April 14, 2026—KB5082198 (OS Build 14393.9060)
Applies To
Release Date:
4/14/2026
Version:
OS Build 14393.9060
Windows Secure Boot certificate expiration
Important: Secure Boot certificates used by most Windows devices are set to expire starting in June 2026. This might affect the ability of certain personal and business devices to boot securely if not updated in time. To avoid disruption, we recommend reviewing the guidance and taking action to update certificates in advance.
For details and preparation steps for Windows devices, see Windows Secure Boot certificate expiration and CA updates.
For details and preparation steps for Windows servers, see the following resources:
Summary
This article lists the security issues and quality improvements included in this security update.
Applies to: Windows Server 2016
This security update includes fixes and improvements that are a part of the following update:
The following is a summary of the issues that this update addresses. The bold text within the brackets indicates the item or area of the change we are documenting.
-
[Windows Configuration System (WinCS)] This update addresses an issue that affects Windows Configuration System (WinCS) on Windows 10, version 1607 and Windows Server 2016. Some WinCS components were missing. Because of this, you could not turn on Secure Boot using WinCS.
-
[Remote Desktop] This update improves protection against phishing attacks that use Remote Desktop (.rdp) files. When you open an .rdp file, Remote Desktop shows all requested connection settings before it connects, with each setting turned off by default. A one-time security warning also appears the first time you open an .rdp file on a device. For more information, see Understanding security warnings when opening Remote Desktop (RDP) files.
-
[Windows Deployment Services (WDS)] This update disables the “Hands-Free Deployment” feature in WDS by default and is no longer a supported feature. For more information about this change, see Windows Deployment Services (WDS) Hands-Free Deployment Hardening Guidance related to CVE-2026-0386.
-
[Kerberos protocol] This update changes the default DefaultDomainSupportedEncTypes value for Kerberos Key Distribution Center (KDC) operations to leverage AES-SHA1 for accounts that do not have an explicit msds-SupportedEncryptionTypes Active Directory attribute defined. For more information see, How to manage Kerberos KDC usage of RC4 for service account ticket issuance changes related to CVE-2026-20833.
-
[Secure Boot] With this update, Windows quality updates include additional high confidence device targeting data, increasing coverage of devices eligible to automatically receive new Secure Boot certificates. Devices receive the new certificates only after demonstrating sufficient successful update signals, maintaining a controlled and phased rollout.
If you installed earlier updates, only the new updates contained in this package will be downloaded and installed on your device.
For more information about security vulnerabilities, please refer to the new Security Update Guide website and the April 2026 Security Updates.
For more information about Windows 10, version 1607, see its update history page.
For information about Windows update terminology, see the article about the types of Windows updates and the monthly quality update types.
Known issues in this update
Domain controllers might restart repeatedly after installing this update
|
Symptoms |
Resolution |
|
After installing this update, domain controllers in environments with multiple domains in the forest that use Privileged Access Management (PAM), might experience LSASS crashes during startup. As a result, affected DCs might restart repeatedly, preventing authentication and directory services from functioning, and potentially rendering the domain unavailable. |
This issue is addressed in out-of-band update KB5091572. |
Warnings related to Remote Desktop might not display correctly
|
Symptoms |
Workaround |
Notes |
|
After installing this update, the security warning that appears when opening Remote Desktop (RDP) files might not display correctly in some cases. This issue might occur when you use more than one monitor with different display scaling settings (for example, one display set to 100% and another set to 125%). When this happens, the warning window might show overlapping text or partially hidden buttons, which can make the message difficult to read or interact with. |
To help the warning window display correctly, set the same display scaling on all monitors.
Next step We are working on a resolution and will provide more information when it is available. |
Keyboard accessibility option If buttons or text are difficult to select with a mouse, you can use the keyboard to interact with the warning message:
|
Applies to: Windows 10 Enterprise LTSB 2016 and Windows 10 IoT Enterprise 2016 LTSB
This security update includes fixes and improvements that are a part of the following update:
The following is a summary of the issues that this update addresses. The bold text within the brackets indicates the item or area of the change we are documenting.
-
[Windows Configuration System (WinCS)] This update addresses an issue that affects Windows Configuration System (WinCS) on Windows 10, version 1607 and Windows Server 2016. Some WinCS components were missing. Because of this, you could not turn on Secure Boot using WinCS.
-
[Remote Desktop] This update improves protection against phishing attacks that use Remote Desktop (.rdp) files. When you open an .rdp file, Remote Desktop shows all requested connection settings before it connects, with each setting turned off by default. A one-time security warning also appears the first time you open an .rdp file on a device. For more information, see Understanding security warnings when opening Remote Desktop (RDP) files.
