Earlier today, Microsoft released the Windows 11 Patch Tuesday updates for April 2026. The new updates are available under KB5083769 for versions 25H2 and 24H2. Alongside other changes, the new patch brings some big changes related to a new security vulnerability.
Microsoft is introducing new safeguards in Remote Desktop to counter phishing attacks that misuse RDP files. The vulnerability is tracked as CVE-2026-26151, a Remote Desktop spoofing vulnerability. Spoofing essentially means pretending to be something harmless, similar to the "Windows 11 24H2 update" we covered recently.
As such, these attacks often trick users into connecting to attacker‑controlled systems and silently sharing local resources. The latest Windows 11 patch changes that by presenting a new security dialog before any connection is made. The update introduces a first‑launch warning and consent prompt that appears the very first time an RDP file is opened after the patch. This warning explains the nature of phishing attacks and encourages admins and users alike to be cautious when opening such files.
The banners will display the remote computer address, publisher information when available, and any requested access to local resources. All requested settings are disabled by default, meaning users must explicitly enable them before connecting. In addition, a one‑time warning appears the first time an RDP file is opened to caution users about the risks. If you are wondering, these changes do not affect connections started manually in the Remote Desktop app. The dialog is triggered only when opening an RDP file.
Microsoft has explained how redirection can expose sensitive files or allow malware to be planted on systems. For example, clipboard sharing can leak passwords or confidential text while smart cards and Windows Hello credentials can be misused for unauthorized access. Microphones and cameras can lead to surveillance, and even printers, ports, and location data can be exploited in malicious ways.
The new dialog highlights these requests and shows whether the file is signed and by whom. Unsigned files now display "Unknown publisher" with a "Caution" mark, while signed files show the publisher's name but still advise careful verification, since attackers can use deceptive names.
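For triage outside the dialog (for example on a mail gateway or during incident response), the same three facts can be read from the file itself. The following is an added example, not Microsoft's code: it assumes the standard `name:type:value` RDP file syntax and the standard property names shown, and the sample file is constructed.

```python
# Added example: list what an .rdp file asks to redirect before anyone opens it.
# Only properties set explicitly in the file are reported; client defaults for
# absent properties are not modelled. The sample file below is constructed.

# Standard RDP file properties that request access to local resources.
REDIRECTION_KEYS = {
    "drivestoredirect": "drives",
    "redirectclipboard": "clipboard",
    "redirectsmartcards": "smart cards",
    "redirectwebauthn": "WebAuthn / Windows Hello",
    "audiocapturemode": "microphone",
    "camerastoredirect": "cameras",
    "redirectprinters": "printers",
    "redirectcomports": "COM ports",
    "redirectlocation": "location",
}

def parse_rdp(text):
    """Parse 'name:type:value' lines into {name: (type, value)}."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)  # the value may itself contain ':'
        if len(parts) == 3:
            name, kind, value = (p.strip() for p in parts)
            settings[name.lower()] = (kind.lower(), value)
    return settings

def requested(kind, value):
    """Integer settings count when non-zero, string settings when non-empty."""
    if kind == "i":
        return value.lstrip("-").isdigit() and int(value) != 0
    return value != ""

def triage(text):
    s = parse_rdp(text)
    return {
        "address": s.get("full address", ("s", ""))[1],
        # A signature field being present does not mean it verifies.
        "signed": s.get("signature", ("s", ""))[1] != "",
        "redirections": sorted(label for key, label in REDIRECTION_KEYS.items()
                               if key in s and requested(*s[key])),
    }

SAMPLE = """full address:s:rdp.example.test:3389
redirectclipboard:i:1
drivestoredirect:s:*
redirectprinters:i:0
audiocapturemode:i:1
"""
```

Files saved by the Remote Desktop client are often UTF-16 encoded, so decode accordingly before passing the text to `triage`.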
If you are an admin who wants to revert this change due to incompatibility or conflict in your environment, follow these steps:
- Select Start, type Registry Editor, and then open it.
- Go to the following key:
  HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Client
- Modify it with the following values:
  - Name: RedirectionWarningDialogVersion
  - Type: REG_DWORD
  - Data: 1
Although Microsoft has provided this option to configure dialog behavior through the registry modification above, it warns that future updates may remove such rollback options.