User Session Shadowing Support

Administrators can now view and control active user sessions from the CAS Admin Console

Reisbel Machado avatar
Written by Reisbel Machado
Updated over a week ago


Microsoft's Remote Desktop Protocol (RDP) supports session shadowing, where a user can connect to another user's session to view or control their desktop while they are both connected.

This functionality is built into the RDP protocol and is enabled in CAS Cloud Desktop deployments by default. itopia has simplified the process to start a shadow session by adding the feature to the CAS Admin Console (

This feature is currently only available for RDS Session Hosts; shadowing users on Windows 10 Cloud Desktops is not currently supported from the CAS console, although manual instructions are provided below.

Shadowing a User in an RDS Collection Pool

When a user is logged into their Cloud Desktop, an administrator can view the user's active sessions in the CAS Admin Console; if the active session is in an RDS Collection Pool, the administrator can start an RDP shadow session with either view-only access or full control. In either scenario, the user is prompted for confirmation before the administrator can connect.

To start a shadow session:

  1. Log into the CAS Admin Console ( as an administrator with appropriate permissions: either the built-in Deployment Editor role (or higher), or a custom role with the Shadow User Sessions permission.

  2. Navigate to the Cloud Desktops > Users module. Click the desired user to view their details.

  3. Near the bottom of the Details page, the user's active sessions are displayed. Click the overflow menu button (three vertical dots) and select Shadow Session.

  4. In the dialog box that appears, select whether to request view-only or desktop control access and click Continue.

  5. You will be prompted to download an RDP file. Choose Open to automatically launch the RDP file once it is downloaded. The RDP file is compatible with any standard RDP client such as the Microsoft Remote Desktop client.

  6. Your Remote Desktop client will attempt to connect to the user's session, and the user will be prompted to grant you access. If they accept, your RDP client should now display their session. The user will also remain connected to their session.

  7. Once you are finished with your shadow session, simply close the Remote Desktop client. The user will remain connected to their session.

Shadowing a User in a Windows 10 Collection Pool

Shadowing a user's Windows 10 Cloud Desktop is possible but requires several manual steps and is subject to several limitations.

To shadow a Windows 10 Cloud Desktop, you must be use the Microsoft Remote Desktop Connection client on a Windows system; neither the Remote Desktop app from the Windows store nor the Remote Desktop client for other operating systems currently supports shadowing.

To connect to a user's Windows 10 Cloud Desktop session, you will need the following information:

  • The external access end point of your deployment. This address is available from the Dashboard in the CAS Admin Console, under Deployment Details.

  • The computer name of the user's Cloud Desktop host. This is available in the Collection Pool details in the CAS Admin Console. Near the bottom of the Details page, a list of users is provided along with their assigned session host name.

  • The user's Session ID on their Cloud Desktop. The user can provide this information by running the following command from a standard command prompt or PowerShell window in their Cloud Desktop environment: query user

With this information, you can launch the Remote Desktop Connection application on your local machine and establish a shadow session with the user's Cloud Desktop.

  1. On your local Windows desktop, click Start and type Run. From the search results, click the Run application option. NOTE: For Windows 7 desktops, click the Run item directly on the start menu. You may also press [WIN]+R to launch the run application.

  2. In the Run window that appears, type the following command, replacing the parameters in <brackets> with the values you collected earlier:

mstsc.exe /v:<computer name> /g:<external access end point> /shadow:<Session ID>

NOTE: To request desktop control, add the /control parameter to the command above.


The session shadow feature as provided by itopia is intended to make remote support easier; it is not provided as a mechanism to monitor user activity without their consent. As such, itopia does not provide a way to remove the user confirmation requirement. However, it is possible to use group policy objects (GPOs) to disable the user confirmation requirement if so desired.

Session shadowing is only available for active (logged-on) user sessions. If a user is not logged in to their session, the shadow option will not be available.

Did this answer your question?