Skip to content

Shared Windows Debug Machine

Home / Infrastructure / Shared Windows Debug Machine

Setup Guide

Setup and configuration guide for a shared Windows machine used for ModuleWorks debugging and headless CI.

A shared Windows machine running ModuleWorks debugging tools, accessible to the team via Remote Desktop. The machine stays always-on and doubles as a headless CI runner for automated tests.

Architecture

graph LR
    subgraph Team Devices
        A[Windows Laptop]
        B[macOS Laptop]
        C[Linux Workstation]
    end

    subgraph Tailscale VPN
        T[Encrypted WireGuard Mesh]
    end

    subgraph Windows Debug Machine
        RDP[RDP Host - Win 11 Pro]
        MW[ModuleWorks Tools]
        CI[CI Agent - Windows Service]
    end

    A -->|mstsc.exe| T
    B -->|Windows App| T
    C -->|Remmina / xfreerdp| T
    T --> RDP
    RDP --- MW
    CI --- MW

Key constraints:

  • One interactive RDP session at a time (Windows Pro limitation)
  • Team members coordinate access via a shared Slack channel or calendar
  • Automated tests run as a headless Windows service — no conflict with RDP sessions

Licensing

Item Cost Notes
Windows 11 Pro upgrade ~$199 one-time (retail) Upgrade in-place from Home — no reset, existing accounts preserved
Windows Enterprise E3 ~$7/user/month Required for users connecting from macOS or Linux (provides VDA rights)
Tailscale Free Free tier covers up to 100 devices

Why Enterprise E3? The Windows Pro license requires connecting devices to run Windows Pro or higher. macOS and Linux devices don't qualify, so each non-Windows user needs a Windows Enterprise E3 subscription (~$7/user/month) for compliant VDA (Virtual Desktop Access) rights.

The Pro upgrade itself is additive — no need to wipe the machine or remove existing user accounts. Go to Settings > System > Activation > Upgrade your edition of Windows, enter the Pro key, and existing accounts, files, and software are preserved.

Setup Guide

Phase 1: Windows Pro Upgrade

  1. Open Settings > System > Activation
  2. Select Upgrade your edition of Windows
  3. Enter the Windows 11 Pro product key
  4. The machine reboots and upgrades in-place — all user accounts, files, and installed software are preserved

Phase 2: Create User Accounts

Create individual local accounts instead of a shared Microsoft account. This gives each person their own profile, credentials, and audit trail.

  1. Open Settings > Accounts > Other users
  2. Click Add account
  3. Select I don't have this person's sign-in information
  4. Select Add a user without a Microsoft account
  5. Enter a username and password
  6. Repeat for each team member
net user <username> <password> /add

For each account, add it to the Remote Desktop Users group:

net localgroup "Remote Desktop Users" <username> /add

Why not a shared Microsoft account?

A shared account means no audit trail (all actions look like one user), shared desktop/settings/browser profiles, and a password that must be redistributed whenever someone leaves. Individual local accounts avoid all of these problems.

Phase 3: Enable Remote Desktop

  1. Open Settings > System > Remote Desktop
  2. Toggle Enable Remote Desktop to On
  3. Confirm the prompt
  4. Verify Network Level Authentication (NLA) is enabled (it should be by default) — this requires authentication before a full session is established

Phase 4: Install and Configure Tailscale

Never expose RDP (port 3389) directly to the internet

RDP is one of the most commonly attacked protocols. Always access it through a VPN.

  1. Download and install Tailscale from tailscale.com/download
  2. Sign in with the team's Tailscale account
  3. Note the machine's Tailscale IP (shown in the Tailscale tray icon, format 100.x.x.x)
  4. Install Tailscale on each team member's device and sign in to the same Tailnet
  5. Team members connect to the Tailscale IP — no port forwarding or firewall rules needed

Verify a direct connection (not relayed) with:

tailscale status

Direct connections have near-zero added latency. Relayed connections (via DERP servers) add noticeable lag above ~100-150ms round-trip.

