Windows Update, April 2026: KB5083769 lands with 167 fixes and two zero‑days

What’s new in this month’s Windows Update

Microsoft’s April 2026 Patch Tuesday landed on Tuesday, April 14, delivering fixes for 167 Microsoft vulnerabilities, including two zero‑days — one actively exploited in the wild — across Windows, Office, Defender and SharePoint. (bleepingcomputer.com )

For Windows 11, the security cumulative update KB5083769 is now rolling out to supported devices on versions 25H2 and 24H2, advancing OS builds to 26200.8246 and 26100.8246, respectively. (support.microsoft.com )

The headline risks: two zero‑days to prioritize

• CVE‑2026‑32201 (SharePoint Server, spoofing) — confirmed as actively exploited. Organizations running on‑premises SharePoint should fast‑track server patching and downstream hardening. (bleepingcomputer.com )
• CVE‑2026‑33825 (Microsoft Defender, elevation of privilege) — publicly disclosed and now patched via a Defender platform update (version 4.18.26030.3011). Ensure Defender platform updates are current in addition to Windows quality updates. (bleepingcomputer.com )

Independent trackers note minor variance in monthly counts (163–167 total CVEs) depending on inclusion criteria, but all agree April ranks among Microsoft’s largest monthly drops in recent memory. (redmondmag.com )

What KB5083769 changes on Windows 11

Beyond security fixes, Microsoft calls out quality and reliability work in networking, Remote Desktop, and servicing. Notable items include:

• SMB over QUIC: Improved reliability when using SMB compression, reducing timeouts. (support.microsoft.com )
• Remote Desktop hardening: New guardrails when opening .rdp files now show all requested connection settings before connecting, with a one‑time security warning on first use. (support.microsoft.com )
• Servicing Stack Update (SSU): KB5088467 enhances the reliability of the Windows Update installation pipeline. (support.microsoft.com )

Known issue to watch:

• Devices with an unrecommended BitLocker Group Policy (for example, explicit PCR7 selection) may be prompted for a BitLocker recovery key after the first reboot. Microsoft provides workarounds and a Known Issue Rollback (KIR) for environments that cannot change policy prior to deployment. (support.microsoft.com )

Windows 10: ESU year is underway — mark these dates

Mainstream support for Windows 10 ended on October 14, 2025. Extended Security Updates (ESU) are available to keep Windows 10 devices receiving Critical/Important security patches after that date, structured as up to three annual terms post‑EoS for commercial customers. Consumer ESU coverage runs through October 13, 2026, while enterprise and education programs can extend further according to Microsoft’s ESU framework. (learn.microsoft.com )

If you are maintaining Windows 10 22H2 devices under ESU, expect distinct cumulative updates (separate from Windows 11’s KB numbers) each Patch Tuesday. Validate entitlement and update channels in WSUS/Intune so ESU devices continue to receive monthly security rollups. (learn.microsoft.com )

Secure Boot certificates: new status in Windows Security

Starting this month, Microsoft is surfacing Secure Boot certificate update status directly in the Windows Security app (Device security > Secure Boot) to help admins verify that legacy 2011 certificates have been replaced with updated 2023 certificates via Windows Update. Expect user‑visible status and related notifications as these rollouts continue. (support.microsoft.com )

Who should patch first

• SharePoint Server farms exposed to the internet or supporting business‑critical workflows (due to CVE‑2026‑32201). (bleepingcomputer.com )
• Endpoints relying on Microsoft Defender platform protections (ensure the Defender platform update listed in the advisory is present). (bleepingcomputer.com )
• High‑value Windows endpoints and servers where network‑adjacent RCE or privilege‑escalation chains are feasible; April’s release again skews heavily toward elevation‑of‑privilege fixes. (bleepingcomputer.com )

How to get today’s updates

• Windows 11 (24H2/25H2): Settings > Windows Update > Check for updates. Managed environments can sync the “Windows 11” product and “Security Updates” classification in WSUS/Windows Update for Business. For offline servicing, Microsoft provides MSU packages and DISM commands in the KB documentation. (support.microsoft.com )
• Windows 10 (ESU): Confirm ESU enrollment, then Check for updates. In managed estates, verify ESU keys/policies and deployment rings so eligible devices receive April’s cumulative ESU package. (learn.microsoft.com )

Deployment guidance for admins

1. Stage and test

• Pilot KB5083769 to representative hardware/BitLocker configurations. Validate reboot behavior and PCR7 binding to avoid unnecessary recovery prompts. If policy changes aren’t feasible, request and deploy the KIR before broad rollout. (support.microsoft.com )

2. Verify Defender platform version

• Post‑update, confirm Microsoft Defender Antimalware Platform version 4.18.26030.3011 (or later) to close CVE‑2026‑33825. (bleepingcomputer.com )

3. Prioritize server workloads

• Patch SharePoint servers promptly and review logs for suspicious activity predating patching. Reassess authentication hardening and inbound rules. (bleepingcomputer.com )

4. Communicate end‑user changes

• Prepare help desk notes on new .rdp file warnings and any first‑boot BitLocker prompts to reduce ticket noise. (support.microsoft.com )

The broader picture

Security researchers characterize April’s Patch Tuesday as one of the largest in the last year, underscoring a continued surge in elevation‑of‑privilege and information‑disclosure fixes across Windows components and Office. The wide spread of affected products and the presence of an actively exploited SharePoint flaw are the key drivers for urgency this month. (redmondmag.com )

Bottom line

• Update Windows 11 devices with KB5083769 immediately, especially in environments using SharePoint or relying on Defender. (support.microsoft.com )
• For Windows 10, ensure devices are either upgraded to Windows 11 or properly enrolled in ESU to keep receiving monthly security fixes through their eligible term. (learn.microsoft.com )
• Watch for BitLocker and Secure Boot certificate status changes during rollout, and use Microsoft’s documented mitigations where needed. (support.microsoft.com )

We will continue to monitor Microsoft’s release health notes and MSRC guidance and update this article if new issues or out‑of‑band fixes emerge for April 2026’s updates.