Link to home
Create AccountLog in
Avatar of Abdul Raheem
Abdul Raheem

asked on

Remote Desktop Alt+Tab

Alt+Tab not working in windows Remote desktop. How to resolve it?
Avatar of oBdA
oBdA

Use Alt+Ins
You won't get the graphical selection view in the middle of the screen, but the applications will be put into the foreground one after the other.
You could use the following:
Alt + PageUp
or
Alt + PageDown

This will cycle through the open applications.
Keep holding the Alt after pressing PageUp or PageDown will keep the window with applications open which you can select with the mouse.

Are you in full screen mode?
Avatar of Abdul Raheem

ASKER

In full screen mode. Using Windows server 2012 RDS publishing remote desktop. Also Local Resources>Keyboard settings options. No Luck.
 
The functionality is described here.
https://docs.microsoft.com/en-us/windows/win32/termserv/terminal-services-shortcut-keys
They also mention the ALT+TAB mapping to ALT+PAGE UP and Local Resources, Apply Windows key combinations

Does the Windows key work, and if yes, on which computer is the menu opened ?
Is this a direct RDP session from a physical computer or do you maybe work with a nested RDP session ?
You could try "Shift + Alt + PageUp"

Zalazar's comment does it not work for you?
Do you use another keyboard layout , language that may alter the key combinations.
not working. Tried all ALT+Pageup or ALT+Pagedown or Shift+Alt+Pageup or ALT+Ins.
I am connecting to the jump box via rd web and the taking remote of the machine. Pressing windows key , opening in local pc.
The same is working from the Microsoft Remote desktop App from app store. But that cannot be used in RDS rdweb. 
You are double passing which seems to be your issue
Workstation => jump box => RDP final session
=> RDP sessions?

Look at VPN as an access mechanism
So you have ==> RDP final session with ==> RDP via VPN
it is Workstation==>vpn==>jumb box==> RDP final session
If you would set "Local Resources", "Apply Windows key combinations" to "On the remote computer"
Is the Windows key then still opening the menu on the local computer ?

Are you using RDP to jumpbox.
What do you need with alt tab, where looking at the task bar will not do?

Can you try to make sure that the .RDP file that will be run from your "RD Web Access" session to access the remote server, contains the following.
keyboardhook:i:1

Open in new window

This will set "Apply Windows key combinations" to "On the remote computer"

Are you using RDP to jumpbox.
Yes
What do you need with alt tab,
Toggling between applications
 where looking at the task bar will not do?
I dont understand your question
@Zalazar
Not available. It has only below.
redirectclipboard:i:1
redirectprinters:i:1
redirectcomports:i:0
redirectsmartcards:i:1
devicestoredirect:s:*
drivestoredirect:s:*
redirectdrives:i:1
session bpp:i:32
prompt for credentials on client:i:1
span monitors:i:1
use multimon:i:1
remoteapplicationmode:i:1
server port:i:3389
allow font smoothing:i:1
promptcredentialonce:i:0
videoplaybackmode:i:1
audiocapturemode:i:1
gatewayusagemethod:i:0
gatewayprofileusagemethod:i:1
gatewaycredentialssource:i:0
full address:s:
alternate shell:s:||mstsc
remoteapplicationprogram:s:||mstsc
remoteapplicationname:s:Remote Desktop Connection
remoteapplicationcmdline:s:
workspace id:
use redirection server name:i:1
loadbalanceinfo:s:tsv://MS Terminal Services Plugin.
alternate full address:
signscope:s:Full Address,Alternate Full Address,Use Redirection Server Name,Server Port,GatewayUsageMethod,GatewayProfileUsageMethod,GatewayCredentialsSource,PromptCredentialOnce,Alternate Shell,RemoteApplicationProgram,RemoteApplicationMode,RemoteApplicationName,RemoteApplicationCmdLine,RedirectDrives,RedirectPrinters,RedirectCOMPorts,RedirectSmartCards,RedirectClipboard,DevicesToRedirect,DrivesToRedirect,LoadBalanceInfo
signature:s:
Usually a jumpbox is an exposed directly to the outside using MFA to gain access.
If you have a VPn connection, why are you not going directly to the end system?
Not sure you can  map different key combos to pass through....
To avoid , direct RDP to the end system. I have the jump box. It is not advisable to go directly.

Not advisable, By whom?
The not advisable commonly is exposing multiple systems to the outside.
1) is the RDP accessible to the VPN Conncted system?
Do not attach local drives to the RDP session if that is the concern.
by me.
Jumpbox is on a DMZ.
Do you have the solution or not?

Thanks.
If you would open a registry editor (regedit) and then go to:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\CentralPublishedResources\PublishedFarms]
Then browse to your Collection name, Applications or RemoteDesktops and try to find the icon you click.
There should be a registry entry named: RDPFileContents
This contains all the RDP options.
Can you copy the line and paste it to a notepad and verify that it contains the same options as posted.
Important: You can not edit the line directly as it contains new line characters and binary data so it's not possible to simply add the proposed parameter at the end of the line.

In addition: The RDP file is also signed so editing is more difficult.
And I can't find the setting in the "Session Collection" parameters where you normally define these RDP parameters.

