Thanks again! 2019 and 2022 are the only server versions in our Org. Then I will first pray to the mighty Ones and Zeros and then start test patching :-) Hopefully without 0x800f0922

[-]

FCA162@reddit

After the relaunch, three out of four failed installations have been resolved. The fourth installation is still in progress.

[-]

My test installations on 1 x Server 2019 and 1 x Server 2022 were sucessful. Also 3 x Client Win11 ENT 25H2 and 1 x Win10 ENT LTSC 2021 were sucessful. I will now push the updates to the other machines in (small) org with WSUS - see you next month!

[-]

3sysadmin3@reddit

Is this thread intentionally not pinned this month?

[-]

Friendly_Guy3@reddit

Last time this happened I tried to ping a mod an it was fixed ....

Hey u/mkosmo can you please stick the megathread again ? It got un-sticket and it's now a bit hard to find .

[-]

SomeWhereInSC@reddit

it was pinned earlier this week, but this happened last month as well...

[-]

aMazingMikey@reddit

What happened? Is there some sort of pinning bug in Reddit or did one of the mods intentionally unpin it?

[-]

SomeWhereInSC@reddit

I'm not sure, but can say since December this has been a continuing issue... eventually it gets re-pinned...

[-]

Routine_Brush6877@reddit

Yeah what the heck is up with this place lately?? I need to know if its safe to patch!

[-]

andyr354@reddit

What's weird is the March thread is now pinned for me.

[-]

pducharme@reddit

Not able to install KB5086023 on 2 Win 2025 Standard. Always fail with "Retry". Did try dism to restorehealth, sfc /scannow and manually installing the .msu. Not successfully installed them. Worked fine on all other systems I manage. (mix of Win2022 or Win2025).

[-]

FCA162@reddit

Free disk space?
KB5083769 Windows Server 2025 is 5.1 GB ...

or: insufficient space in the System Reserved Partition. Windows requires a minimum amount of free space, at least 500 MB, here to handle update configuration files.

[-]

pducharme@reddit

I have 60+ GB free on both of the servers on the C:\

[-]

FCA162@reddit

There was no WU error code?

Check C:\Windows\Logs\CBS\CBS.txt and search for string ", Error" and "HRESULT = 0x800"

e.g.:
2026-04-15 07:04:04, Error CBS Startup: Failed to process advanced operation queue, startupPhase: 0. A rollback transaction will be created. [HRESULT = 0x800f0922 - CBS_E_INSTALLERS_FAILED]

[-]

pducharme@reddit

Always 0x80073712 on both servers.

[-]

FCA162@reddit

If you receive WU 0x80073712, it means that a file needed by Windows Update is damaged or missing.

Try to fix it with my script Mark_Corrupted_Packages_as_Absent.ps1

It has already helped many admins in the past!

[-]

pducharme@reddit

i'm trying this right now on one of my 2 servers. The scripts been running since 10 minutes and list probably all packages because there is a lot! Can I avoid a Reboot before a retry? maybe if I do the usual WindowsUpdate reset and restart the services only? just want to avoid a reboot.

[-]

pducharme@reddit

Finally did not solve it :(

[-]

FCA162@reddit

i'm pretty sure a reboot is needed.

[-]

pducharme@reddit

Ok thank you, I’ll try that. After running the script, so I need to do something else like renaming SoftwareDistribution, etc ?

[-]

FCA162@reddit

No, just running the script, reboot and re-apply patching.
No need to rename SoftwareDistribution or doing something else.

[-]

pirutgrrrl@reddit

It’s not just you - https://windowsreport.com/kb5082063-causing-update-failures-on-windows-server-2025-microsoft-confirms/

[-]

pducharme@reddit

Yeah. I figured there is an issue. I did re-run the Script, no more components in the output. Did a full reboot. Still the same error :(

[-]

pirutgrrrl@reddit

It's not just you - https://windowsreport.com/kb5082063-causing-update-failures-on-windows-server-2025-microsoft-confirms/https://windowsreport.com/kb5082063-causing-update-failures-on-windows-server-2025-microsoft-confirms/https://windowsreport.com/kb5082063-causing-update-failures-on-windows-server-2025-microsoft-confirms/https://saasprotection.datto.com/help/M365/Content/Troubleshooting/Management_configuration/KB3600500757511.html?

[-]

Educational_Vast9020@reddit

I have on all Win Server 2025 Standard the same issue. We have setup the Servers in german. Dism to restorehelth, sfc /scannow no success. Any ideea?

[-]

Educational_Vast9020@reddit

I've now conducted several tests: 
I reinstalled two servers using a Windows Server 2025 Std. HPE ROK ISO image. 
One was in German and the other in English. 
Both refused to install KB5082063. 
Subsequently, I downloaded and installed the evaluation ISO for Windows Server 2025 Std. in both German and English from Microsoft. 
The update installed successfully on both evaluation installations. 
All four servers were installed on the same hardware under Hyper-V and were not licensed. 
I assume this is related to the OEM-branded installation media (HPE or Dell). These media implement a BIOS lock for licensing.

[-]

Educational_Vast9020@reddit

I've now conducted several tests: I reinstalled two servers using a Windows Server 2025 Std. HPE ROK ISO image. One was in German and the other in English. Both refused to install KB5082063. Subsequently, I downloaded and installed the evaluation ISO for Windows Server 2025 Std. in both German and English from Microsoft. The update installed successfully on both evaluation installations. All four servers were installed on the same hardware under Hyper-V and were not licensed. I assume this is related to the OEM-branded installation media (HPE or Dell). These media implement a BIOS lock for licensing.

[-]

pducharme@reddit

Haven't found a solution yet for my 2 failing Win2025. They are US English in my case.

[-]

episode-iv@reddit

No issues here on German 2025 Datacenter systems.

[-]

hingino@reddit

I wish the admin circle jerks didn't get so many upvotes so we could see the actual issues people are facing...

[-]

Zamphyr-@reddit

always sort this thread by New

[-]

Zaphod_The_Nothingth@reddit

This is the way.

[-]

FCA162@reddit

A small number of devices might fail to install KB5082063 with error 800F0983

Status: Confirmed

Affected platforms

Server Versions Message ID Originating KB Resolved KB

Windows Server 2025 WI1281095 KB5082063 –

Microsoft is monitoring diagnostic data reports on update installation failures and has observed a recurring error on Windows Server 2025 devices when installing the April 2026 Windows security update (the Originating KBs listed above), released on April 14, 2026. A limited number of affected servers might experience an installation failure accompanied by the error code 800F0983.

Next steps: We are actively investigating this issue and will provide more information as more details become available.

MS Service Alert - WI1281095

[-]

sasilik@reddit

I had problems with "2026-04 Cumulative Update for Microsoft server operating system version 24H2 for x64-based Systems (KB5082063) (26100.32690)". Install failed with code 0x80073712. Seems that there are others with same problem https://www.reddit.com/r/WindowsServer/comments/1smbwzm/anyone_else_getting_error_code_0x80073712_when/

[-]

FCA162@reddit

If you receive WU 0x80073712, it means that a file needed by Windows Update is damaged or missing.

Try to fix it with my script Mark_Corrupted_Packages_as_Absent.ps1

It has already helped many admins in the past!

[-]

FCA162@reddit

We've postponed the patching of our DCs, due to many issues;

failed KB installations WU error 0x800F0922
RDP session failed to connect
DCs in reboot loop after patching
Critical Process lsass.exe terminated unexpectedly with "status code -1073741819. The system will now shut down and restart."

[-]

FriskyDuck@reddit

We updated our 2019 DCs without issue. Moving to 2025 DCs soon…. fingers crossed

[-]

FCA162@reddit

We've postponed our migration to 2025 DCs by 6 months.
We only have a few 2025 DCs running in the lab environment and we have encountered many issues with computer password changes.

