Stay ahead of critical vulnerabilities with our breakdown of this month's Microsoft security patches.
Release Date: April 14, 2026 KB Articles: KB5083769 (Windows 11 25H2/24H2) · KB5082052 (Windows 11 23H2) · KB5083768 (Windows 11 26H1) OS Builds: 26200.8246 / 26100.8246
.rdp files now display all connection settings before connecting, with a one-time security warning on first useMicrosoft's April 2026 Patch Tuesday is one of the largest security updates of the year, addressing 167 vulnerabilities across Windows, Microsoft Office, Remote Desktop Services, and other core components. The release includes fixes for 2 zero-day vulnerabilities and delivers significant improvements around Secure Boot certificate management, an area of critical urgency as legacy 2011 certificates approach their June 26, 2026 expiration.
Coming off a turbulent March that saw multiple out-of-band emergency releases and failed installations, April's update also resolves a known issue causing device resets to fail after the March 2026 Hotpatch. IT and security teams should treat this update as high priority and begin deployment immediately, with particular focus on the zero-days and Secure Boot remediation.
Effective patch management is the cornerstone of endpoint security, and April's release underlines why a structured, automated deployment process is no longer optional for enterprise environments.
| Severity | Count |
|---|---|
| Critical | 11 |
| Important | 149 |
| Moderate | 7 |
| Total | 167 |
Note: This total does not include separately patched Microsoft Edge (Chromium) or Azure cloud-side-only vulnerabilities released earlier in the month. For full CVE details, see the Microsoft Security Update Guide for April 2026.
April 2026 addresses two zero-day vulnerabilities. Both were publicly disclosed before this release, meaning technical details are circulating in the security community and exploitation risk is elevated. For background on how zero-day vulnerabilities are discovered and weaponized, see Zecurit's security hub.
Component: Windows Remote Desktop Protocol (RDP) Impact: Remote Code Execution (unauthenticated) Priority: Critical
This zero-day affects Windows' Remote Desktop Protocol implementation, potentially allowing an attacker to execute arbitrary code on a target system without authentication. Organizations relying on RDP for remote administration must prioritize this patch above all others in this cycle.
Beyond the vulnerability patch itself, Microsoft has introduced an important anti-phishing hardening measure for .rdp files: when a user opens an .rdp file, Remote Desktop now displays all requested connection settings before connecting, with each setting disabled by default. A one-time security warning also appears the first time an .rdp file is opened on a device. This directly addresses a documented attack vector where threat actors deliver malicious .rdp files via phishing emails to establish unauthorized remote sessions. You can learn more about monitoring Remote Desktop connections in our knowledge base.
Component: Windows Kernel Impact: Local Elevation of Privilege (SYSTEM-level access) Priority: High
This publicly disclosed zero-day allows a local attacker to elevate system privileges, potentially gaining full control. The fix strengthens kernel-level security checks and access controls. While local access is required, privilege escalation flaws like this are routinely chained with phishing, malicious attachments, or lateral movement from already-compromised endpoints to complete full attack chains. Defenders should enable endpoint monitoring and alerts to detect unusual privilege activity in the post-deployment window.
One of the most operationally significant aspects of April's update is the continued rollout of updated Secure Boot certificates, addressing the impending expiration of the original 2011 certificates on June 26, 2026, now just 73 days away.
This is no longer a future planning item. It is an active remediation requiring immediate attention across your entire fleet.
Windows Security App Visibility: April introduces a Secure Boot certificate update status display in the Windows Security app (Settings > Privacy & Security > Windows Security), including badge notifications and status alerts. Learn more about Secure Boot certificate update status. Note this feature is disabled by default on commercial devices.
Broader Device Targeting: Windows quality updates now include additional high-confidence device targeting data, increasing the pool of devices eligible to automatically receive new Secure Boot certificates in a controlled, phased rollout.
BitLocker Recovery Bug Fix: This update resolves a critical issue where devices entered BitLocker Recovery mode after Secure Boot certificate updates, disrupting organizations that had already begun rolling out March's update. If you rely on BitLocker encryption, this fix is essential before further Secure Boot remediation. Zecurit's BitLocker management guide and BitLocker recovery key guide can help if devices need manual recovery.
Devices without updated 2023 Secure Boot certificates will continue to boot normally, but will:
Action now: Verify Secure Boot compliance using Confirm-SecureBootUEFI in PowerShell or via System Information. Note that some systems manufactured between 2012 and 2025 also require OEM firmware/BIOS updates to accept new UEFI certificates, this is hardware-level work that cannot be delivered by Windows Update alone. See Microsoft's full Secure Boot Certificate Expiration and CA Updates guidance for preparation steps.
This update fixes a failure in the "Keep my files" and "Remove everything" device reset options introduced by the March 2026 Hotpatch (KB5079420). Organizations that needed to re-image or reset endpoints since March will now be unblocked.
This update improves reliability when Windows uses SMB compression over QUIC, reducing timeout failures and supporting more dependable enterprise network performance. This is particularly relevant for environments using direct SMB access over the internet or cloud-hosted Windows shares.
EoP flaws account for nearly half of all 167 patches this month. Understanding privilege escalation is critical for defenders, as these vulnerabilities are the primary mechanism attackers use to move from initial access to full system compromise. Combine prompt patching with strong endpoint privilege management practices to limit the blast radius of any breach.