Phase 5: Always-On Configuration

Power settings

  1. Open Settings > System > Power & Sleep (or Power & Battery)
  2. Set Screen and Sleep to Never when plugged in

  3. Disable hibernation (run as Administrator):

    powercfg -h off

Windows Update management

Prevent surprise reboots during work hours:

  1. Open Settings > Windows Update > Advanced Options
  2. Set Active Hours to the widest range possible (up to 18 hours)
  3. Enable Defer quality updates by 7 days

For tighter control via Group Policy (gpedit.msc):

  • Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage end user experience
  • Enable Turn off auto-restart for updates during active hours
  • Set NoAutoRebootWithLoggedOnUsers to 1 under HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU

Pick a weekly maintenance window (e.g., Sunday 3 AM) for manual update checks and reboots.

Session timeout policies

Prevent stale sessions from blocking other users. Open gpedit.msc and navigate to:

Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits

Policy Recommended Value
Set time limit for disconnected sessions 2 hours
Set time limit for active but idle sessions 4 hours
End session when time limits are reached Enabled

Security hardening

  • Account lockout: Open secpol.msc > Account Policies > Account Lockout Policy. Set lockout threshold to 5 attempts, lockout duration to 30 minutes.
  • Audit logon events: Open secpol.msc > Advanced Audit Policy Configuration > Logon/Logoff. Enable success and failure auditing.
  • Firewall: With Tailscale, RDP traffic flows over the encrypted WireGuard tunnel. Optionally restrict the Windows Firewall RDP rule to only accept connections from the Tailscale subnet (100.64.0.0/10).

Phase 6: Install ModuleWorks Tools

Install the ModuleWorks debugging tools under a shared location (e.g., C:\Tools\ModuleWorks) accessible to all user accounts. Ensure each local account has read and execute permissions on the install directory.

Phase 7: CI Agent for Automated Testing

Since automated tests are headless, run the CI agent as a Windows service — this avoids any conflict with interactive RDP sessions.

  1. Create a dedicated local account for the agent:

    net user ci-agent <strong-password> /add

  2. Install your CI agent (GitHub Actions runner, Azure DevOps agent, Jenkins agent, etc.) under the ci-agent account

  3. During installation, choose Run as a service when prompted
  4. The service runs in the background regardless of who is (or isn't) logged in via RDP

No conflicts with RDP

A service-mode CI agent has no desktop session. Team members can RDP in and out freely while tests run in the background. Tests can also run with nobody connected at all.

Connecting from Each OS

The best RDP experience. Built-in client, near-perfect visual quality.

  1. Press Win+R, type mstsc, press Enter
  2. Enter the machine's Tailscale IP (100.x.x.x)
  3. Click Connect, enter your credentials

Clipboard copy/paste (including files), drive redirection, audio, and multi-monitor all work out of the box.

Save a .rdp file

Click Show Options in mstsc, configure your settings, then Save As to create a one-click connection file.

Good experience with minor keyboard differences.

  1. Install Windows App from the Mac App Store (free)
  2. Go to the Devices tab, click +
  3. Enter the Tailscale IP and save
  4. Double-click to connect, enter your credentials

Clipboard and folder redirection work. Retina displays are supported. Keyboard note: Cmd maps to the Windows key — use Ctrl for Windows shortcuts (Ctrl+C, Ctrl+V, etc.).

Functional but visually rougher than Windows/macOS.

Remmina (GUI — easiest):

  1. Install: sudo apt install remmina remmina-plugin-rdp (Ubuntu/Debian) or sudo dnf install remmina remmina-plugin-rdp (Fedora)
  2. Open Remmina, click +, enter the Tailscale IP and credentials
  3. Connect

xfreerdp (CLI — more control):

xfreerdp /v:100.x.x.x /u:username +clipboard /sound:sys:pulse /drive:home,$HOME

Known issues: clipboard can be flaky on Wayland (X11 is more reliable), HiDPI scaling is a pain point, and visual quality is noticeably lower than Windows-to-Windows due to lack of Microsoft's optimized video codecs.

Access Coordination

With only one RDP session at a time, the team needs a way to coordinate:

  • Slack channel (e.g., #debug-machine) — post when you're connecting and when you're done
  • Disconnected session timeouts (configured in Phase 5) ensure stale sessions don't block others
  • If someone is connected when you try to join, they'll get a prompt asking if they want to allow you to take over their session