Microsoft Locks Down Login Prompts After Windows Hello Injection Flaw

February 2026 Patch Tuesday updates introduced a new Windows security hardening change that alters credential autofill behavior across authentication dialogs.

Microsoft confirmed the change is intentional and addresses a Windows Hello input injection vulnerability tracked as CVE-2026-20804. The update tightens how Windows processes credential input, especially during remote sessions and automated login workflows.

Microsoft fixes Windows Hello input injection vulnerability (CVE-2026-20804)

According to Neowin, security changes target risks where malicious tools could simulate keyboard input and tamper with authentication prompts. Windows authentication dialogs now ignore virtual keyboard input originating from remote desktop connections, screen-sharing tools, or automation scripts.

This means credential prompts will only accept input from trusted local sources, including a physical keyboard, approved accessibility tools with UIAccess privileges, or properly elevated applications.

Microsoft designed this mitigation to block untrusted input injection that could interfere with Windows Hello and other secure authentication interfaces.

Autofill and automation workflows impacted

As a result of the update, some apps may no longer autofill login details in specific scenarios. Scripted authentication processes that relied on simulated keyboard input can also fail.

Remote desktop software, screen-sharing platforms such as Teams, and third-party automation tools may see Windows credential dialogs become unresponsive to automated input. This affects environments where IT teams depend on remote credential submission during support sessions.

Microsoft advises developers and IT administrators to transition to supported Windows authentication UI methods instead of relying on simulated keystrokes. Using official APIs ensures compatibility with the new security model.

For organizations that still require legacy behavior, Microsoft notes that running remote credential-submission tools with administrator privileges may temporarily restore functionality. The company recommends this only in tightly controlled and secure environments.

The February rollout also included updates KB5077178, KB5077180, and KB5077374, bringing changes to Windows Recovery Environment and Secure Boot components.

Separately, CISA issued a warning about a critical vulnerability affecting Microsoft SCCM, urging administrators to review and patch affected systems promptly.

With this latest hardening change, Microsoft continues to prioritize authentication security, even if it means breaking older automation workflows in the process.