[-]

FriskyDuck@reddit

Damn, over a year later and they still haven't fixed the reason we abandoned our 2025 DC migration the first time around.

[-]

H3ll0W0rld05@reddit

Sounds crazy! I only have one DC on 2022 patched. Can you link the issues to specfic versions?

[-]

joesoap8308@reddit

Oh dear, what OS are you running on them?

[-]

FCA162@reddit

Mixed 2019/2022/2025

[-]

joesoap8308@reddit

Cool thanks for confirming

[-]

welcome2devnull@reddit

Having some issue with Win11 25H2 machine (was upgraded from Win11 23H2 \~ 3 weeks ago) - when i try to install the 2026-04 Update for Win11 25H2 i get the error 0x80073712.

Tried to install KB5086672 (the fixed oob update from 2026-03) but get the same error on that update.

Installation was attempted via SCCM and another try via admin cmd shell just executing the msu update file. Always the result.

[-]

FCA162@reddit

If you receive WU 0x80073712, it means that a file needed by Windows Update is damaged or missing.

Try to fix it with my script Mark_Corrupted_Packages_as_Absent.ps1

It has already helped many admins in the past!

[-]

icq-was-the-goat@reddit

Anyone else seeing Print Spooler issues on Server 2019 RDS hosts after this month’s updates?

Installed Servicing Stack 10.0.17763.8642, KB5082413, and KB5082123. After reboot, the Print Spooler service was completely missing. Had to manually recreate it and fix permissions.

Once it was back, it would start but crash after \~10 seconds. Dump pointed to a PostScript driver (PS5UI.DLL).

Uninstalled the updates and everything went back to normal.

This isn’t the first time. Same server had this last month, removed KB5075904 and it fixed it, and now this month’s updates seem to have triggered it again.

Feels like something in these updates is breaking older PostScript drivers. Curious if anyone else has seen this.

[-]

Jaymesned@reddit

Anyone a regular user of Greenshot? After the latest Win 11 25H2 update, it's slow to the point of being unusable. Built-in Windows screenshot via Print Screen button is off.

[-]

hingino@reddit

Its still normal for me. Only 1 of my pilot users other than myself use it, but they arent having issues either.

[-]

Jaymesned@reddit

Turns out I wasn't using the latest version. Update to Greenshot has it working again as normal.

[-]

BoysenberryDue3637@reddit

I retired end of March. Today is the happiest day of my life not having to worry about patching.

Good luck all.

[-]

dcnjbwiebe@reddit

Only 21 months left for me (not that I am counting...).

[-]

BlockBannington@reddit

Only 34 years for me!

[-]

CeC-P@reddit

If it makes you feel better, society on Earth probably doesn't have that long lol.

[-]

chron67@reddit

I... have mixed feelings about this.

[-]

BurtanTae@reddit

Well unfortunately you still have to worry about patching your Home PC(s) :P

[-]

Losha2777@reddit

Bold of you to assume goat farmer has home computer(s).

[-]

ISegunb@reddit

This really is one of the best things I have read today on the internet.

Wishing you all the best on your next Rodeo. Aye! Aye! Captain!

[-]

RunSilentRunAway@reddit

Congratulations! Freedom!

[-]

gomibushi@reddit

Enjoy! I probably won't reach retirement before the climate wars start. :(

[-]

Seirui-16@reddit

Congrats! May all your future meetings start with cocktails.

[-]

BoysenberryDue3637@reddit

You talk about meetings. I woke up in the middle of the night to the Teams ding ding ringing in my head. I'm getting there but still having issues.

[-]

pirutgrrrl@reddit

Congratulations - not a minute too soon!

[-]

TheLostITGuy@reddit

Retired? Whats that?

[-]

Baiteh@reddit

13 here, unlucky for some.... :P

[-]

frac6969@reddit

Happy retirement! Six more years for me.

[-]

Bendy_ch@reddit

25 for me. now I'm depressed

[-]

Entegy@reddit

I am unable to apply this patch to an offline image. I get an error about being unable to apply the unattend file of the msu?

[-]

bjc1960@reddit

We have three computers at remote offices or remote users, and we can't figure out what is causing the lock up as of yet.

[-]

thefinalep@reddit

Who's all ready for Kerberos changes! Hope everyone has been looking out for 0x17.

[-]

HDClown@reddit

I was lazy about this and didn't do proper investigation until last week. Fortunately, it's a small environment and the only thing using RC4 was Entra Connect for SSSO which was an easy fix.

[-]

harveylaw@reddit

I'm doing that this afternoon. Did you just set AES on the AZureADSSOACC and then roll the Entra SSO keys?

[-]

HDClown@reddit

Yup, AES256 specifically. Set msDS-SupportedEncryptionTypes to 16 (0x10) then roll key.

I don't have a lot of SSSO activity, so I did it in the middle of the day with no impact. If you have a ton of SSSO requests, doing it during work hours would causes some to fail between setting AES and rolling the key.

[-]

QuickYogurt2037@reddit

Is this also necessary for group managed service accounts (gMSA)?

[-]

harveylaw@reddit

We used the Get-KerbEncryptionUsage.ps1 script here to find our accounts actively using RC4.

https://learn.microsoft.com/en-us/windows-server/security/kerberos/detect-remediate-rc4-kerberos#use-powershell-to-audit-rc4-usage

[-]

JTp_FTw@reddit

So if I run .\Get-KerbEncryptionUsage.ps1 and get a thousand results but then run it with “-Encryption RC4” filtering option and it returns nothing, I’m good?

[-]

HDClown@reddit

That tells you no events with RC4 tickets, so that's good, at least within the historical period of your event logs. If the event logs go back a couple days or even a couple weeks and you have some random process that might only run once a month and use kerberos auth, it wouldn't necessarily show up yet.

Check out the block I linked in my other comment, it has some PowerShell commands you can run to evaluate how msDS-SupportedEncryptionTyp is defined on objects. Also check registry on your DC's to see if DefaultDomainSupportedEncTypes was set. If neither of those come back with anything that includes RC4, you should be good to go.

[-]

trail-g62Bim@reddit

If neither of those come back with anything that includes RC4, you should be good to go.

If the msDS-SupportedEncryptionType includes RC4 but also includes SHA1, and the account isn't using RC4, that should be good, right? It means it can use RC4 but isn't, so it wont be a problem when it is taken away?

[-]

HDClown@reddit

If you do not see RC4 tickets then you can update msDS-SupportedEncryptionType to an option that does not include RC4.

Easiest way to confirm that is to use the script from Microsoft's article using .\Get-KerbEncryptionUsage.ps1 -Encryption RC4

[-]

trail-g62Bim@reddit

Yeah I just ran that and it looks like I do have a few spots where it is being used for the ticket encryption, even though both the source and target are capable of SHA1. Looks like I need more testing.

[-]

HDClown@reddit

Since you are talking about AD objects, changing msDS-SupportedEncryptionType on the objects you are seeing using RC4 to 24 (AES128/AES256) or 16 (AES256) is the correct action to take.

The only potential risk is if those objects also make requests to something other than your DC's and that destination only accepts RC4.

[-]

trail-g62Bim@reddit

It appears my two big problems are a couple of storage devices. I have set both to 24. Did that a few days ago. One has some accounts connecting with RC4 tickets and AES session keys. The other one is the other way around -- AES tickets with RC4 session keys...and the target is krbtgt.

[-]

HDClown@reddit

If those devices do not run Windows, they are probably going to require a config change and possibly software/firmware update on the devices. I would reach out to support and tell them how you configure those devices to not use RC4.

