April 14, 2026 - KB5082123 (OS Build 17763.8644) Security Update

April 2026 cumulative security update for Windows Server 2019 and Windows 10 Enterprise LTSC 2019, delivering OS build 17763.8644 with security fixes and quality improvements.

Summary

KB5082123 is a cumulative security update for Windows Server 2019 and Windows 10 Enterprise LTSC 2019, producing OS build 17763.8644. Released on April 14, 2026, it delivers security fixes and quality improvements that build on the March 10, 2026 update (KB5078752). A combined servicing stack update (KB5082118, version 17763.8642) is included. Source: Microsoft Support

Important - Secure Boot certificate expiration: Secure Boot certificates used by most Windows devices are set to expire starting in June 2026. Microsoft has been deploying updated certificates to consumer and non-managed business devices. Devices that have not yet received the newer certificates will continue to start and operate normally, and standard Windows updates will continue to install. IT administrators should consult the Secure Boot Playbook for Windows clients and Windows Server.

Improvements and fixes

The following changes apply to Windows Server 2019 with this update:

  • PowerShell (known issue fix): Corrects a problem introduced by updates released on or after January 13, 2026, where Japanese language installations of Windows Server 2019 failed to display Japanese characters correctly in the PowerShell console.
  • Remote Desktop: Adds phishing protection for Remote Desktop (.rdp) files. When a user opens an .rdp file, all requested connection settings are shown before the connection is established, with each setting off by default. A one-time security warning appears on first use per device.
  • Vulnerable driver blocklist: Adds known vulnerable kernel drivers to the Microsoft vulnerable driver blocklist as a security hardening measure. Backup applications that depend on blocked drivers may fail when trying to mount or manage disk images and may show errors such as "The backup has failed because Microsoft VSS has timed out during the snapshot creation" or VSS_E_BAD_STATE. Affected users should update to newer application versions that use compliant drivers.
  • Windows Deployment Services (WDS): Disables the "Hands-Free Deployment" feature in WDS by default. This feature is no longer supported, in response to CVE-2026-0386.
  • Kerberos protocol: Changes the default DefaultDomainSupportedEncTypes value for Kerberos Key Distribution Center (KDC) operations to use AES-SHA1 for accounts that do not have an explicit msds-SupportedEncryptionTypes Active Directory attribute defined, addressing CVE-2026-20833.
  • Secure Boot: Enables dynamic status reporting for Secure Boot states in the Windows Security app (Settings > Update & Security > Windows Security). These enhancements are disabled by default on commercial devices and servers. Also fixes an issue that could cause devices to enter BitLocker Recovery after Secure Boot updates. Additionally, quality updates now include higher-confidence device targeting data to widen automatic Secure Boot certificate rollout in a controlled, phased manner.
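For the Kerberos change listed above, the accounts that pick up the new KDC default are those with no explicit msds-SupportedEncryptionTypes value. The PowerShell below is an added example, not part of Microsoft's article: it lists every account that carries a service principal name and shows whether it relies on the KDC default. It assumes the ActiveDirectory (RSAT) module and read access to the domain; the function names are hypothetical.

```powershell
# Added example (not from the KB article). Assumes the ActiveDirectory RSAT
# module and read access to the domain. Function names are hypothetical.
Import-Module ActiveDirectory

# Bit flags of the msDS-SupportedEncryptionTypes attribute.
$EncTypeFlags = @(
    @{ Bit = 0x01; Name = 'DES-CBC-CRC' }
    @{ Bit = 0x02; Name = 'DES-CBC-MD5' }
    @{ Bit = 0x04; Name = 'RC4-HMAC' }
    @{ Bit = 0x08; Name = 'AES128-CTS-HMAC-SHA1-96' }
    @{ Bit = 0x10; Name = 'AES256-CTS-HMAC-SHA1-96' }
)

function ConvertTo-EncTypeName {
    param([int]$Value)
    $names = $EncTypeFlags |
        Where-Object { $Value -band $_.Bit } |
        ForEach-Object { $_.Name }
    if ($names) { $names -join ', ' } else { '(no known bits set)' }
}

function Get-SpnEncTypeReport {
    # Every object with an SPN can be the target of a service ticket.
    Get-ADObject -LDAPFilter '(servicePrincipalName=*)' `
        -Properties sAMAccountName, objectClass, 'msDS-SupportedEncryptionTypes' |
    ForEach-Object {
        $raw = $_.'msDS-SupportedEncryptionTypes'
        # Assumption: a value of 0 is treated like a missing attribute.
        $explicit = ($null -ne $raw) -and ($raw -ne 0)
        [pscustomobject]@{
            Account        = $_.sAMAccountName
            Class          = $_.ObjectClass
            UsesKdcDefault = -not $explicit
            EncTypes       = if ($explicit) { ConvertTo-EncTypeName $raw } else { 'not set' }
        }
    }
}

$report = Get-SpnEncTypeReport

# Accounts whose tickets now follow DefaultDomainSupportedEncTypes.
$report | Where-Object UsesKdcDefault |
    Sort-Object Class, Account |
    Format-Table Account, Class, EncTypes -AutoSize

# Accounts with an explicit value keep it; shown for comparison.
$report | Where-Object { -not $_.UsesKdcDefault } |
    Sort-Object Class, Account |
    Format-Table Account, Class, EncTypes -AutoSize
```

Services behind accounts in the first table are the ones to test for AES support before the update reaches the domain controllers.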

The following changes apply to Windows 10 Enterprise LTSC 2019 with this update:

  • Remote Desktop: Same phishing protection improvements for .rdp files as described above for Windows Server 2019.
  • Secure Boot: Same dynamic status reporting, BitLocker Recovery fix, and improved certificate targeting data as described above.
  • Vulnerable driver blocklist: Same kernel driver blocklist hardening as described above, with the same potential impact on backup applications.

Known issues

Domain controllers might restart repeatedly after installing this update

Symptom: After installing this update, domain controllers in environments with multiple domains in the forest that use Privileged Access Management (PAM) might experience LSASS crashes during startup. Affected domain controllers may restart repeatedly, preventing authentication and directory services from functioning and potentially rendering the domain unavailable. This issue affects Windows Server 2019 only.

Workaround: This issue is addressed in out-of-band update KB5091573.

Remote Desktop security warnings might not display correctly

Symptom: After installing this update, the security warning that appears when opening Remote Desktop (.rdp) files might not display correctly in some cases. This can occur when using more than one monitor with different display scaling settings (for example, one display at 100% and another at 125%). When this happens, the warning window may show overlapping text or partially hidden buttons, making the message difficult to read or interact with.

Workaround: This issue is resolved in Windows updates released on and after May 12, 2026, such as KB5087538. Microsoft recommends installing the latest Windows update for your device.

How to get this update

Prerequisite: You must have installed the August 10, 2021 servicing stack update (KB5005112) before installing this cumulative update.

This update is available through the following channels:

  • Windows Update: Downloaded and installed automatically.
  • Windows Update for Business: Downloaded and installed automatically in accordance with configured policies.
  • Microsoft Update Catalog: Standalone package available for manual download.
  • Windows Server Update Services (WSUS): Syncs automatically when configured with Product set to Windows 10 LTSB, Windows Server 2019 and Classification set to Security Updates.

A combined servicing stack update (KB5082118, version 17763.8642) is included in this package. Note that once the combined SSU and LCU package is installed, the SSU cannot be removed. To remove only the LCU, use the DISM /Remove-Package command with the LCU package name as the argument. Running wusa.exe /uninstall on the combined package will not work.
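The LCU-only removal described above needs the full package identity rather than the KB number. The PowerShell below is an added example, not part of Microsoft's article: it finds the LCU for build 17763.8644 and prints or runs the matching DISM command. It assumes an elevated session and the usual "Package_for_RollupFix" naming of LCU packages; the function names are hypothetical.

```powershell
# Added example (not from the KB article). Run from an elevated session.
# Assumption: the LCU follows the usual naming
#   Package_for_RollupFix~<token>~<arch>~~<build>.<revision>
function Get-LcuPackage {
    param([string]$Build = '17763.8644')
    Get-WindowsPackage -Online |
        Where-Object {
            $_.PackageName -like 'Package_for_RollupFix*' -and
            $_.PackageName -like "*~$Build.*"
        }
}

function Remove-LcuOnly {
    param(
        [string]$Build = '17763.8644',
        [switch]$Execute   # without -Execute the command is only printed
    )
    $lcu = @(Get-LcuPackage -Build $Build)
    if ($lcu.Count -eq 0) {
        Write-Warning "No LCU package found for build $Build."
        return
    }
    foreach ($p in $lcu) {
        $arg = "/PackageName:$($p.PackageName)"
        if ($Execute) {
            # The SSU stays installed; only the LCU is removed.
            dism.exe /Online /Remove-Package $arg /NoRestart
        } else {
            "dism.exe /Online /Remove-Package $arg /NoRestart"
        }
    }
}

# Show what is installed, then print the removal command for review.
Get-LcuPackage | Format-Table PackageName, PackageState, InstallTime -AutoSize
Remove-LcuOnly
```

Run `Remove-LcuOnly -Execute` once the printed command has been reviewed, then restart the machine.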

Frequently asked questions

What should I do if backup software fails after installing this update?

The vulnerable driver blocklist change in this update may cause backup applications that rely on now-blocked kernel drivers to fail when mounting or managing disk images. Error messages may include VSS timeout errors or VSS_E_BAD_STATE. Update your backup application to a newer version that uses compliant drivers with the required protections in place.

Why are my domain controllers restarting after this update?

Windows Server 2019 domain controllers in multi-domain forests using Privileged Access Management (PAM) may experience repeated LSASS crashes and restarts after installing this update. Microsoft has released out-of-band update KB5091573 to address this issue. Install KB5091573 on affected domain controllers as soon as possible to restore normal operation.

Does this update affect how Secure Boot certificates are managed?

Yes. This update expands the automatic rollout of updated Secure Boot certificates by including higher-confidence device targeting data. Devices only receive new certificates after demonstrating sufficient successful update signals. Dynamic status reporting for Secure Boot is also enabled via the Windows Security app, though these UI enhancements are off by default on commercial devices and servers.

When does Windows Server 2019 reach end of support?

Microsoft will stop providing free software updates from Windows Update, technical assistance, and security fixes for both Windows Server 2019 and Windows 10 Enterprise LTSC 2019 on January 9, 2029. Microsoft recommends planning an upgrade to a later version of Windows Server before that date.
