We need the ability to remotely help windows clients. Prefer to not use things like GoToMeeting or something, especially as Microsoft appears to have something like this already. Following are the notes.

Works on anything, I think. User sends an invitation, assistance uses that to make a P2P connection

1. Open Search Box and type remote assistance
2. Select Invite someone to connect to your PC…
3. Select Invite someone you trust to help you
4. Select Use Easy Connect (first time, after that magic)
5. Follow instructions to send code to technician

1. Open Search Box and type remote assistance
2. Select Invite someone to connect to your PC…
3. Select Help someone who has invited you
4. Select Use Easy Connect (first time only)
5. Select Help someone new, or select remote user from list
6. Follow instructions (you will need the code they send you)

Best suited for a Terminal Services server, though it looks like it will work with other machines also. However, an administrator on a Terminal Services server can access other users sessions quite easily. For machines other than the one you are working on, you need network access

The first set of instructions is on the target server, to configure to allow shadowing

1. Enable RDP and Remote Assistance
2. Configure Shadow connection mode
   1. Open Group Policy Editor by running

      gpedit.msc

   2. Computer Configuration | Administrative Templates | Windows Components | Remote Desktop Services | Remote Session Host | Connections
   3. Select Rules for remote control of Remote Desktop user sessions
   4. Enable and choose an option
   5. Save
3. Configure firewall
   1. allow TCP 139, 445 and RPC 49152-65535
   2. Set predefined rules
      1. File and Print Sharing (SMB-In)
      2. Remote Desktop - Shadow )TCP-In)

From the source machine, make the connection. You will need the users Session ID. If they are directly logged in (ie, not using RDP), their session is always 1.

• If remote machine, use

  qwinsta /server:PC_Name

  • Works just fine on Terminal Server, just leave the /server:PC_Name out
• If Terminal Server, logged in as an Administrator

  query user

Now, run the command

Mstsc.exe /shadow:<Session ID> /v:<DNS or IP> [/prompt] [/control|/noConsentPrompt]

• /shadow:Session ID is the users Session ID from the previous command
• /v:DNS or IP is the DNS name or IP of remote (ignore if local, or enter locahost)
• /prompt - prompt the user even if not required
• /control - explicitly set that “I want to control your system” flag
• Example connect to machine at 192.168.1.24, session ID 5, prompting and taking control

  mstsc.exe /shadow:5 /v:192.168.1.24 /prompt /control

To exit, you can press Alt+*, the remote user can press ctl+*, or you can simply close the window. Also, ctl+alt+break (from your machine) puts you in full screen mode

Note These two commands are documented, but were not available on my Windows Server 2019. I may not have installed everything.

Get-RDUserSession | ft Username, UnifiedSessionId, SessionState, HostServer, ApplicationType -GroupBy Sessionstate -Wrap
shadow {<sessionname> | <sessionID>} [/server:<servername>] [/v]

• https://support.microsoft.com/en-us/windows/solve-pc-problems-remotely-with-remote-assistance-and-easy-connect-cf384ff4-6269-d86e-bcfe-92d72ed55922
• https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/shadow
• https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/remote-desktop-services-terminal-services-command-reference
• https://woshub.com/rdp-session-shadow-to-windows-10-user/ (lots of ads)
• https://social.technet.microsoft.com/wiki/contents/articles/19804.remote-desktop-services-session-shadowing.aspx
• https://social.technet.microsoft.com/Forums/en-US/ef79b328-3a91-4183-a37f-faeee86741a3/server-2019-rds-administrative-session-shadowing-works-but-shows-a-black-shadow-window

This link actually provides better instructions, I think.

• http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/

Mstsc.exe [/shadow:sessionID [/v:Servername] [/control] [/noConsentPrompt] [/prompt]]