[-]

trail-g62Bim@reddit

Thanks for the help!

[-]

harveylaw@reddit

I would think you're good but I'm in no way an expert. I'd say be ready with the reg key for your DCs to disable until July just in case.

[-]

HDClown@reddit

You would really need to look at event logs to see if they are using RC4 (make sure you have appropriate auditing enabled on DC's).

You can check see what msDS-SupportedEncryptionTypes is set to on your managed service accounts but if it's something like 20 (0x1C), that allows for RC4/AES128/AES256 so it doesn't definitely tell you what is being used for tickets, so you have to review event logs. If it's set to something that only includes AES128 and/or AES256 then you are good on those. If they are blank, then it would be using whatever is set in DefaultDomainSupportedEncTypes

[-]

QuickYogurt2037@reddit

Thanks a lot! Just to make sure I understand correctly: if my AD environment was set up using Server 2016 DC and is using only Windows 10 / Server 2016 or up, then Kerberos auth should be fine? "DefaultDomainSupportedEncTypes" is unset. I turned on the audit logs, but I dont see any related entries. I dont have have legacy applications in my env.

My plan is to just set DefaultDomainSupportedEncTypes to 0x18 (AES-128 & AES-256) on all DCs? And then see if anything breaks.

[-]

HDClown@reddit

It sounds like you are in a good spot overall.

Just to confirm, for audit logs you are checking Event ID 4768/4768, Ticket Encryption Types in the General info section and looking for 0x17. Those entries generate when new tickets are requested, so it's not something you can just check once and be good

DefaultDomainSupportedEncTypes is only used if msDS-SupportedEncryptionTypes is 0/null/notset, so you need to know what is set in msDS-SupportedEncryptionTypes on all your AD user/computer objects for the full picture. If msDS-SupportedEncryptionType is was manually set on any objects, set from checking "this account suportts kerberos AES 128/256 encryption" or via GPO, then msDS-SupportedEncryptionType will be honored on those objects over whatever DefaultDomainSupportedEncTypes is set to.

Look at this blog, there are a bunch of PowerShell queries to give you details on what is set for msDS-SupportedEncryptionTypes: https://www.samuraj-cz.com/en/article/kerberos-disabling-rc4-part-2-moving-from-rc4-to-aes/

Once you get everything aligned so you know only 0x18 is used, then you will be in a "wait and see if something breaks state" relative to RC4 tickets.

[-]

QuickYogurt2037@reddit

Thanks, I just confirmed that msDS-SupportedEncryptionType is null on all user/computer objects in AD. So I will just set DefaultDomainSupportedEncTypes globally and see if anything breaks. ¯_(ツ)_/¯

[-]

harveylaw@reddit

Thanks. We have quite a bit of Entra SSO activity so I'm waiting for off-peak time to get this done. I appreciate the response.

[-]

VulturE@reddit

cd $env:programfiles"\Microsoft Azure Active Directory Connect"
Import-Module .\AzureADSSO.psd1
New-AzureADSSOAuthenticationContext #must be global admin or hybrid identity administrator
Get-AzureADSSOStatus | ConvertFrom-Json
$creds = Get-Credential #must be domain admin entered in domain\admin or domain.com\admin format, admin cannot be in Protected Users group
Update-AzureADSSOForest -OnPremCredentials $creds

And yes, just do this bit after you've already edited the AzureADSSOACC value for msDS-SupportedEncryptionTypes to 24 or whatever number your agency has decided to use.

[-]

harveylaw@reddit

Just learned about these last week. Been rushing to get RC4 cleaned up. Not quite there yet so I'll be postponing out DC updates for a few days until we can get this finished. We'll push out some user patches and member server patches to test as usual to make sure that this doesn't cause issues there.

[-]

redsedit@reddit

You are not alone. Discovered [hopefully] one last device and it can't be upgraded to AES, so I've spent the last few days doing an emergency migration. Fun...not.

[-]

Old_Outcome8049@reddit

Thanks for mentioning this. This somehow totally blindsided me and your message made me check. Totally have 201 and 202 events, so I need to figure out what we can do. Appreciate the casual mention.

[-]

woodburyman@reddit

I'm ready. Only because we haven't been patching our DC's since Nov 2022 in the last Kerberos changes that eliminated Kerberos delegation for Server 2003 effectively. We still have a IIS site on Server 2003 running business critical functions. And they fired the guy porting the legacy code/system to a new application 14mo ago and have yet to replace him. FML.

[-]

DaveRaveDJ@reddit

I've got about 200 Windows 2K/2K3 servers left that are running critical services. You can safely patch to Jan 2023 (we have) and probably Sept 2023 (when the "KrbtgtFullPacSignature CVE-2022-37967 fix" broke pre-2K8 boxes).

You'll need to set DefaultDomainSupportedEncTypes (GPO on DCs) and/or msds-SupportedEncryptionTypes (AD attribute on affected user/computer objects). 0x27 is good for you but you might try 0x3C.

[-]

TheBros35@reddit

200 on 2003 or older?!? How many servers in total do you have?

[-]

ElizabethGreene@reddit

This needs to be documented to your senior managers in writing, repeatedly, using specific phrases like "thousands of outstanding unpatched vulnerabilities create a material business risk" and "our data and our customer's data is not safe or protected".

[-]

woodburyman@reddit

It has been. It's been brought directly to our CEO and I told them that more or less our entire IT department is falling apart, and I can't be liable or held responsible for this. I don't even bother getting security audits anymore because the top 10 things on any list my hands are tied on.

[-]

ElizabethGreene@reddit

I feel your pain. In terms of risk management, do you have any HIPPA (medical) or PCI (credit card/identity) data in that environment? If so, that's a show stopper. Can you move your modern devices to a separate forest that can be updated?

[-]

woodburyman@reddit

Luckily no. Maybe lucky isn't the right word.... The only thing we're somewhat subject to is CMMC/Nist 800-171. We were going for Level 1 CMMC 2.0 accreditation when our IT staff was reduced from 4 to 2. We haven't applied although we took a lot of the steps.

The devices cant easily be moved. The codes so old changing the forest or domain their in and modifying it to allow trusted connections to our main domain just isn't feasible. Im tempted to just turn the VM off, delete it, and go "whoops" one of these days as for 12 years I've raised flags about it and nothinggs been done.

[-]

throwaway_eng_acct@reddit

Holy hell. At this point the right, just, and moral thing to do is to find a new job that isn’t trying to give you stress-induced heart disease.

[-]

woodburyman@reddit

Tell me about it. Myself and one other for IT got a 300+ $65M company. We were also told last week don't expect new hires or things to change for a year.

[-]

Vic20DBA@reddit

For anyone else working with SQL.. Last week we restricted traffic to only AES and half our test SQL servers went offline, so I knew I had work to do. I found a good query to check server authentication and the servers that lost connectivity all showed using NTLM authentication. The fix was adding DNS mappings for service accounts to their respective SQL server/instance. A couple of those showed using a dynamic port, so I changed them to static so the named instances using alternative ports wouldn't change. All servers showed using Kerberos authentication after these changes and there were no issues after restricting traffic to AES again. I'm happy to share the SQL query and DNS command syntax if anyone needs it.

[-]

Silver-Ad7638@reddit

To be sure, you added SPNs for those service accounts and their SQL Server Instances?
In our environment, almost every SPN is automatically created.

[-]

Vic20DBA@reddit

You got it! For some reason SPNs didn't get created for some of our service accounts. Thankfully, it's an easy fix.

[-]

Vivid_Mongoose_8964@reddit

I plugged this into chatgpt for some help. here's the two PS scripts it provided to check for RC4, posting here for others.

