There is a functionality that comes with Microsoft Terminal Server Connection Client, the one we all know as MSTSC, that will surprise some of you. MSTSC has functionality, it has been there for a while, that is allowing admins to shadow a session. That sounds amazing, right? That sounds like something Citrix does as well. Citrix had this same functionality back in the presentation server times but at least you had to decide if you wanted it during installation. It got removed because of privacy concerns. So even though it does sound amazing there is a little nudge to the functionality, that little nudge is what this blog is about.

Supporting users

So if we look at supporting users we see that many vendors use Microsoft Remote Assistance to support users. Citrix has its own shadow support functionality built-in. I see the occasional VNC flying around but MSRA is the most widely used option. MSTSC has had this shadow option for a while. I never heard anyone use it until I came across an article where it was explained to be used to support users. I would not be a happy user if I knew someone could sneak up and look over my virtual shoulder.

The proof of the pudding is in the tasting

As the saying goes, the proof of the pudding is in the tasting. So here is the video of me shadowing my test user. I installed a Server 2016, changed one policy setting (will show later) and got a hold of the session ID.

Demo of MSTSC /Shadow:<sessionID> /v:Server /NoConsentPrompt


Let me show how you configure this, writing about it takes longer than configuring this. To make this work you need a few things at hand;

  • A server for your user to work on
  • Access to Group policies
  • Ability to query remote session ID’s

By default this functionality is disabled, you cannot shadow a user session just like that. So one has to enable shadowing to do so. Enabling shadowing is too easy as it only takes one policy change.

To enable this setting you need to open the Group policy management console and browse to <Computer Configuration> \<User Configuration> \Administrative Templates\Windows Components\Remote Desktop Services \Remote Desktop Session Host\Connections. There you find the policy named “Set Rules for Remote control of Remote Desktop user sessions“. If you enable this one, you are presented a few options.

The option you are presented are;

  • No remote control allowed
  • View user session with user’s permission
  • View user session without user’s permission
  • Control user session with user’s permission
  • Control user session without user’s permission

That is basically it, the only thing left is to wait for a policy update to happen or if you want to do a quick test do a gpupdate /Force.

Can I prevent some admin setting this policy?

Yes, you can but it takes some work. For one, you should set your default shadow policy in the default domain policy and enforce that one. That will prevent someone from setting something in a lower OU to enable it. Now they need to edit the Default domain policy, not sure what punishment is on that but it should be severe.

The other measure you can take is create different Admin groups and make sure only the most senior admin can change the default domain policy. The last measure is a written policy for any admin to not change settings to gain access to data, session or nything they should stay out.


I was a little surprised that this option is still there. I don’t see the real use of it as Microsoft also offers MSRA to support users. This options only value seems to be to manage desktops without users knowing about it. I would like to see this removed but that is just me. For me, this is an unwanted feature allowing a breach of privacy.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.