Remote Desktop Protocol Archives

Winsage

November 14, 2025

Be thankful: November’s Patch Tuesday has just one zero-day

The Readiness team analyzes updates monthly, providing testing guidance based on Microsoft patches. The November release includes updates for network infrastructure, remote connectivity, and wireless components, requiring careful testing despite no high-risk flags. Key areas for testing remote connections include validating packet transmission over IPv4 and IPv6, transferring large files over IPv6, testing web browsing and workflows with Microsoft Teams and Skype, and verifying Remote Desktop connections. The updates significantly impact application communication capabilities, necessitating dedicated validation for IPv6 alongside IPv4 operations.

Winsage

October 22, 2025

Microsoft Confirms Recent Updates Cause Login Issues on Windows 11 24H2, 25H2, and Windows Server 2025

Microsoft has identified an authentication issue affecting users of Windows 11 versions 24H2 and 25H2, as well as Windows Server 2025, due to updates rolled out since late August 2025. These updates have caused failures in Kerberos and NTLM protocols on devices with identical Security Identifiers (SIDs), leading to widespread login disruptions in enterprise networks. Users have reported repeated credential prompts, error messages, and compromised network access, including issues with Remote Desktop Protocol (RDP) sessions and Failover Clustering operations. Event Viewer logs indicate machine ID mismatches and potential session discrepancies. The problem is particularly severe in virtual desktop infrastructure (VDI) environments where multiple machines share SIDs. Microsoft has emphasized the importance of using the Sysprep tool to ensure unique SIDs during cloning, as the recent updates now strictly verify SIDs during authentication. IT administrators can temporarily alleviate the authentication blocks with a specialized Group Policy, but a permanent solution involves rebuilding devices using approved cloning procedures. As of October 21, 2025, no broader patch has been released.

Winsage

October 9, 2025

Tested: Why Remote Desktop Protocol (RDP) rejects Microsoft account logins

Some users are experiencing issues with Remote Desktop Protocol (RDP) rejecting Microsoft Account (MSA) credentials, displaying an error message about invalid credentials. This problem can arise from various technical factors, including: - Credential validation failures due to issues with Microsoft server interactions. - Problems with secure channel negotiation during the authentication process. - Time synchronization or DNS resolution issues affecting credential verification. - Misconfigured credential policies that block MSA logins over RDP. - Network-Level Authentication requirements that may hinder access if the MSA does not meet security standards like two-factor authentication. - Account restrictions or conditional access policies that impose specific compliance requirements. - Corruption of the user profile associated with the MSA. - Software conflicts or updates, particularly with recent Cumulative Updates or third-party security tools. To address MSA authentication failures, creating a local administrator account on the target machine can serve as a workaround for RDP access. Some users have noted that while most PCs function well with an MSA, certain systems require a local account for successful connections, particularly on Windows versions 24H2 and 25H2 within Insider Preview builds.

Winsage

September 24, 2025

Windows 11 KB5065790 23H2 released, direct download links (.msu)

Windows 11 KB5065790 is being rolled out for version 23H2, focusing on bug fixes and signaling the end of service for this version on November 11, 2025. This update does not introduce new features. Users can manually install the optional update via the settings app or use an offline installer file (.msu) if they encounter issues. The update resolves login issues for users with SIM-type authentication and disconnection problems during Remote Desktop Protocol (RDP) sessions. Additionally, an Out-of-band update for Windows 11 24H2 addresses urgent issues, excluding SMB protocol problems, and resolves issues affecting Microsoft Office applications in App-V environments, as well as bugs in Microsoft Edge and printer queue UI crashes. The SMB file sharing issue remains unresolved in the OOB update for 24H2.

Tech Optimizer

August 8, 2025

Cyberattackers Leverage Trusted Drivers to Disable Antivirus Software and Bypass Security Protocols

A cyberattack on a Brazilian enterprise involved the use of legitimate, digitally signed drivers to disable antivirus solutions and deploy MedusaLocker ransomware. The attackers executed a Bring Your Own Vulnerable Driver (BYOVD) attack by exploiting the ThrottleStop.sys driver, which has a critical vulnerability (CVE-2025-7771) allowing unauthorized memory access. They compromised an SMTP server using valid RDP credentials, extracted user credentials with Mimikatz, and moved laterally across the network. The attackers uploaded and executed an AV killer program and a renamed version of the driver, terminating antivirus processes to facilitate ransomware deployment. The malware targeted major antivirus vendors and employed kernel-level commands to eliminate security processes. Recommendations for defense include multi-factor authentication, hardening RDP access, and implementing layered security measures.