Multiple remote code execution vulnerabilities affect Windows Server, Office, and network services. Internet-facing and externally accessible systems should be prioritized in your deployment schedule. For Windows Server management environments, this release patches RCE flaws across Windows Server 2019, 2022, and 2025.
| OS Version | KB Article | Build Number | Link |
|---|---|---|---|
| Windows 11, version 26H1 | KB5083768 | 28000.1836 | View KB |
| Windows 11, version 25H2 | KB5083769 | 26200.8246 | View KB |
| Windows 11, version 24H2 | KB5083769 | 26100.8246 | View KB |
| Windows 11, version 23H2 | KB5082052 | 22631.6936 | View KB |
For the full Windows servicing history, visit the Windows Release Health Dashboard and the Windows Message Center.
April's 167-vulnerability release must be viewed in the context of a relentlessly active Q1 2026. Reviewing our January 2026 Patch Tuesday and February 2026 Patch Tuesday breakdowns reveals how the threat landscape has accelerated month over month:
| Month | CVEs Patched | Zero-Days | Critical |
|---|---|---|---|
| January 2026 | 112 | 3 (1 actively exploited) | 8 |
| February 2026 | 58 | 6 (all actively exploited) | 5 |
| March 2026 | 84 | 2 (publicly disclosed) | 8 |
| April 2026 | 167 | 2 (publicly disclosed) | 11 |
February's six actively exploited zero-days, including a SmartScreen bypass (CVE-2026-21510), MSHTML Framework bypass (CVE-2026-21513), and Remote Desktop Services EoP (CVE-2026-21533) discovered by CrowdStrike , illustrated just how aggressively attackers are targeting Windows components. March's AI-discovered CVSS 9.8 RCE flaw further signalled that the pace of vulnerability discovery is accelerating. April's 167-vulnerability count is the year's largest Patch Tuesday to date.
The day after Patch Tuesday is widely known as "Exploit Wednesday" , when threat actors reverse-engineer newly released patches to develop working exploits for still-unpatched systems. With 11 actively exploited zero-days documented across Q1 2026, a rapid and well-planned patch deployment strategy is essential.
Given the scale of this release and the lessons from March's problematic rollout, organizations should follow a risk-tiered deployment approach. A mature vulnerability management program backed by automated endpoint management tooling will be especially important for large fleets.
Confirm-SecureBootUEFI) or System Information before the June 26, 2026 deadline.Organizations operating under HIPAA, GDPR, PCI-DSS, or other regulatory frameworks have a mandated obligation to apply security patches within defined windows. The two publicly disclosed zero-days in this release, combined with CISA's history of adding Microsoft vulnerabilities to the KEV catalog within days of Patch Tuesday, mean that federal agencies and regulated enterprises must treat April's deployment as non-deferrable. Federal Civilian Executive Branch (FCEB) agencies should note that CISA mandates KEV-listed vulnerabilities be remediated by defined deadlines.
The Zero Trust security model reinforces why patch status must be treated as a condition of device trust. Unpatched endpoints, particularly those with the RDP zero-day unresolved, should be treated as untrusted until confirmed compliant, especially in environments using Zero Trust network access principles.
For organizations still managing Windows 10 endpoints that reached end-of-life in October 2025, note that extended security updates (ESU) continue to be released. Zecurit's Windows 10 end-of-life guide covers your ESU options and migration planning path to Windows 11.
Other vendors also released security updates this cycle. Administrators managing broader environments should review:
Keeping pace with top cybersecurity vulnerabilities across the third-party landscape is an important complement to Windows patching, especially for organizations with diverse software estates.
Posted by Zecurit | Endpoint Management & Patch Intelligence | April 14, 2026
Below is a detailed list of the security patches and CVEs released in this month's Patch. This information is fetched directly from the Microsoft Security Response Center (MSRC) to help you stay protected with the latest patches.
Patch Tuesday is the second Tuesday of each month when Microsoft releases its regular updates for Windows operating systems and other Microsoft products. These updates typically include security patches, bug fixes, and sometimes feature improvements.
Patch Tuesday is crucial for maintaining the security and stability of systems. The updates often address vulnerabilities that could be exploited by attackers, and keeping systems up to date helps protect against these risks.
Microsoft releases Patch Tuesday updates on their website and through Windows Update. For detailed patch notes, you can refer to Microsoft's Security Update Guide or subscribe to update notifications from your device or trusted sources like security blogs.
Yes, you can manually download and install updates through Windows Update, or directly from the Microsoft Update Catalog website, which offers patches for individual downloads.
It’s highly recommended to install all security updates to ensure your system remains protected from known vulnerabilities. However, non-security updates or feature updates might be optional based on your needs.
If you miss a Patch Tuesday update, it’s important to install the updates as soon as possible to avoid potential security risks. Microsoft allows you to download and install any missed updates through Windows Update.
For businesses or IT administrators, you can use Windows Server Update Services (WSUS), System Center Configuration Manager (SCCM), or third-party patch management tools to schedule, approve, and distribute updates across multiple systems.
Not all updates are critical. Patch Tuesday updates include a range of fixes, from critical security patches to optional non-security updates. It’s important to assess which updates are most relevant to your environment.
Failing to apply updates can leave your system vulnerable to exploits and attacks. Many of the updates address critical security flaws that cybercriminals may target, so staying updated is vital for system security.
