Microsoft's April 2026 Windows 11 quality updates are doing exactly what modern Patch Tuesdays so often do: tightening security in one area while creating friction in another. KB5083769 for Windows 11 24H2 and KB5082052 for Windows 11 23H2 introduced a new Remote Desktop Protocol (RDP) security feature that is blocking connections for a significant number of users. The issue stems from an updated Network Level Authentication (NLA) enforcement policy that Microsoft enabled by default, breaking compatibility with older RDP clients and some third-party remote access tools.

What the Updates Changed

The April 8, 2026 Patch Tuesday releases (KB5083769 for version 24H2, KB5082052 for 23H2) included a change to the CredSSP (Credential Security Support Provider) protocol. Microsoft hardened the encryption oracle remediation policy to require "Protected Mode" for all RDP connections. This means any client not supporting the updated CredSSP with SHA-256 hash enforcement gets blocked at the authentication stage. The error message users see is: "An authentication error has occurred. The function requested is not supported." This is a direct result of the NLA tightening.

Who Is Affected

The bug primarily impacts organizations and power users who rely on RDP to connect to older Windows versions or non-Windows systems. Windows 10 machines that have not received the latest CredSSP updates, Linux-based RDP clients using FreeRDP or xrdp, and even some Windows 11 systems that skipped the February 2026 security updates are all affected. Help desk teams reported a surge in tickets on April 9, with users unable to remote into office machines from home.

Temporary Workarounds

Microsoft has acknowledged the issue in a support document published on April 10. The recommended workaround is to set the group policy "Encryption Oracle Remediation" to "Vulnerable" (which disables the new protection) or to update all RDP clients to the latest version. For enterprise environments, administrators can deploy the policy change via Group Policy Management Console under Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Encryption Oracle Remediation. Setting it to "Mitigated" (the default before this update) restores compatibility without fully disabling protection.
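To keep track of which machines are running with the workaround, the following added example (not from Microsoft or the original article) reports the Encryption Oracle Remediation setting per host and flags any left at "Vulnerable". It assumes the policy is backed by the `AllowEncryptionOracle` registry value with its documented 0/1/2 meanings; the function name and `hosts.txt` are hypothetical, and the "Protected Mode" setting described above is not mapped because the article gives no value for it.

```powershell
# Added example: audit the Encryption Oracle Remediation policy on one or more hosts.
# Assumption: the policy is stored in the AllowEncryptionOracle DWORD below
# (0 = Force Updated Clients, 1 = Mitigated, 2 = Vulnerable).
$CredSspKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$OracleNames = @{ 0 = 'Force Updated Clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }

function Get-EncryptionOracleSetting {   # hypothetical helper name
    [CmdletBinding()]
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    # Runs locally or on the remote host; returns $null when the value is absent.
    $read = {
        param($Key)
        (Get-ItemProperty -Path $Key -Name AllowEncryptionOracle -ErrorAction SilentlyContinue).AllowEncryptionOracle
    }

    foreach ($computer in $ComputerName) {
        try {
            if ($computer -eq $env:COMPUTERNAME) {
                $value = & $read $CredSspKey
            } else {
                # Requires PowerShell remoting (WinRM) to be enabled on the target.
                $value = Invoke-Command -ComputerName $computer -ScriptBlock $read `
                    -ArgumentList $CredSspKey -ErrorAction Stop
            }
            $name = if ($null -eq $value) {
                'Not configured (OS default applies)'
            } elseif ($OracleNames.ContainsKey([int]$value)) {
                $OracleNames[[int]$value]
            } else {
                "Unknown ($value)"
            }
            [pscustomobject]@{
                ComputerName = $computer
                RawValue     = $value
                Setting      = $name
                NeedsRevert  = ($value -eq 2)   # workaround still in place
            }
        } catch {
            [pscustomobject]@{
                ComputerName = $computer; RawValue = $null
                Setting = "Unreachable: $($_.Exception.Message)"; NeedsRevert = $null
            }
        }
    }
}

# List hosts still set to "Vulnerable" so the workaround can be withdrawn later.
# Get-EncryptionOracleSetting -ComputerName (Get-Content .\hosts.txt) | Where-Object NeedsRevert
```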

The Security Trade-Off

This is not a simple bug fix; it's a deliberate security enhancement. The new default is "Protected Mode", which requires the client to support SHA-256 hash verification. This prevents man-in-the-middle attacks that could downgrade the encryption. However, the rollout was clearly not tested against the full spectrum of RDP clients in use. The problem is that many third-party RDP clients, including some VPN appliances, have not updated their CredSSP implementations. Users are now forced to choose between security and functionality.

What Microsoft Should Do

Microsoft needs to release an out-of-band update that either reverts the default to "Mitigated" or provides a clear notification during the update installation about the potential RDP impact. The current approach of silently changing security policies during a cumulative update is a recipe for disruption. In the meantime, IT administrators should audit their RDP client versions and apply the group policy workaround if necessary. Home users can use the Settings app to adjust the policy via Local Group Policy Editor (gpedit.msc).

Conclusion

The April 2026 Patch Tuesday updates are a reminder that security improvements often come with compatibility costs. While the CredSSP hardening is a positive step, the execution needs refinement. Until Microsoft provides a more seamless update path, users must manually intervene to restore RDP functionality. Check your RDP clients, apply the group policy workaround, and monitor Microsoft's support pages for an official fix.