Microsoft is currently running at breakneck speed to get Windows Virtual Desktop out the door and into general availability. One big gap that they have right now within WVD is the management piece, including shadowing. Fortunately, they are partnering with third-party vendors – my company RDPSoft included – to bridge this gap as WVD comes to market.
Can I Shadow User Sessions in WVD?
A current challenge with Windows Virtual Desktop is how to provide shadowing, management, and remote assistance to users running on Windows 10 Multi Session hosts in Azure. As you may have read in my previous blog post, the WVD Gateway sets up a reverse proxy between the VMs in the host pool and the inbound WVD clients, so there is no access via port 3389 to these hosts. That’s great for security, but it complicates management. Now, you COULD turn on port 3389 for a limited time, using the “Just-in-time” feature of Security Center in Azure, to access a specific host in the host pool directly; but Security Center, even at its Standard Pricing tier, costs $15 per VM per month. Yikes!
The Solution – Publish Your WVD Management Tools as RemoteApps in a Single VM Host Pool
I’m excited to announce that I’ve engineered a much more elegant solution that solves all of these issues AND keeps things secure. I ran a proof of concept setup in my Windows Virtual Desktop environment this week, and it works great. I’ve even attached a small video demonstrating how it works below. Here’s what I did:
- I created a single VM host pool in my WVD environment using the host pool provisioning wizard in Azure. Then, I loaded up our RDS Management Software, RDPSoft Remote Desktop Commander, on this single VM. In other words, this single VM will serve as a WVD “Management Application Hub” where all my WVD management tools will live. Do keep in mind the number of admins/help desk users that will be connecting to this VM to run management/remote assistance tools, so you can size it appropriately in terms of vCPUs and Memory.
- When I provisioned this WVD management host pool, I connected it to the same VNet in Azure that houses my other WVD host pools and AAD-linked Active Directory VM. Doing so allows the internal traffic necessary to support management, monitoring, and shadowing between my WVD management server running Remote Desktop Commander, and the other VMs in the host pools.
- To facilitate management and shadowing with Remote Desktop Commander, I enabled the Remote Registry Service on all Windows 10 Multi Session VMs that I planned to manage. I also turned on the Remote Service Management exception in the Windows Firewall on each host, and verified that the Remote Desktop and Remote Assistance firewall exceptions were already enabled.
- I then ran the RDS Management Delegation Wizard in Remote Desktop Commander to delegate specific RDS/WVD management rights (like shadowing) to non-admin accounts in my AAD-linked domain.
- Finally, I installed and imported the Windows Virtual Desktop Management PowerShell Library (Microsoft.Rdinfra.Rdpowershell.Dll) in order to publish Remote Desktop Commander as a RemoteApp on my single VM WVD Management Hub. Here are the cmdlets I ran:
PowerShell Cmdlets I Used to Set Up a Windows Virtual Desktop Shadowing RemoteApp
New-RDSAppGroup MyTenantName MyHostPoolName RemoteDesktopCommander -ResourceType "RemoteApp"
This created a new App Group called RemoteDesktopCommander for all of my RDPSoft WVD Management Tools. Then, I ran:
Get-RDSStartMenuApp MyTenantName MyHostPoolName RemoteDesktopCommander
in order to list all of the installed applications on my virtual machine, so I could find Remote Desktop Commander in the list. Once I wrote down its alias name, I ran:
New-RdsRemoteApp MyTenantName MyHostPoolName RemoteDesktopCommander -Name "Remote Desktop Commander" -AppAlias rdpsoftremotedesktopcommander
…which published Remote Desktop Commander as a RemoteApp in my RDS Management Tools AppGroup. Finally, I ran:
Add-RDSAppGroupUser MyTenantName MyHostPoolName RemoteDesktopCommander -UserPrincipalName helpdeskadminuser@myaadlinkedtenantinazure.onmicrosoft.com
once for each admin and help desk user whom I wanted to have access to Remote Desktop Commander for WVD management and shadowing tasks.
The results? Well, see for yourself in this demo. I launch the WVD client, start the Remote Desktop Commander published RemoteApp, review all of the hosts in the various host pools that I imported from Active Directory, and then start shadowing WVD sessions from within my RemoteApp program using Remote Desktop Commander’s awesome SuperShadow feature, all without opening up a single external port to any of my WVD hosts running Windows 10 Multi Session. Amazing stuff – and the only costs are the monthly infrastructure costs associated with this new VM, plus my Premium Management Features license for Remote Desktop Commander.
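A local check for the host-side settings from the third step above (the Remote Registry service plus the three firewall exception groups), added here as an example; it is not part of the original post or of RDPSoft's tooling. The function name Test-ShadowingHostPrep is hypothetical, the firewall group names assume an English-language Windows image, and the count of rules that accept any remote address is an extra column the post itself does not check.

```powershell
# Added example: run locally, in an elevated PowerShell session, on a session host.
function Test-ShadowingHostPrep {   # hypothetical name, not an RDPSoft or Microsoft cmdlet
    [CmdletBinding()]
    param(
        # Firewall exception groups named in the post (English display names assumed).
        [string[]]$FirewallGroups = @(
            'Remote Service Management', 'Remote Desktop', 'Remote Assistance')
    )

    # Check the start type rather than the running state: a service that starts
    # on demand can be stopped at the moment the check runs.
    $svc = Get-Service -Name RemoteRegistry
    [pscustomobject]@{
        Check  = 'Service: RemoteRegistry'
        Ok     = ($svc.StartType -ne 'Disabled')
        Detail = "StartType=$($svc.StartType); Status=$($svc.Status)"
    }

    foreach ($group in $FirewallGroups) {
        # Inbound rules in this group that are actually switched on.
        $rules = @(Get-NetFirewallRule -DisplayGroup $group -ErrorAction SilentlyContinue |
            Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' })

        # Of those, the rules that accept connections from any source address.
        $anySource = @($rules | Where-Object {
            ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any'
        })

        [pscustomobject]@{
            Check  = "Firewall: $group"
            Ok     = ($rules.Count -gt 0)
            Detail = "EnabledInbound=$($rules.Count); RemoteAddressAny=$($anySource.Count)"
        }
    }
}

# One row per check; Ok = False means the step from the post has not been applied.
Test-ShadowingHostPrep | Format-Table -AutoSize -Wrap
```

A non-zero RemoteAddressAny value shows which exception groups are reachable from every address the host can see, which is the figure to compare against the VNet and network security group rules in front of the host pool.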