Get-WinEvent -FilterHashtable @{

LogName='Security'

Id=4769

} | Where-Object {

$_.Properties[5].Value -eq 0x17

} | Select-Object TimeCreated,

@{Name="User";Expression={$_.Properties[0].Value}},

@{Name="Service";Expression={$_.Properties[2].Value}} |

Format-Table -AutoSize

What this means:

0x17 = RC4 encryption
If you see results → ⚠️ you still have RC4 dependencies

-------------------------------------------------------------------------------------------------------------

Get-WinEvent -FilterHashtable @{

LogName='Security'

Id=4768

} | Where-Object {

$_.Properties[8].Value -eq 0x17

} | Select-Object TimeCreated,

@{Name="User";Expression={$_.Properties[0].Value}} |

Format-Table -AutoSize

👉 If this returns anything:

Your users or systems are requesting RC4 tickets
This is a bigger red flag

[-]

ElizabethGreene@reddit

The updates they shipped earlier this year means you can get this information much more easily by filtering the DC system logs for event IDs 200-209.

[-]

lgq2002@reddit

If you have already disabled RC4 usage via group policy for domain controllers, this shouldn't be any concern I think.

[-]

Cormacolinde@reddit

About the only environment I manage directly right now (project to be handed over the customer in a few weeks) has had RC4 disabled at the AD level. But I’m sure I’ll get customer calls in the next few weeks.

[-]

techvet83@reddit

https://strongwind1.github.io/Kerberos/ is a very good source of information on this topic. I will be installing the auditing key on our DCs to buy us time while certain teams get their act together.

[-]

n1ckst33r@reddit

Its Not the final Switch. July is the final Change , now with April you can rollback. So when Not ready , you have 2 months more time

[-]

thefinalep@reddit

You're correct, I'm treating this month as the deadline so I have the next two months to fix anything I might of missed or overlooked.

[-]

n1ckst33r@reddit

Absolutely!

[-]

andyr354@reddit

I should be. I've enforced it on my DCs for a couple months now.

[-]

FullExchange7233@reddit

Seems to have broken ADFS for us, anyone else?

[-]

mikeyes5@reddit

Also seeing ADFS broken immediately post April patching. ADFS console loads but WAP connection is not occurring. Server 2019, isolated DMZ servers multiple SAML authentications in operation.

[-]

IndyPilot80@reddit

Anyone see Win 11 systems reverting to "Spotlight" desktop background?

Have had a couple of 25H2 go from "Picture" to "Spotlight" after installing KB5083769.

[-]

Flyerman85@reddit

Not on servers but saw on a workstation, we replace the img0.jpg and on a system that had that it swapped to "Spotlight" after KB5083769

[-]

QuickYogurt2037@reddit

Wtf is this new prompt for .rdp files? We use signed rdp files and still get these prompts?!

Any way to disable this new "feature"?

[-]

HDClown@reddit

Microsoft article: https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/remotepc/understanding-security-warnings

Was there literally no advance notice from Microsoft about this? First time I saw anything about it was from a Message Center notification that went out today, the day the patch is being rolled out, WTF?

There is a registry key you can set to disable the new behavior which I'm pushing out now to gain more time to deal with this.

Only files signed by a trusted publisher give you the option to save the desired redirect settings, but unsigned files do not. The .RDP files we provide today are not signed so this would cause havoc.

I am thinking that if you use a signed file, you can pre-set the "trust these redirection sources and don't ask again" when editing the RDP file in text editor. Will need to test it out once I have a signed file to play with, but I'm sure some bloggers will have info on it before I have that time to test.

[-]

scotterdoos@reddit

I'm still currently testing it out, but it appears to honor the following policy setting and doesn't prompt me with the expected 2nd warning dialog.

Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client

Specify the SHA1 thumbprints of certificates representing trusted .rdp publishers. Enabled with a comma separated list of SHA1 cert thumpbrints.

For me this has cleared out the 2nd warning dialog for our connection brokers.

[-]

No_Whereas_8803@reddit

What kind of cert is needed for this?
I have tried using a remote desktop cert it says it was successful, but nothing ever gets applied?

[-]

scotterdoos@reddit

Assuming you have a correct cert bound for terminal services, or at least have policy set to use a specific certificate template with the correct EKU and OIDs (https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/remote-desktop-services-certificates?tabs=gui) simply just need to set the certificate's thumprint in the trusted publisher policy I listed above. I believe the dialog may be case sensitive. I read somewhere that you have to make sure all lowercase letters are capitalized when you configure the policy.

[-]

HDClown@reddit

A couple others have confirmed that setting the trusted cert thumbprints on a signed RDP file is preventing the second popup. You can set the trusted certs via GPO and in Intune as well.

https://old.reddit.com/r/sysadmin/comments/1sm61eo/fyi_microsoft_rdp_changes_with_april_cumulative/ogclwab/

[-]

CheaTsRichTeR@reddit

We have a RDS farm which generate signed RDP files and we have set the GPO

Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client\Specify the SHA1 thumbprints of certificates representing trusted .rdp publishers

But both Reistry tweaks above are not working...

[-]

cashew76@reddit

Reply For the almighty algorithm and yeah why a check box which doesn't do anything to prevent subsequent nags.:

[-]

Tl9zaXh0eWZvdXI@reddit

Signing the file doesn't make the popup go away, it just goes from unknown to a verify the publisher text. The page you linked has screenshots of it.

Yes signing the rdp file does add a bunch of signing data to the file itself.

I just used the regkey, I'm ok with a big warning on unsigned, but a popup on every connection on signed ones is fucking stupid.

[-]

HDClown@reddit

Screenshots show that signed files add a checkbox at the bottom for "Remember my choices for remote connections from this publisher", do you not get that?

I'm also now wondering if that checkbox sets a registry entry since it's "from this publisher" and not "for this connection"

[-]

Tl9zaXh0eWZvdXI@reddit

Yep, but it only remembers the choices from the checkboxes above it about remote resources, not the popup itself.

No idea about where that's stored, most likely a regkey somewhere. I do know rdp credentials are stored in Credential Manager, but that doesn't support other random data as far as I know.

[-]

HDClown@reddit

Oh lame. I was hoping that the checkbox would prevent the popup from showing up once it was set. I imagine Microsoft will get a lot of shit about this from all over the place, including large enterprise customers. That will hopefully cause them to provide a way to deploy an RDP file that won't always bring up the popup without having to rely on the workaround registry setting.

[-]

Tl9zaXh0eWZvdXI@reddit

I would have thought that too and yeah I assume and hope microslop gets lots of shit about this. I understand the warning for unsigned rdp and I even get the concern over how easy it is to get a signing cert to bypass warnings, but this is not an acceptable "solution".

[-]

bostjanc007@reddit

And what kind of registry key exists that would exclude this warning? Helpdesk department is already full of tickets and questions about this new RDP security pop up

[-]

HDClown@reddit

It's at the bottom of https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/remotepc/understanding-security-warnings

HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Client with the following values:

Name: RedirectionWarningDialogVersion
Type: REG_DWORD
Data: 1

[-]

Green-Wallaby9663@reddit

Key: HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Client
Name: RedirectionWarningDialogVersion
Type: REG_DWORD
Data: 1

[-]

iiiRaphael@reddit

Looks like you can still run the executable with arguments and there’s no pop up. Might be suitable for some people. MSTSC.exe /v:hostname

[-]

HDClown@reddit

The change only applies to saved .RDP files.

[-]

iiiRaphael@reddit

Yeah, I'm just suggesting that people who want to avoid the popup could create a shortcut to MSTSC with the /v command line argument instead of using an .RDP file. You certainly don't get the same degree of control - but it could be suitable for some users.

