Remote Desktop shadowing

From DanIT
Revision as of 12:22, 5 May 2021 by Dan (talk | contribs)

Shadowing is a feature that gives you the ability to watch or control ('shadow') an active session. This does not replace the session and will not disconnect the original session.
This feature works on all active sessions, including the 'console session', which means you can also use it to take over the screens of normal desktop computers.

A session can only be shadowed by authenticating with an account that has shadow rights; you do not necessarily need the credentials of the account that owns the shadowed session.
By default all Administrators have this permission. For more information regarding permissions within Remote Desktop, please refer to the Remote Desktop permissions article.

Setup

Manually

Follow these steps to manually configure your computer. Each step offers multiple options to accomplish it.

  1. Enable Remote Desktop.
    • Go to "System > Remote Access/Settings", or search for this in the Start Menu, or run "systempropertiesremote.exe".
    Select "Allow remote connections to this computer".
    NOTE: Lower editions of Windows do not have this feature; skip to the second option.
    • Or, edit the following registry key:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
    "fDenyTSConnections"=dword:00000000
  2. Grant users or groups permission.
    • Go to "System > Remote Access/Settings", or search for this in the Start Menu, or run "systempropertiesremote.exe".
    Enter "Select Users", and add a user or group.
    NOTE: Lower editions of Windows do not have this feature; skip to the third option.
    • Or, go to "Computer Management > Local Users and Groups" and make a user or group member of "Remote Desktop Users".
    NOTE: Lower editions of Windows do not have this feature; skip to the third option.
    • Or, execute this command as an administrator:
    net localgroup "Remote Desktop Users" <username> /add
    If the group does not exist, create it first with the command:
    net localgroup "Remote Desktop Users" /add
  3. Configure the firewall to allow Remote Desktop traffic.
    NOTE: This step is done automatically if you used the first option of step 1.
    • Go to "Windows Defender Firewall > Advanced Settings".
    Create an Inbound Rule, choose Program, and allow "%SystemRoot%\System32\RdpSa.exe".
    Create an Inbound Rule, choose Port, and allow TCP port 445.
    • Or, execute these commands as an administrator:
    netsh advfirewall firewall add rule name="RDS" dir=in action=allow protocol=TCP program="%SystemRoot%\System32\RdpSa.exe"
    netsh advfirewall firewall add rule name="RDS" dir=in action=allow protocol=TCP localport=445 program=System
  4. Configure shadow mode level.
    • Open "Local Group Policy Editor" (gpedit.msc), go to "Computer Configuration > Administrative Templates > Windows components > Remote Desktop Services > Remote Session Host > Connections".
    Open "Set rules for remote control of Remote Desktop Services user session".
    Enable this policy, and set it to the level you would like to use.
    • Or, edit the following registry key:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
    "Shadow"=dword:00000001
    Possible values:
    0  Disable
    1  Full control, require consent
    2  Full control, consent optional
    3  View only, require consent
    4  View only, consent optional
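
The following read-only audit is an added example, not part of the original article or of the Remote Desktop Shadow tool. It reports the current state of each setting from steps 1 to 4 and flags the shadow levels that allow a session to be viewed or controlled without the user's consent. It assumes Windows PowerShell 5.1 or later with the built-in LocalAccounts and NetSecurity modules, run as an administrator; the variable names are illustrative.

```powershell
# Added example: read-only audit of the settings from steps 1-4. Run as administrator.
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Shadow levels as listed in this article
$levels = @{
    0 = 'Disable'
    1 = 'Full control, require consent'
    2 = 'Full control, consent optional'
    3 = 'View only, require consent'
    4 = 'View only, consent optional'
}

# Step 1: fDenyTSConnections = 0 means Remote Desktop is enabled
$deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections

# Step 2: accounts that were granted access through "Remote Desktop Users"
$members = @(Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty Name)

# Step 3: enabled inbound allow rules for RdpSa.exe and for TCP 445.
# TCP 445 is also the SMB port, so that rule exposes more than shadowing.
# Rules that cover 445 only through a port range are not matched here.
$rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True
$rdpSaRules = @($rules | Where-Object { ($_ | Get-NetFirewallApplicationFilter).Program -like '*\RdpSa.exe' })
$smbRules = @($rules | Where-Object {
    $f = $_ | Get-NetFirewallPortFilter
    $f.Protocol -eq 'TCP' -and $f.LocalPort -contains '445'
})

# Step 4: Shadow policy value (absent when the policy is not configured)
$shadow = (Get-ItemProperty -Path $pol -Name Shadow -ErrorAction SilentlyContinue).Shadow
$level = if ($null -eq $shadow) {
    'not set'
} elseif ($levels.ContainsKey([int]$shadow)) {
    $levels[[int]$shadow]
} else {
    "unknown ($shadow)"
}

[pscustomobject]@{
    RemoteDesktopEnabled = ($deny -eq 0)
    RemoteDesktopUsers   = $members -join ', '
    RdpSaInboundRules    = $rdpSaRules.DisplayName -join ', '
    Tcp445InboundRules   = $smbRules.DisplayName -join ', '
    ShadowLevel          = $level
    ShadowWithoutConsent = ($shadow -in 2, 4)   # levels 2 and 4: consent optional
} | Format-List
```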

Tool

Using the Remote Desktop Shadow tool, you can click on the Setup button (requires Administrator rights) to easily configure your computer to be shadowed.

Usage

b

Tool

c

Other

Trivia

  • Shadowing will display all screens of the shadowed session and will scale them to fit into one window; there is no feature to select only specific screens.
  • Even though some editions of Windows don't officially support being a Remote Desktop host, manually setting this up through this article (or tool) will make this feature work.