When attempting to provide remote assistance to users on Windows Server 2012 Remote Desktop Session Hosts (RDSH), administrators encounter a critical limitation: mouse and keyboard control fails when initiating Remote Assistance from within another RDS session. This creates significant challenges in cross-domain support scenarios where:
- Support agents may not have compatible client OS versions
- Domain membership restrictions prevent direct workstation access
Microsoft removed the Session Shadowing feature in Server 2012 RDSH, forcing administrators to rely on Remote Assistance. The current implementation has these technical constraints:
// Registry settings that control unsolicited remote assistance
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"fAllowUnsolicited"=dword:00000001
"fAllowUnsolicitedFullControl"=dword:00000001
"fAllowToGetHelp"=dword:00000001
For immediate troubleshooting needs, consider this PowerShell script to enable proper control delegation:
# PowerShell script to configure Remote Assistance settings
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
-Name "fAllowUnsolicited" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
-Name "fAllowUnsolicitedFullControl" -Value 1 -Type DWord
# Enable firewall exceptions for Remote Assistance
netsh advfirewall firewall set rule group="Remote Assistance" new enable=yes
# Restart required services
Restart-Service -Name SessionEnv -Force
Restart-Service -Name UmRdpService -Force
When native Remote Assistance fails, these third-party tools can bridge the gap:
- Connectwise Control: Supports session shadowing in RDS environments
- TeamViewer: Works across domains without complex configuration
- Dameware Remote Support: Enterprise-grade solution with AD integration
Cross-domain assistance requires proper network configuration:
# Example firewall rule for cross-domain Remote Assistance
New-NetFirewallRule -DisplayName "Remote Assistance (Cross-Domain)"
-Direction Inbound -Protocol TCP -LocalPort 3389,80,443
-Action Allow -RemoteAddress 192.168.1.0/24,10.0.0.0/8
For organizations planning upgrades:
- Consider Windows Admin Center for modern management
- Evaluate Azure Virtual Desktop for cloud-based scenarios
- Implement Just-In-Time (JIT) access solutions for security
When attempting to provide unsolicited remote assistance to users on Windows Server 2012 RDS hosts from within another Remote Desktop session, we encounter a critical limitation: while the connection establishes successfully, control inputs (mouse/keyboard) from the expert machine are silently ignored even after permission is granted.
This behavior stems from architectural changes in Server 2012 where Microsoft removed the native Session Shadowing capability. While Remote Assistance was designed as the replacement, it exhibits this peculiar limitation specifically in RDS-to-RDS scenarios.
For cross-domain support scenarios, consider implementing a PowerShell-based solution that establishes direct RDP control:
# PowerShell script to enable temporary console session access
$cred = Get-Credential
$sessionID = (quser | Where-Object { $_ -match 'console' } | ForEach-Object { ($_ -split '\s+')[2] })
Invoke-Command -ComputerName $targetServer -Credential $cred -ScriptBlock {
param($session)
tscon $session /dest:console
} -ArgumentList $sessionID
For environments where PowerShell remoting isn't feasible:
- Deploy a web-based remote control solution like Guacamole
- Implement a VNC-based fallback system with the following registry tweak:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"Shadow"=dword:00000004
For cross-domain support, ensure proper trust relationships exist. This can be verified through:
nltest /domain_trusts /all_trusts /v