[-]

ElizabethGreene@reddit

It's to keep me from sending your users a (signed or unsigned) RDP file to my RDP server where I steal their credentials when they log in.

[-]

QuickYogurt2037@reddit

Thats why you dont allow outgoing RDP connections to random IPs. Does the warning show once for each signed RDP file?

[-]

Green-Wallaby9663@reddit

Key: HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Client
Name: RedirectionWarningDialogVersion
Type: REG_DWORD
Data: 1

[-]

raresolid@reddit

This is madness… I tried making my own signed file and importing it. Didn’t work for me, will have to resort to the registry change, although Microsoft states that future updates may disable that registry change…..

[-]

PenguinTribe@reddit

Time to look for ways to permanently disable future windows updates.

[-]

GMkOz2MkLbs2MkPain@reddit

https://windowsforum.com/threads/april-2026-rdp-security-warnings-block-redirections-stop-rdp-phishing.412699/ looks like an overhaul this is going to be a headache but hopefully for the best.

[-]

landon_at_automox@reddit

A few things worth flagging from this month:

CVE-2026-32201 (SharePoint XSS, CVSS 6.5)

Actively exploited, confirmed by Microsoft. No authentication required on internet-facing instances. Patch this before the higher-CVSS SQL bug since active exploitation changes the priority order.

CVE-2026-33120 (SQL Server EoP, CVSS 8.8)

Escalates an existing foothold to sysadmin via SQL injection in the database engine. Not actively exploited yet, but a companion SQL Server RCE dropped in the same cycle and the two can be chained. Shared service accounts across SQL instances are your worst-case scenario.

Also worth noting: \~80 Edge/Chromium fixes released this month. None confirmed exploited, but browser updates are the lowest-friction patches you'll push all month.

Secure Boot reminder: monthly BIOS/firmware/OS updates are delivering certificate rotations that need to be in place before Microsoft's current certs expire. Endpoints that miss the window won't boot.

Full breakdown from Automox's security team is on the blog and on the Patch [FIX] Tuesday podcast.

[-]

fiddlesmg@reddit

this is not true is it> Endpoints that miss the window won't boot

[-]

SomeWhereInSC@reddit

agreed that is not the case, no new certs just means your now vulnerable to bios/boot hacks...

[-]

landon_at_automox@reddit

Good point, thanks. The machine will still boot since UEFI doesn't check cert expiry dates on boot.

The main issue is that once Microsoft stops signing boot updates with the old certs, machines without the new ones can't install them.

[-]

bdam55@reddit

Right: the problem is that you won't get future secure boot updates until you get the 2023 secure boot certs installed and working. So June is a deadline of sorts, but not a particularly hard one.

[-]

FCA162@reddit

Windows release health: April Windows security update might trigger a one-time BitLocker recovery screen

Status: Mitigated

Affected platforms:

Windows 11, version 25H2/24H2/23H2
Windows 10, version 22H2/21H2
Windows Server 2025
Windows Server 2022

Some devices with an unrecommended BitLocker Group Policy configuration might be required to enter their BitLocker recovery key on the first restart after installing the April 2026 Windows security update (the Originating KBs listed above), or a later update.

This issue only affects a limited number of systems in which ALL of the following conditions are true. These conditions are unlikely to be found on personal devices not managed by IT departments.

1. BitLocker is enabled on the OS drive.

2. The Group Policy "Configure TPM platform validation profile for native UEFI firmware configurations" is configured, and PCR7 is included in the validation profile (or the equivalent registry key is set manually).

3. System Information (msinfo32.exe) reports Secure Boot State PCR7 Binding as "Not Possible".

4. The Windows UEFI CA 2023 certificate is present in the device’s Secure Boot Signature Database (DB), making the device eligible for the 2023‑signed Windows Boot Manager to be made the default.

5. The device is not already running the 2023-signed Windows Boot Manager.

In this scenario, the BitLocker recovery key only needs to be entered once -- subsequent restarts will not trigger a BitLocker recovery screen, as long as the group policy configuration remains unchanged. For help finding your BitLocker recovery key, see the article, Find your BitLocker recovery key.

This issue occurs because, beginning with the April 2026 Windows security update (the Originating KBs listed above), systems with the Windows UEFI CA 2023 certificate present in the Secure Boot DB switch the default boot manager to the 2023-signed Windows Boot Manager. This boot manager change results in a PCR7 measurement change. When PCR7 is explicitly included in the BitLocker validation profile through group policy—even though binding is reported as "Not Possible"—BitLocker detects a platform integrity change and requires recovery. Under the default behavior (when the Group Policy is not configured), Windows automatically choses an appropriate PCR validation profile that is suitable for the hardware, which avoids this issue. When PCR 7 binding is reported as "Not Possible", BitLocker switches to the PCR 0,2,4,11 validation profile instead of PCR 7,11.

Enterprises are recommended to audit their BitLocker group policies for explicit PCR7 inclusion and check msinfo32.exe for their PCR7 binding status before installing the April 2026 Windows security update. Details about this group policy are shown below.

Group Policy Details

· Policy Name: Configure TPM platform validation profile for native UEFI firmware configurations

· Policy Path: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives

· Registry Path: HKLM\SOFTWARE\Policies\Microsoft\FVE

· Registry Value: OSPlatformValidation_UEFI

Warning: Microsoft does not recommend configuring this policy. Changing the default platform validation profile affects device security and manageability. Setting this policy might prompt a BitLocker recovery when firmware is updated. If this policy is set to include PCR0, suspend BitLocker prior to applying firmware updates.

Workaround

Option 1: Remove the Group Policy configuration before installing the update (Recommended)

1. Open Group Policy Editor (gpedit.msc) or your Group Policy Management Console.

2. Navigate to: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.

3. Set "Configure TPM platform validation profile for native UEFI firmware configurations" to "Not Configured".

4. Run the following command on affected devices to propagate the policy change: gpupdate /force

5. Run the following command to suspend BitLocker (where BitLocker is enabled on the C: drive): manage-bde -protectors -disable C:

6. Run the following command to resume BitLocker (where BitLocker is enabled on the C: drive): manage-bde -protectors -enable C:

7. This updates the BitLocker bindings to use the Windows-selected default PCR profile.

Option 2: Apply the Known Issue Rollback (KIR) before installing the update

A Known Issue Rollback (KIR) is available for customers who cannot remove the PCR7 group policy before deploying the April 2026 Windows security update (the Originating KBs listed above). The KIR prevents the automatic switch to the 2023 Boot Manager, avoiding the BitLocker recovery trigger. The KIR should be deployed before installing the update on affected devices. Contact Microsoft’s Support for business to obtain this KIR.

Next Steps:

A permanent resolution for this issue is planned in a future Windows update. We will provide more information when it is available.

[-]

Silver-Ad7638@reddit

Curious for your source - I found

This update addresses an issue where the device might enter BitLocker Recovery after the Secure Boot updates.

under the Server release notes, plus an article on BleepingCompy, but nothing for desktop OS

I'd love to know that some of the random bitlocker stuff happening over the last few months wasn't my fault.

[-]

bdam55@reddit

Message Center: https://admin.cloud.microsoft/?source=applauncher#/windowsreleasehealth/knownissues/:/issue/WI1280135

KB (same story for pretty much every other April update/KB): https://support.microsoft.com/en-us/topic/april-14-2026-kb5083769-os-builds-26200-8246-and-26100-8246-22f90ae5-9f26-40ac-9134-6a586a71163b

[-]

Silver-Ad7638@reddit

Thanks!

[-]

poncewattle@reddit

I've had quite a few people call me about the bitlocker screen over past few months. I just advise them to C-A-D and it always works the second time. Annoying though. Just seems so random.