-
[Secure Boot] With this update, Windows quality updates include additional high confidence device targeting data, increasing coverage of devices eligible to automatically receive new Secure Boot certificates. Devices receive the new certificates only after demonstrating sufficient successful update signals, maintaining a controlled and phased rollout.
If you installed earlier updates, only the new updates contained in this package will be downloaded and installed on your device.
For more information about security vulnerabilities, please refer to the new Security Update Guide website and the April 2026 Security Updates.
For more information about Windows 10, version 1607, see its update history page.
For information about Windows update terminology, see the article about the types of Windows updates and the monthly quality update types.
Known issues in this update
Warnings related to Remote Desktop might not display correctly
|
Symptoms |
Workaround |
Notes |
|
After installing this update, the security warning that appears when opening Remote Desktop (RDP) files might not display correctly in some cases. This issue might occur when you use more than one monitor with different display scaling settings (for example, one display set to 100% and another set to 125%). When this happens, the warning window might show overlapping text or partially hidden buttons, which can make the message difficult to read or interact with. |
To help the warning window display correctly, set the same display scaling on all monitors.
Next step We are working on a resolution and will provide more information when it is available. |
Keyboard accessibility option If buttons or text are difficult to select with a mouse, you can use the keyboard to interact with the warning message:
|
How to get this update
Before you install this update
To install updates released on or after January 14, 2025, we recommend you first install the latest Servicing Stack Update (SSU). If your device or offline image does not have the latest SSU installed, you might not be able to install this update.
Caution Until you install the SSU, this update might not be offered to your device. To reduce your security risk, install the SSU as soon as possible.
-
If you use Windows Update, the latest SSU (KB5082089) will be offered to you automatically. If the latest SSU is not installed, you might not be able to install this update.
-
If you use Windows Update for Business, the latest SSU (KB5082089) will be offered to you automatically. If the latest SSU is not installed, you might not be able to install this update.
-
If you use the Update Catalog, we recommend you download and install the latest SSU (KB5082089). If the latest SSU is not installed, you might not be able to install this update.
-
If you are a Windows Server Update Services (WSUS) administrator, you must approve SSU KB5082089 and this update KB5082198.
For general information about SSUs, see Servicing stack updates.
Install this update
To install this update, use one of the following Windows and Microsoft release channels.
|
Available |
Next Step |
|
|
This update will be downloaded and installed automatically from Windows Update. |
|
Available |
Next Step |
|
|
This update will be downloaded and installed automatically from Windows Update for Business in accordance with configured policies. |
|
Available |
Next Step |
|
|
To get the standalone package for this update, go to the Microsoft Update Catalog website. For information about how to download and install updates from the Update Catalog, see How to download updates that include drivers and hotfixes from the Windows Update Catalog. |
|
Available |
Next Step |
|
|
This update will automatically sync with Windows Server Update Services (WSUS) if you configure Products and Classifications as follows:
To set up your WSUS server to sync based on products and classifications, see Synchronizing Update by Product and Classification. To manually import updates into WSUS, see Import updates into WSUS by using PowerShell. |
File information
A list of the files that are included in this update are provided in a CSV (Comma delimited) (*.csv) file. The file can be opened in a text editor such as Notepad or in Microsoft Excel.
Note: The English (United States) version of this software update might contain files for additional languages.
Related information
Notice for Microsoft Store application updates
Windows updates do not install Microsoft Store application updates. If you are an enterprise user, see Microsoft Store apps - Configuration Manager. If you are a consumer user, see Get updates for apps and games in Microsoft Store.
End of support information
Windows Server 2016 and Windows 10 2016 LTSB end of support
Microsoft will no longer provide free software updates from Windows Update, technical assistance, or security fixes on the following end dates:
♦ Windows 10 Enterprise LTSB 2016: October 13, 2026
♦ Windows 10 IoT Enterprise 2016 LTSB: October 13, 2026
♦ Windows Server 2016: January 12, 2027
For more information, see Plan for Windows Server 2016 and Windows 10 2016 LTSB end of support.
Change log
|
Change date |
Change description |
|
April 23, 2026 |
|
|
April 22, 2026 |
|
|
April 19, 2026 |
|
|
April 17, 2025 |
|
|
April 16, 2026 |
|
Need more help?
Want more options?
Explore subscription benefits, browse training courses, learn how to secure your device, and more.
Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.
