From a175640025285629b0d34dc237dab4386e73b9a8 Mon Sep 17 00:00:00 2001
From: gpotter2 <10530980+gpotter2@users.noreply.github.com>
Date: Tue, 6 May 2025 22:08:53 +0200
Subject: [PATCH] Support non-RDP security when shadow server running as Hyper-V console
---
 libfreerdp/core/connection.c | 6 +++++-
 server/shadow/cli/shadow.c | 2 ++
 server/shadow/shadow_server.c | 8 +++++++-
 3 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/libfreerdp/core/connection.c b/libfreerdp/core/connection.c
index 6cef4d3ce..e0d4bc623 100644
--- a/libfreerdp/core/connection.c
+++ b/libfreerdp/core/connection.c
@@ -1525,7 +1525,11 @@ BOOL rdp_server_accept_nego(rdpRdp* rdp, wStream* s)
 SelectedProtocol = nego_get_selected_protocol(nego);
 status = FALSE;
- if (SelectedProtocol & PROTOCOL_RDSTLS)
+ if (freerdp_settings_get_bool(rdp->settings, FreeRDP_VmConnectMode) &&
+ SelectedProtocol != PROTOCOL_RDP)
+ /* When behind a Hyper-V proxy, security != RDP is handled by the host. */
+ status = TRUE;
+ else if (SelectedProtocol & PROTOCOL_RDSTLS)
 status = transport_accept_rdstls(rdp->transport);
 else if (SelectedProtocol & PROTOCOL_HYBRID)
 status = transport_accept_nla(rdp->transport);
diff --git a/server/shadow/cli/shadow.c b/server/shadow/cli/shadow.c
index ecff80286..8fa1778be 100644
--- a/server/shadow/cli/shadow.c
+++ b/server/shadow/cli/shadow.c
@@ -64,6 +64,8 @@ int main(int argc, char** argv)
 "Remote credential guard" },
 { "restricted-admin", COMMAND_LINE_VALUE_BOOL, NULL, BoolValueTrue, NULL, -1, NULL,
 "Restricted Admin" },
+ { "vmconnect", COMMAND_LINE_VALUE_FLAG | COMMAND_LINE_VALUE_BOOL, NULL, BoolValueFalse,
+ NULL, -1, NULL, "Hyper-V console server (bind on vsock://1)" },
 { "may-view", COMMAND_LINE_VALUE_BOOL, NULL, BoolValueTrue, NULL, -1, NULL,
 "Clients may view without prompt" },
 { "may-interact", COMMAND_LINE_VALUE_BOOL, NULL, BoolValueTrue, NULL, -1, NULL,
diff --git a/server/shadow/shadow_server.c b/server/shadow/shadow_server.c
index b9a07fe92..9cbddb017 100644
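Review bot: The added first branch in `rdp_server_accept_nego` sets `status = TRUE` for every `SelectedProtocol` other than `PROTOCOL_RDP` without calling any `transport_accept_*` function, so with `FreeRDP_VmConnectMode` set this process performs no TLS, NLA or RDSTLS handshake and depends on the Hyper-V host for both encryption and authentication. Because the test is an inequality rather than a mask, any non-zero value the negotiation code can leave in `SelectedProtocol` counts as success; testing the expected bits, for example `(SelectedProtocol & (PROTOCOL_SSL | PROTOCOL_HYBRID | PROTOCOL_RDSTLS)) != 0`, would keep unexpected values on the existing paths. The comment sits between the unbraced `if` and its statement, so braces around the new branch would make the chain safer to edit. The function starts and ends outside the hunk, so the tail of the chain is not visible here.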
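Review bot: The help text for `vmconnect` does not say that the option makes the server skip its own TLS/NLA handshake for non-RDP security (see the connection.c hunk of this patch), which an operator needs to know before enabling it. I would extend the string to something like `"Hyper-V console server (bind on vsock://1); TLS/NLA are left to the Hyper-V host"`. The option table starts and ends outside the hunk.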
--- a/server/shadow/shadow_server.c
+++ b/server/shadow/shadow_server.c
@@ -395,6 +395,12 @@ int shadow_server_parse_command_line(rdpShadowServer* server, int argc, char** a
 arg->Value ? TRUE : FALSE))
 return fail_at(arg, COMMAND_LINE_ERROR);
 }
+ CommandLineSwitchCase(arg, "vmconnect")
+ {
+ if (!freerdp_settings_set_bool(settings, FreeRDP_VmConnectMode,
+ arg->Value ? TRUE : FALSE))
+ return fail_at(arg, COMMAND_LINE_ERROR);
+ }
 CommandLineSwitchCase(arg, "sec")
 {
 if (strcmp("rdp", arg->Value) == 0) /* Standard RDP */
@@ -597,7 +603,7 @@ int shadow_server_parse_command_line(rdpShadowServer* server, int argc, char** a
 /* If we want to disable authentication we need to ensure that NLA security
 * is not activated. Only TLS and RDP security allow anonymous login. */
- if (!server->authentication)
+ if (!server->authentication && !freerdp_settings_get_bool(settings, FreeRDP_VmConnectMode))
 {
 if (!freerdp_settings_set_bool(settings, FreeRDP_NlaSecurity, FALSE))
 return COMMAND_LINE_ERROR;
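Review bot: The `vmconnect` switch case only stores `FreeRDP_VmConnectMode`; nothing visible in this patch checks that the listener really is the vsock endpoint the help text describes. If the listener can still be configured as a network socket while this flag is set, sessions that negotiate TLS or NLA would be accepted with no handshake at all. Consider rejecting that combination once all arguments are parsed (returning `COMMAND_LINE_ERROR`), or deriving the mode from the listener type instead of a separate flag. The listener setup is outside the visible hunks, so this needs to be confirmed against the rest of the file.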
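Review bot: The comment above the changed condition in the second hunk no longer matches the code: with authentication disabled and `FreeRDP_VmConnectMode` set, `FreeRDP_NlaSecurity` is left as configured, although the comment says NLA must not be activated. Leaving NLA advertised while the server itself skips the NLA handshake is presumably intended, so the comment should say so, for example `/* In VmConnect mode the Hyper-V host handles NLA/TLS, so the security settings are left unchanged. */`. The body of the `if` continues past the end of the hunk.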