
KB5082142: Windows Server 2022 Cumulative Update - April 14, 2026 (OS Build 20348.5020)

April 14, 2026 security cumulative update for Windows Server 2022, bringing OS build 20348.5020 with security fixes, quality improvements, and non-security changes.


Summary

This is the April 14, 2026 security cumulative update for Windows Server 2022, released as KB5082142 and bringing the OS to build 20348.5020. It is a monthly security update that incorporates the latest security fixes plus the quality improvements carried forward from the March 10, 2026 update (KB5078766). See Microsoft Support for the full official page.

Highlights

  • Remote Desktop now shows all requested connection settings before connecting when opening an .rdp file, with each setting off by default, plus a one-time security warning. This improves protection against phishing attacks that deliver .rdp files.
  • Secure Boot certificate coverage is expanded, with this update including additional high-confidence device targeting data to increase the number of devices eligible to automatically receive new Secure Boot certificates.
  • Windows Deployment Services (WDS) Hands-Free Deployment is disabled by default and is no longer a supported feature, as part of hardening related to CVE-2026-0386.

Improvements and fixes

  • [Connectivity] Improved reliability of audio features in Windows to help reduce system unresponsiveness tied to sound or audio activity.
  • [Kernel] Improved system stability during large file operations, reducing unexpected interruptions when working with or transferring large files.
  • [Kerberos protocol] Changed the default DefaultDomainSupportedEncTypes value used by the Kerberos Key Distribution Center (KDC) to AES-SHA1 for accounts that do not have an explicit msDS-SupportedEncryptionTypes Active Directory attribute defined. Accounts with the attribute set keep their explicit value. This relates to CVE-2026-20833.
  • [Networking] Improved reliability when Windows uses SMB compression over QUIC, making SMB compression requests over QUIC complete more consistently and reducing the likelihood of timeouts.
  • [Remote Desktop] Added phishing protection for .rdp files: Remote Desktop now displays all requested connection settings before connecting, each turned off by default, plus a one-time security warning on first use on a device.
  • [Secure Boot] Windows quality updates now include additional high-confidence device targeting data to broaden automatic Secure Boot certificate rollout coverage. Devices receive new certificates only after demonstrating sufficient successful update signals, keeping rollout controlled and phased. This update also addresses a separate issue where a device could enter BitLocker Recovery after Secure Boot updates.
  • [Texts and Fonts] Added the new Saudi Riyal currency symbol to Windows fonts to keep text clear, accurate, and visually consistent across apps.
  • [Vulnerable driver blocklist] Added known vulnerable kernel drivers to the Microsoft vulnerable driver blocklist. Backup applications that rely on blocked drivers may fail when attempting to mount or manage disk images, potentially showing errors such as "The backup has failed because Microsoft VSS has timed out during the snapshot creation" or VSS_E_BAD_STATE. Affected users should update to a newer application version that uses drivers with the required protections.
  • [Windows Deployment Services (WDS)] Disabled the Hands-Free Deployment feature in WDS by default; this feature is no longer supported. This change relates to CVE-2026-0386.
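The Kerberos change above only touches accounts whose msDS-SupportedEncryptionTypes attribute is unset, because those are the ones that inherit the KDC default. The following PowerShell is an added example, not code from the KB article or from Microsoft: it decodes any DefaultDomainSupportedEncTypes override on the DC it runs on and lists the accounts that will pick up the new default. The bit layout is Microsoft's documented one; the registry path and the ActiveDirectory module are assumptions stated in the comments.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the KB article). Run on a Windows Server 2022 domain controller.
# Assumptions: the KDC override lives at HKLM\SYSTEM\CurrentControlSet\Services\KDC
# (value DefaultDomainSupportedEncTypes, REG_DWORD), and bit meanings follow Microsoft's
# documented msDS-SupportedEncryptionTypes layout.

$EncTypeBits = [ordered]@{
    1  = 'DES-CBC-CRC'                  # 0x01
    2  = 'DES-CBC-MD5'                  # 0x02
    4  = 'RC4-HMAC'                     # 0x04
    8  = 'AES128-CTS-HMAC-SHA1-96'      # 0x08
    16 = 'AES256-CTS-HMAC-SHA1-96'      # 0x10
    32 = 'AES256-CTS-HMAC-SHA1-96-SK'   # 0x20 (session-key flag)
}

function ConvertFrom-EncTypeMask {
    # Decode a msDS-SupportedEncryptionTypes / DefaultDomainSupportedEncTypes bitmask.
    param([Parameter(Mandatory)][int]$Mask)
    if ($Mask -eq 0) { return @('none (0)') }
    foreach ($bit in $EncTypeBits.Keys) {
        if ($Mask -band $bit) { $EncTypeBits[$bit] }
    }
}

# 1. Registry override on this DC. When the value is absent the built-in default applies,
#    which is the default this update changes.
$kdcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\KDC'
$override = (Get-ItemProperty -Path $kdcKey -Name DefaultDomainSupportedEncTypes -ErrorAction SilentlyContinue).DefaultDomainSupportedEncTypes
if ($null -eq $override) {
    'DefaultDomainSupportedEncTypes: not set (built-in KDC default applies)'
} else {
    'DefaultDomainSupportedEncTypes: 0x{0:X} = {1}' -f $override, ((ConvertFrom-EncTypeMask $override) -join ', ')
}

# 2. Accounts with no explicit attribute. objectClass=user also matches computer and
#    gMSA objects, which inherit from user. Those carrying an SPN are service accounts
#    whose clients may still be negotiating RC4 today, so test them first.
$filter = '(&(objectClass=user)(!(msDS-SupportedEncryptionTypes=*)))'
Get-ADObject -LDAPFilter $filter -Properties sAMAccountName, servicePrincipalName |
    Select-Object sAMAccountName, objectClass,
        @{ n = 'HasSPN'; e = { @($_.servicePrincipalName).Count -gt 0 } } |
    Sort-Object -Property @{ Expression = 'HasSPN'; Descending = $true }, sAMAccountName |
    Format-Table -AutoSize
```

Run it before the update in a test domain and again afterwards; an account that appears in the list and serves RC4-only clients is the one to give an explicit msDS-SupportedEncryptionTypes value, rather than changing the KDC default for the whole domain.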

This security update contains fixes and quality improvements from KB5078766 (released March 10, 2026). A bundled servicing stack update, KB5082137 (SSU version 20348.5021), is also included.

Known issues

Domain controllers might restart repeatedly after installing this update

Symptom: After installing this update, domain controllers in environments with multiple domains in the forest that use Privileged Access Management (PAM) might experience LSASS crashes during startup. Affected domain controllers may restart repeatedly, preventing authentication and directory services from functioning, and potentially rendering the domain unavailable.

Workaround: This issue is addressed in out-of-band update KB5091575. If your Windows Server 2022 device is enrolled in hotpatching, install the OOB hotpatch update KB5091576 instead. That hotpatch OOB update is released through Windows Update and does not require a device restart.

Devices with an unrecommended BitLocker Group Policy configuration might be required to enter their BitLocker recovery key

Symptom: Some devices with an unrecommended BitLocker Group Policy configuration might be required to enter their BitLocker recovery key on the first restart after installing this update. This only affects devices where ALL of the following conditions are true:

  • BitLocker is enabled on the OS drive.
  • The Group Policy "Configure TPM platform validation profile for native UEFI firmware configurations" is configured with PCR7 included.
  • System Information (msinfo32.exe) reports Secure Boot State PCR7 Binding as "Not Possible".
  • The Windows UEFI CA 2023 certificate is present in the device's Secure Boot Signature Database (DB).
  • The device is not already running the 2023-signed Windows Boot Manager.

The recovery key is only required once: subsequent restarts will not trigger a BitLocker recovery screen as long as the Group Policy configuration remains unchanged.

Workaround: The recommended approach is to remove the Group Policy configuration before installing the update. Open Group Policy Editor (gpedit.msc) or your Group Policy Management Console, navigate to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives, and set "Configure TPM platform validation profile for native UEFI firmware configurations" to "Not Configured". Then run gpupdate /force to propagate the change, followed by manage-bde -protectors -disable C: to suspend BitLocker and manage-bde -protectors -enable C: to resume it. This updates the BitLocker bindings to use the Windows-selected default PCR profile. A permanent resolution is planned in a future Windows update.
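The following PowerShell is an added example, not code from the KB article or from Microsoft. It evaluates the conditions that can be read programmatically on the local device and wraps the suspend/resume step of the workaround. Labelled assumptions: the Group Policy setting is stored under HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI with a DWORD named after each PCR number, and the Servicing registry value UEFICA2023Status reads "Updated" once the 2023-signed boot manager is in use. The Get-SecureBootUEFI string check for the 2023 CA is Microsoft's documented one. The msinfo32 "PCR7 Binding: Not Possible" condition has no cmdlet and is left to a manual check.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the KB article). Requires the BitLocker feature (Get-BitLockerVolume).
# Assumptions are marked inline; verify registry names against the Secure Boot playbook.

function Test-PolicyIncludesPcr7 {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'
    if (-not (Test-Path $key)) { return $false }          # policy Not Configured
    return ((Get-ItemProperty -Path $key).'7' -eq 1)      # assumption: DWORD "7" = PCR7 included
}

function Test-WindowsUefiCa2023InDb {
    # Microsoft's documented check: the DER subject name is visible as ASCII in the db blob.
    try { $db = (Get-SecureBootUEFI -Name db).Bytes } catch { return $false }
    return ([System.Text.Encoding]::ASCII.GetString($db) -match 'Windows UEFI CA 2023')
}

function Test-BootManager2023Signed {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $status = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).UEFICA2023Status
    return ($status -eq 'Updated')                        # assumption on value name and content
}

function Get-BitLockerRecoveryRisk {
    param([string]$MountPoint = 'C:')
    $os = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction SilentlyContinue
    [ordered]@{
        'BitLocker protection on OS drive'    = [bool]($os -and $os.ProtectionStatus -eq 'On')
        'GP validation profile includes PCR7' = Test-PolicyIncludesPcr7
        'Windows UEFI CA 2023 present in db'  = Test-WindowsUefiCa2023InDb
        'Boot manager not yet 2023-signed'    = -not (Test-BootManager2023Signed)
    }
}

function Invoke-BitLockerRebind {
    # Run only after the policy has been set to Not Configured (GPMC for domain policy,
    # gpedit.msc for local policy); with the policy still applied, gpupdate re-imposes it.
    param([string]$MountPoint = 'C:')
    gpupdate /force | Out-Null
    manage-bde -protectors -disable $MountPoint | Out-Null   # suspend: TPM protector cleared
    manage-bde -protectors -enable  $MountPoint | Out-Null   # resume: re-sealed to the default PCR profile
    Get-BitLockerVolume -MountPoint $MountPoint | Select-Object MountPoint, ProtectionStatus, VolumeStatus
}

$risk = Get-BitLockerRecoveryRisk
$risk.GetEnumerator() | ForEach-Object { '{0,-38} {1}' -f $_.Key, $_.Value }
'PCR7 Binding "Not Possible": check msinfo32 manually; this script does not read it.'
if (-not (@($risk.Values) -contains $false)) {
    Write-Warning 'All automated conditions match. Set the policy to Not Configured, then run Invoke-BitLockerRebind.'
}
```

Back up the recovery key (manage-bde -protectors -get C:) before running Invoke-BitLockerRebind; if the rebind is interrupted the next boot will ask for it.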

Windows Server Update Services (WSUS) does not display error details

Symptom: After installing KB5070884 or later updates, WSUS does not display synchronization error details within its error reporting. This functionality is temporarily removed to address the Remote Code Execution Vulnerability CVE-2025-59287.

Workaround: No workaround is listed by Microsoft for this issue at the time of writing.

Warnings related to Remote Desktop might not display correctly

Symptom: After installing this update, the security warning that appears when opening Remote Desktop (RDP) files might not display correctly in some cases. This can occur when using more than one monitor with different display scaling settings - for example, one display at 100% and another at 125%. When this happens, the warning window may show overlapping text or partially hidden buttons, making the message difficult to read or interact with.

Workaround: This issue is addressed in KB5087545.
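The pre-connect dialog and the warning described above exist because an .rdp file can ask for resource redirection and credential behaviour the recipient never chose. As an added example, not code from the KB article or from Microsoft, the following PowerShell parses .rdp files and reports the settings they request, so attachments can be triaged before anyone double-clicks them. The sample file is constructed and its host name is fictitious; the set of settings it treats as risky is this example's own selection, not a Microsoft-defined list.

```powershell
# Added example (not from the KB article). Format: each .rdp line is name:type:value,
# with type s (string), i (integer) or b (binary).

$RiskySettings = @{
    'drivestoredirect'      = 'maps local drives into the session'
    'redirectclipboard'     = 'shares the clipboard with the remote host'
    'redirectprinters'      = 'redirects local printers'
    'redirectsmartcards'    = 'exposes smart cards and their certificates'
    'redirectcomports'      = 'redirects COM ports'
    'devicestoredirect'     = 'redirects plug-and-play devices'
    'usbdevicestoredirect'  = 'redirects USB devices'
    'remoteapplicationmode' = 'RemoteApp mode hides that a full session was opened'
    'enablecredsspsupport'  = 'disables CredSSP/NLA when set to 0'
}

function ConvertFrom-RdpFile {
    param([Parameter(Mandatory)][string[]]$Lines)
    $settings = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([^:]+):([sib]):(.*)$') {
            $name  = $Matches[1].Trim().ToLowerInvariant()
            $value = $Matches[3].Trim()
            # Integers are typed; anything malformed stays a string so it is still reported.
            $settings[$name] = if ($Matches[2] -eq 'i' -and $value -match '^-?\d+$') { [int]$value } else { $value }
        }
    }
    return $settings
}

function Get-RdpRisk {
    # One object per risky setting the file actually requests.
    param([Parameter(Mandatory)][hashtable]$Settings)
    foreach ($name in $RiskySettings.Keys) {
        if (-not $Settings.ContainsKey($name)) { continue }
        $v = $Settings[$name]
        $requested = switch ($name) {
            'enablecredsspsupport' { $v -eq 0 }
            { $_ -in 'drivestoredirect', 'devicestoredirect', 'usbdevicestoredirect' } { $v -ne '' }
            default                { $v -eq 1 }
        }
        if ($requested) { [pscustomobject]@{ Setting = $name; Value = $v; Effect = $RiskySettings[$name] } }
    }
}

# Constructed sample resembling a phishing-style .rdp attachment.
$sample = @'
full address:s:rdp.example.invalid
username:s:CORP\victim
drivestoredirect:s:*
redirectclipboard:i:1
redirectsmartcards:i:1
remoteapplicationmode:i:1
enablecredsspsupport:i:0
screen mode id:i:2
'@ -split "`r?`n"

$parsed = ConvertFrom-RdpFile -Lines $sample
'Target {0} as {1}' -f $parsed['full address'], $parsed['username']
Get-RdpRisk -Settings $parsed | Format-Table -AutoSize

# Against a share or mailbox export:
# Get-ChildItem -Recurse -Filter *.rdp | ForEach-Object { Get-RdpRisk (ConvertFrom-RdpFile (Get-Content $_.FullName)) }
```

For the sample, the report lists drivestoredirect, redirectclipboard, redirectsmartcards, remoteapplicationmode and enablecredsspsupport; the same five would appear unchecked in the new dialog, which is the point of the change.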

How to get this update

Microsoft now combines the latest servicing stack update (SSU) with the latest cumulative update (LCU) into a single package. Before servicing an offline OS image, confirm the image includes KB5030216 (09/12/2023) or a later LCU. That update sets the minimum required SSU version to 20348.1960, which is necessary to prevent error 0x800f0823 (CBS_E_NEW_SERVICING_STACK_REQUIRED).

This update is available through the following channels:

  • Windows Update / Microsoft Update: Downloads and installs automatically.
  • Windows Update for Business: Downloads and installs automatically in accordance with configured policies.
  • Microsoft Update Catalog: Download the standalone package directly from the Microsoft Update Catalog website.
  • Windows Server Update Services (WSUS): Syncs automatically when Products and Classifications are set to Product: "Microsoft Server operating system-21H2" and Classification: "Security Updates".

To remove the LCU after installing the combined SSU and LCU package, use the DISM /Remove-Package command with the LCU package name as the argument; DISM /online /get-packages lists the installed package names. Running wusa.exe with the /uninstall switch on the combined package will not work because the package contains the SSU, which cannot be removed after installation.
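The two servicing facts above (the 20348.1960 SSU floor for offline images, and removing the LCU by package name instead of wusa /uninstall) are easy to get wrong by hand. The following PowerShell is an added example, not code from the KB article or from Microsoft, using the DISM cmdlets that wrap the same operations. It assumes the package naming convention Package_for_RollupFix~...~~<build> for cumulative updates and Package_for_ServicingStack...~~<build> for servicing stack updates; confirm the listing before removing anything.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the KB article). Get-WindowsPackage / Remove-WindowsPackage are the
# DISM module equivalents of dism /get-packages and dism /remove-package.

function Get-ServicingPackage {
    # Classify installed packages as LCU or SSU by name (naming convention is an assumption).
    param([string]$ImagePath)   # mounted offline image root; omit for the running OS
    $pkgs = if ($ImagePath) { Get-WindowsPackage -Path $ImagePath } else { Get-WindowsPackage -Online }
    foreach ($p in $pkgs) {
        if ($p.PackageState -ne 'Installed') { continue }
        $kind = switch -Wildcard ($p.PackageName) {
            'Package_for_RollupFix*'      { 'LCU' }
            'Package_for_ServicingStack*' { 'SSU' }
            default                       { $null }
        }
        if (-not $kind) { continue }
        $build = if ($p.PackageName -match '~~(\d+\.\d+)') { [version]$Matches[1] } else { [version]'0.0' }
        [pscustomobject]@{ Kind = $kind; Build = $build; PackageName = $p.PackageName }
    }
}

function Test-ServicingStackFloor {
    # True when the newest SSU is at or above the floor the KB names (20348.1960),
    # i.e. the image will not fail with 0x800f0823 when this LCU is applied.
    param([string]$ImagePath, [version]$MinSsu = [version]'20348.1960')
    $ssu = Get-ServicingPackage -ImagePath $ImagePath |
        Where-Object Kind -eq 'SSU' | Sort-Object Build -Descending | Select-Object -First 1
    return [bool]($ssu -and $ssu.Build -ge $MinSsu)
}

function Remove-LatestLcu {
    # Removes only the LCU; the SSU delivered in the same combined package stays installed.
    param([switch]$WhatIf)
    $lcu = Get-ServicingPackage | Where-Object Kind -eq 'LCU' | Sort-Object Build -Descending | Select-Object -First 1
    if (-not $lcu) { Write-Warning 'No cumulative update package found'; return }
    'Removing LCU {0} (build {1})' -f $lcu.PackageName, $lcu.Build
    if ($WhatIf) { return }
    # Equivalent: dism /Online /Remove-Package /PackageName:<name>
    Remove-WindowsPackage -Online -PackageName $lcu.PackageName -NoRestart
}

# Usage:
#   Test-ServicingStackFloor -ImagePath 'D:\mount'   # before servicing an offline image
#   Remove-LatestLcu -WhatIf                          # preview; rerun without -WhatIf to uninstall
```

Remove-LatestLcu targets the highest LCU build present, which after this update is 20348.5020; the SSU (20348.5021 per the KB) is intentionally left alone because it cannot be uninstalled.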

Frequently asked questions

Does this update include changes from previous months?

Yes. This cumulative update contains fixes and quality improvements from KB5078766, released March 10, 2026. If previous updates are already installed, Windows will download and install only the new components included in this package, not the full cumulative payload.

What should I do if domain controllers restart repeatedly after installing this update?

Install out-of-band update KB5091575 to resolve the issue. If your Windows Server 2022 devices are enrolled in hotpatching, use KB5091576 instead, which is delivered through Windows Update and does not require a device restart. The root cause is LSASS crashes at startup in multi-domain forests using Privileged Access Management (PAM).

Should I be concerned about the Secure Boot certificate expiration notices?

Devices that have not yet received newer Secure Boot certificates will continue to start and operate normally, and standard Windows updates will continue to install. Microsoft is rolling out the updated certificates in a phased approach via Windows Update. IT administrators should follow the guidance in the Secure Boot Playbook for Windows clients and Windows Server. You can check device status in the Windows Security app.

How does this update affect backup applications?

This update adds known vulnerable kernel drivers to the Microsoft vulnerable driver blocklist. Backup applications that rely on any of those blocked drivers may fail to mount or manage disk images and may show VSS timeout errors or VSS_E_BAD_STATE. Affected organizations should update their backup software to a version that uses drivers with the required protections, as described in Microsoft's April 2026 Windows security updates guidance.
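When a backup job starts failing right after this update, the useful evidence is which driver the blocklist refused, not the VSS error text. The following PowerShell is an added example, not code from the KB article or from Microsoft. It assumes that blocked loads are logged in Microsoft-Windows-CodeIntegrity/Operational as event 3077 (3076 when the policy is in audit mode) with the text "attempted to load <path>", and that VSS snapshot failures appear as Application-log errors from provider VSS; both are labelled in the code.

```powershell
# Added example (not from the KB article). Run elevated on the host whose backups fail.

function Get-BlockedDriverLoad {
    # Assumption: 3077 = enforced block, 3076 = audit-mode would-block.
    param([datetime]$Since = (Get-Date).AddDays(-7))
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3076, 3077
        StartTime = $Since
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Assumption about the message text; fall back to '(unparsed)' rather than drop the event.
        $file = if ($e.Message -match 'attempted to load (\S+)') { $Matches[1] } else { '(unparsed)' }
        $mode = if ($e.Id -eq 3077) { 'blocked' } else { 'audit' }
        [pscustomobject]@{
            Time   = $e.TimeCreated
            Mode   = $mode
            File   = $file
            Driver = [System.IO.Path]::GetFileName($file)
        }
    }
}

function Get-VssError {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'VSS'; Level = 2; StartTime = $Since
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; Summary = ($_.Message -split "`r?`n")[0] }
    }
}

$blocked = @(Get-BlockedDriverLoad)
$vss     = @(Get-VssError)
'Blocked driver loads: {0}; VSS errors: {1}' -f $blocked.Count, $vss.Count

# Pair each VSS error with blocked .sys loads in the preceding five minutes. A backup
# product's own driver showing up here means the KB's guidance applies: update the
# product to a build whose driver is not on the blocklist; do not try to re-enable the driver.
foreach ($err in $vss) {
    $near = $blocked | Where-Object {
        $_.Time -le $err.Time -and $_.Time -ge $err.Time.AddMinutes(-5) -and $_.Driver -like '*.sys'
    }
    if ($near) {
        '{0:u}  VSS {1}: {2}' -f $err.Time, $err.Id, $err.Summary
        $near | ForEach-Object { '    {0:u}  {1}  {2}' -f $_.Time, $_.Mode, $_.File }
    }
}
```

Audit-mode hits (3076) on a host that has not yet installed the update are the early warning: those drivers will be refused once the enforced blocklist arrives.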