Does your VPN policy restrict your access to the DMZed system only?
You are looking to remap a key-combos on a keyboard connected to the workstation, passed to the jump box and then translated to the end system as alt-page up/down.

Consider the following question, does the office manager check in with the sevurity guard at the front entrance after entering through the employee entrance and before going to their office?


It's possible to specify custom properties on the Session Collection.
https://docs.microsoft.com/en-us/powershell/module/remotedesktop/set-rdsessioncollectionconfiguration?view=win10-ps
-CustomRdpProperty
Specifies Remote Desktop Protocol (RDP) settings to include in the .rdp files for all Windows Server 2012 RemoteApp programs and remote desktops published in this collection.

Set-RDSessionCollectionConfiguration –CollectionName QuickSessionCollection -CustomRdpProperty "keyboardhook:i:1"

Open in new window


Before setting it you could first check if the parameter already contains a value via:
Get-RDSessionCollectionConfiguration -CollectionName QuickSessionCollection | Select -ExpandProperty CustomRdpProperty

Open in new window


@zalazar
Is keyboardhook:i:1 alone sufficient for lt+tab? I have added this via poweshell as you mentioned. But still no luck.
One good news is Ithat I am able to do ALT+TAB by connecting to Jump box using the below RDP file and from there remote to end system. ALT+TAB is working fine.But if I go with RDS rdweb remote only it is not working.

screen mode id:i:2
use multimon:i:0
desktopwidth:i:1366
desktopheight:i:768
session bpp:i:32
winposstr:s:0,1,12,45,1366,728
compression:i:1
keyboardhook:i:1
audiocapturemode:i:0
videoplaybackmode:i:1
connection type:i:7
networkautodetect:i:1
bandwidthautodetect:i:1
displayconnectionbar:i:1
enableworkspacereconnect:i:0
disable wallpaper:i:0
allow font smoothing:i:0
allow desktop composition:i:0
disable full window drag:i:1
disable menu anims:i:1
disable themes:i:0
disable cursor setting:i:0
bitmapcachepersistenable:i:1
full address:s:...
audiomode:i:0
redirectprinters:i:1
redirectcomports:i:0
redirectsmartcards:i:1
redirectclipboard:i:1
redirectposdevices:i:0
autoreconnection enabled:i:1
authentication level:i:2
prompt for credentials:i:0
negotiate security layer:i:1
remoteapplicationmode:i:0
alternate shell:s:
shell working directory:s:
gatewayhostname:s:
gatewayusagemethod:i:4
gatewaycredentialssource:i:4
gatewayprofileusagemethod:i:0
promptcredentialonce:i:0
gatewaybrokeringtype:i:0
use redirection server name:i:0
rdgiskdcproxy:i:0
kdcproxyname:s:
drivestoredirect:s:


Registry content

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\CentralPublishedResources\PublishedFarms\Server\Applications\mstsc]
"Name"="Remote Desktop Connection"
"SecurityDescriptor"=""
"Path"="C:\\Windows\\system32\\mstsc.exe"
"VPath"="%SYSTEMDRIVE%\\Windows\\system32\\mstsc.exe"
"CommandLineSetting"=dword:00000000
"RequiredCommandLine"=""
"ShowInPortal"=dword:00000001
"Folders"=hex(7):2f,00,00,00,00,00
"RDPFileContents"="redirectclipboard:i:0

redirectprinters:i:1

redirectcomports:i:0

redirectsmartcards:i:1

devicestoredirect:s:*

drivestoredirect:s:

session bpp:i:32

prompt for credentials on client:i:1

span monitors:i:1

use multimon:i:1

remoteapplicationmode:i:1

server port:i:3389

allow font smoothing:i:1

promptcredentialonce:i:0

videoplaybackmode:i:1

audiocapturemode:i:1

gatewayusagemethod:i:0

gatewayprofileusagemethod:i:1

gatewaycredentialssource:i:0

full address:s:

alternate shell:s:||mstsc

remoteapplicationprogram:s:||mstsc

remoteapplicationname:s:Remote Desktop Connection

remoteapplicationcmdline:s:

screen mode id:i:2

workspace id:s:....

use redirection server name:i:1

loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1......

alternate full address:s:...

signscope:s:Full Address,Alternate Full Address,Use Redirection Server Name,Server Port,GatewayUsageMethod,GatewayProfileUsageMethod,GatewayCredentialsSource,PromptCredentialOnce,Alternate Shell,RemoteApplicationProgram,RemoteApplicationMode,RemoteApplicationName,RemoteApplicationCmdLine,RedirectPrinters,RedirectCOMPorts,RedirectSmartCards,RedirectClipboard,DevicesToRedirect,DrivesToRedirect,LoadBalanceInfo

signature:s:AQABAAEAAAD4EAAAMIIQ9AYJKoZIhvcNAQcCoIIQ5TCCEOECAQExCzAJBgUrDgMC  0dHA6Ly9jZXJ0cy5n
What you are trying to achieve is
Key-combo on workstation
Through RDP session
The key-combo has to be ignored, and passed on
Through second RDP session
Interpreted as alt-tab
The issue is whether you when you establish the first RDP you declare/define a session key map translation
Establish the second RDP and do the same to handle the keystrokes being passed from the original key board.
If you make registry changes, you will run into issues when there are internal direct access to the RDP.
I dont understand.

