Shadow a WVD/AVD user with least privileges
WVD/AVD session hosts allow local administrators to shadow user sessions. You can do this easily with WVDAdmin or from the command line, where the number after /shadow: is the ID of the user's session on that host:
mstsc /v:WVD-DESIGN-404 /control /shadow:2 /prompt
In most companies, help desk agents support users with their applications. Local admin privileges are not necessary for that and are not recommended. To let help desk agents shadow users in WVD, give these users (or, better, a user group) only the permission they need. To do this, execute the following command in an elevated cmd:
wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSPermissionsSetting WHERE (TerminalName like 'RDP-sxs%') CALL AddAccount 'ITPROCLOUD\ADM_WVD-Shadowing',2
Please also configure the local or group policy: Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Connections -> Set rules for remote control of Remote Desktop Services user sessions, and choose "Full Control with user's permission" (registry value Shadow = 1 under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services; value 2 is "Full Control without user's permission", which lets an agent take over a session without the user noticing and is not what you want here).
This adds the group ITPROCLOUD\ADM_WVD-Shadowing to the security descriptor of every RDP-SxS listener. PermissionPreSet 2 is the listener's "Full Control" preset, which includes Remote Control; it is a permission on the listener only, not a local group membership, so the agents still do not become local administrators. Reboot the session host afterwards.
Run this configuration after the deployment and the installation of the AVD agent, and run it again whenever the RDP-SxS stack is updated: the update installs a new rdp-sxs listener, and the permission you added is bound to the listener it was added to.
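The same procedure as a PowerShell script, added here as an example; it is not code from the original post or from WVDAdmin. It uses the CIM cmdlets instead of the deprecated wmic, skips listeners that already carry an entry for the group so it can be re-run after a stack update, and goes one step further than the wmic line above on the least-privilege side: instead of the "Full Control" preset it adds the group with the "User Access" preset and then grants only the Remote Control right via Win32_TSAccount.ModifyPermissions. The group name is an assumption; the numeric preset, mask and bit values are the ones documented for Win32_TSPermissionsSetting and Win32_TSAccount, and the verification step at the end shows you the resulting mask so you can check them on your host.

```powershell
# Added example (not from the original post): grant a help-desk group shadowing
# rights on all RDP-SxS listeners of an AVD session host, verify, and set the
# consent policy. Run in an elevated PowerShell on the session host.
$Group = 'ITPROCLOUD\ADM_WVD-Shadowing'   # assumption: your help-desk group
$Ns    = 'root/CIMV2/TerminalServices'

# Values as documented for the TerminalServices WMI classes (only the ones used here).
$PRESET_USER_ACCESS     = 1      # AddAccount preset: Query, Logon, Connect, Message
$PRESET_FULL_CONTROL    = 2      # AddAccount preset used by the wmic line in the post
$WINSTATION_SHADOW_MASK = 4      # ModifyPermissions PermissionMask index for Remote Control
$WINSTATION_SHADOW_BIT  = 0x10   # Remote Control bit in Win32_TSAccount.PermissionsAllowed

$listeners = Get-CimInstance -Namespace $Ns -ClassName Win32_TSPermissionsSetting |
             Where-Object TerminalName -like 'rdp-sxs*'
if (-not $listeners) { throw 'No RDP-SxS listener found. Is the AVD agent installed?' }

foreach ($listener in $listeners) {
    $name = $listener.TerminalName

    # Skip listeners that already have an entry for the group, so a re-run after an
    # RDP-SxS stack update only touches the newly installed rdp-sxs<version> listener.
    $existing = Get-CimInstance -Namespace $Ns -ClassName Win32_TSAccount |
                Where-Object { $_.TerminalName -eq $name -and $_.AccountName -eq $Group }
    if ($existing) { Write-Host "$name is already configured"; continue }

    # Least-privilege variant: start from the User Access preset instead of
    # $PRESET_FULL_CONTROL (which is what the wmic command in the post uses) ...
    $r = Invoke-CimMethod -InputObject $listener -MethodName AddAccount `
             -Arguments @{ AccountName = $Group; PermissionPreSet = $PRESET_USER_ACCESS }
    if ($r.ReturnValue -ne 0) { throw "AddAccount on $name failed with $($r.ReturnValue)" }

    # ... and add only the Remote Control right on top of it.
    $acct = Get-CimInstance -Namespace $Ns -ClassName Win32_TSAccount |
            Where-Object { $_.TerminalName -eq $name -and $_.AccountName -eq $Group }
    $r = Invoke-CimMethod -InputObject $acct -MethodName ModifyPermissions `
             -Arguments @{ PermissionMask = $WINSTATION_SHADOW_MASK; Allow = $true }
    if ($r.ReturnValue -ne 0) { throw "ModifyPermissions on $name failed with $($r.ReturnValue)" }
    Write-Host "$name: granted User Access + Remote Control to $Group"
}

# Verify: the group must carry the Remote Control bit on every rdp-sxs listener.
Get-CimInstance -Namespace $Ns -ClassName Win32_TSAccount |
    Where-Object { $_.TerminalName -like 'rdp-sxs*' -and $_.AccountName -eq $Group } |
    Select-Object TerminalName, AccountName,
        @{ n = 'Allowed';       e = { '0x{0:X}' -f $_.PermissionsAllowed } },
        @{ n = 'RemoteControl'; e = { ($_.PermissionsAllowed -band $WINSTATION_SHADOW_BIT) -ne 0 } } |
    Format-Table -AutoSize

# Consent policy: Shadow = 1 is "Full Control with user's permission"
# (2 would allow taking over the session without asking the user).
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
New-Item -Path $pol -Force | Out-Null
Set-ItemProperty -Path $pol -Name Shadow -Type DWord -Value 1

# The listener permission change takes effect after a reboot of the session host.
# Restart-Computer
```

If you prefer to stay with the post's own permission level, replace the two method calls in the loop with a single AddAccount using $PRESET_FULL_CONTROL; the skip logic and the verification still apply. Because the script only touches listeners without an entry for the group, you can run it from a scheduled task or your post-deployment tooling so that a new RDP-SxS stack picks up the permission without manual intervention.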
Hint: You can reset this setting with:
wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSPermissionsSetting WHERE (TerminalName like 'RDP-sxs%') CALL RestoreDefaults