Windows Server PKI & ADCS Hotfix Reference Guide

Certificate-based authentication is at the core of modern Active Directory environments, powering VPN access, Windows Hello for Business, smart card logon, Remote Desktop authentication, and domain controller trust. The 2022 origin patch (KB5014754, addressing CVE-2022-26923, CVE-2022-26931, and CVE-2022-34691) introduced Strong Certificate Mapping; the 2025 follow-up (KB5057784, for CVE-2025-26647) added NTAuth-store enforcement, and both have now reached Full Enforcement with no remaining registry bypass. Patch Tuesday after Patch Tuesday, the goalposts have moved: new enforcement modes, removed registry escape hatches, emergency out-of-band updates landing within days of a regular release. Keeping your PKI healthy now means keeping up with a lot more than just security CVEs.

This guide provides a consolidated reference for Microsoft updates impacting certificate infrastructure across Windows Server 2025, Windows Server 2022, and Windows Server 2019. It helps administrators track what changed, when it changed, and why it matters for enterprise PKI environments, with the focus on PKI/ADCS/certificate-impacting changes. Non-PKI fixes shipped in the same updates are also listed so administrators get a complete view of each update.

Understanding Hotfixes

If you manage Windows Server infrastructure, you have almost certainly encountered the word “hotfix” in a Microsoft support article. But what does it actually mean, and why should PKI administrators pay more attention to hotfixes than most?

A hotfix is a targeted software patch released by Microsoft to address a specific bug, regression, or security vulnerability, often outside the normal monthly Patch Tuesday cadence. Think of it as an emergency repair dispatched to fix a single crack in the wall, rather than a scheduled renovation of the whole building.

The term “hotfix” originated in the days when patches were literally applied “hot,” to a running system, much like servicing a running engine, with no full shutdown or reinstall. Today, Microsoft uses several related terms that are worth distinguishing:

Term | What it Means
Hotfix | A targeted fix for a single issue, often released urgently outside normal cycles.
Cumulative Update (CU) | A monthly package released on Patch Tuesday that bundles all previously released fixes together with new ones. Because each CU is self-contained, installing only the latest CU is sufficient to bring a system fully up to date, with no need to install older updates first.
Out-of-Band (OOB) | An emergency release that does NOT wait for Patch Tuesday. Microsoft ships these when a regression or vulnerability is too serious to hold for the next regular cycle.
Security Update | A fix specifically addressing a Common Vulnerability and Exposure (CVE). May be delivered as part of a CU or as a standalone patch.
Hotpatch | A live-patching mechanism for Windows Server Datacenter: Azure Edition that applies security fixes directly into memory without a reboot. Available on servers hosted in Azure or connected via Azure Arc. Not applicable to on-premises Windows Server installations.

The Lifecycle of a Windows Server Hotfix

Understanding when and how Microsoft releases patches helps you anticipate rather than react to changes in your environment. The typical lifecycle looks like this:

  • Vulnerability or regression is discovered, either internally by Microsoft’s Security Response Center or externally by a security researcher or enterprise customer.
  • Microsoft engineers develop and test a fix. This can take days for a critical regression or weeks or months for a planned security hardening.
  • Patch Tuesday (second Tuesday of every month) is the normal shipping window. Planned security fixes and quality improvements are bundled here as Cumulative Updates.
  • Out-of-Band (OOB) release: when a fix cannot wait a full month (e.g., domain controllers crashing on reboot), Microsoft ships an OOB update, sometimes within 72 hours of a Patch Tuesday release.
  • Hotpatch release (Azure Edition only): Certain fixes are backported to the hotpatch format so Azure-hosted servers can receive them without downtime.

Why PKI Administrators Must Track Hotfixes Differently

Most IT teams treat patch management as a risk-reduction exercise: apply updates, test for regressions, move on. For PKI and Active Directory environments, that model breaks down because Microsoft’s certificate hardening journey has made cumulative updates a vector for authentication enforcement changes, not just bug fixes.

Two Enforcement Tracks Running in Parallel

Track 1: KB5014754 (Strong Certificate Mapping): Governs the StrongCertificateBindingEnforcement registry key. Full Enforcement became the Default in February 2025; the registry bypass was retired with the September 9, 2025, update.

Track 2: KB5057784 / CVE-2025-26647 (NTAuth Store Enforcement): Governs the AllowNtAuthPolicyBypass registry key. Audit mode began in April 2025; Enforcement by Default began in July 2025; the registry bypass was retired with the October 14, 2025, update.

Completing Track 1 does not satisfy Track 2. Both must be independently addressed.

Here is the fundamental difference that makes PKI patching uniquely complex:

  • A typical server patch might change how a service behaves under specific conditions. A PKI-relevant patch can silently change whether every domain-joined device in your organization can authenticate.
  • A typical rollback undoes a patch. Rolling back a KB that activated Full Enforcement Mode may not restore your authentication environment if certificate templates have already been reissued or mappings changed.
  • A typical patch is reversible via registry settings. The StrongCertificateBindingEnforcement registry value (KB5014754) was retired with the September 9, 2025, update; the AllowNtAuthPolicyBypass registry value (KB5057784 / CVE-2025-26647) was retired with the October 14, 2025, update. As of October 2025, no registry bypass remains for either enforcement track.

With that context in place, here is the complete PKI hotfix reference covering every certificate-impacting update from the May 2022 origin KB5014754 (applicable to Server 2019 and Server 2022) through June 2026. Windows Server 2025 coverage begins at its General Availability date of November 1, 2024.

Windows Server 2025

Windows Server 2025 reached General Availability on November 1, 2024. This table covers 18 hotfixes for Windows Server 2025 through June 2026, including PKI-adjacent cumulative updates and three OOB emergency releases.

KB Article | Release Date | Update Type | Description | CVE / Reference
KB5044284 | October 8, 2024 | Cumulative Update | [Remote Desktop Gateway Service] Fixed: The service stops responding when a service uses remote procedure calls (RPC) over HTTP, causing connected clients to disconnect. | CVE-2024-26248, CVE-2024-29056
KB5050009 | January 14, 2025 | Cumulative Update | [Windows Kernel Vulnerable Driver Blocklist (DriverSiPolicy.p7b)] Updated the list of drivers at risk for Bring Your Own Vulnerable Driver (BYOVD) attacks. Includes servicing stack improvements. | CVE-2022-26931, CVE-2022-26923
KB5051987 | February 11, 2025 | Cumulative Update (Critical) | [Digital/Analog Converter (DAC)] Fixed: USB audio devices (particularly those using DAC drivers based on USB 1.0) could stop working, halting playback. [USB cameras] Fixed: Device not recognizing that the camera is on. Note: This update introduced a known issue causing Remote Desktop sessions to freeze shortly after connection (resolved in KB5055523). | CVE-2022-26931, CVE-2022-26923, CVE-2022-34691
KB5053598 | March 11, 2025 | Cumulative Update | [Winlogon] Fixed: A stop error occurs during shutdown. Also adds a new Narrator shortcut (Narrator key + Ctrl + X) to copy the last spoken content to the clipboard, and enables Narrator to auto-read email content in the new Outlook. | N/A (Quality fix)
KB5055523 | April 8, 2025 | Cumulative Update (Critical) | [Authentication] Fixed: Machine password rotation failure in the PKINIT path when Kerberos was used with Credential Guard enabled, causing user authentication problems. Machine Accounts in Credential Guard are temporarily disabled pending a permanent fix. [Remote Desktop] Fixed: Sessions were freezing shortly after connection, making mouse and keyboard input unresponsive. [Kerberos Authentication] Changed: Adds protections for CVE-2025-26647. Phase 1 — Audit Mode only. AllowNtAuthPolicyBypass defaults to 1; Event ID 45 is logged for non-NTAuth certificates, but authentication is NOT denied. Enforcement by Default begins with the July 8, 2025, update. May log Event ID 45 on domain controllers. [OS Security] New: Creates a %systemdrive%\inetpub folder on all devices regardless of IIS installation status; it is required for CVE-2025-21204 protection, so do not delete it. [Windows Hello] Changed: Facial recognition now requires color cameras to detect a visible face for enhanced security (CVE-2025-26644). | CVE-2025-26647
KB5059087 | April 16, 2025 | Out-of-Band (OOB) | Fixes an issue where Windows containers running in Hyper-V isolation mode could fail to start after the April 8, 2025, container image release. A version mismatch between the container and the hosting utility virtual machine caused compatibility failures; containers can now correctly access required system files from the host. | CVE-2025-26647
KB5060842 | June 10, 2025 | Cumulative Update | New: Scan mode now supports comma ( , ) to jump to the start of an item (table, list, etc.) and period ( . ) to jump to the end, improving navigation of long emails and articles. General security and quality improvements. | CVE-2025-26647
KB5062553 | July 8, 2025 | Cumulative Update | [Application installation] Fixed: The MsiCloseHandle API experienced prolonged execution time when handling MSI files containing a large number of files. [Kerberos] Fixed: Kerberos authentication stops responding in certain scenarios when RC4 is used for encryption. | CVE-2025-26647
KB5065426 | September 9, 2025 | Cumulative Update (Critical) | [Network] Fixed: Windows Server 2025 always showed the network as “public” on new domain controllers; it now checks for a DC name before using loopback addresses for LDAP binding. [Print] Fixed: Non-admin users were unable to uninstall printers they had added. Note: printing components transitioned to the Universal C Runtime Library; print clients older than Windows 10 v2004 will intentionally fail to print to updated servers. | CVE-2022-26931, CVE-2022-26923
KB5066835 | October 14, 2025 | Cumulative Update (Critical) | [Browser] Fixed: Print preview screen stopped responding in Chromium-based browsers. [PowerShell Remoting / WinRM] Fixed: Commands could time out after 10 minutes. [Gaming] Fixed: After signing in via Gamepad at the lock screen, apps and games did not respond to input afterward. | CVE-2025-26647
KB5068861 | November 11, 2025 | Cumulative Update | [Storage] Fixed: An issue that could cause some Storage Spaces to become inaccessible or Storage Spaces Direct to fail when creating a storage cluster. [Start menu] New: Boolean option in the Configure Start Pins policy lets admins apply Start menu pins once, allowing users to customize afterward. [Post-Quantum Cryptography] New features introduced. | N/A (Quality fix)
KB5072033 | December 9, 2025 | Cumulative Update | [File Explorer] New: Dividers now separate top-level icons in the context menu. [General] New: A redesigned system prompt appears when apps request access to location, camera, microphone, or other capabilities. [Search on Taskbar] New: A grid view helps users more quickly identify images in search results. | N/A (Quality fix)
KB5073379 | January 13, 2026 | Cumulative Update | [Compatibility] Removes legacy modem drivers (agrsm64.sys, agrsm.sys, smserl64.sys, smserial.sys); hardware dependent on these will no longer work. [Credentials autofill] New security hardening: credential dialogs no longer respond to virtual keyboard input from remote desktop or screen sharing tools. This is also the first release where Windows Server 2025 received its own separate KB identifiers and build numbers. | N/A (Quality fix)
KB5077793 | January 17, 2026 | Out-of-Band (OOB) | [Remote Desktop] Fixed: After installing the January 2026 security update (KB5073379), credential prompt failures occurred during Remote Desktop connections using the Windows App, impacting Azure Virtual Desktop and Windows 365. | N/A (Quality fix)
KB5075899 | February 10, 2026 | Cumulative Update | Cumulative security update with the latest fixes and improvements, incorporating non-security updates from the prior optional preview release. Includes AI component updates (applicable to Copilot+ PCs only; not installed on standard Windows Server). Advances the KB5025885 Secure Boot bypass protection enforcement phase, moving toward mandatory revocation of the “Windows Production PCA 2011” certificate. | KB5025885 enforcement phase
KB5078740 | March 10, 2026 | Cumulative Update | Security update containing quality improvements from KB5075899. Highlights an important Secure Boot certificate expiration notice: certificates used by most Windows devices are set to expire starting June 2026, which may affect Secure Boot on unpatched devices. Continues the KB5025885 enforcement phase. | KB5025885 enforcement phase
KB5082063 | April 14, 2026 | Cumulative Update | Cumulative security update with the latest fixes and improvements. A known issue was introduced: a small number of devices may fail to install this update with error 0x80073712. Additionally, domain controllers in multi-domain forests using Privileged Access Management (PAM) may experience LSASS crashes after restart. Both issues are resolved in KB5091157. | N/A (Regression)
KB5091157 | April 19, 2026 | Out-of-Band (OOB) | [Active Directory] Fixed: After installing the April 2026 security update, domain controllers in multi-domain forests using Privileged Access Management (PAM) could experience LSASS stopping responding, causing repeated restarts and making the domain unavailable. [Windows update installation] Fixed: A small number of Windows Server 2025 devices failing to install KB5082063. | N/A (Emergency fix)

Note: Windows Server 2025 shares OS Build 26100.x with Windows 11 24H2. All KBs listed above apply to both products.

Windows Server 2022

Windows Server 2022 reached General Availability on August 18, 2021. The table below covers PKI/ADCS/certificate-impacting updates from the origin KB5014754 (May 2022) through June 2026. This includes 19 hotfixes.

KB Article | Release Date | Update Type | Description | CVE / Reference
KB5014754 | May 10, 2022 | Security Update (Origin KB) | [Kerberos KDC] Fixed: The KDC did not validate machine name formatting during certificate-based authentication, allowing certificates to be spoofed. Conflicts between User Principal Names (UPN) and sAMAccountName introduced additional emulation vectors. Addresses CVE-2022-26931, CVE-2022-26923, and CVE-2022-34691 (elevation of privilege via Kerberos certificate spoofing). Enterprise CAs now embed a SID extension (OID 1.3.6.1.4.1.311.25.2) in issued certificates; DCs start in Compatibility Mode, logging weak mappings via Event IDs 39, 40, and 41. | CVE-2022-26931, CVE-2022-26923, CVE-2022-34691
KB5044281 | October 8, 2024 | Cumulative Update | [MSIX applications] Fixed: Fail to open when installed from an HTTPS URI if the download is incomplete. [Task Manager] Fixed: Stops responding when selecting the Performance tab. [AppLocker] Fixed: Rule collection enforcement mode not overwritten when merging rules with an unconfigured collection. [Remote Desktop] Fixed: Windows Servers might disrupt Remote Desktop connections across the organization. | CVE-2024-26248, CVE-2024-29056
KB5049983 | January 14, 2025 | Cumulative Update | [Windows Kernel Vulnerable Driver Blocklist] Updated: Adds drivers at risk for Bring Your Own Vulnerable Driver (BYOVD) attacks. Addresses security issues for the Windows OS. | CVE-2022-26931, CVE-2022-26923
KB5051979 | February 11, 2025 | Cumulative Update (Critical) | Makes miscellaneous security improvements to internal OS functionality. Known issue introduced: Devices with Citrix Session Recording Agent (SRA) version 2411 may be unable to complete installation (resolved in KB5053603). | CVE-2022-26931, CVE-2022-26923, CVE-2022-34691
KB5053603 | March 11, 2025 | Cumulative Update | Makes miscellaneous security improvements to internal OS functionality. No additional quality issues documented for this release. | N/A (Quality fix)
KB5055526 | April 8, 2025 | Cumulative Update (Critical) | [Authentication] Fixed: Machine password rotation failure in the PKINIT path when Kerberos is used with Credential Guard enabled. Known issue introduced: DCs may log Kerberos Event IDs 45 and 21 for WHfB Key Trust environments (resolved in KB5060526). | CVE-2025-26647
KB5059092 | April 16, 2025 | Out-of-Band (OOB) | Addresses a startup failure on Windows containers running in Hyper-V isolation mode when the container patch level diverges from the hosting utility VM. Not directly PKI-impacting. WHfB Key Trust / Event 45/21 false alarm resolved in KB5060526. | CVE-2025-26647
KB5060526 | June 10, 2025 | Cumulative Update | [DHCP Server] Fixed: DHCP Server service might intermittently stop responding, affecting IP renewal for clients. [Language] Fixed: Chinese characters compliance issue with GB18030. Resolves the WHfB Key Trust / Machine PKINIT false Event ID 45/21 regression from KB5055526. | CVE-2025-26647
KB5062572 | July 8, 2025 | Cumulative Update | [DHCP Server] Fixed: Intermittent DHCP Server stop-responding issue. [Language] Fixed: Chinese character compliance with GB18030-2022 standard. [Performance] Fixed: Unused language packs and Feature on Demand packages not fully removed. Known issue introduced: Changjie IME issues for Traditional Chinese (resolved in KB5063880). | CVE-2025-26647
KB5065432 | September 9, 2025 | Cumulative Update (Critical) | [App compatibility] Fixed: Unexpected UAC prompts for standard users running MSI repair operations (introduced by the August 2025 update for CVE-2025-50173). Affects Autodesk AutoCAD and similar apps. [SMB/NetBIOS] Known issue introduced: After installing KB5065432, connections to SMBv1 shares using NetBIOS over TCP/IP (NetBT) could fail. Microsoft resolved this issue in KB5066782. | CVE-2022-26931, CVE-2022-26923
KB5066782 | October 14, 2025 | Cumulative Update (Critical) | [Chinese IME] Fixed: Characters not displaying correctly and compliance issue with GB18030. [Networking] Fixed: SMB v1 over NetBT shared file connection failure introduced by KB5065432. Known issue introduced: Smartcard authentication issues related to a security change for Windows Cryptographic Services (resolved October 22, 2025). | CVE-2025-26647
KB5068787 | November 11, 2025 | Cumulative Update | [App compatibility] Fixed: Unexpected UAC prompts for some apps, including Autodesk AutoCAD (introduced by August 2025 security hardening). [Security] Fixed: After domain controller promotion, changes to Microsoft Defender for Endpoint registry permissions disrupted cloud-based communication. | N/A (Quality fix)
KB5073457 | January 13, 2026 | Cumulative Update | [Windows App / Remote Desktop] Known issue introduced: Credential prompt failures during Remote Desktop connections using Windows App on Azure Virtual Desktop and Windows 365 (resolved by KB5077800). | N/A (Quality fix)
KB5077800 | January 17, 2026 | Out-of-Band (OOB) | [Windows App / Remote Desktop] Fixed: Resolves credential prompt failures introduced by KB5073457 during Remote Desktop connections using Windows App on Azure Virtual Desktop and Windows 365. (Cumulative; supersedes KB5073457.) | N/A (Quality fix)
KB5075906 | February 10, 2026 | Cumulative Update | [File Explorer] Fixed: Folder renaming with desktop.ini files not working correctly; the LocalizedResourceName setting was being ignored. [Fonts] Updated: Chinese fonts to support the GB18030-2022A standard. [Graphics] Fixed: Certain GPU configurations experiencing a dxgmms2.sys KERNEL_SECURITY_CHECK_FAILURE error. | KB5025885 enforcement phase
KB5078766 | March 10, 2026 | Cumulative Update | [Secure Boot] New: Additional high-confidence device targeting data increases coverage of devices eligible to automatically receive new Secure Boot CA certificates. [Windows System Image Manager] Improved: Reliability of choosing trusted catalog files. | KB5025885 enforcement phase
KB5082142 | April 14, 2026 | Cumulative Update | [Kerberos protocol] Changed: Default DefaultDomainSupportedEncTypes value for KDC operations now leverages AES-SHA1 for accounts without an explicit msds-SupportedEncryptionTypes AD attribute. [Audio] Improved: Reduces system unresponsiveness related to audio activity. [Kernel] Improved: System stability during large file operations. Known issue introduced: LSASS startup failures on DCs in multi-domain PAM environments (resolved by KB5091575). | N/A (Regression)
KB5091575 | April 19, 2026 | Out-of-Band (OOB) | [Active Directory] Fixed: After installing the April 2026 security update, DCs in multi-domain forests using Privileged Access Management (PAM) may experience LSASS startup failures, preventing authentication and directory services from functioning. | N/A (Emergency fix)
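
The origin KB5014754 row above explains that patched enterprise CAs embed a SID extension (OID 1.3.6.1.4.1.311.25.2) so the KDC can strongly map a certificate to an account. The following PowerShell is an added example, not code from the article or from Microsoft; it scans a certificate store for logon-capable certificates and reports which ones still lack that extension and would therefore not be strongly mapped by it under Full Enforcement. The store path, the EKU filter, and the assumption that the SID is carried inside the extension as a printable "S-1-5-..." string are assumptions of this example.

```powershell
# Added example (not from the article): report KB5014754 SID-extension presence for
# certificates in a store. Assumptions: Windows PowerShell 5.1 or later; the SID inside
# OID 1.3.6.1.4.1.311.25.2 is stored as a printable "S-1-5-..." string, so a regex over
# the raw DER bytes is enough to surface it for reporting.

$SidExtensionOid   = '1.3.6.1.4.1.311.25.2'   # szOID_NTDS_CA_SECURITY_EXT (KB5014754)
$ClientAuthEku     = '1.3.6.1.5.5.7.3.2'      # Client Authentication
$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2' # Smart Card Logon

function Test-KerberosLogonCertificate {
    # Only certificates usable for certificate-based logon are relevant to the KDC.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $ekuExt = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        Select-Object -First 1
    if (-not $ekuExt) { return $false }
    foreach ($eku in $ekuExt.EnhancedKeyUsages) {
        if ($eku.Value -in $ClientAuthEku, $SmartCardLogonEku) { return $true }
    }
    return $false
}

function Get-SidExtensionInfo {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $SidExtensionOid } | Select-Object -First 1
    if (-not $ext) {
        return [pscustomobject]@{ HasSidExtension = $false; Sid = $null }
    }
    # Decode the raw extension bytes as ASCII and pull out the SID string for display.
    $text = [System.Text.Encoding]::ASCII.GetString($ext.RawData)
    $sid  = $null
    if ($text -match 'S-1-5-[0-9-]+') { $sid = $Matches[0] }
    return [pscustomobject]@{ HasSidExtension = $true; Sid = $sid }
}

function Get-StrongMappingReport {
    param([string]$StorePath = 'Cert:\LocalMachine\My')  # assumed store; adjust as needed
    Get-ChildItem -Path $StorePath |
        Where-Object { Test-KerberosLogonCertificate -Certificate $_ } |
        ForEach-Object {
            $info = Get-SidExtensionInfo -Certificate $_
            # Without the SID extension the KDC has nothing of its own to strongly map the
            # certificate with; under Full Enforcement such a certificate is denied.
            $verdict = if ($info.HasSidExtension) { 'Strong (SID extension present)' } else { 'Weak: reissue from a CA patched with KB5014754' }
            [pscustomobject]@{
                Subject         = $_.Subject
                Issuer          = $_.Issuer
                Thumbprint      = $_.Thumbprint
                NotAfter        = $_.NotAfter
                HasSidExtension = $info.HasSidExtension
                Sid             = $info.Sid
                Verdict         = $verdict
            }
        }
}

# Weak certificates sort first so they are easy to spot.
Get-StrongMappingReport | Sort-Object HasSidExtension | Format-Table -AutoSize
```

Run it against Cert:\CurrentUser\My as well for user certificates, and against any store a Windows Hello for Business or smart card deployment populates.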

Windows Server 2019

Windows Server 2019 reached General Availability on October 2, 2018. Mainstream support ended January 9, 2024; extended support continues until January 9, 2029. The table below covers PKI/ADCS/certificate-impacting updates from the origin KB5014754 (May 2022) through June 2026. This includes 19 hotfixes (including the origin KB5014754).

KB Article | Release Date | Update Type | Description | CVE / Reference
KB5014754 | May 10, 2022 | Security Update (Origin KB) | [AD CS / KDC] Enterprise CAs begin embedding a new SID extension (OID 1.3.6.1.4.1.311.25.2) in all issued certificates. DCs start in Compatibility Mode: weak-mapped certificate authentication is allowed, but Event IDs 39/40/41 are logged. Addresses CVE-2022-26931 and CVE-2022-26923 (Kerberos certificate privilege escalation). | CVE-2022-26931, CVE-2022-26923, CVE-2022-34691
KB5044277 | October 8, 2024 | Cumulative Update | [FrameShutdownDelay] Fixed: Browser ignores its value in the HKLM Internet Explorer registry key. [Remote Desktop (known issue)] Fixed: Windows Servers might disrupt Remote Desktop connections using legacy protocols such as RPC over HTTP in the Remote Desktop Gateway (occurs sporadically, approximately every 30 minutes). | CVE-2024-26248, CVE-2024-29056
KB5050008 | January 14, 2025 | Cumulative Update | [Windows Kernel Vulnerable Driver Blocklist] Updated: Adds drivers at risk for Bring Your Own Vulnerable Driver (BYOVD) attacks. Addresses security issues for the Windows OS. | CVE-2022-26931, CVE-2022-26923
KB5052000 | February 11, 2025 | Cumulative Update (Critical) | [Windows Kernel Vulnerable Driver Blocklist] Updated: Adds drivers at risk for BYOVD attacks. [Certificate-based authentication] Full Enforcement Mode activated: domain controllers now deny authentication if a certificate cannot be strongly mapped to a user or device. Compatibility Mode can be restored via StrongCertificateBindingEnforcement=1 ONLY UNTIL the September 9, 2025, Patch Tuesday. After that, the registry value has no effect. | CVE-2022-26931, CVE-2022-26923, CVE-2022-34691
KB5053596 | March 11, 2025 | Cumulative Update | [System] Enables system processes to store temporary files in a secure directory. Makes miscellaneous security improvements to internal OS functionality. No additional quality issues documented for this release. | N/A (Quality fix)
KB5055519 | April 8, 2025 | Cumulative Update (Critical) | [Authentication] Fixed: Machine password rotation failure in the PKINIT path when Kerberos is used with Credential Guard enabled. Known issue introduced: DCs may log Kerberos Event IDs 45 and 21 in WHfB Key Trust and Machine PKINIT environments after this update changes how DCs validate certificates against the NTAuth store (resolved in KB5060531). | CVE-2025-26647
KB5059091 | April 16, 2025 | Out-of-Band (OOB) | Addresses a startup failure on Windows containers running in Hyper-V isolation mode when the container patch level diverges from the hosting utility VM. Not directly PKI-impacting. WHfB Key Trust / Event 45/21 false alarm resolved in KB5060531. | CVE-2025-26647
KB5060531 | June 10, 2025 | Cumulative Update | [Authentication / WHfB] Fixed: Resolves the WHfB Key Trust and Machine PKINIT false Event ID 45/21 logging regression introduced by KB5055519. DCs now correctly handle certificates chained to the NTAuth store without false-alarming on Key Trust configurations. | CVE-2025-26647
KB5062557 | July 8, 2025 | Cumulative Update | Fixed: Authentication stops responding in certain RC4 encryption scenarios. [FIDO Cached Credential Logon] Fixed: Stops responding in certain cases on Hybrid Domain Joined devices. General security improvements for the OS. | CVE-2025-26647
KB5065428 | September 9, 2025 | Cumulative Update (Critical) | [Certificate binding — Final Phase] The StrongCertificateBindingEnforcement registry value is no longer honored by the KDC. The value may remain on disk, but has no effect (Compatibility Mode cannot be re-enabled via any registry setting). [UAC/MSI] Fixed: Unexpected UAC prompts for standard users running MSI repair operations (narrows scope from August 2025 CVE-2025-50173 hardening). [File Server] New: Auditing support for SMB client compatibility for SMB Server signing and EPA. | CVE-2022-26931, CVE-2022-26923
KB5066586 | October 14, 2025 | Cumulative Update (Critical) | [NTAuth / AllowNtAuthPolicyBypass] Full Enforcement: The AllowNtAuthPolicyBypass registry value is no longer honored; NTAuth-store enforcement is now mandatory. All Kerberos authentication certificates must be issued by a CA in the NTAuth store, with no registry bypass remaining. General security improvements. | CVE-2025-26647
KB5068791 | November 11, 2025 | Cumulative Update | [Internal Windows OS] Contains miscellaneous security improvements to internal OS functionality. Note: This update ships under Extended Support (Mainstream Support ended January 9, 2024). Extended Security Updates continue until January 9, 2029. | N/A (Quality fix)
KB5073723 | January 13, 2026 | Cumulative Update | [Credentials autofill] Security hardening restricts certain applications from autofilling credentials during remote support sessions or automated authentication workflows. [Compatibility] Removes legacy modem drivers (agrsm64.sys, smserl64.sys, etc.). Known issue introduced (1): Credential prompt failures during Remote Desktop connections using Windows App on Azure Virtual Desktop and Windows 365 (resolved by KB5077795). Known issue introduced (2): Secure Launch / VSM-enabled devices restart instead of shutting down or hibernating (resolved by KB5075904). | N/A (Quality fix)
KB5077795 | January 17, 2026 | Out-of-Band (OOB) | [Windows App / Remote Desktop] Fixed: Resolves credential prompt failures introduced by KB5073723 during Remote Desktop connections using Windows App on Azure Virtual Desktop and Windows 365. Cumulative for the RDP issue only; the Secure Launch/VSM restart bug requires KB5075904. | N/A (Quality fix)
KB5075904 | February 10, 2026 | Cumulative Update | [OS Security (known issue)] Fixed: Secure Launch-capable PCs with Virtual Secure Mode (VSM) enabled were unable to shut down or enter hibernation after the January 2026 updates; the device restarted instead. [Fonts] Updated: Chinese fonts to meet GB18030-2022A compliance. [Secure Boot] New: Begins distribution of new Secure Boot CA certificates to eligible Server 2019 devices with high-confidence device targeting data, ahead of the June 2026 certificate expiration. | KB5025885 enforcement phase
KB5078752 | March 10, 2026 | Cumulative Update | [Secure Boot] Updated: Additional high-confidence device targeting data increases coverage of devices eligible to automatically receive new Secure Boot CA certificates. Phased rollout expanding on Server 2019. [Windows System Image Manager] Improved: Warning dialog added to help users confirm a trusted catalog file source. Miscellaneous security improvements to internal OS functionality. | KB5025885 enforcement phase
KB5082123 | April 14, 2026 | Cumulative Update | [Kerberos protocol] Changed: Default DefaultDomainSupportedEncTypes value for KDC operations now leverages AES-SHA1 for accounts without an explicit msds-SupportedEncryptionTypes AD attribute. [Secure Boot] Improved: Dynamic status reporting in Windows Security settings; fixes for BitLocker Recovery issues following Secure Boot updates. [Remote Desktop] Improved: RDP security warning dialog rendering. Known issue introduced: LSASS startup failures on DCs in multi-domain PAM environments (resolved by KB5091573). | N/A (Regression)
KB5091573 | April 19, 2026 | Out-of-Band (OOB) | [Active Directory] Fixed: After installing the April 2026 security update (KB5082123), DCs in multi-domain forests using Privileged Access Management (PAM) may experience LSASS startup failures, preventing authentication and directory services from functioning. Also prepares devices for the upcoming Secure Boot certificate expiration in June 2026. | N/A (Emergency fix)

If this guide surfaced gaps in your current PKI posture, Encryption Consulting offers services specifically designed to address them.

How Can Encryption Consulting Help

Encryption Consulting provides specialized services to identify vulnerabilities and mitigate risks by providing PKI Services. Our strategic guidance aligns PKI solutions with organizational objectives, enhancing efficiency and minimizing costs. By partnering with Encryption Consulting, organizations can unlock the full potential of PKI solutions, realizing tangible financial benefits while maintaining strong security measures.

Our PKI Assessment Services provide a comprehensive evaluation of your existing ADCS environment, identifying gaps in CA hygiene, backup practices, CRL/AIA configuration, and database health. Whether your CA database has grown unchecked over time or your maintenance processes lack structure, our team delivers a detailed risk report along with a prioritized roadmap to bring your PKI back into a healthy and auditable state.

CertSecure Manager

If you’re managing this at scale across hundreds of machines, manual monitoring becomes untenable. One of the most comprehensive solutions in the CLM space is CertSecure Manager by Encryption Consulting. Designed to address the growing complexity of certificate environments, CertSecure Manager offers a centralized, automated, and policy-driven approach to CLM.

  • Centralized Certificate Inventory: Automatically discovers and inventories certificates across cloud, on-prem, and hybrid environments.
  • Automated Lifecycle Management: Handles issuance, renewal, and revocation of certificates with minimal human intervention.
  • Policy Enforcement Engine: Ensures compliance with enterprise security policies and industry standards.
  • Role-Based Access Control (RBAC): Provides granular access management to ensure only authorized users can manage certificates.
  • Integration With Leading CAs and DevOps Tools: Seamlessly integrates with public and private Certificate Authorities, as well as CI/CD pipelines.
  • Real-Time Monitoring and Alerts: Offers dashboards and alerts for expiring or misconfigured certificates.
  • Audit and Reporting: Maintains detailed logs and reports for compliance and forensic analysis.

Conclusion

For enterprise administrators, the practical takeaway is straightforward: patch management for PKI infrastructure can no longer be treated as routine. A single Patch Tuesday release can activate a new enforcement phase, revoke a registry escape hatch, or, as April 2026 demonstrated, leave domain controllers in multi-domain forests that use PAM crashing on restart.

The five OOB emergency updates Microsoft released on April 19, 2026 (seven total, including Azure Edition hotpatches, within five days of the April 14, 2026, Patch Tuesday) are a reminder that even well-tested updates can produce serious, environment-specific failures when complex authentication systems are involved.

The Windows Production PCA 2011 certificate used by most Windows devices for Secure Boot is set to expire starting June 2026. Microsoft has been rolling out new Secure Boot CA certificates via cumulative updates since February 2026 (KB5075899, KB5078740, KB5075906, KB5078766, KB5075904, KB5078752) using high-confidence device targeting. Administrators should:

  1. Confirm all Server 2019, 2022, and 2025 systems have received the February or March 2026 cumulative updates.
  2. Verify that the new Secure Boot CA certificates were distributed.
  3. Check that BitLocker Recovery has been tested post-update. Devices that do not receive the new certificates before expiration may fail Secure Boot on the next restart.

The best defense is staying informed before updates hit production:

  • Verify every CA that issues WHfB Key Trust or Machine PKINIT certificates is registered in the NTAuth store. Run certutil -enterprise -store NTAuth to enumerate the CAs currently in NTAuth. Since the October 2025 enforcement, certificates from CAs outside NTAuth fail Kerberos authentication on domain controllers.
  • Audit your certificate templates for weak mappings well in advance of enforcement milestones.
  • When a new Patch Tuesday lands, cross-reference it against this guide before deploying to domain controllers.
  • Run a pre-enforcement posture check before each major quarterly baseline, not after the rollout has already started.
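
The posture check recommended above, covering both enforcement tracks described under "Two Enforcement Tracks Running in Parallel", can be scripted. The following PowerShell is an added example and is not code from the article or from Microsoft: it reads the two retired bypass values under the Kdc service key, summarises the KDC events each track produces (39/40/41 for weak or conflicting mappings, 45 for issuers outside NTAuth), and wraps the certutil command the guide recommends to list the NTAuth CAs. It assumes an elevated session on a domain controller, certutil.exe on the PATH, and the English-locale certutil output layout.

```powershell
# Added example (not from the article): domain-controller posture check for the two
# enforcement tracks. Assumptions: run elevated on a domain controller; certutil.exe is on
# the PATH; KDC events are read from the local System log; certutil prints English-locale
# "Certificate N" banners with "Subject:" and "Cert Hash(sha1):" lines.

$KdcKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$KdcProvider = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'

# KDC events each track produces. 39/40/41 come from KB5014754 (weak or conflicting
# mappings); 45 comes from KB5057784 / CVE-2025-26647 (issuing CA not in NTAuth).
$EventMeaning = @{
    39 = 'Certificate could not be strongly mapped to the account'
    40 = 'Certificate was issued before the account existed'
    41 = 'SID in the certificate does not match the account'
    45 = 'Certificate chains to a CA that is not in the NTAuth store'
}

function Get-RetiredBypassValues {
    # Both values were retired (September 9, 2025 and October 14, 2025). A value left on
    # disk no longer changes KDC behaviour, but it shows the environment once relied on a
    # bypass and should be re-validated rather than assumed safe.
    foreach ($name in 'StrongCertificateBindingEnforcement', 'AllowNtAuthPolicyBypass') {
        $data = (Get-ItemProperty -Path $KdcKey -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Value   = $name
            Present = ($null -ne $data)
            Data    = $data
            Status  = 'Retired: not honored by the KDC regardless of the data'
        }
    }
}

function Get-KdcEnforcementEvents {
    param([int]$Days = 30)
    $filter = @{
        LogName      = 'System'
        ProviderName = $KdcProvider
        Id           = @($EventMeaning.Keys)
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Group-Object Id | ForEach-Object {
            $id = [int]$_.Name
            [pscustomobject]@{
                EventId = $id
                Count   = $_.Count
                Latest  = ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
                Meaning = $EventMeaning[$id]
            }
        }
}

function Get-NTAuthStoreCAs {
    # Wraps the command the guide recommends and turns each entry into an object.
    $text = (& certutil.exe -enterprise -store NTAuth 2>&1 | Out-String)
    foreach ($block in ($text -split '=+ Certificate \d+ =+')) {
        if ($block -notmatch 'Subject:\s*(.+)') { continue }
        $subject = $Matches[1].Trim()
        $hash = $null
        if ($block -match 'Cert Hash\(sha1\):\s*([0-9a-fA-F ]+)') {
            $hash = ($Matches[1] -replace ' ', '').ToUpper()
        }
        [pscustomobject]@{ Subject = $subject; Thumbprint = $hash }
    }
}

function Invoke-PkiEnforcementPostureCheck {
    Write-Output 'Retired registry bypass values under the Kdc service key:'
    Get-RetiredBypassValues | Format-Table -AutoSize
    Write-Output 'KDC weak-mapping / NTAuth events (last 30 days):'
    $events = Get-KdcEnforcementEvents
    if ($events) { $events | Format-Table -AutoSize } else { Write-Output '  none logged' }
    Write-Output 'CAs currently in the NTAuth store (Kerberos logon certificates must chain to one of these):'
    Get-NTAuthStoreCAs | Format-Table -AutoSize
}

Invoke-PkiEnforcementPostureCheck
```

Any Event ID 45 hit names a certificate whose issuer is missing from the NTAuth list printed last; any 39/40/41 hit points to a certificate or template that still needs the SID extension or a corrected mapping before the next baseline.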