Winsage

July 24, 2025

ExpressVPN patches Windows bug that exposed remote desktop traffic

ExpressVPN has released a critical patch (version 12.101.0.45) for its Windows application to address a vulnerability that could expose remote desktop traffic, particularly for users utilizing Remote Desktop Protocol (RDP) or traffic routed through TCP port 3389. The vulnerability was reported by an independent researcher on April 25, and the patch was rolled out five days later. While the company indicated that the vulnerability was unlikely to have been exploited, it acknowledged the need for user protection and is implementing automated tests to prevent similar issues in the future.

Winsage

June 20, 2025

Microsoft boosts default security of Windows 365 Cloud PCs

Microsoft is enhancing its Windows 365 Cloud PCs with new security features starting in May 2025. All newly provisioned and reprovisioned Cloud PCs using a Windows 11 gallery image will have Virtualization-Based Security (VBS), Credential Guard, and Hypervisor-Protected Code Integrity (HVCI) enabled by default. VBS creates a secure environment to protect system processes, Credential Guard secures authentication credentials, and HVCI ensures only verified code runs at the kernel level. Additionally, beginning in the latter half of 2025, clipboard, drive, USB, and printer redirections will be disabled by default on newly provisioned and reprovisioned Cloud PCs to mitigate security risks, although IT administrators can re-enable these features if needed.

Tech Optimizer

June 5, 2025

CISA releases TTPs & IoCs for Play Ransomware That Hacked 900+ Orgs

The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the FBI and the Australian Cyber Security Centre, released an advisory on the Play ransomware group, which has targeted around 900 entities since its inception in June 2022. The group employs a double extortion model, exploiting vulnerabilities in public-facing applications and using tools for lateral movement and credential dumping. Their operations involve recompiling ransomware binaries for each attack to evade detection. The advisory highlights mitigation measures such as multifactor authentication and regular software patching. The Play ransomware specifically targets virtual environments and encrypts files using AES-256 encryption. Indicators of Compromise (IoCs) include: - SVCHost.dll (Backdoor) - SHA-256: 47B7B2DD88959CD7224A5542AE8D5BCE928BFC986BF0D0321532A7515C244A1E - Backdoor - SHA-256: 75B525B220169F07AECFB3B1991702FBD9A1E170CAF0040D1FCB07C3E819F54A - PSexesvc.exe (Custom Play “psexesvc”) - SHA-256: 1409E010675BF4A40DB0A845B60DB3AAE5B302834E80ADEEC884AEBC55ECCBF7 - HRsword.exe (Disables endpoint protection) - SHA-256: 0E408AED1ACF902A9F97ABF71CF0DD354024109C5D52A79054C421BE35D93549 - Hi.exe (Associated with ransomware) - SHA-256: 6DE8DD5757F9A3AC5E2AC28E8A77682D7A29BE25C106F785A061DCF582A20DC6

Winsage

May 14, 2025

Patch Tuesday for May: Five zero day vulnerabilities CISOs should focus on

A vulnerability identified as CVE-2025-30397 can be exploited when Microsoft Edge is in “Internet Explorer” mode, which is typically not the default setting but may be necessary for certain users. Another vulnerability, CVE-2025-29831, can only be exploited during a restart of the Remote Desktop Protocol (RDP) service. SAP has released 18 Security Notes to address various vulnerabilities, including critical authorization issues, remote code execution, information disclosure, and cross-site scripting.

Winsage

May 7, 2025

Microsoft has no plans to fix Windows RDP bug that lets you log in with old passwords

Microsoft has decided not to address a significant security flaw in the Windows Remote Desktop Protocol (RDP) that allows users to log in with outdated, cached passwords, even after those passwords have been changed. The company claims this behavior is intentional, designed to prevent users from being locked out of their machines. Microsoft does not consider this a security vulnerability, despite concerns that it creates a potential backdoor for unauthorized access. The issue has been known to Microsoft since at least August 2023, but they chose not to modify the functionality due to compatibility concerns with existing applications.