Windows RDP Anti-Phishing Warning: 'Caution: Unknown Remote Connection' Dialog After April 2026 Patch Tuesday
The April 2026 Patch Tuesday update (CVE-2026-26151) introduces anti-phishing protection in the Windows Remote Desktop client (mstsc.exe), causing a red 'Caution: Unknown remote connection' banner and a resource-sharing settings dialog to appear when opening unsigned or unverified .rdp files. All resource-sharing settings default to disabled, which may disrupt users relying on unsigned internal .rdp files. Resolution involves signing internal .rdp files with a trusted certificate and using Group Policy to standardise client behaviour across the organisation.
Indicators
- Red 'Caution: Unknown remote connection' banner appears when opening an .rdp file
- Security dialog listing all requested resource-sharing settings is presented upon opening an .rdp file
- All resource-sharing settings in the dialog are disabled by default, potentially breaking expected behaviour
- Dialog appears specifically for .rdp files that lack a verifiable digital publisher signature
- Behaviour occurs on Windows 10 or Windows 11 23H2 or later after the April 2026 Patch Tuesday update is installed
Likely causes
- April 2026 Patch Tuesday cumulative update (CVE-2026-26151) installed on the endpoint, enabling RDP anti-phishing protection
- The .rdp file does not carry a valid digital signature or verifiable publisher identity
- An .rdp file distributed via phishing requesting excessive resource-sharing permissions is triggering the new security control
- Internally distributed .rdp files were never signed because the warning did not previously exist
Diagnostic steps
- Confirm the April 2026 Patch Tuesday cumulative update is installed: run 'winver' or navigate to Settings > Windows Update > Update History and look for the April 2026 cumulative update entry.
- Open the triggering .rdp file in Notepad or another text editor and review all resource-sharing directives (e.g., drivestoredirect, redirectclipboard, redirectprinters) to understand what permissions are being requested.
- Check whether the .rdp file is digitally signed: right-click the file > Properties > Digital Signatures tab. Absence of a valid signature confirms why the 'Caution: Unknown remote connection' banner is displayed.
- Review the mstsc.exe security dialog carefully, noting every resource-sharing setting listed, and confirm whether the settings match what the legitimate connection requires.
- If the file originates from a trusted internal source, escalate to the team responsible for distributing the .rdp file and request it be signed with a trusted certificate before redistribution.
- Open gpedit.msc and navigate to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Connection Client to review available policy settings for managing the security dialog behaviour across the organisation.
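The directive review and signature check in the steps above can be scripted for triage of many files. This is an added example, not part of the original article or any Microsoft tooling: it parses an .rdp file, lists the resource-sharing directives it explicitly requests, and reports whether the `signscope` and `signature` fields written by rdpsign.exe are present. The directive list is a hand-picked subset and the sample file is constructed.

```python
import codecs

# Directives that request local resources (hand-picked subset, an assumption of
# this example). Integer ones count as requested when non-zero, string ones when non-empty.
INT_DIRECTIVES = {"redirectclipboard", "redirectprinters", "redirectcomports",
                  "redirectsmartcards", "audiocapturemode"}
STR_DIRECTIVES = {"drivestoredirect", "devicestoredirect",
                  "camerastoredirect", "usbdevicestoredirect"}

def decode_rdp(raw: bytes) -> str:
    """mstsc saves UTF-16 with a BOM; hand-edited files are often UTF-8 or ANSI."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig", errors="replace")

def parse_rdp(raw: bytes) -> dict:
    """Parse 'name:type:value' lines into {name: value}; the value may contain ':'."""
    settings = {}
    for line in decode_rdp(raw).splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) == 3 and parts[1] in ("i", "s", "b"):
            settings[parts[0].strip().lower()] = parts[2].strip()
    return settings

def audit_rdp(raw: bytes) -> dict:
    """Report only what the file states explicitly; absent directives use client defaults."""
    s = parse_rdp(raw)
    requested = {}
    for name, value in s.items():
        if name in INT_DIRECTIVES and value not in ("", "0"):
            requested[name] = value
        elif name in STR_DIRECTIVES and value:
            requested[name] = value
    # Presence check only: this does not validate the signature or its certificate.
    has_sig = bool(s.get("signature")) and "signscope" in s
    return {"target": s.get("full address", ""),
            "requested": requested,
            "has_signature_fields": has_sig}

# Constructed sample: an unsigned file asking for drives, clipboard and smart cards.
SAMPLE = ("full address:s:rdp.example.internal:3389\r\n"
          "drivestoredirect:s:*\r\n"
          "redirectclipboard:i:1\r\n"
          "redirectprinters:i:0\r\n"
          "redirectsmartcards:i:1\r\n").encode("utf-16")

if __name__ == "__main__":
    report = audit_rdp(SAMPLE)
    print(report["target"], "signed fields:", report["has_signature_fields"])
    for name, value in sorted(report["requested"].items()):
        print(f"  requests {name} = {value}")
```

To audit real files, pass `pathlib.Path(p).read_bytes()` to `audit_rdp` for each .rdp file found on the share or endpoint.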
Resolution path
- Confirm the April 2026 Patch Tuesday update is installed on the affected endpoint and that the behaviour is expected per CVE-2026-26151.
- Advise users that the red 'Caution: Unknown remote connection' banner indicates an unverified .rdp file and that caution is warranted before proceeding.
- For legitimate internal .rdp files generating the warning, work with the responsible team to sign them using a certificate trusted by the organisation's PKI, which will suppress the unknown publisher banner.
- Review and reduce resource-sharing settings in all internally distributed .rdp files to only those strictly necessary for the intended task.
- Where specific resource-sharing settings must be re-enabled, instruct users to do so explicitly in the security dialog only after confirming the connection is trusted.
- Deploy Group Policy via gpedit.msc or Intune to standardise Remote Desktop client security dialog behaviour and prevent ad-hoc user decisions across the organisation.
Prevention
- Sign all internally distributed .rdp files with a trusted digital certificate to suppress the unknown publisher warning and provide a verified identity to end users.
- Restrict .rdp file execution to approved sources only using Group Policy, AppLocker, or Intune application control policies.
- Minimise resource-sharing permissions in .rdp files to only those strictly required for each specific use case.
- Train users to treat the red 'Caution: Unknown remote connection' banner as a phishing risk indicator and to never open .rdp files received via email or unknown links.
- Keep all Windows endpoints patched with the latest Patch Tuesday cumulative updates to benefit from ongoing security improvements including RDP anti-phishing protections.
- Monitor and audit .rdp file usage within the organisation using endpoint detection and response (EDR) or endpoint security tooling.
- Establish a process for reviewing and re-signing internally distributed .rdp files whenever their resource-sharing settings change.
Tools
- mstsc.exe (Windows Remote Desktop client)
- Notepad or any text editor (to inspect .rdp file contents)
- Windows Settings > Windows Update > Update History (to verify patch installation)
- winver (to confirm Windows build version)
- gpedit.msc / Group Policy Editor
- File Properties > Digital Signatures tab (to verify .rdp publisher signature)