Microsoft: New Remote Desktop warnings may display incorrectly

Microsoft: New Remote Desktop Warnings May Display Incorrectly

1. Overview

• Microsoft has confirmed a newly reported issue where security warnings shown when opening Remote Desktop (.rdp) files can render incorrectly.
• The problem affects all supported Windows versions, including Windows 11, Windows 10, and Windows Server, and is linked to the April 2026 cumulative updates.
• Microsoft’s advisories describe that the warning text may appear unreadable and the interaction buttons can be misplaced, hindering the user’s ability to respond.

1. Affected Windows Versions and Support

• Windows 11: affected by the April 2026 updates, with KB articles identified as part of the set (KB5083768 and KB5083769).
• Windows 10: affected by the corresponding April 2026 update (KB5082200).
• Windows Server: affected by the related update (KB5082063).
• The issue is described as a known problem in the updated advisories, applying across supported Windows platforms.

1. Symptoms on Affected Systems

• Text in the security warning windows may be difficult to read due to layout issues.
• Buttons in the warning dialogs can be misplaced or partially hidden, complicating interaction with the dialog.
• The problem is more likely to occur when users operate with more than one monitor that has different display scaling settings (for example, one display at 100% and another at 125%).

1. What the Security Warnings Show

• After the April 2026 security update, opening an RDP file for the first time triggers a one-time educational prompt about potential risks.
• On subsequent openings, a security dialog appears before any connection is made. It indicates:
• Whether the RDP file is signed by a verified publisher.
• The remote system’s address.
• A list of local resource redirections (drives, clipboard, devices), with all options disabled by default.
• If an RDP file is not digitally signed, a “Caution: Unknown remote connection” warning is shown and the publisher is labeled as unknown. If the file is signed, the publisher is shown and users are warned to verify legitimacy before connecting.

1. RDP Files in Enterprise Environments

• RDP files are commonly used in enterprise settings to connect to remote systems, with administrators preconfiguring redirects of local resources to the remote host.
• There is a history of abuse where threat actors have leveraged RDP files in phishing campaigns to steal credentials and data remotely.

1. Context and Threat Landscape

• The use of RDP files in phishing campaigns has been observed in various threat scenarios.
• There is emphasis on ensuring users understand the risks associated with remote connections and the provenance of RDP files, especially in environments where multiple publishers and unsigned files may appear.

1. Educational Prompt and Protective Measures

• The April 2026 update introduces an educational prompt to raise awareness about the risks of RDP files.
• The subsequent security dialog aims to provide transparency about the publisher, destination, and redirections prior to establishing a connection, while defaulting to a cautious stance with disabled options.

1. Summary of Behavior Shifts

• Initial open: one-time educational notification about RDP risks.
• Later opens: pre-connection security dialog showing publisher status, remote address, and resource redirections, with interactive options restricted by default.
• Display issues: potential misalignment and unreadable text when using multi-monitor setups with differing scaling across monitors.

1. Related Observations

• The enhancements to Windows protections for remote desktop files were introduced as part of a broader security initiative in the April 2026 updates.
• The changes reflect ongoing efforts to curb phishing and abuse involving RDP files, while introducing new usability challenges in certain display configurations.

1. Closing Notes

• The issue is categorized as a known problem in Microsoft advisories.
• It highlights the interaction between new security protections and multi-monitor display environments, emphasizing the importance of visual clarity and reliable dialog interaction when dealing with remote connections.