Microsoft Bolsters RDP Security with New Warnings and Defaults
The changes, delivered via cumulative updates in April 2026, add educational prompts and a security dialog that warns users of potential risks and disables local resource redirections by default.
Microsoft has introduced new security protections for Remote Desktop Protocol (RDP) connection files in Windows 10 and Windows 11. The measures are designed to counter phishing campaigns where malicious RDP files have been used to steal data and credentials.
Update Details and Scope
The new security features were included in the following cumulative updates released in April 2026:
- Windows 10: Update KB5082200
- Windows 11: Updates KB5083769 and KB5082052
These protections apply specifically to remote desktop connections initiated by double-clicking or opening an .rdp file. They do not apply to connections established directly through the Windows Remote Desktop client application.
New Security Features
The update introduces a two-stage warning system for users opening RDP files.
1. Initial Educational Prompt
- The first time a user opens an RDP file after installing the update, a one-time educational prompt appears.
- This prompt explains what RDP files are and outlines the associated security risks.
- The user must acknowledge understanding the risks to proceed; this prompt will not appear again for that user.
2. Security Dialog
For every subsequent attempt to open an RDP file, a security dialog appears before any connection is established. This dialog displays:
- Digital Signature Status: Whether the RDP file is digitally signed by a verified publisher.
- Remote Address: The address of the remote system to which the file will connect.
- Resource Redirections: A list of all local resources configured for redirection to the remote host, such as drives, the clipboard, or devices.
- Default Settings: All local resource redirection options are disabled by default within this dialog.
- Unsigned Files: If an RDP file is not digitally signed, Windows displays a "Caution: Unknown remote connection" warning and labels the file's publisher as "Unknown."
- Signed Files: If an RDP file is digitally signed, Windows displays the publisher's name but still includes a warning advising the user to verify the publisher's legitimacy before connecting.
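The same three items the dialog shows (signature status, remote address, redirections) can be pulled out of an .rdp attachment before it reaches a user, for example at a mail gateway or during triage. The following is an added example, not Microsoft's code: the setting names are standard .rdp file properties, the sample file and host name are constructed, and the signature check tests only for presence, not validity.

```python
import codecs

# .rdp settings that map local resources into the remote session.
REDIRECT_KEYS = {
    "drivestoredirect": "drives",
    "devicestoredirect": "plug and play devices",
    "usbdevicestoredirect": "USB devices",
    "camerastoredirect": "cameras",
    "redirectclipboard": "clipboard",
    "redirectprinters": "printers",
    "redirectcomports": "COM ports",
    "redirectsmartcards": "smart cards",
    "redirectwebauthn": "WebAuthn (Windows Hello / security keys)",
}

def decode_rdp(raw: bytes) -> str:
    """.rdp files are commonly UTF-16 with a BOM; fall back to UTF-8."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig", errors="replace")

def parse_rdp(raw: bytes) -> dict:
    """Return {name: (type, value)} for each 'name:type:value' line."""
    settings = {}
    for line in decode_rdp(raw).splitlines():
        parts = line.strip().split(":", 2)  # value may itself contain ':' (host:port)
        if len(parts) == 3 and parts[1] in ("i", "s", "b"):
            settings[parts[0].strip().lower()] = (parts[1], parts[2].strip())
    return settings

def summarize(raw: bytes) -> dict:
    """Report signature presence, target and redirections the file explicitly
    enables. Settings absent from the file fall back to client defaults,
    which this sketch does not model."""
    s = parse_rdp(raw)
    enabled = [label for key, label in REDIRECT_KEYS.items()
               if s.get(key, ("s", ""))[1] not in ("", "0")]
    return {
        "signed": bool(s.get("signature", ("s", ""))[1]),  # presence only
        "remote_address": s.get("full address", ("s", ""))[1],
        "redirections": enabled,
    }

# Constructed sample: unsigned file redirecting all drives, clipboard, smart cards.
SAMPLE = ("full address:s:rdp.example.test:3389\r\n"
          "drivestoredirect:s:*\r\nredirectclipboard:i:1\r\n"
          "redirectprinters:i:0\r\nredirectsmartcards:i:1\r\n").encode("utf-16")

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

An unsigned file that names an external address and enables drive or smart card redirection is the combination worth quarantining for review.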
Background and Rationale
- RDP files are configuration files commonly used in enterprise environments to connect to remote systems. Administrators can preconfigure these files to automatically redirect local resources like drives to the remote host.
- Microsoft states that threat actors have misused this capability in phishing campaigns by sending RDP files through emails.
According to Microsoft, when a victim opens a malicious RDP file, their device can silently connect to an attacker-controlled server and share local resources.
This can give an attacker access to files, credentials stored on disk, and clipboard data (including passwords), and can redirect authentication mechanisms like smart cards or Windows Hello. Security reporting indicates that the Russian state-sponsored hacking group APT29 has previously used rogue RDP files in attacks.
Administrative Controls
- System administrators can temporarily disable these new protections by modifying a specific Windows Registry value.
- The registry key is: HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Client
- The value to modify is RedirectionWarningDialogVersion. Setting this value to 1 disables the protections.
Microsoft states that due to the historical abuse of RDP files in attacks, it recommends keeping these protections enabled.