[-]

Zaphod_The_Nothingth@reddit

This has been happening on our CAD machines for YEARS. Never been able to work out a fix.

April Windows security update might trigger a one-time BitLocker recovery screen

[-]

admlshake@reddit

Anyone else having issues with Edge? Seems like when I go to google and type anything in the search box it goes dog ass slow. Like I can take my hand off the keys and wait for it to catch up. Some other sites are having the same issue. Yet, for this comment it's going fine. Didn't start until I rebooted yesterday to install the updates. Going to try and roll back if I can't find any other issue to make me think it was something else.

[-]

virtualuman@reddit

KB5083769 RDP warning is going to be an issue!

[-]

FCA162@reddit

Why?
fyi: Administrators can temporarily disable these protections by going to the HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Client Registry key and modifying the RedirectionWarningDialogVersion value so it is set to 1.

[-]

CheaTsRichTeR@reddit

And this setting does not work on my testclient...

[-]

raresolid@reddit

Don’t forget that Microsoft says they will remove this registry option in a future security release.

[-]

link470@reddit

We've had IT staff now report that after installing April 2026 updates for Windows 11 v25H2 (KB5083769), the Print Management RSAT tool no longer launches. Instead, the Microsoft Management Console service uses a full core of CPU and just sits there in Task Manager.

You *can*, however, still open MMC and add a Print Management snap-in and manage printers this way. That works no problem. But the Print Management tool itself doesn't launch.

[-]

xqwizard@reddit

Working ok for me on 25h2

[-]

FCA162@reddit

Understanding security warnings when opening Remote Desktop (RDP) files | Microsoft Learn

[-]

tracagnotto@reddit

IMHo this has to do with the Mythos/Capybara release from Claude. They must've discovered something nasty and patched it on the go giving you responsibility it something happens lmao

[-]

carrots32@reddit

Inferring here without much public info, CVE-2026-33824 seems very worrying for anyone using Always-on-VPN / RRAS. Typically a Windows server with public-facing IKEv2.

Microsoft's mitigation without updating is "configure firewall rules to allow inbound traffic on UDP ports 500 and 4500 only from known peer addresses" which kind of defeats the purpose of an enterprise VPN.

Probably a "patch immediately" situation.

[-]

InvisibleTextArea@reddit

Our external facing AoVPN servers patch as soon as they can get the updates. I'd rather have a broken AoVPN server than a vulnerable one.

[-]

user_is_always_wrong@reddit

Better to have a server that no one can connect to rather everyone without password can connect to.

[-]

vastarray1@reddit

Our handful of Windows 11 Enterprise LTSC testers are having problems with their Taskbar not loading, Start Menu missing, error message stating (title bar explorer.exe) "The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application." Removing KB5083769 brought them back to normal.

[-]

hingino@reddit

I had this issue in March on my test machines. Found WDAC was blocking .appx packages installed by the update. Removing WDAC policies let the update run properly.

[-]

vastarray1@reddit

The fix for us was "DISM /Online /Cleanup-Image /RestoreHealth" followed by "sfc /scannow"

[-]

schuhmam@reddit

Through a very helpful posted guide, I discovered that two Synology DS1618+ units (DSM 7.3.2-86009 Update 3) were missing the 'msDS-SupportedEncryptionTypes' value of 0x18 (24). I updated the setting, rebooted them (probably not necessary), and ran an LDAP test against the AD. Everything appears to be working fine. SSO is still working and the test was successful.

[-]

redsedit@reddit

I'm running into that too. Apparently only DSM 7+ supports AES. If you have a model where there is no v7 update (🤚), you are SOL.

[-]

SilentBuilding3915@reddit

Personal observations so far, fails to installs and rolls back on the following; Windows 11 23H2 & 24H2, Windows Server 2016 & Windows Server 2025 also. Windows Server 2019 & 2022 seem ok. FYI - These are on our testing builds. Microsoft Form = Poor!

[-]

No_Salamander846@reddit

Its not the same without taco

[-]

Lets_Go_2_Smokes@reddit

He literally would just post things like "updating 1,000,000 servers tonight!!" without much else. I think we can survive.

[-]

timbotheny26@reddit

It was less his comments and more that he served as a great litmus test for potential issues since had so many end points he was updating at once.

I miss him specifically for that reason.

[-]

natecull@reddit

It was less his comments and more that he served as a great litmus test for potential issues since had so many end points he was updating at once.

Did he really though? The number always kept changing.

My headcanon is that Taco's actual network was two gaming PCs in his bedroom.

[-]

timbotheny26@reddit

Well he was one point of information I would take into consideration, but he certainly wasn't the only one - that would be foolish.

[-]

jake04-20@reddit

You forgot the cigarette emoji 🚬

[-]

TheLostITGuy@reddit

Thank you! The taco fan girls are silly.

[-]

timbotheny26@reddit

I miss him.

Please return to us Taco!

[-]

bostjanc007@reddit

Damn i havent been awhile following this thread. So've they ban taco for what reason?

[-]

fujitsuflashwave4100@reddit

Used one of these patch megathreads to post a multi-paragraph political comment that was removed by the mods. He was given a temp ban for off-topic discussion. He went to another sub, posted the same thing, and then claimed the mods here banned him for his post in another subreddit. Mods here posted proof that he did also post it in the patch thread. He conveniently claims he forgot that he had also posted it here. The temp ban has been long over but he doesn't post here anymore.

[-]

dreamfin@reddit

Let me guess... Claimed the patch was high quality tested by a professional QA team?

[-]

landob@reddit

He still banned? I thought it was only for like 7 days.

[-]

RunSilentRunAway@reddit

Pretty sure he isn't banned, he just was offended by being banned and is no longer contributing

[-]

PTCruiserGT@reddit

That's understandable, but dang.

[-]

GeeToo40@reddit

🚬🚬🚬🌮🌮🌮

[-]

urjuhh@reddit

4.5GB .msu, half of it crap that doesn't apply to most computers. Nice carbon footprint...

[-]

Hi_Tech_Low_Life@reddit

Yeah, the patch installers have become massive. Microsoft did introduce a system called checkpoint cumulative updates, but AFAIK they have released only one of those in september 2024 (I think). Another one is long overdue!

[-]

PTCruiserGT@reddit

Yes, the checkpoint cumulative updates is what I was thinking of. Seems like they gave up on them.

[-]

PTCruiserGT@reddit

Whatever happened to delta/checkpoint updates? Those were supposed to be smaller.

[-]

bdam55@reddit

Copilot model updates, that's what.

But as others have called out; in the real world the endpoint shouldn't be downloading the whole MSU file. If you download it manually from the catalog then ... yea ... it's the whole thing.

[-]

ElizabethGreene@reddit

The updates are still deltas internally and WU+DO/BITS will only download the parts they need. If your patching process needs the whole MSU though, it's suboptimal.

[-]

Lazy-Function-4709@reddit

This is a great question. I totally forgot about this. Maybe if you're using a managed solution the client only downloads the bits it needs? That's what's sticking in my memory for some reason.

[-]

Resident-War8004@reddit

Updated Win 11, Server 2019, 2022 and 2025 test machines without issues. Hesitant to deploy to production due to the number of issues I have seen posted on this thread. Will make a decision tonight.
Good luck to all admins out there!

[-]

jake04-20@reddit

Multiple reboots for this round of updates. Not that big of a deal but still a minor annoyance.

[-]

ohioleprechaun@reddit

Is anyone else seeing Windows Recall (preview) being installed with the April update?

[-]

4wheels6pack@reddit

Will be testing this on my homelab server (2025) first before this goes anywhere near production. Lots of ugly reports so far

Fascinating to think that the reason we all gather to this thread every month is because there are so many new exploits/holes and these updates break so many things. You would be forgiven for assuming these systems should be more secure and stable with each passing month.

