0XC00A0030 Fix: Remote Session Shadowing Error

Quick Answer

Enable remote control via Group Policy: Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections – set Set rules for remote control of Remote Desktop Services user sessions to Enabled and choose Full Control with user's permission or Full Control without user's permission. Then restart the Remote Desktop Services service.

This error (0XC00A0030) pops up when you try to shadow a Remote Desktop session but the target machine or user doesn't have remote control permissions enabled. I've seen it most often in Windows Server 2019 and Windows 10 20H2+ environments where Group Policy blocks shadowing by default. The OS literally tells you the session can't be controlled remotely because the RDS shadowing policy isn't configured.

Fix Steps

Open Group Policy Editor – Press Win + R, type gpedit.msc, hit Enter. If you're on Windows Home edition (no gpedit), skip to the registry fix below.
Navigate to the remote control policy – Go to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections.
Enable remote control – Double-click Set rules for remote control of Remote Desktop Services user sessions. Set it to Enabled. Under Options, choose your preferred level:
- Full Control with user's permission – User gets a prompt to allow the shadow. This is safer for production.
- Full Control without user's permission – No prompt. Use for admin-only scenarios or test labs.
Click OK.
Apply the policy – Open Command Prompt as admin and run:
```
gpupdate /force
```
Restart the Remote Desktop Services – In the same command prompt, run:
```
net stop TermService && net start TermService
```
Wait a few seconds, then try the shadow command again:
```
mstsc /shadow:<sessionID> /v:<server>
```

Alternative Fixes

If Group Policy is blocked by domain policy

Check if a higher-level domain policy overrides your local setting. Run rsop.msc and look under the same path. If it says Disabled or Not Configured but the error persists, the domain admins locked it down. You'll need them to adjust the policy or grant you local admin rights on the target machine.

Registry fix (Windows Home or if gpedit is missing)

Open Registry Editor (regedit). Navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services

Create a DWORD (32-bit) value named Shadow. Set it to 2 (Full Control without permission) or 4 (Full Control with user's permission). Restart the Terminal Services service as above.

Check the target session

Shadow only works on active sessions. Make sure the session ID you're targeting isn't disconnected or idle. Run qwinsta on the server to see all sessions and their states. If the session state is Disc (disconnected), connect to it first via mstsc /admin, then shadow it.

Prevention Tips

Once you've fixed the error, lock down permissions so it doesn't break again. In Group Policy, under the same path, set Set rules for remote control to Full Control with user's permission. This keeps users aware of shadowing sessions and avoids surprise audits. Also, keep your RDS role updated – Windows Server 2022 and Windows 11 22H2 tightened shadowing defaults, so check policy after every feature update.

Finally, test shadowing with a non-admin account first. If it fails with 0XC00A0030 on that account but works for admins, you missed setting the policy in the target user's scope (like per-user policy or RDS profile). Fix that by applying the same Group Policy setting to the user's OU or local user registry hive.