand.

How to shadow sessions with MSTC – helpdesk procedure

First, we have to detect the session ID of the user. We can easily detect this via the new Azure Portal – users menu.

Open the Users menu

Search for the user you want to shadow

Go to Sessions to collect the right ID number.

Open the following command.

Note: After Shadow you must put the session ID we just collected.

When you prefer to setup the shadow session with (example) user notification, run.

mstsc /shadow:3 /v:WVD-MSIXDE-1.contoso.com /control

The noConsentPrompt parameter sets up the connection without consent of the user.

mstsc /shadow:3 /v:WVD-MSIXDE-1.contoso.com /control /noConsentPrompt

When everything works – the session is being shadowed. 😊

You’ve now learned the two options to remote control or shadow Windows Virtual Desktop user sessions out of the box.

Thank you.