KB5082200: April 14, 2026 Security Update for Windows 10 (OS Builds 19045.7184 and 19044.7184)

April 14, 2026 cumulative security update for Windows 10 22H2, LTSC 2021, and IoT Enterprise LTSC 2021, delivering OS builds 19045.7184 and 19044.7184.

Summary

KB5082200 is a cumulative security update for Windows 10, released on April 14, 2026, targeting Windows 10 ESU (version 22H2), Windows 10 Enterprise LTSC 2021, and Windows 10 IoT Enterprise LTSC 2021. It produces OS builds 19045.7184 and 19044.7184. This is a Patch Tuesday security release that also delivers quality improvements. See the Microsoft Support page for full details.

Highlights

  • A sign-in failure affecting Microsoft accounts - where a false "no Internet" error blocked access to services such as Microsoft Teams - is now fixed.
  • Remote Desktop gains stronger anti-phishing protections: all connection settings in an .rdp file are displayed before connecting, each off by default, plus a one-time security warning on first use.
  • Secure Boot receives dynamic status reporting in the Windows Security app, a fix for a bug that could trigger BitLocker Recovery after Secure Boot updates, and expanded device targeting for automatic Secure Boot certificate rollout.
  • Known vulnerable kernel drivers are now added to the Microsoft vulnerable driver blocklist, which may affect some backup applications.

Improvements and fixes

  • Sign-In fix: Resolves a problem introduced in the March 10, 2026 update where some users received a false "no Internet" error when signing in to apps with a Microsoft account, blocking access to services including Microsoft Teams.
  • Remote Desktop anti-phishing: When opening an .rdp file, Remote Desktop now displays all requested connection settings before establishing the connection, with each setting disabled by default. A one-time security warning appears the first time an .rdp file is opened on a device.
  • Secure Boot - dynamic status reporting: Enables dynamic reporting of Secure Boot states within the Windows Security app (Settings > Update & Security > Windows Security) via badges and notifications. This feature is disabled by default on commercial devices and servers.
  • Secure Boot - BitLocker Recovery fix: Resolves an issue that could cause a device to enter BitLocker Recovery after Secure Boot updates were applied.
  • Secure Boot - certificate targeting: Quality updates now include additional high-confidence device targeting data, broadening the set of devices eligible to receive new Secure Boot certificates automatically. Devices receive the certificates only after sufficient successful update signals are confirmed, keeping the rollout controlled and phased.
  • Vulnerable driver blocklist hardening: Adds known vulnerable kernel drivers to the Microsoft vulnerable driver blocklist. Backup applications depending on blocked drivers may fail when mounting or managing disk images, displaying errors such as "The backup has failed because Microsoft VSS has timed out during the snapshot creation" or VSS_E_BAD_STATE. Affected users should update to a newer application version that uses drivers with the required protections.
  • LTSC only - Licensing/DISM fix: Resolves an issue where DISM offline operations on Windows 10 IoT Enterprise LTSC 2021, Windows 10 Enterprise G SKU, and Windows 10 Enterprise N LTSC could not apply security updates because of licensing enforcement limits. DISM can now add security packages during offline image creation for these LTSC editions.

Known issues

BitLocker recovery key prompt after update on certain Group Policy configurations

Symptom: Some devices with an unrecommended BitLocker Group Policy configuration may be required to enter their BitLocker recovery key on the first restart after installing this update. All of the following conditions must be true simultaneously:

  • BitLocker is enabled on the OS drive.
  • The Group Policy "Configure TPM platform validation profile for native UEFI firmware configurations" is set with PCR7 included in the validation profile (or via an equivalent registry key).
  • System Information (msinfo32.exe) reports Secure Boot State PCR7 Binding as "Not Possible".
  • The Windows UEFI CA 2023 certificate is present in the Secure Boot Signature Database (DB).
  • The device is not already running the 2023-signed Windows Boot Manager.

The recovery key is required only once - subsequent restarts will not trigger the recovery screen provided the Group Policy configuration remains unchanged.

Workaround: Microsoft is working on a resolution. The recommended temporary workaround is to remove the Group Policy configuration before installing the update, in this order:

  • Open Group Policy Editor (gpedit.msc) or the Group Policy Management Console.
  • Navigate to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
  • Set "Configure TPM platform validation profile for native UEFI firmware configurations" to "Not Configured".
  • Run gpupdate /force to propagate the change.
  • Run manage-bde -protectors -disable C: to suspend BitLocker.
  • Run manage-bde -protectors -enable C: to resume it.

This updates the BitLocker bindings to use the Windows-selected default PCR profile. Enterprises should audit their BitLocker Group Policies for explicit PCR7 inclusion and check msinfo32.exe for PCR7 binding status before deploying this update.

Remote Desktop security warnings may not display correctly on multi-monitor setups

Symptom: After installing this update, the security warning that appears when opening Remote Desktop (.rdp) files may not display correctly in some cases. The problem can occur when using more than one monitor with different display scaling settings - for example, one display at 100% and another at 125%. In such cases, the warning window may show overlapping text or partially hidden buttons, making the message difficult to read or interact with.

Resolution: This issue is resolved in Windows updates released on and after May 12, 2026 (such as KB5087544). Microsoft recommends installing the latest Windows update for your device.

How to get this update

This update is available through Windows Update, Windows Server Update Services (WSUS), and the Microsoft Update Catalog. If you have already installed earlier updates, only the new components in this package will be downloaded and installed. For Windows 10 version 22H2, use enablement package KB5015684 to upgrade. For Windows 10 version 21H2 on supported editions, use KB5003791. Microsoft recommends ensuring the latest servicing stack update is installed before applying this update, as noted in the March 10, 2026 predecessor update KB5078885.

Frequently asked questions

Will my device need a BitLocker recovery key after installing this update?

Most devices will not be affected. The issue only occurs when a specific combination of five conditions is true: BitLocker is enabled, a non-recommended Group Policy explicitly includes PCR7 in the TPM validation profile, msinfo32.exe reports PCR7 Binding as "Not Possible," the Windows UEFI CA 2023 certificate is in the Secure Boot DB, and the 2023-signed Boot Manager is not yet active. Auditing Group Policy and msinfo32.exe output before deploying is recommended for enterprises.
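
An added example (not Microsoft's code, and not from the original page) that evaluates the five conditions on one device, so the audit recommended here and in the known-issue section can be scripted before deployment. It assumes an elevated PowerShell session and English manage-bde output; the function name is hypothetical, the PCR7 binding state and Boot Manager state are supplied by the operator after checking msinfo32.exe and the boot files, and the PCR profile reported by manage-bde is used as a proxy for the Group Policy setting.

```powershell
# Added example, not Microsoft's code. Run in an elevated PowerShell session.
# Test-KB5082200RecoveryRisk is a hypothetical helper name.
function Test-KB5082200RecoveryRisk {
    param(
        # Operator input: msinfo32.exe reports PCR7 binding as "Not Possible".
        [Parameter(Mandatory)][bool]$Pcr7BindingNotPossible,
        # Operator input: the 2023-signed Windows Boot Manager is already in use.
        [Parameter(Mandatory)][bool]$BootManager2023Active
    )
    $drive = $env:SystemDrive

    # Condition 1: BitLocker protection is on for the OS drive.
    $bitLockerOn = (Get-BitLockerVolume -MountPoint $drive).ProtectionStatus -eq 'On'

    # Condition 2 (proxy): PCR7 appears in the profile the TPM protector uses.
    # Assumes English manage-bde output; confirm against the Group Policy itself.
    $text = (manage-bde -protectors -get $drive) -join "`n"
    $pcrs = @()
    if ($text -match 'PCR Validation Profile:\s*([\d,\s]+)') {
        $pcrs = $Matches[1] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    }
    $pcr7InProfile = $pcrs -contains '7'

    # Condition 4: "Windows UEFI CA 2023" appears in the Secure Boot DB.
    $ca2023InDb = $false
    try {
        $db = (Get-SecureBootUEFI -Name db -ErrorAction Stop).Bytes
        $ca2023InDb = [System.Text.Encoding]::ASCII.GetString($db) -match 'Windows UEFI CA 2023'
    } catch {
        Write-Warning "Could not read the Secure Boot DB: $($_.Exception.Message)"
    }

    # The recovery prompt is expected only when all five conditions hold together.
    [pscustomobject]@{
        BitLockerOn            = $bitLockerOn
        Pcr7InProfile          = $pcr7InProfile
        Pcr7BindingNotPossible = $Pcr7BindingNotPossible
        Ca2023InDb             = $ca2023InDb
        BootManager2023Active  = $BootManager2023Active
        RecoveryPromptExpected = $bitLockerOn -and $pcr7InProfile -and
            $Pcr7BindingNotPossible -and $ca2023InDb -and -not $BootManager2023Active
    }
}

Test-KB5082200RecoveryRisk -Pcr7BindingNotPossible $true -BootManager2023Active $false
```

A device that reports RecoveryPromptExpected as True should have its recovery key confirmed as escrowed, or the workaround applied, before the update is installed.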

What is changing with Remote Desktop and .rdp file security?

This update adds anti-phishing protections for .rdp files. When a user opens an .rdp file, Remote Desktop now shows all requested connection settings before connecting, with every setting turned off by default. A one-time security warning is also displayed the first time an .rdp file is opened on a device. Note that a display rendering issue with the warning on mixed-scaling multi-monitor setups is resolved in the May 12, 2026 update KB5087544.

What should I do if our backup software breaks after this update?

This update adds vulnerable kernel drivers to the Microsoft vulnerable driver blocklist. If your backup application relies on a newly blocked driver, it may fail to mount or manage disk images and may surface VSS timeout errors or VSS_E_BAD_STATE messages. Microsoft advises updating the backup application to a newer version that uses drivers meeting the required protections. See the April 2026 Windows security updates article on known vulnerable kernel drivers for details.

Does this update change anything for LTSC image deployments with DISM?

Yes, for Windows 10 Enterprise LTSC 2021 and IoT Enterprise LTSC 2021 editions specifically. A licensing enforcement issue previously prevented DISM offline operations from applying security updates to Windows 10 IoT Enterprise LTSC 2021, Windows 10 Enterprise G SKU, and Windows 10 Enterprise N LTSC images. This update resolves that, so administrators can now use DISM to inject security packages during offline image creation for these editions.
