Microsoft will ship a security update in April 2026 that changes how Windows handles .rdp files—and it will affect everyone who distributes Remote Desktop connection shortcuts. The most immediate consequence: unsigned .rdp files will appear with an "Unknown publisher" warning, and any local resource redirections they request will be turned off by default until the user manually enables them. That’s a significant departure from the current behavior, where Windows may show a less prominent warning and often leaves redirections enabled.
The fix isn’t complicated, but it requires administrative action and a clear understanding of how certificate trust works for RDP publishers. Specifically, administrators on Windows Server 2025—and any supported server back to Windows Server 2016—should start signing .rdp files with the rdpsign /sha256 command. And yes, you should keep that Group Policy with “SHA1” in its name. Here’s why.
What’s Actually Changing in April 2026
When a user clicks an .rdp file after the update installs, a new security dialog will appear. For unsigned files, the publisher field will say “Unknown publisher.” The dialog will also list any local resources the .rdp file wants to redirect from the user’s machine to the remote session—drives, printers, clipboard, etc.—but those redirections will start in a disabled state. The user must check each box they want to allow.
Microsoft’s goal is straightforward: make it obvious who created the .rdp file and give users a conscious choice about what local resources they share. For organizations that have long distributed unsigned .rdp files through internal portals, shared drives, or even help desk tickets, this change will surface warnings that didn’t exist before. And if users aren’t trained, they might either click through without understanding or—worse—decline necessary redirections and then wonder why their remote app broke.
What This Means for IT Administrators and Users
For IT teams, the April 2026 update introduces three immediate concerns:
- Help desk volume may spike. Users who aren’t expecting a new security dialog will likely call support when they see “Unknown publisher” on a file they’ve been using for years. Even with signed files, if the redirections they rely on are now off by default, you’ll need to explain why they have to enable them each time.
- Authentication of .rdp files becomes non-optional. If you haven’t been signing your centrally distributed connection files, now is the time to start. A signed file from a trusted publisher removes the “Unknown publisher” label and reassures users that the file hasn’t been tampered with.
- Trust configuration is a two-part problem. Signing a file with a certificate is only half the battle. Windows must also consider that certificate a trusted RDP publisher. That’s where a specific Group Policy enters the picture—and it’s one you shouldn’t delete.
Home users and very small businesses are less likely to distribute custom .rdp files, but anyone who downloads connection files from a service provider or a friend might see the warning too. If you’re the one supplying those files to others, the onus is on you to sign them.
How We Got Here: The Steady Hardening of RDP Security
Remote Desktop has been a favorite attack vector for years. From brute-force logins to man-in-the-middle certificate spoofing, the protocol’s ubiquity has made it a high-value target. Microsoft has responded with incremental but meaningful changes: enforcing Network Level Authentication, requiring TLS 1.2 for connections, and more recently, patching credential-guessing vulnerabilities.
The April 2026 dialog change isn’t a bolt from the blue. It follows the same pattern: making the trust model more visible and giving users a clearer signal about the files they’re launching. In fact, Microsoft has been nudging administrators toward signed .rdp files for a while. The rdpsign tool gained the /sha256 option back in Windows Server 2016 and Windows 10 version 1607. But many organizations never adopted it because the prompt wasn’t intrusive enough to force the issue. That changes next April.
Step-by-Step: Signing Your .rdp Files with SHA-256
If you’re running Windows Server 2016 or later—including Windows Server 2025—the command is simple:
rdpsign /sha256 <certificate-SHA256-thumbprint> <full-path-to-file.rdp>
You’ll need a code-signing certificate that your organization trusts. If you already have one for other software signing, you can likely reuse it. The thumbprint is the SHA-256 hash of the certificate, which you can obtain from the certificate’s properties in the Certificates snap-in or via PowerShell.
Before rolling out en masse, sign a test file and open it on a client that has the April 2026 update (or a preview if available). Check that the publisher name appears correctly and that any redirections are listed but initially disabled. This is your chance to tweak the .rdp file’s resource requests—maybe you’ve been redirecting drives that nobody needs, and you can clean those up now.
The Policy You Shouldn’t Touch: “SHA1 Thumbprints of Trusted .rdp Publishers”
At this point, a well-meaning administrator might spot the Group Policy setting called “Specify SHA1 thumbprints of certificates representing trusted.rdp publishers” and decide it’s obsolete. It’s an understandable reaction—SHA-1 has been cryptographically broken for years, and Microsoft itself recommends against using it for signing. But this policy’s name is misleading.
The policy doesn’t generate or require SHA-1 signatures. It simply uses the certificate’s SHA-1 thumbprint as an identifier, much like a serial number, to tell Windows which certificates to trust as RDP publishers. The actual signing of .rdp files is done with the full certificate and its associated private key, and when you use rdpsign /sha256, you’re instructing the tool to select the certificate by its SHA-256 thumbprint and then sign the file with a modern algorithm. The two mechanisms—signing and trust identification—are independent.
Removing that GPO or not configuring it with your certificate’s SHA-1 thumbprint would mean Windows no longer trusts the publisher of your signed .rdp files, even if you signed them correctly. You’d be right back to the “Unknown publisher” warning. So, for now, maintain that policy. Add the SHA-1 thumbprint of your signing certificate to it, and keep it updated.
Certificate Rotation: The Real Operational Risk
Signing .rdp files is straightforward, but certificates expire. When you replace your signing certificate, you have to coordinate two things: resign all distributed .rdp files with the new certificate, and update the trusted-publisher GPO with the new certificate’s SHA-1 thumbprint. If you do one without the other, you’ll either have unsigned files or files signed by an untrusted publisher—both leading to warnings.
The safest approach is an overlap period. Add the new certificate’s SHA-1 thumbprint to the GPO and the new SHA-256 thumbprint to your signing script while the old certificate is still valid. Then sign a batch of files with the new certificate, test them, and gradually swap out the distributed copies. Only after you’re confident all managed files use the new certificate should you remove the old thumbprint from the policy. Old copies of .rdp files have a habit of lingering in downloads folders, desktop shortcuts, and old documentation; ripping out trust too quickly can turn them into broken shortcuts.
A Temporary Safety Net: The Rollback Registry Key
Microsoft acknowledges the disruption this change might cause and offers a temporary escape hatch. You can set a registry key on clients to revert to the previous warning-dialog behavior:
- Path:
HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Client - Value:
RedirectionWarningDialogVersion(REG_DWORD) - Data:
1
Apply this only if the new dialog threatens a time-sensitive production deployment and you need breathing room to sign files and update instructions. Microsoft warns that a future update could drop support for this setting, perhaps even on older Windows versions. It’s a short-term Band-Aid, not a long-term strategy. Use it with a clear expiration date and a named owner who will remove it once signing is complete.
Looking Ahead: What to Watch Beyond April 2026
The SHA-1-thumbprint GPO will likely get a makeover eventually. Microsoft is methodically removing weak cryptographic references from its administrative tools, and a policy with “SHA1” in its title is a prime candidate for renaming or replacement. But as of now, there’s no documented successor, no migration guide, and no deadline. IT teams should monitor the Remote Desktop Connection policy documentation and the rdpsign documentation pages on Microsoft Learn. If a new trust-list format emerges, it will almost certainly come with a conversion process that preserves your existing trust configuration.
For now, the prudent path is clear: sign your .rdp files with SHA-256, manage your signing certificate’s lifecycle carefully, test the April 2026 dialog with real users, and resist the temptation to retire a GPO just because its name sounds outdated. The tools exist today to make next year’s update a non-event—and that’s exactly what a well-prepared Windows Server 2025 shop should be aiming for.