[-]

flyguydip@reddit

Anyone else seeing Cumulative Update (Kb5083769 v26200.8246) rollbacks after the new Malicious Software Removal Tool v5.140 installs?

I was working on loading up some new machines from scratch (via MDT) with the Windows 11 25h2 .iso when windows found 5 updates waiting to be installed (KB2267602, KB5082417, KB5083769, KB890830, and KB2267602). The first update (the new Malicious Software Removal Tool v5.140) installs without a problem and then the new CU starts. On 3 separate attempts to install windows on 2 different machines, CU 2026-04 fails to install after it initiates the first reboot. It then reverts the CU and finishes the deployment. On first login, I go to check for new updates and find that all but the MSRT are waiting to be installed. Once WU finds the remaining 4 updates, they all install without an issue.

To verify MSRT was causing some sort of conflict with the CU, I created a new task to silently install v5.140 and reboot before running the first windows update task and, wouldn't you know it, the entire deployment finishes without a problem, updates and all.

[-]

pirutgrrrl@reddit

A haiku:
Patch Tuesday thread
is now filling me with dread
the thread keeps growing

[-]

Lets_Go_2_Smokes@reddit

The large calendar when clicking the clock is back!

[-]

TheLostITGuy@reddit

It was gone?

[-]

Scrios@reddit

At one point it didn't open the big calendar when clicking the clock on a secondary monitor.

I think this was fixed a month or two ago, though.

[-]

nosurprisespls@reddit

oh man, I got to check that out. My laptop's calendar stopped working when clicking on the clock for a year or more, and I tried a bunch of fixes/scans/repair steps and nothing worked. I ended up downloading a separate calendar app (Rainlendar) lol. I stopped using Windows 11 on that laptop a few months ago after installing Linux; I guess I'll boot up that partition to see if this annoying bug is fixed.

[-]

dhayes16@reddit

Yikes. The sky is definitely falling today. So far uninstalled the April update on 4 systems. Have many more to go. Remote printing completely broken via rdp. Remote desktop to azure joined systems broken (forces windows hello, etc). Quite insane. Gonna be a long day

[-]

Ehfraim@reddit

Probably due to this: https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/remotepc/understanding-security-warnings
Inform end users and let them accept the warnings and that they choose correct resources to be allowed? Printers for example.

[-]

Proper-Mobile-3702@reddit

I have users who are not receiving any prompt. they can sign into the sesison host without it, but the redirected printer is now missing. Not sure whats going on there.

[-]

dhayes16@reddit

This seemed to fix it for me. Basically a kill switch to force back to version 1 for RDP printers.

reg add "HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Client" /v RedirectionWarningDialogVersion /t REG_DWORD /d 1 /f

[-]

dhayes16@reddit

Yes thanks. For the printer redirection thing that works. But we need to find a way to make it more permanent. Changing the rdp file to enable printer redirections does not work. The windows hello issue is still an issue so we need to uninstall the update until we can ascertain the issue. I understand signing the connection is the proper option but for remote access into windows 11 systems it will be a challenge.

[-]

FCA162@reddit

Microsoft adds Windows protections for malicious Remote Desktop files

Microsoft has introduced new Windows protections to defend against phishing attacks that abuse Remote Desktop connection (.rdp) files, adding warnings and disabling risky shared resources by default.

As part of the April 2026 cumulative updates for Windows 10 (KB5082200) and Windows 11 (KB5083769 and KB5082052), Microsoft has now released new protections to prevent malicious RDP connection files from being used on devices.

After installing this update, when users open an RDP file for the first time, a one-time educational prompt is shown that explains what RDP files are and warns about their risks. Windows users will then be prompted to acknowledge that they understand the risks and press OK, which will prevent the alert from being shown again.

[-]

Proper-Mobile-3702@reddit

I have several users (so far) that are not receiving any prompt at all, but their local printers are no longer redirecting. Curious if anyone else has seen this.

[-]

Upstairs-Mix674@reddit

I cannot log in (Password wrong) after installing these updates to ws2025. Anyone else experiencing this? Any solutions yet?

[-]

episode-iv@reddit

Your account probably doesn't have an AES key yet because the password was last changed before raising your domain's functional level to 2008.

See https://strongwind1.github.io/Kerberos/security/quick-start/#step-2-check-their-encryption-type-settings for details.

Short version: Set HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\RC4DefaultDisablementPhase to 1 and restart the KDC service. Then spend the time until July to remove RC4.

[-]

lordcochise@reddit

lol thanks for this - we have some task-based accounts with limited perms that are for general use and they definitely have static passwords that were created back in the paleolithic.

I was so certain it was some kerb / domain issue post-update I was trying everything on two specific machines until it became clear it was a specific-account related lol

[-]

Upstairs-Mix674@reddit

Thanks, Figured that out now by myself before seeing your reply. I reset my Domain Admins password via the local admin account and think this should've updated the AES key. I now require all Domain Users to change their passwords upon next login, this should probably do the trick. (Very small AD).

[-]

episode-iv@reddit

That probably won't work unless you set the registry key allowing your users to login with their existing RC4 key.

[-]

AzureAsTheNightSky@reddit

Seeing random systems fail to install the 2026-04 monthly update. 0x80242016 I think? Trying to determine a pattern but it's a nonzero number of boxes.

[-]

BrechtMo@reddit

anyone else noticing Outlook (classic) notifications being re-enabled after the Office / windows update? (W11 23H2, Office 365 monthly enterprise)

[-]

FCA162@reddit

Microsoft EMEA security briefing call for Patch Tuesday April 2026

The slide deck can be downloaded at aka.ms/EMEADeck (available)

The live event starts on Wednesday 10:00 AM CET (UTC+1) at aka.ms/EMEAWebcast.

The recording is available at aka.ms/EMEAWebcast.

The slide deck also contains worth reading documents by Microsoft.

What’s in the package?:

A PDF copy of the EMEA Security Bulletin Slide deck for this month
ESU update information for this month and the previous 12 months
MSRC Reports in .CSV format, for this month’s updates including detailed FAQ’s and Known Issues data.
Microsoft Intelligence Slide
A Comprehensive Handbook on "Navigating Microsoft Security Update Resources" !

[-]

FCA162@reddit

Enforcements / new features in this month’ updates

/!\ Kerberos KDC – RC4 Usage Restrictions for Service Ticket Issuance related to CVE-2026-20833 / KB5073381 (April 2026 - Enforcement Phase with manual rollback)

Security Impact

RC4 is no longer considered secure for Kerberos service tickets.
Strengthens Kerberos authentication using AES-based encryption
Legacy service accounts or applications relying on RC4 may experience authentication failures if not updated
Enforcement mode enabled by default on domain controllers
Accounts without explicit encryption configuration default to AES-only
Non-compliant services may fail authentication

IMPORTANT Installing updates released on or after January 13, 2026, will NOT address the vulnerabilities described in CVE-2026-20833 for Active Directory domain controllers by default. To fully mitigate the vulnerability, you must move to Enforced mode (described in Step 3) as soon as possible on all domain controllers.

Upcoming Updates/deprecations

June 2026

Secure Boot playbook for certificates expiring in 2026 - Windows IT Pro Blog

Secure Boot certificates have always had expiration dates. New certificates help ensure that your devices stay up to date with the latest security protections. That is why your organization will need to install the 2023 CAs before the 2011 CAs start expiring in June of 2026.

