Microsoft has confirmed a new issue causing newly introduced Windows security warnings to display incorrectly when opening Remote Desktop (.rdp) files.
This known issue impacts all supported Windows versions, including Windows 11 (KB5083768 & KB5083769), Windows 10 (KB5082200), and Windows Server (KB5082063).
As Microsoft explains in updates to the original advisories, “the security warning that appears when opening Remote Desktop (RDP) files might not display correctly in some cases.”
On affected systems, the text in the warning windows is difficult to read, and the buttons are misplaced, making it hard, if not impossible, to interact with the security dialog.
“This issue might occur when you use more than one monitor with different display scaling settings (for example, one display set to 100% and another set to 125%),” Microsoft says.
“When this happens, the warning window might show overlapping text or partially hidden buttons, which can make the message difficult to read or interact with.”
Microsoft introduced these new protections on Windows systems as part of the April 2026 cumulative updates to prevent malicious RDP connection files from being used on devices.
After installing the April 2026 security update, a one-time educational prompt appears when users open an RDP file for the first time, warning them about the risks.
When opening RDP files afterward, a security dialog is displayed before any connection is made, showing whether the file is signed by a verified publisher, the remote system’s address, as well as a list of all local resource redirections, such as drives, clipboard, or devices, with every option disabled by default.
When RDP files are not digitally signed, Windows displays a “Caution: Unknown remote connection” warning, labeling the publisher as unknown. If the RDP files are digitally signed, Windows will again display the publisher and also warn users to verify their legitimacy before connecting.
RDP files are commonly used in enterprise environments to connect to remote systems because admins can preconfigure them to automatically redirect local resources to the remote host.
Threat actors have increasingly abused RDP files in phishing campaigns; for instance, the Russian state-sponsored APT29 hacking group has previously used them to steal credentials and documents from victims’ devices remotely.
AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.
At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what’s exploitable, proves controls hold, and closes the remediation loop.
