RDS & AVD Black Screen on Connection — rdpinit.exe Session Initiation Deadlock (Early 2026 Patches)
Users connecting via RDP or Azure Virtual Desktop encounter a black screen lasting 30–60 seconds before disconnection. A deadlock between the Remote Desktop Graphics Service (rdpinit.exe) and local credential providers, introduced by early 2026 Windows patches, prevents session initialization. Resolution requires installing Microsoft's OOB patch targeting session initiation deadlocks, with registry (fEnablefips) and GPO (disable UDP) workarounds available for interim mitigation.
Indicators
- Black screen displayed immediately after RDP/AVD connection established, persisting for 30–60 seconds
- Session drops or forces disconnection after black screen timeout — no desktop ever loads
- Protocol errors or unexpected channel terminations in Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational event log
- Surge in remote access emergency tickets from remote workers unable to access environments
- rdpinit.exe process visible in Task Manager but session fails to initialize
Likely causes
- Deadlock between Remote Desktop Graphics Service (rdpinit.exe) and local credential providers caused by handshake and display container management flaws introduced in early 2026 Windows patches
- FIPS enforcement on RDP-Tcp connections exacerbating the deadlock condition during session initialization
- UDP transport path triggering the handshake deadlock more frequently than TCP-only connections
Diagnostic steps
- Open Event Viewer > Applications and Services Logs > Microsoft > Windows > RemoteDesktopServices-RdpCoreTS > Operational. Filter for errors and warnings at reported black screen times.
  Identify protocol errors or unexpected channel terminations confirming the session initiation deadlock pattern.
- Correlate RdpCoreTS/Operational event timestamps with reported black screen duration (30–60 seconds) to confirm sessions terminate due to deadlock rather than network timeout.
  Distinguish this issue from network-layer disconnections and confirm rdpinit.exe/credential provider deadlock is the failure mode.
- Check patch history on affected hosts: Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 20
  Confirm early 2026 patches are installed, validating the known-bad patch set is the root cause.
- Verify whether Microsoft OOB patch targeting session initiation deadlocks is already applied by checking Windows Update history or comparing installed KBs against Microsoft's advisory.
  Determine whether primary fix (OOB patch) is in place or needs deployment, and triage which workaround to apply interim.
- Query current FIPS registry value: reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v fEnablefips
  Assess whether registry workaround can be safely applied given current FIPS configuration and compliance posture.
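The diagnostic steps above can be collected in one read-only pass per session host, which also records the current fEnablefips value so the registry workaround can later be reverted to the exact prior state. This is an added example, not code from the original page or from Microsoft; the parameter names, the output file name and the KB0000000 placeholder are assumptions, and the real KB ID must come from Microsoft's advisory.

```powershell
# Added example: read-only triage for one RDS/AVD session host. Run elevated on the host.
param(
    [datetime]$ReportedAt    = (Get-Date).AddHours(-1),  # when the user reported the black screen
    [int]$WindowMinutes      = 5,                         # search window on each side of the report
    [string]$OobKb           = 'KB0000000'                # placeholder: use the ID from Microsoft's advisory
)

$log    = 'Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational'
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Errors (level 2) and warnings (level 3) around the reported time.
$filter = @{
    LogName   = $log
    Level     = 2, 3
    StartTime = $ReportedAt.AddMinutes(-$WindowMinutes)
    EndTime   = $ReportedAt.AddMinutes($WindowMinutes)
}
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

# 2. Patch state: updates installed since the start of 2026, and whether the OOB fix is present.
$allFixes  = @(Get-HotFix)
$fixes2026 = @($allFixes | Where-Object { $_.InstalledOn -ge [datetime]'2026-01-01' } |
               Sort-Object InstalledOn -Descending)
$oobInstalled = $allFixes.HotFixID -contains $OobKb

# 3. Current fEnablefips value; $null means the value does not exist on this host.
$fips = (Get-ItemProperty -Path $rdpTcp -Name fEnablefips -ErrorAction SilentlyContinue).fEnablefips

# Baseline record: keep it with the change ticket so the workaround can be reverted exactly.
$baseline = [pscustomobject]@{
    Host         = $env:COMPUTERNAME
    CollectedAt  = Get-Date
    EventCount   = $events.Count
    EventIds     = ($events | Group-Object Id | ForEach-Object { "$($_.Name) x$($_.Count)" }) -join ', '
    Patches2026  = $fixes2026.HotFixID -join ', '
    OobInstalled = $oobInstalled
    fEnablefips  = if ($null -eq $fips) { 'not set' } else { $fips }
}
$baseline | Format-List
$baseline | Export-Csv -Path ".\rds-triage-$env:COMPUTERNAME.csv" -NoTypeInformation

# Event detail for correlating timestamps with the 30-60 second black screen.
$events | Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, LevelDisplayName, Message
```

If fEnablefips was 'not set' in the baseline, reverting the workaround means deleting the value rather than writing a number back.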
Resolution path
- Step 1 — PRIMARY: Install Microsoft OOB patch targeting session initiation deadlocks between rdpinit.exe and credential providers. Obtain from Microsoft Update Catalog or WSUS and apply to all affected RDS/AVD hosts.
- Step 2 — WORKAROUND A (if OOB unavailable and compliance permits): Disable FIPS on RDP: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v fEnablefips /t REG_DWORD /d 0 /f
- Step 3 — WORKAROUND B (alternative/complementary): Enable GPO 'Turn Off UDP On Client' at Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Connection Client to force TCP-only transport.
- Step 4 — Reboot affected session hosts or drain and restart AVD host pool nodes after applying OOB patch or registry change to ensure all in-flight RDP sessions pick up the fix.
Prevention
- Implement staged patch deployment with canary ring of RDS/AVD hosts — validate RDP connectivity after each Patch Tuesday or OOB release before promoting to production
- Configure proactive alerting on Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational event log channel (protocol errors, unexpected channel terminations) for early detection
- Subscribe to Microsoft's OOB release notifications via Security Update Guide RSS feed or Windows Health Dashboard for immediate alerts when RDS/AVD patches publish
Tools
- Event Viewer — review RdpCoreTS/Operational logs for protocol errors
- reg.exe — apply/revert registry workaround for fEnablefips
- Group Policy Management Console (GPMC) — toggle UDP usage for RDP clients via GPO
- Get-HotFix (PowerShell) — verify installed patches and OOB fix status
- Windows Update / WSUS / Microsoft Update Catalog — deploy OOB patch
- wusa.exe — uninstall specific KB patch if rollback required