Patch Tuesday Tracker: April 2026 Updates, Known Issues, and What to Watch
A pattern is forming in Microsoft’s monthly update cycle that most coverage isn’t connecting. In Q1 2026 alone, Microsoft has issued three out-of-band updates to fix problems caused by the previous Patch Tuesday: a March emergency replacement after KB5079391 was pulled mid-rollout, an April out-of-band to stop domain controllers from rebooting in loops, and an ongoing investigation into a 24H2-to-25H2 force-upgrade boot loop that has affected an unknown number of consumer PCs. The Register has started calling it “out of control” rather than “out of band.” That is not unfair.
This page is the running ledger. Each month, we publish what shipped, what broke, and what to do — without the marketing language Microsoft uses on the release health dashboard, and without the panicked tone of the security press. If you administer Windows machines for a living, or you are the small-business person who became “the IT person” by default, this is the page to bookmark.
What shipped on April 14, 2026
The April 2026 Patch Tuesday addressed 167 vulnerabilities, including two zero-days and eight rated Critical, making it Microsoft’s second-largest Patch Tuesday ever in terms of CVE count. The headline KBs:
| Product | KB | Build | Notes |
|---|---|---|---|
| Windows 11 25H2 | KB5083769 | 26200.8246 | Mandatory; Q2 hotpatch baseline |
| Windows 11 24H2 | KB5083769 | 26100.8246 | Same package; force-upgrade to 25H2 staged |
| Windows 11 23H2 | KB5082052 | 22631.6936 | Enterprise/Education only — Home/Pro EOL was Nov 2025 |
| Windows Server 2022 | KB5082142 | 20348.5020 | Caused DC reboot loops; see below |
| Windows Server (multi) | KB5082063 | various | DC reboot loop issue |
Two zero-day vulnerabilities are worth knowing by name. CVE-2026-32201 is a SharePoint Server spoofing vulnerability that Microsoft confirms is being actively exploited; the attack vector is presenting falsified content within trusted SharePoint environments to enable phishing and social engineering against employees. CVE-2026-33825 is “BlueHammer,” a Windows Defender privilege escalation flaw that was publicly disclosed before patching after the researcher grew frustrated with Microsoft’s response timeline. Tharros vulnerability analyst Will Dormann confirmed the public exploit no longer works after KB5083769 is applied.
If you run SharePoint Server on-premises, install KB5083769 immediately — exploitation is not theoretical. If you don’t, the urgency drops sharply, and there is a strong argument for waiting at least 7 days before deploying to consumer or workstation fleets. April’s track record explains why.
What broke (and what is still broken)
KB5082063 / KB5082142 — Domain controller reboot loops. Within 48 hours of release, IT administrators began reporting that domain controllers in environments using Privileged Access Management (PAM) were entering reboot loops with LSASS crashes during startup. Microsoft confirmed the issue on April 16 and released KB5091575 as an out-of-band fix on April 19, 2026. If you administer Windows Server 2016, 2019, 2022, or 2025 with PAM, do not install the standard April update — go straight to the OOB. The fix is also available as a hotpatch for eligible devices. Microsoft has not explained how a regression this consequential made it through pre-release validation; the answer matters for anyone weighing whether to extend their staged-deployment ring testing in May.
KB5083769 — BitLocker recovery prompt. Microsoft acknowledges that “some devices with an unrecommended BitLocker Group Policy configuration might be required to enter their BitLocker recovery key on the first restart after installing this update.” This is enterprise-side; it is not affecting the average consumer PC. The mitigation is reviewing your BitLocker GPO and confirming the recovery key is accessible before installing — not after the boot screen.
KB5083769 — 24H2-to-25H2 force-upgrade boot loops. As of April 28, 2026, Notebookcheck and other outlets are reporting unrecoverable boot loops on a subset of unmanaged consumer PCs that received the staged force-upgrade from Windows 11 24H2 to 25H2 alongside KB5083769. Microsoft has not announced a timeline for a fix. Affected users are recovering by booting from recovery media and rolling the upgrade back, which is not a procedure most consumers can execute without help. This is the failure mode worth watching most closely in May.
Reset This PC fix. On the positive side, KB5083769 does fix the March-introduced bug in the “Keep my files” and “Remove everything” recovery paths that followed the KB5079420 hotpatch. If you held off on a reset because of that issue, April clears the road.
What to install, what to wait on
For consumer PCs and small-business workstations: install KB5083769 unless you are seeing reports of issues with your specific OEM or Windows 11 24H2 device family. Most PCs receive it without incident.
For domain controllers: skip KB5082063 and KB5082142 entirely. Install KB5091575 (the April 19 out-of-band) instead. Microsoft has effectively replaced the April update for server fleets — there is no benefit to installing the broken version first.
For SharePoint Server administrators: install KB5083769 today, regardless of your normal staged-deployment cadence. CVE-2026-32201 is being actively exploited and the attack does not require user authentication.
For Copilot+ PCs: the AI component updates bundled with KB5083769 are pre-staged for the May refresh. They install quietly.
A note on hotpatch
April was a hotpatch baseline month. Devices eligible for hotpatch (primarily enterprise machines on Windows 11 25H2 with the right licensing) still require this month’s full rebooting baseline before they can take advantage of restart-free security updates in May, June, and July. Microsoft has separately confirmed that hotpatch will be enabled by default in Windows Autopatch and Intune for eligible devices starting with the May 2026 security update. That is the more interesting development: from May onward, eligible enterprise fleets will skip the reboot for two of every three Patch Tuesdays. The economics of patch deployment change meaningfully when 8 reboots per year drop to 4.
Q1 2026 in review
Three months of Patch Tuesdays, three out-of-band fixes. The pattern:
| Month | Headline KB | Fixed | Broke |
|---|---|---|---|
| January 2026 | KB5050009 family | 112 CVEs, 1 zero-day | No major regressions |
| February 2026 | KB5051987 family | 59 CVEs, 6 zero-days | No major regressions |
| March 2026 | KB5079391 (pulled) → KB5086672 (OOB) | 83 CVEs | Install error 0x80073712; preview update pulled |
| April 2026 | KB5083769 / KB5082063 → KB5091575 (OOB) | 167 CVEs, 2 zero-days | DC reboot loops; 24H2→25H2 boot loops |
That is two consecutive months where Microsoft shipped, pulled, or replaced an update. For perspective, in the previous 36-month window Microsoft averaged roughly two out-of-band updates per year, not per quarter. Either we are seeing regression-to-mean variance after a smoother period, or quality assurance is degrading. May will tell us which.
When to stop
There is a category of advice that proliferates in tech-support content about Patch Tuesday issues and is genuinely harmful: download a third-party “driver updater” tool, run an automated registry cleaner, or install an unrelated update from a forum link to “fix” a stuck installation. Don’t. None of those will resolve a real Windows Update regression, and several are vectors for malware that specifically targets users who Google their error codes after a botched update.
If KB5083769 fails to install on your PC: confirm you have at least 20 GB of free disk space, run wuauclt /resetauthorization from an elevated Command Prompt, and try again. If it still fails, note the error code and check the Windows Update KB error reference below — most install errors are diagnostic, not catastrophic.
If a domain controller is in a reboot loop after KB5082063 or KB5082142: stop trying to boot normally. Boot from recovery media, restore from a pre-update backup if you have one, and apply the April 19 OOB instead. If you do not have a recent backup, contact Microsoft Support for Business — this is exactly the scenario they exist for.
If your 24H2 PC went into a boot loop after the staged 25H2 upgrade: this is not a fix-it-from-Google problem. Use a Windows recovery USB to roll the upgrade back, then defer the next 25H2 rollout until Microsoft confirms the issue is resolved.
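The checks this page asks for before and after the April update (which KB a domain controller actually has, whether a BitLocker recovery key exists to be looked up, and the 20 GB free-space floor) can be gathered in one read-only PowerShell pass. This is an added example, not Microsoft's tooling or part of the original article; the function and variable names are illustrative, and it assumes the installed updates are visible to Get-HotFix.

```powershell
# Added example: read-only triage for the April 2026 guidance on this page. Run elevated.
# KB numbers and the 20 GB figure come from the article; names are illustrative.
$BrokenDcKbs = 'KB5082063', 'KB5082142'   # April updates tied to DC reboot loops
$OobFixKb    = 'KB5091575'                # April 19 out-of-band replacement
$MinFreeGB   = 20

function Get-AprilPatchFindings {
    $findings = @()

    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    $isDc = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4
    # Get-HotFix reads Win32_QuickFixEngineering on the local machine.
    $installed = @((Get-HotFix).HotFixID)

    if ($isDc) {
        $broken = @($BrokenDcKbs | Where-Object { $installed -contains $_ })
        if ($installed -contains $OobFixKb) {
            $findings += "DC: $OobFixKb is installed."
        } elseif ($broken.Count -gt 0) {
            $findings += "DC: $($broken -join ', ') present without $OobFixKb; apply the out-of-band fix."
        } else {
            $findings += "DC: no April update found; deploy $OobFixKb, not $($BrokenDcKbs -join ' or ')."
        }
    }

    # BitLocker: list recovery-password protector IDs so they can be matched
    # against the escrowed keys before the first post-update restart.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    if ($vol -and $vol.ProtectionStatus -eq 'On') {
        $ids = @($vol.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
            ForEach-Object { $_.KeyProtectorId })
        if ($ids.Count -gt 0) {
            $findings += "BitLocker: on; verify escrow of recovery key ID(s) $($ids -join ', ')."
        } else {
            $findings += 'BitLocker: on, but the system drive has no recovery password protector.'
        }
    }

    # Free space on the system drive versus the article's 20 GB minimum.
    $letter = $env:SystemDrive.TrimEnd(':')
    $freeGB = [math]::Round((Get-PSDrive -Name $letter).Free / 1GB, 1)
    if ($freeGB -lt $MinFreeGB) {
        $findings += "Disk: $freeGB GB free on $env:SystemDrive; the article's minimum is $MinFreeGB GB."
    }
    $findings
}

Get-AprilPatchFindings
```

An empty result on a workstation means none of the three conditions was flagged; it does not say anything about the 24H2-to-25H2 upgrade issue, which this script does not inspect.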
Related articles
The articles below are the standing references for the diagnostic patterns that show up most often in the Patch Tuesday cycle:
- Windows Update error codes by category (ongoing series)
- Windows 11 24H2 end of updates: what the October 2026 deadline actually means
- Secure Boot certificate expiration June 2026: what to verify on your PC
- DISM and SFC: how to repair Windows safely
FAQ
When is the next Patch Tuesday? The second Tuesday of every month. May 2026 falls on May 12. Microsoft Security Response Center publishes the release notes between 10:00 AM and 1:00 PM Pacific Time on Patch Tuesday itself.
Should I install Windows Updates immediately or wait? For consumer PCs, the right answer in 2026 is “wait 7 days unless you are running a service that is actively under exploitation.” Two of the last three Patch Tuesdays have produced regressions serious enough to warrant out-of-band fixes. Seven days is enough for the worst issues to surface and for community workarounds to appear, but not so long that you remain exposed to known-exploited zero-days.
What is an out-of-band update and why are there so many? An out-of-band update is a fix Microsoft releases outside the regular monthly cadence, usually because a recent update introduced a serious bug. They are designed to be the exception. Q1 2026 has produced three of them, which is unusual.
What happens if I don’t install Patch Tuesday? Your PC will continue to function. Standard Windows updates will keep installing. But your machine becomes progressively more exposed to the vulnerabilities each Patch Tuesday addresses. For SharePoint Server administrators in April 2026 specifically, “not installing” means leaving an actively exploited zero-day open.
How do I know which KB applies to my PC? Settings → Windows Update shows the KB number after each install. If you want to know in advance, check the Windows release health dashboard — Microsoft lists the KB numbers per Windows version each month.
Is hotpatch worth enabling? For enterprise fleets on Windows 11 25H2 with Autopatch or Intune licensing: yes, starting May 2026 when it is enabled by default. For consumer PCs: not currently available, and not worth chasing.
Official references
- April 14, 2026—KB5083769 Release Notes — Microsoft Support
- Windows release health dashboard — Microsoft Learn
- April 19, 2026—KB5091575 Out-of-Band — Microsoft Support
- Microsoft Security Response Center (MSRC) — primary CVE source
This page is updated monthly within 24 hours of Patch Tuesday and again at +30 days with retrospective analysis. Last updated: April 28, 2026.