Microsoft has released KB5083769, its April 2026 Patch Tuesday cumulative update for Windows 11 versions 25H2 and 24H2, advancing them to OS builds 26200.8246 and 26100.8246, respectively. The release patches 167 vulnerabilities, neutralizes two zero-days, and introduces urgent Secure Boot certificate mitigations ahead of a hard June 2026 deadline.
Released on April 14, 2026, this is one of the largest monthly security releases from Microsoft this year, and it demands immediate action from enterprise IT teams, security administrators, and end users alike.
April’s Patch Tuesday is a heavyweight by every measure. Of the 167 CVEs addressed across Microsoft’s product portfolio, 11 are rated Critical, and the majority are classified as Important.
The scope spans Windows Kernel components, networking stacks, authentication services, cloud file drivers, and enterprise productivity platforms.
Notable CVE entries include CVE-2026-33824, a Critical remote code execution vulnerability in the Windows IKE Extension rated CVSS 9.8, and CVE-2026-26149 in Microsoft Power Apps, rated CVSS 9.0.
Additional high-severity fixes target Windows Push Notifications, the Remote Desktop Client, Desktop Window Manager (CVE-2026-32152, CVE-2026-32154), Windows COM (CVE-2026-32162), Windows Shell (CVE-2026-32225), and Microsoft Defender (CVE-2026-33825).
One Actively Exploited in the Wild
The most critical headline from this release is the confirmation of two zero-day vulnerabilities, one actively exploited and one publicly disclosed before any patch existed.
The actively exploited flaw is CVE-2026-32201, a Microsoft SharePoint Server Spoofing Vulnerability triggered by improper input validation.
Microsoft has confirmed that this CVE is in “Exploitation Detected” status. The flaw can be triggered remotely, without authentication or user interaction, allowing attackers to access limited sensitive data and modify SharePoint content across on-premises deployments.
Organizations running on-premises SharePoint Server should treat this as Priority 1 patching.
The second zero-day is CVE-2026-26151, a Remote Desktop Spoofing Vulnerability that was publicly disclosed before Microsoft’s fix was available.
Although not yet confirmed as actively exploited in the wild at the time of publication, the public availability of disclosure details dramatically lowers the barrier for threat actors to weaponize this flaw.
Spoofing vulnerabilities of this nature can be leveraged to intercept or impersonate RDP sessions, posing serious risks in enterprise environments where remote access is widespread.
Secure Boot Certificate Expiration: June 2026
Perhaps the most operationally urgent component of KB5083769 is the Secure Boot certificate update, which addresses a ticking clock that no enterprise can afford to ignore.
The original Secure Boot certificates issued in 2011 are set to expire on June 26, 2026, now just 73 days away. After that date, devices without updated 2023 Secure Boot certificates will:
- Stop receiving security fixes for Windows Boot Manager
- Lose protection against bootkit malware, including BlackLotus (CVE-2023-24932)
- Fail to trust third-party software signed with newer certificates
KB5083769 begins a phased, targeted rollout of new Secure Boot certificates, deploying only to devices that have demonstrated sufficient successful update signals.
The Windows Security app (Settings > Privacy & Security > Windows Security) will now display Secure Boot certificate status badges and notifications.
However, these enhancements remain disabled by default on commercial devices. Additionally, this update resolves a critical bug where Secure Boot certificate updates caused affected devices to enter BitLocker Recovery mode, a disruptive loop that had impacted patched systems since March 2026.
New RDP Phishing Protections Against Malicious .RDP Files
Microsoft has introduced a significant new anti-phishing countermeasure in KB5083769 targeting the growing abuse of Remote Desktop Protocol (.rdp) files in phishing campaigns.
Threat actors have increasingly weaponized .rdp files sent via phishing emails, silently connecting victims’ machines to attacker-controlled servers and exposing sensitive resources.
Under the new protections, when a user opens an .rdp file, Remote Desktop now displays all requested connection settings before establishing any connection, with each setting toggled off by default.
A one-time security warning is also shown the first time an .rdp file is opened on a given device. Administrators can temporarily turn off these protections by setting the RedirectionWarningDialogVersion value to 1 in the HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Client registry key.
These protections apply to connections initiated via .rdp files, not through the standard Remote Desktop client interface.
SMB/QUIC, Reset PC, and AI Components
Networking reliability is improved through a fix for SMB compression over QUIC, resolving intermittent timeouts that disrupted enterprise file-sharing operations.
The “Reset this PC” feature, which had been broken for users attempting to use “Keep my files” or “Remove everything” following the March 2026 KB5079420 Hotpatch, is now fully restored.
Microsoft also updated four core AI components: Image Search, Content Extraction, Semantic Analysis, and Settings Model, all advanced to version 1.2603.377.0, reflecting continued integration of on-device machine learning into Windows 11’s architecture.
The accompanying Servicing Stack Update (KB5088467) advances to build 26100.8247, ensuring the update infrastructure itself remains robust for future deployments.
KB5083769 is a mandatory update that installs automatically via Windows Update and Microsoft Update.
Microsoft said organizations can also deploy it through Windows Server Update Services (WSUS), the Microsoft Update Catalog, and the DISM command-line tools for advanced scenarios. A system restart is required after installation.
Frequently Asked Questions
Q1: What Windows versions does KB5083769 cover?
It covers Windows 11 versions 25H2 (build 26200.8246) and 24H2 (build 26100.8246), released April 14, 2026.
Q2: Is CVE-2026-32201 being actively exploited right now?
Yes, Microsoft has confirmed active exploitation of this SharePoint spoofing vulnerability, making it the top-priority patch this month.
Q3: What happens if Secure Boot certificates are not updated before June 26, 2026?
Devices will lose Boot Manager security fixes and protection against bootkits such as BlackLotus, though normal booting will continue.
Q4: Can admins turn off the new RDP phishing protections in KB5083769?
Yes, administrators can disable them via the RedirectionWarningDialogVersion registry value, though Microsoft strongly advises against it.
Site: thecybrdef.com