July 2026

/!\ Kerberos KDC – RC4 Usage Restrictions for Service Ticket Issuance related to CVE-2026-20833 / KB5073381 (Enforcement Phase)
Audit-only mode removed
RC4DefaultDisablementPhase registry control no longer supported
RC4 service ticket issuance effectively blocked unless explicitly configured per-account

IMPORTANT Installing updates released on or after January 13, 2026, will NOT address the vulnerabilities described in CVE-2026-20833 for Active Directory domain controllers by default. To fully mitigate the vulnerability, you must move to Enforced mode (described in Step 3) as soon as possible on all domain controllers.

Second half of 2026

Advancing Windows security: Disabling NTLM by default Phase 2: Addressing the top NTLM pain points

February 2027

CVE-2024-30098 Windows Cryptographic Services Security Feature Bypass Vulnerability The DisableCapiOverrideForRSA registry key will be removed.

Product Lifecycle Update

Announcements

Support for Windows Server 2016 will end in January 2027

Plan for Windows Server 2016 and Windows 10 2016 LTSB end of support - Windows IT Pro Blog

[-]

FCA162@reddit

Bleepingcomputer: Microsoft April 2026 Patch Tuesday fixes 167 flaws, 2 zero-days

Tenable: Microsoft’s April 2026 Patch Tuesday Addresses 163 CVEs (CVE-2026-32201)

Latest Windows hardening guidance and key dates - Microsoft Support

Patch Tuesday April 2026 - Action1

The April 2026 Security Update Review - Zero Day Initiative

Microsoft Patch Tuesday – April 2026 - Lansweeper

[-]

dragunov84@reddit

Ready to deploy some high-quality tested patches

gif

[-]

dreamfin@reddit

God speed to you sir!

[-]

PepperdotNet@reddit

Good luck finding any of those.

[-]

MikeWalters-Action1@reddit

Key third-party vulnerabilities to note ahead of this month’s Patch Tuesday (top 10 by importance and impact):

Cisco Secure Firewall: Critical remote code execution vulnerabilities (CVE-2026-20079, CVE-2026-20131, CVSS 10.0)
Ivanti Endpoint Manager: Unauthenticated access; actively exploited in the wild (CVE-2026-1603, CVSS 8.6)
Chromium / Chrome: Multiple actively exploited zero-days (CVE-2026-3909, CVE-2026-3910, CVE-2026-5281, CVSS 8.8)
Fortinet Network Security Appliance: Remote code execution with confirmed real-world exploitation (CVE-2026-35616, CVSS 9.1)
F5 BIG-IP: Unauthenticated remote code execution; actively exploited (CVE-2025-53521, CVSS 9.8)
Nginx UI: Unauthenticated access to backup data (CVE-2026-27944, CVSS 9.8)
Oracle WebLogic: Critical unauthenticated remote code execution (CVE-2026-21992, CVSS 9.8)
HPE Aruba AOS-CX: Authentication bypass (CVE-2026-23813, CVSS 9.8)
MongoDB Server: Unauthenticated denial-of-service (CVE-2026-25611, CVSS 7.5)
Microsoft 365 Copilot: Information disclosure vulnerability (CVE-2026-26133, CVSS 7.1)

[-]

SecureNarwhal@reddit

Adobe also has a zero day addressed by their April 14th patch

[-]

AnDanDan@reddit

Thats last months patch tuesday youve got linked.

[-]

MikeWalters-Action1@reddit

Thanks for pointing that out, this has been updated now!

[-]

MediumFIRE@reddit

Installed the April CU for Server 2016 on one of our DCs. From download / install / reboot - 1 hr 45 m. Cannot wait to kill off the last 4 servers running 2016.

[-]

techvet83@reddit

Looks like al supported versions of .NET Core and .NET Framework are being patched this month.

.NET and .NET Framework April 2026 servicing releases updates - .NET Blog

[-]

Kracus@reddit

Seems the last patch killed a bunch of scanners across my org... Trying to figure out a fix for it.

[-]

scotterdoos@reddit

If they're talking to your domain, they most likely need to be updated, or have a hard dependency on RC4 cipher support in Kerberos. We had a bunch of MFDs die a couple years back when we finally ripped the bandaid off and killed off RC4 cipher support.

[-]

Kracus@reddit

Nah all the network ones are running. It killed all the one offs in people's offices plugged in. I found a regedit work around.

[-]

lordmycal@reddit

Can you share the workaround for anyone here that is also affected?

[-]

SomeWhereInSC@reddit

haha initially though scanners as in networking port scanning stuff, not document scanners

[-]

Educational_Vast9020@reddit

The cumulative update for Server 2025 for April 2026 is failing on all systems (different customers) with error code (0x80073712). The servers are configured in German.

I have already tried `dism.exe /online /cleanup-image /restorehealth` and `sfc /SCANNOW`. Unfortunately, without success.

Is anyone else experiencing the same error?

[-]

EsbenD_Lansweeper@reddit

Here is the Lansweeper summary + audit. Highlights are an actively exploited SharePoint Server spoofing vulnerability, a Defender elevation of privilege vulnerability and a Active Directory remote code execution vulnerability.

[-]

jaritk1970@reddit

Bleepingcomputer.com links: https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-windows-10-kb5082200-extended-security-update/

https://www.bleepingcomputer.com/news/microsoft/windows-11-cumulative-updates-kb5083769-and-kb5082052-released/

https://www.bleepingcomputer.com/news/microsoft/microsoft-april-2026-patch-tuesday-fixes-167-flaws-2-zero-days/

[-]

Difficult-Tree-156@reddit

1PM Eastern Time, and so it begins. The flood gates are opening. Once we verify we will update our test group of servers. Even then, may wait an extra day before updating anymore.

[-]

Difficult-Tree-156@reddit

Test servers updated successfully. Secure Boot is showing the green check mark. No issues at present.

[-]

Vivid_Mongoose_8964@reddit

Here's a health check script from chatgpt for rc4, very cool!

$rc4Tickets = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769} -ErrorAction SilentlyContinue |

Where-Object { $_.Properties[5].Value -eq 0x17 }

$rc4TGTs = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4768} -ErrorAction SilentlyContinue |

Where-Object { $_.Properties[8].Value -eq 0x17 }

$usersNoEnc = Get-ADUser -Filter * -Properties "msDS-SupportedEncryptionTypes" |

Where-Object { -not $_."msDS-SupportedEncryptionTypes" }

$computersNoEnc = Get-ADComputer -Filter * -Properties "msDS-SupportedEncryptionTypes" |

Where-Object { -not $_."msDS-SupportedEncryptionTypes" }

$score = 0

if ($rc4Tickets) { $score += 40 }

if ($rc4TGTs) { $score += 40 }

if ($usersNoEnc.Count -gt 0) { $score += 10 }

if ($computersNoEnc.Count -gt 0) { $score += 10 }

Write-Host "==== RC4 EXPOSURE REPORT ====" -ForegroundColor Cyan

Write-Host "RC4 Service Tickets: $($rc4Tickets.Count)"

Write-Host "RC4 TGT Requests: $($rc4TGTs.Count)"

Write-Host "Users w/o AES set: $($usersNoEnc.Count)"

Write-Host "Computers w/o AES: $($computersNoEnc.Count)"

Write-Host ""

Write-Host "RISK SCORE: $score / 100" -ForegroundColor Yellow

if ($score -eq 0) {

Write-Host "STATUS: SAFE ✅ (No RC4 usage detected)" -ForegroundColor Green

}

elseif ($score -le 20) {

Write-Host "STATUS: LOW RISK ⚠️ (Minor cleanup recommended)" -ForegroundColor Yellow

}

elseif ($score -le 60) {

Write-Host "STATUS: MEDIUM RISK ⚠️ (Fix before patching)" -ForegroundColor DarkYellow

}

else {

Write-Host "STATUS: HIGH RISK 🔥 (Likely breakage after patch)" -ForegroundColor Red

}

[-]