====== Remote Assistance via Terminal Services ======

We need the ability to remotely help Windows clients. We would prefer not to use things like GoToMeeting, especially as Microsoft appears to have something like this already. Following are the notes.

===== Remote Assistance =====

Works on anything, I think. The user sends an invitation, and the assistant uses that to make a P2P connection.

==== On user workstation ====

  - Open Search Box and type //remote assistance//
  - Select //Invite someone to connect to your PC...//
  - Select //Invite someone you trust to help you//
  - Select //Use Easy Connect// (first time, after that magic)
  - Follow instructions to send code to technician

==== On Tech workstation ====

  - Open Search Box and type //remote assistance//
  - Select //Invite someone to connect to your PC...//
  - Select //Help someone who has invited you//
  - Select //Use Easy Connect// (first time only)
  - Select //Help someone new//, or select remote user from list
  - Follow instructions (you will need the code they send you)

===== Session Shadowing =====

Best suited for a Terminal Services server, though it looks like it will work with other machines also. However, an **administrator** on a Terminal Services server can access other users' sessions quite easily. For machines other than the one you are working on, you need network access.

The first set of instructions is carried out on the target server, to configure it to allow shadowing.

  - Enable RDP and Remote Assistance
  - Configure Shadow connection mode
    - Open Group Policy Editor by running gpedit.msc
    - Computer Configuration | Administrative Templates | Windows Components | Remote Desktop Services | Remote Session Host | Connections
    - Select Rules for remote control of Remote Desktop user sessions
    - Enable and choose an option
    - Save
  - Configure firewall
    - allow TCP 139, 445 and RPC 49152-65535
    - Set predefined rules
      - File and Printer Sharing (SMB-In)
      - Remote Desktop - Shadow (TCP-In)

From the source machine, make the connection.
You will need the user's Session ID. If they are directly logged in (i.e., not using RDP), their session is always 1.

  * If remote machine, use <code>qwinsta /server:PC_Name</code>
    * Works just fine on Terminal Server, just leave the /server:PC_Name out
  * If Terminal Server, logged in as an Administrator <code>query user</code>

Now, run the command

<code>Mstsc.exe /shadow: /v: [/prompt] [/control|/noConsentPrompt]</code>

  * /shadow:**Session ID** is the user's Session ID from the previous command
  * /v:**DNS or IP** is the DNS name or IP of the remote machine (ignore if local, or enter //localhost//)
  * /prompt - prompt the user even if not required
  * /control - explicitly set that "I want to control your system" flag
  * **Example** connect to machine at 192.168.1.24, session ID 5, prompting and taking control <code>mstsc.exe /shadow:5 /v:192.168.1.24 /prompt /control</code>

To exit, you can press Alt+*, the remote user can press Ctrl+*, or you can simply close the window. Also, Ctrl+Alt+Break (from your machine) puts you in full screen mode.

**Note** These two commands are documented, but were not available on my Windows Server 2019. I may not have installed everything.
<code>
Get-RDUserSession | ft Username, UnifiedSessionId, SessionState, HostServer, ApplicationType -GroupBy Sessionstate -Wrap
shadow { | } [/server:] [/v]
</code>

===== Links =====

  * https://support.microsoft.com/en-us/windows/solve-pc-problems-remotely-with-remote-assistance-and-easy-connect-cf384ff4-6269-d86e-bcfe-92d72ed55922
  * https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/shadow
  * https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/remote-desktop-services-terminal-services-command-reference
  * https://woshub.com/rdp-session-shadow-to-windows-10-user/ (lots of ads)
  * https://social.technet.microsoft.com/wiki/contents/articles/19804.remote-desktop-services-session-shadowing.aspx
  * https://social.technet.microsoft.com/Forums/en-US/ef79b328-3a91-4183-a37f-faeee86741a3/server-2019-rds-administrative-session-shadowing-works-but-shows-a-black-shadow-window

This link actually provides better instructions, I think.

  * http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/

<code>Mstsc.exe [/shadow:sessionID [/v:Servername] [/control] [/noConsentPrompt] [/prompt]]</code>
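The option chosen in the Session Shadowing Group Policy step decides whether /control and /noConsentPrompt will be honoured, so it is worth checking what the target actually permits. The PowerShell below is an added example, not part of the original notes. It assumes it is run elevated on the target, that the policy is stored as the Shadow value under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services, and that the firewall rules carry their English display names.

```powershell
# Added example (not from the original notes): report what shadowing this host permits.
# Assumptions: elevated PowerShell on the target; English firewall rule display names.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Meaning of the Shadow value written by the remote control policy setting.
$modes = @{
    0 = 'No remote control allowed'
    1 = 'Full Control with user''s permission'
    2 = 'Full Control without user''s permission'
    3 = 'View Session with user''s permission'
    4 = 'View Session without user''s permission'
}

function Get-ShadowPolicy {
    # Returns $null fields when the key or the value is absent (policy not configured).
    $item = Get-ItemProperty -Path $policyKey -Name Shadow -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{
            Value = $null; Mode = 'Not set by policy'
            AllowsControl = $null; AllowsNoConsent = $null
        }
    }
    $v = [int]$item.Shadow
    $mode = if ($modes.ContainsKey($v)) { $modes[$v] } else { "Unknown value $v" }
    [pscustomobject]@{
        Value           = $v
        Mode            = $mode
        AllowsControl   = $v -in 1, 2   # mstsc /control can succeed
        AllowsNoConsent = $v -in 2, 4   # mstsc /noConsentPrompt can succeed
    }
}

$policy = Get-ShadowPolicy
$policy | Format-List

if ($policy.AllowsNoConsent) {
    Write-Warning 'Sessions on this host can be shadowed without the user being asked.'
}

# State of the two predefined firewall rules the notes enable.
Get-NetFirewallRule -DisplayName 'File and Printer Sharing (SMB-In)',
                                 'Remote Desktop - Shadow (TCP-In)' -ErrorAction SilentlyContinue |
    Select-Object DisplayName, Enabled, Profile, Direction, Action
```

Modes 2 and 4 let an administrator watch or control a session with no prompt shown to the user, so a consent-requiring mode (1 or 3) is the safer choice for a helpdesk setup.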