Establish the second RDP and do the same to handle the keystrokes being passed from the original key board.
Is it possible to use the same commands in second RDP with session key mappping?
Keystrokes are received and interpreted on a session by session basis.
The RDP session to the jumpbox is effectively have to pass the keystrokes from the keyboard on the workstation amd not interpret it,
I.e. If you establish an RDP session to the jumpbox.
You the. Establish an RDP session from tHe jumpbox To the end system.
When you hit ctrl-alt-end is seen by the jumpbox and acted accordingly by presenting the options on the jumpbox RDP
You are trying to pass a key-combo from the workstation all the way through the two RDP sessions and have the last system act on that key combo.

There is a powershell cmdlet taht deals with setting session parameters.

My prior statement dealing with the existence of the VPN connection which effectively places the workstation wihtin the most secure  limit.
Having passed the security barrier, going through seemingly unnecessary step of going through a jump box to then RDP again to the final destination.

The same way you are trying to translate the keystrokes through RDP session from the workstation through the jumpbox to the end system, you can translate and attach the local harddrive and resources through the RDP session to the jumpbox to the end system via that RDP session.

Registry changes are commonly permanent..
Is there a resolution?
What is the issue with direct access once the vpn is setup?

Is the jumbos runs as RDS? Does the end system res? Or remote administration ?
No resolution provided
An approach you refuse to use is not the same as no resolution. You are requiring a specific option.
and the only way to achieve what you want is to handle keystroke remaping through each RDP session.

https://www.nextofwindows.com/how-to-use-the-same-win-key-combinations-on-remote-desktop

note you need to try to pass this from workstaion to jump box and then from the jumpbox to the end system


@Arnold. Have some wide thinking when you look at a problem.
I already conveyed that I am able to achieve Alt+Tab successfully via RDP to Jumpb box and then the end machine. Only when I go via RDWEB , the problem arises. Now tell me the reason. 
Note the last link to see whether you can use the options displayed where you would setup the respective connection, potentially when full screen mode is used, that the keystrokes from the workstations will pass through the intermediate RDP session, to the end session.

I am uncertain I understand the circumstances that your setup is making you so rigid.

A jumpbox is a system with an MFA that is Internet facing. Once accessed provides access to other internal systems.

A VPN with or without an X-user and an MFA is providing access to the Office LAN.

You are insisting even though you are already on the LAN to use the JUMPBOX which is situated in a more restrictive zone that the system on which your keyboard/screen interface is.

I can not understand the scenario under which conditions you are envisioning a one to one access.
Anything you can attach directly, you can pass through the jumpbox
A GPO can restrict what resources can be attached to the individual server on LAN as applied to the JUMPBOX if any. I.e. You are currently applying a GPO to the JUMOBOX to deny users attachment of local DRIVES, printers, etc.
This same restriction can be imposed on all servers.

Are you familiar with ssh tunnels?

what it seems from here.
1) you have a highly secured environment
2) you have a secure number which you can use to call for the outside and then connect, make other choices to contact different individuals.
3) the phone system was upgraded such that it made it possible for your phine to register with the phine system after an establishment of a VPN connection.
4) even with your phone being directly connected to the phone system you are still insisting on calling the external number through which you dial other people.

This is what I do not understand.
There is no need of a VPN to have access to entire LAN. It can be restricted only to the jump box. There is no rule to have a jump box to face the internet directly. A jump box can be accessed via a secure VPN. You are keep on deviating from my question. 
I am trying to get a picture of the environment.

In your setup, VPN required to access a jumpbox from which other things are accessiblle.

Over the VPN are you connecting to the jump box in full screen mode, or used the option as illustrated in the link while not connecting the RDP session in full screen mode?
The RDP session from the jumpbox to the end system, which mode of the options are you using, full screen mode to try and see whether that will create a passthrough of the keystrokes from the workstation to the final destination system?

Does the jumpbox agave ssh server options?
Ssh tunnel through the jumpbox to the final destination?
ASKER CERTIFIED SOLUTION
Avatar of zalazar
zalazar

Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
See answer
@Zalazar

You are great man. Your first method works. But I could use only ALT+Pageup or Pagedown.
Any chance of using ALT_TAB?
Thanks and great to hear it's working !
I could not find a way to use ALT-TAB unfortunately.
Only the alternative key combinations work.

There is a possibility but you would need an external RDP program named Royal TS for this.
By saving and importing the RDP file and setting the option "Advanced |Input |Windows Keys Passthrough: Enabled" for the connection.
Then ALT-TAB within the RDP session works fine.
Thanks Zalazar. Its a great help from you. Please suggest any open source of RDS if you aware of.
mRemoteNG is open source and has a possiblity to set
Redirect |Key Combinations: Yes
but the software is not capable to run the RDP session via the published application.
I couldn't find any other open source or free RDP program which is capable to run the session via the published application and passthrough ALT-TAB in combination with this setup.