STATUS_CTX_SHADOW_DISABLED 0XC00A0031 Remote Control Fix

When You See This Error

You're an admin managing a Windows Server 2019 or 2022 Remote Desktop Services (RDS) environment. You open Server Manager, right-click a user session, and select "Remote Control." Then you get hit with: STATUS_CTX_SHADOW_DISABLED (0XC00A0031) – The requested session is not configured to allow remote control. It's especially common after patching or a fresh RDS role setup. The session is there, the user is logged in, but you just can't take control.

What Causes It

Shadowing, Microsoft's term for remote control of an RDS session, is controlled by two things: the shadow registry setting and the group policy that manages permissions. The error means either the registry key Shadow is set to 0 (disabled) for the session, or the group policy Set rules for remote control of Terminal Services user sessions is configured to "No Remote Control Allowed." The default in a fresh RDS install is often disabled, so an admin who expects it to work gets stuck immediately.

The Fix: Step-by-Step

You have two paths here—group policy (recommended for multiple servers) or registry (quick for one box). I'll cover both.

Option 1: Group Policy (Best for Server Farms)

1. On your Domain Controller or a management workstation, open Group Policy Management Console (gpmc.msc).
2. Create a new GPO or edit an existing one linked to the OU containing your RDS servers. For this scenario, I'll call it RDS Shadow Policy.
3. Navigate to: Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Connections.
4. Double-click Set rules for remote control of Terminal Services user sessions.
5. Set it to Enabled. Then in the options under Level of Control, choose Full Control with user's permission if you want the user to confirm, or Full Control without user's permission if you need silent access. For most help desk setups, I recommend with permission—it avoids freaking users out.
6. Click OK.
7. Run gpupdate /force on the RDS server or wait for the next automatic refresh. After applying, you should see the policy take effect in the local RSOP.
8. Test by trying to remote control a session again. It should prompt the user or let you in directly, depending on your choice.

Option 2: Registry (Fast for a Single Server)

1. Log directly into the RDS server as an administrator.
2. Open Registry Editor (regedit).
3. Go to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp.
4. Find the value Shadow. If it doesn't exist, right-click in the right pane, select New -> DWORD (32-bit) Value, and name it Shadow.
5. Set the value to 1 for permission required, or 2 for no permission required. (1 is safer for user trust.)
6. Click OK and close Registry Editor.
7. Restart the Remote Desktop Services service (or reboot the server). After the restart, the shadowing should work.

Verify the Permissions

Even with shadowing enabled, the user's session must allow remote control. By default, users have this right. But if you've locked down user accounts or have custom security policies, check:

1. Open Remote Desktop Session Host Configuration (tsconfig.msc).
2. Double-click the RDP-Tcp connection.
3. Go to the Remote Control tab. Make sure Use remote control with the following settings is selected and matches your GPO/registry setting. If it's grayed out, group policy is overriding it—stick with Option 1.

What to Check If It Still Fails

• Firewall rules: RDS shadowing uses port 3389 by default. If you've got custom firewalls between the admin workstation and the RDS server, make sure TCP 3389 is open both ways.
• User permissions: The admin account needs "Remote Control" permission on the RDS server. Check local groups—your admin should be in Remote Desktop Users or explicitly granted via RDS Manager security.
• Session type: You can't shadow a console session (the local admin desktop) unless you're using shadowing commands with mstsc /shadow:ID. Server Manager remote control only works for RDS sessions, not the console.
• Event logs: Look in Applications and Services Logs -> Microsoft -> Windows -> TerminalServices-RemoteConnectionManager -> Operational for event ID 1020 or 1021. It'll tell you exactly why shadowing was denied.