Virtual Administrator’s April 2026 Patch Recommendations
All new patches will be approved in our patch policy.
April brings the second-largest Patch Tuesday on record with 167 vulnerabilities, including 2 zero-days (CVE-2026-32201, CVE-2026-33825).
- CVE-2026-32201 is a SharePoint Server Spoofing vulnerability and is already being exploited.
- CVE-2026-33825 is an Elevation of Privilege vulnerability in Microsoft Defender.
- CVE-2026-33824 is a Windows Internet Key Exchange (IKE) Service Extensions Remote Code Execution vulnerability with a whopping CVSS score of 9.8.
- A couple of known issues after patching Windows Server – see Known Issues below.
- Also read “Heads Up!” for guidance on patching older versions of Windows 11.
- New SSU for Windows Server 2016.
Disclosed: CVE-2026-33825
Exploited: CVE-2026-32201
Security Update Guide
https://msrc.microsoft.com/update-guide/en-us
Microsoft Security Advisories
ADV990001 | Latest Servicing Stack Updates (Published: 3/1/2018 | Last Updated: 4/14/2026)
https://msrc.microsoft.com/update-guide/en-us/vulnerability/ADV990001
Reason for Revision: A Servicing Stack Update has been released for some versions of Windows.
NOTE: The Windows 10 Security Stack Updates are included in the monthly Cumulative Updates.
Heads Up! Some Windows 23H2/24H2 agents are not detecting new cumulative updates (CU).
Last month a problem was brought to our attention: some Windows 11 23H2/24H2 agents were unable to detect the latest CU. Windows 11 25H2 is unaffected. The March CU for Windows 11 23H2/24H2 was KB5078883/KB5079473. Most machines installed the CU without issue, but some of them did not show it as either installed or missing in Patch Management. When we ran the PowerShell “Get-WindowsUpdate” command, it did not show the CU as missing, but it DID SHOW the 25H2 Feature Update as needed. It appears the pending 25H2 Feature Update is blocking detection of the current CU.
We found that if we locked the 23H2/24H2 machines to Target Version 23H2/24H2, it would block the 25H2 upgrade and scan normally – detecting the latest CU. We have agent procedures available on ClubMSP that will lock (and unlock) agents to target version 23H2 or 24H2. If you are postponing 25H2, we recommend locking your agents to target version 23H2/24H2 so the patch scans detect the latest CU and patch normally. You can run the unlock script when you are ready to upgrade. Please reach out to Virtual Administrator support if you have any additional questions.
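One way to apply the target-version lock described above, as an added example that is not the ClubMSP agent procedure. It assumes the standard Windows Update policy values (ProductVersion, TargetReleaseVersion, TargetReleaseVersionInfo); the function names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example (not the ClubMSP agent procedure): pin a Windows 11 device to
# its current feature release via the Windows Update target-release policy.
$PolicyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$PolicyValues = 'ProductVersion', 'TargetReleaseVersion', 'TargetReleaseVersionInfo'

# Build-to-release mapping taken from the Windows 11 KB list on this page.
$BuildToRelease = @{ 22631 = '23H2'; 26100 = '24H2' }

function Get-CurrentRelease {
    # Server 2025 shares build 26100, so require a workstation OS (ProductType 1).
    if ((Get-CimInstance Win32_OperatingSystem).ProductType -ne 1) {
        throw 'Not a client OS; refusing to set a Windows 11 target release.'
    }
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    if (-not $BuildToRelease.ContainsKey($build)) {
        throw "Build $build is not Windows 11 23H2/24H2; refusing to set a lock."
    }
    $BuildToRelease[$build]
}

function Lock-TargetRelease {
    param([ValidateSet('23H2', '24H2')][string]$Release = (Get-CurrentRelease))
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name 'ProductVersion' -Value 'Windows 11' -Type String
    Set-ItemProperty -Path $PolicyKey -Name 'TargetReleaseVersion' -Value 1 -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name 'TargetReleaseVersionInfo' -Value $Release -Type String
}

function Unlock-TargetRelease {
    # Remove only the three values this script owns; leave other WU policy intact.
    foreach ($name in $PolicyValues) {
        Remove-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue
    }
}

function Get-TargetReleaseLock {
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Locked  = ($p.TargetReleaseVersion -eq 1)
        Product = $p.ProductVersion
        Release = $p.TargetReleaseVersionInfo
    }
}

# Read-only report of the current state. Run Lock-TargetRelease to pin the
# device, rescan for updates, and run Unlock-TargetRelease before moving to 25H2.
Get-TargetReleaseLock
```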
Known Issues
Microsoft is reporting a couple of issues with Windows Server. Domain controllers may restart repeatedly, and Windows Server 2022/2025 may require the BitLocker recovery key on the first restart. Virtual Administrator has agent procedures available on ClubMSP for reporting on BitLocker status including the key.
Microsoft continues to list unresolved older problems under the Known Issues for new patches. So if you have not yet experienced one of these issues, it is unlikely it will occur now.
Good resource for known issues with Windows 10/11/Server patches. Find the version and click on “Known issues”.
Windows release health
https://docs.microsoft.com/en-us/windows/release-health/
“Domain controllers may restart repeatedly after installing April security update”
https://learn.microsoft.com/en-us/windows/release-health/status-windows-server-2025
Affected platforms: Windows Server 2016/2019/2022/2025
Symptoms: After installing the April 2026 Windows security update and rebooting, non-Global Catalog (non-GC) domain controllers (DCs) in environments that use Privileged Access Management (PAM), might experience LSASS crashes during startup. As a result, affected DCs may restart repeatedly, preventing authentication and directory services from functioning, and potentially rendering the domain unavailable.
In some environments, this issue can also occur when setting up a new domain controller, or on existing DCs if authentication requests are processed very early during startup.
Note: This issue affects Windows Server only. It does not impact consumer PCs or personal devices. The scenario is unlikely to be observed on individual-use devices that are not managed by an IT department.
Workaround: IT administrators can reach out to Microsoft Support for business to access a mitigation. This mitigation can be applied to devices that already have installed the April 2026 update or prior to installing it.
Status: Microsoft is working to address this issue and will release a resolution in the coming days.
“Devices with an unrecommended BitLocker Group Policy configuration might be required to enter their BitLocker recovery key”
Affected platforms: Windows Server 2022/2025
Symptoms: Some devices with an unrecommended BitLocker Group Policy configuration might be required to enter their BitLocker recovery key on the first restart after installing this update.
This issue only affects a limited number of systems in which ALL of the following conditions are true. These conditions are unlikely to be found on personal devices not managed by IT departments.
Workaround:
- Option 1: Remove the Group Policy configuration before installing the update (Recommended)
- Option 2: Apply the Known Issue Rollback (KIR) before installing the update
Status: A permanent resolution for this issue is planned in a future Windows update. More information will be provided when it is available.
Monthly Rollup/Security Only/Windows 10,11/Server 2016,2019,2022,2025 KBs
Links follow the pattern https://support.microsoft.com/en-us/help/#######, using the KB number only.
Security and Quality Rollup
- KB5082126 – Windows Server 2012 R2 (ESU)
- KB5078775 – Windows Server 2012 (ESU)
Cumulative Updates
Windows 10
- KB5082200 – Version 21H2 “November 2021 Update” (OS Build 19044) (ESU)
- KB5082200 – Version 22H2 “November 2022 Update” (OS Build 19045) (ESU)
(Versions 1507,1511,1607,1703,1709,1803,1809,1903,1909,2004,20H2,21H1 are no longer under support)
Windows 11
- KB5082052 – 23H2 (OS Build 22631)
- KB5083769 – 24H2 (OS Build 26100)
- KB5083769 – 25H2 (OS Build 26200)
- KB5083768 – 26H1 (OS Build 28000)
(Versions 21H2, 22H2 are no longer under support)
Windows Server
- KB5082198 – Server 2016 (EOS January 2027)
- KB5082123 – Server 2019 (EOS January 2029)
- KB5082142 – Server 2022 (OS Build 20348)
- KB5082060 – Server 23H2 (OS Build 25398)
- KB5082063 – Server 2025 (OS Build 26100)
April 2026 updates for Microsoft Office
Notable CVEs
CVE-2026-23666 | .NET Framework Denial of Service Vulnerability (Specific KB for each version)
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23666
Improper input validation in .NET Framework allows an unauthorized attacker to deny service over a network.
CVE-2026-32157 | Remote Desktop Client Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32157
Use after free in Remote Desktop Client allows an unauthorized attacker to execute code over a network.
CVE-2026-32190 | Microsoft Office Remote Code Execution Vulnerability (Click to Run)
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32190
Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. The Preview Pane is an attack vector.
CVE-2026-32201 | Microsoft SharePoint Server Spoofing Vulnerability (KB5002853,KB5002854,KB5002861)
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32201
Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network. An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality), make changes to disclosed information (Integrity), but cannot limit access to the resource (Availability).
CVE-2026-33824 | Windows Internet Key Exchange (IKE) Service Extensions Remote Code Execution Vulnerability (Cumulative Update)
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33824
Double free in Windows IKE Extension allows an unauthorized attacker to execute code over a network.
CVE-2026-33825 | Microsoft Defender Elevation of Privilege Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33825
Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to elevate privileges locally.
Last version of the Microsoft Defender Antimalware Platform affected by this vulnerability: Version 4.18.26020.6
First version of the Microsoft Defender Antimalware Platform with this vulnerability addressed: Version 4.18.26030.3011
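A check for the two platform versions quoted above, as an added example that is not from Microsoft or from the original page. It assumes the AMProductVersion field of Get-MpComputerStatus reports the Antimalware Platform version; the function names are hypothetical.

```powershell
# Added example: decide whether a host's Defender Antimalware Platform carries
# the CVE-2026-33825 fix. The threshold is the "first fixed" version on this page.
$FirstFixed = [version]'4.18.26030.3011'

function Test-DefenderPlatformFixed {
    param([Parameter(Mandatory)][string]$PlatformVersion)
    # Compare as [version], not as strings: a string comparison orders
    # '4.18.26030.400' after '4.18.26030.3011' and would report it as fixed.
    ([version]$PlatformVersion) -ge $FirstFixed
}

function Get-DefenderPlatformStatus {
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
    } catch {
        # Defender cmdlets missing or service not running (e.g. third-party AV):
        # report "unknown" rather than silently treating the host as patched.
        return [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Platform = $null
            Fixed    = $null
            Note     = $_.Exception.Message
        }
    }
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Platform = $mp.AMProductVersion
        Fixed    = Test-DefenderPlatformFixed $mp.AMProductVersion
        Note     = ''
    }
}

# Constructed sample values: the first two are the versions quoted on this page,
# the third is hypothetical and shows why numeric comparison matters.
'4.18.26020.6', '4.18.26030.3011', '4.18.26030.400' | ForEach-Object {
    '{0,-18} fixed={1}' -f $_, (Test-DefenderPlatformFixed $_)
}

# Status of the local host, suitable for collection by an RMM agent.
Get-DefenderPlatformStatus
```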
CVE-2026-33826 | Windows Active Directory Remote Code Execution Vulnerability (Cumulative Update)
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33826
Improper input validation in Windows Active Directory allows an authorized attacker to execute code over an adjacent network.
CVE-2026-33827 | Windows TCP/IP Remote Code Execution Vulnerability (Cumulative Update)
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33827
Concurrent execution using shared resource with improper synchronization (‘race condition’) in Windows TCP/IP allows an unauthorized attacker to execute code over a network.