Virtual Administrator’s April 2025 Patch Recommendations

All new patches will be approved in our patch policy.
April showers us with 134 security updates, including 1 actively exploited zero-day vulnerability.
Notably, CVE-2025-29824 is a Windows Common Log File System Driver Elevation of Privilege Vulnerability which can allow attackers to gain SYSTEM privileges on the device. At this time the security update for CVE-2025-29824 is not yet available for Windows 10 x64-based and 32-bit systems. Microsoft promises to release one as soon as possible.
- Critical remote code execution vulnerabilities in Windows Remote Desktop services (RDP) are CVE-2025-27480 and CVE-2025-27482.
- CVE-2025-26663 and CVE-2025-26670 are remote code execution (RCE) vulnerabilities affecting Windows Lightweight Directory Access Protocol (LDAP) and LDAP Client respectively.
- A few new SSUs for Windows Server 2008/2012/2016/2019 and Windows 10.
Heads Up!
Some Windows 11 23H2 agents are not detecting new cumulative updates (CU). Last month a problem was brought to our attention with some Windows 11 23H2 agents being unable to detect the latest CU. The March CU for Windows 11 23H2 was KB5053602. Most machines installed KB5053602 without issue, but some of them did not show KB5053602 as either installed or missing in Patch Management.
When we ran a PowerShell “Get-WindowsUpdate” command it did not show KB5053602 as missing, but it DID SHOW KB5053598 as needed.
KB5053598 was the March CU for Windows 11 24H2. The PowerShell output also showed the size of KB5053598 as 90 GB. The Microsoft Update Catalog has KB5053598 at about 1.2 GB. It appears the KB5053598 showing up on 23H2 machines is actually a pending full 24H2 upgrade. Software Management will show KB5053598 as needed on some 23H2 agents, but it is not clear whether it will actually try to install it.
We found that if we locked the 23H2 machines to Target Version 23H2, it blocked the 24H2 upgrade and the agents scanned normally, detecting the latest CU. We have agent procedures available on ClubMSP that will lock (and unlock) agents to target version 23H2 (or 24H2). If you are postponing 24H2 we recommend locking your agents to target version 23H2 so the patch scans detect the latest CU and patch normally. You can run the unlock script when you are ready to upgrade.
Finding the affected agents can be tricky. You can create a View to see only 23H2 agents with a given KB installed or missing, but “missing” isn’t the same as “not detected”. Generally the latest CU replaces the previous month’s CU under patch status. You can create a View showing the previous month’s CU as installed, then on the patch status page look for agents that appear to be fully patched, i.e. the latest CU is neither installed nor missing. We posted an agent procedure “Windows 11 – Check Latest Cumulative Update (CU)” to help find the problem agents. If the latest CU is not installed it will return “No” to a custom field.
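The following PowerShell is an added example, not the ClubMSP agent procedure itself: it checks whether the April 2025 CU for the machine’s Windows 11 version (KB numbers from the list in this post) is present and returns “Yes”/“No” for a custom field, and it locks or unlocks the Windows Update target release version using the documented TargetReleaseVersion policy values. It assumes cumulative updates are visible to Get-HotFix, which is the case on most machines but should be confirmed against the patch status page.

```powershell
# Added example (not Virtual Administrator's ClubMSP procedure). Run as Administrator.
# Expected April 2025 CU per Windows 11 version, taken from the KB list in this post.
$ExpectedCu = @{ '22H2' = 'KB5055528'; '23H2' = 'KB5055528'; '24H2' = 'KB5055523' }

function Test-LatestCuInstalled {
    # Returns 'Yes' if the expected CU for this machine's DisplayVersion is installed, else 'No'.
    $ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $display = $ver.DisplayVersion            # e.g. 23H2
    $kb = $ExpectedCu[$display]
    if (-not $kb) { return "Unknown version $display (build $($ver.CurrentBuild).$($ver.UBR))" }
    # Assumption: the CU appears in Get-HotFix under its KB id (true on most machines).
    $installed = Get-HotFix | Where-Object { $_.HotFixID -eq $kb }
    if ($installed) { 'Yes' } else { 'No' }
}

function Lock-TargetReleaseVersion {
    # Pins feature updates to the given version so a pending 24H2 upgrade no longer
    # masquerades as a "needed" KB and the monthly CU scan detects normally.
    param([ValidateSet('23H2', '24H2')][string]$Version)
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name ProductVersion -PropertyType String -Value 'Windows 11' -Force | Out-Null
    New-ItemProperty -Path $path -Name TargetReleaseVersion -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $path -Name TargetReleaseVersionInfo -PropertyType String -Value $Version -Force | Out-Null
}

function Unlock-TargetReleaseVersion {
    # Removes the pin when you are ready to let the machine take the 24H2 upgrade.
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    foreach ($name in 'ProductVersion', 'TargetReleaseVersion', 'TargetReleaseVersionInfo') {
        Remove-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    }
}

# Usage: write the result to the RMM custom field; pin 23H2 machines that are postponing 24H2.
$result = Test-LatestCuInstalled
Write-Output "Latest CU installed: $result"
if ((Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').DisplayVersion -eq '23H2') {
    Lock-TargetReleaseVersion -Version '23H2'
}
```

A machine that reports “No” here while Patch Management shows it as fully patched is one of the “not detected” agents described above; re-scan it after the lock is applied.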
FYI: the April CU for Windows 10/11 creates an empty inetpub folder at the root of C:. See Microsoft: Windows ‘inetpub’ folder created by security fix, don’t delete: https://www.bleepingcomputer.com/news/security/microsoft-windows-inetpub-folder-created-by-security-fix-dont-delete/
Disclosed: none
Exploited: CVE-2025-29824
Security Update Guide
https://msrc.microsoft.com/update-guide/en-us
Microsoft Security Advisories
ADV990001 | Latest Servicing Stack Updates (Published:11/13/2018 | Last Updated:4/08/2025)
https://msrc.microsoft.com/update-guide/en-us/vulnerability/ADV990001
Reason for Revision: A Servicing Stack Update has been released for some versions of Windows.
NOTE: The Windows 10/11 Servicing Stack Updates are included in the monthly Cumulative Updates.
Known Issues
Reporting inconsistency with Audit Logon/Logoff events in the local policy. Problems with Windows Hello facial recognition or PIN.
Microsoft continues to list unresolved older problems under the Known Issues for new patches. So if you have not yet experienced one of these issues, it is unlikely it will occur now.
“Active Directory Group Policy: Events in local policy”
Affected platforms: Windows 10 1809, Server 2019/2022, Windows 11 22H2/23H2
Symptom: Audit Logon/Logoff events in the local policy of the Active Directory Group Policy might not show as enabled on the device even if they are enabled and working as expected. This can be observed in the Local Group Policy Editor or Local Security Policy, where local audit policies show the “Audit logon events” policy with Security Setting of “No auditing”. This issue might only manifest as a reporting inconsistency. It’s possible that logon events are correctly being audited on the device. However, the “Audit logon events” policy will reflect that this is not the case. Home users are unlikely to be affected by this issue, as logon auditing is generally only necessary in enterprise environments.
Workaround: Adjustments to the Windows registry will prevent this issue. For information about how to make these adjustments, see Security auditing settings are not applied to Windows Vista-based and Window Server 2008-based computers when you deploy a domain-based policy.
Status: Microsoft is working on a resolution and will provide more information when it is available.
“Windows Hello”
Affected platforms: Windows 11 24H2
Symptom: We’re aware of an edge-case Windows Hello issue affecting devices with specific security features enabled. After installing this update and performing a Push button reset or Reset this PC from Settings > System > Recovery and selecting Keep my Files and Local install, some users might be unable to log in to their Windows services using Windows Hello facial recognition or PIN. Users might observe a Windows Hello message saying “Something happened and your PIN isn’t available. Click to set up your PIN again” or “Sorry something went wrong with face setup”. Note: This issue only affects devices where the System Guard Secure Launch or Dynamic Root of Trust for Measurement (DRTM) feature is enabled after installing this update. Devices with Secure Launch or DRTM enabled prior to this update, or those with these features disabled, are not impacted by this issue.
Workaround: To log in using a PIN, follow the Set my PIN prompt on the logon screen to re-enroll in Windows Hello. To use Face Logon, re-enroll in Windows Hello Facial recognition: go to Settings > Accounts > Sign-in options > Facial recognition (Windows Hello), and select Set up. Follow the on-screen instructions.
A good resource for known issues with Windows 10/11 patches. Find the version and click on “Known issues”.
Windows release health
https://docs.microsoft.com/en-us/windows/release-health/
Monthly Rollup/Security Only/Windows 10,11/Server 2016,2019,2022,2025 KBs
Links are https://support.microsoft.com/en-us/help/####### with the KB number only.
Security and Quality Rollup
- KB5055557 – Windows Server 2012 R2 (ESU)
- KB5055581 – Windows Server 2012 (ESU)
Cumulative Updates
Windows 10
- KB5055547 – Original release version 1507 (OS Build 10240)
- KB5055521 – Version 1607 “Anniversary Update” (OS Build 14393)
- KB5055519 – Version 1809 “October 2018 Update” (OS Build 17763)
- KB5055518 – Version 21H2 “November 2021 Update” (OS Build 19044)
- KB5055518 – Version 22H2 “November 2022 Update” (OS Build 19045)
(Versions 1511,1703,1709,1803,1903,1909,2004,20H2,21H1 are no longer under support)
Windows 11
- KB5055528 – 22H2 (OS Build 22621)
- KB5055528 – 23H2 (OS Build 22631)
- KB5055523 – 24H2 (OS Build 26100)
(Version 21H2 is no longer under support)
Windows Server
- KB5055521 – Server 2016 (same KB as Windows 10 Version 1607)
- KB5055519 – Server 2019 (same KB as Windows 10 Version 1809)
- KB5055526 – Server 2022 (OS Build 20348)
- KB5055527 – Server 23H2 (OS Build 25398)
- KB5055523 – Server 2025 (OS Build 26100)
April 2025 updates for Microsoft Office
Notable CVEs
CVE-2025-26663 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26663
Use after free in Windows LDAP – Lightweight Directory Access Protocol allows an unauthorized attacker to execute code over a network.
CVE-2025-26670 | Lightweight Directory Access Protocol (LDAP) Client Remote Code Execution Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26670
Use after free in Windows LDAP – Lightweight Directory Access Protocol allows an unauthorized attacker to execute code over a network.
CVE-2025-27480 | Windows Remote Desktop Services Remote Code Execution Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-27480
Use after free in Remote Desktop Gateway Service allows an unauthorized attacker to execute code over a network.
CVE-2025-27482 | Windows Remote Desktop Services Remote Code Execution Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-27482
Sensitive data storage in improperly locked memory in Remote Desktop Gateway Service allows an unauthorized attacker to execute code over a network.
CVE-2025-29809 | Windows Kerberos Security Feature Bypass Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-29809
Insecure storage of sensitive information in Windows Kerberos allows an authorized attacker to bypass a security feature locally.
CVE-2025-29824 | Windows Common Log File System Driver Elevation of Privilege Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-29824
The security update for Windows 10 for x64-based Systems and Windows 10 for 32-bit Systems is not immediately available. The updates will be released as soon as possible, and when they are available, customers will be notified via a revision to this CVE information. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.