Microsoft’s April 2026 Patch Tuesday release for Windows 11 is now live, and the headline update for versions 25H2 and 24H2 is KB5083769, which advances the operating system to build 26200.8246 for Windows 11 25H2 and build 26100.8246 for Windows 11 24H2. This is a mandatory security update that rolls in the March preview and out-of-band fixes, and it also serves as the Q2 2026 hotpatch baseline, meaning a restart is required this month even on hotpatch-eligible devices.
The release lands after one of the roughest Windows update cycles in recent memory. Microsoft pulled the original March 26 preview update KB5079391 after some devices hit installation error 0x80073712, then replaced it with the March 31 out-of-band build KB5086672. April’s cumulative update rolls that work forward, adds new security fixes, and arrives with the Secure Boot certificate deadline now uncomfortably close.
A second Windows 11 release also shipped today for older supported builds: Windows 11 23H2 received KB5082052, moving that branch to OS Build 22631.6936.
What Shipped on April 14, 2026
| Release | KB | Build / Version | Notes |
|---|---|---|---|
| Windows 11 25H2 / 24H2 security update | KB5083769 | 26200.8246 / 26100.8246 | Main cumulative update with April security fixes plus March preview/OOB improvements |
| Windows 11 23H2 security update | KB5082052 | 22631.6936 | Separate April 2026 security release for 23H2 |
| .NET Framework security update | KB5082417 | .NET Framework 3.5 / 4.8.1 | Security and reliability servicing for legacy .NET Framework components |
| .NET 8 security update | KB5086096 | .NET 8.0.26 | Companion runtime servicing release |
| .NET 9 security update | KB5086097 | .NET 9.0.15 | Companion runtime servicing release |
The build jump from the March 31 out-of-band release KB5086672 (26200.8117 / 26100.8117) to today’s security release (26200.8246 / 26100.8246) is 129 builds, which helps explain why this month feels more like a consolidated platform refresh than a routine security rollup.
Package Sizes: Manual Catalog Downloads Are Still Huge
Windows Latest reports the standalone Microsoft Update Catalog packages remain unusually large when downloaded manually:
| Build | Size | Version | Architecture | Source |
|---|---|---|---|---|
| 26200.8246 | 5116.0 MB | Windows 11 25H2 | x64 | Windows Latest |
| 26200.8246 | 5116.0 MB | Windows 11 25H2 | arm64 | Windows Latest |
| 26100.8246 | 4598.9 MB | Windows 11 24H2 | x64 | Windows Latest |
| 26100.8246 | 4598.9 MB | Windows 11 24H2 | arm64 | Windows Latest |
That matters most to admins pulling full offline packages from the Catalog rather than relying on the much smaller differential delivery Windows Update typically uses.
What Microsoft Officially Added or Fixed in KB5083769
Microsoft’s official KB for April 14 calls out several changes that were missing from early write-ups and are worth elevating to the top of the story.
Secure Boot Status, Rollout Expansion, and BitLocker Fixes
The highest-profile platform work in this release centers on Secure Boot certificate servicing. Windows Security can now surface the status of Secure Boot certificate updates under Settings > Privacy & security > Windows Security. On enterprise-managed and other commercial devices, those user-facing status indicators are disabled by default, which is important for IT admins who expect to manage this centrally.
Microsoft also says April’s quality update includes additional high-confidence device targeting data to expand the set of devices eligible to automatically receive the new 2023 Secure Boot certificates in a controlled, phased rollout. Just as importantly, KB5083769 fixes an issue where Secure Boot updates could push some systems into BitLocker Recovery.
Networking: SMB Compression Over QUIC
KB5083769 improves reliability when Windows uses SMB compression over QUIC. Microsoft says compression requests now complete more consistently, which should reduce timeout risk in environments using modern SMB over QUIC scenarios.
Remote Desktop: Better Protection Against Malicious .RDP Files
Remote Desktop gets one of the most security-relevant client changes in this release. When a user opens an .rdp file, Remote Desktop now shows the requested connection settings before connecting, with each setting turned off by default. A one-time security warning also appears the first time an .rdp file is opened on a device. That is a meaningful anti-phishing hardening step for organizations that distribute remote access profiles by file.
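
To see in advance which settings a distributed profile requests, the added example below (not Microsoft's code) parses the `name:type:value` lines of an .rdp file and reports the redirections it turns on. The property watch-list, the function names, and the sample host are assumptions of this example; the page does not list which settings the new dialog shows.

```python
import codecs

# Assumption: a selection of documented .rdp properties chosen for this example,
# not the list of settings the updated Remote Desktop dialog displays.
REDIRECTIONS = {
    "drivestoredirect": "local drives", "redirectclipboard": "clipboard",
    "redirectprinters": "printers", "redirectsmartcards": "smart cards",
    "devicestoredirect": "plug and play devices", "usbdevicestoredirect": "USB devices",
    "camerastoredirect": "cameras", "audiocapturemode": "microphone",
}

def decode_rdp(raw: bytes) -> str:
    """Saved profiles are commonly UTF-16 with a BOM; hand-edited ones often UTF-8."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig", errors="replace")

def parse_rdp(raw: bytes) -> dict:
    """Return {name: (type, value)} for every 'name:type:value' line."""
    settings = {}
    for line in decode_rdp(raw).splitlines():
        parts = line.strip().split(":", 2)  # values may contain ':' (host:port)
        if len(parts) == 3 and parts[1] in ("i", "s", "b"):
            settings[parts[0].strip().lower()] = (parts[1], parts[2].strip())
    return settings

def audit(raw: bytes) -> dict:
    """Report the connection target and every redirection the file turns on."""
    settings = parse_rdp(raw)
    requests = {}
    for key, label in REDIRECTIONS.items():
        kind, value = settings.get(key, ("s", ""))
        off_values = ("", "0") if kind == "i" else ("",)
        if value not in off_values:
            requests[label] = value
    return {"target": settings.get("full address", ("s", ""))[1], "requests": requests}

# Constructed sample profile (the host name is a placeholder).
SAMPLE_TEXT = "\r\n".join([
    "full address:s:rdgw.example.test:3389",
    "redirectclipboard:i:1", "redirectprinters:i:0",
    "drivestoredirect:s:*", "audiocapturemode:i:1", "camerastoredirect:s:",
])
SAMPLE_UTF16 = SAMPLE_TEXT.encode("utf-16")  # written with a BOM
SAMPLE_UTF8 = SAMPLE_TEXT.encode("utf-8")

if __name__ == "__main__":
    print(audit(SAMPLE_UTF16))
```

Running it over every profile an organization publishes gives the list of redirections users will be asked to approve after the update.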
Reset This PC Fix After March Hotpatching
Microsoft also fixed a Reset this PC problem that could cause device reset to fail when using either Keep my files or Remove everything after installing the March 2026 hotpatch security update KB5079420.
Features Rolled Forward from the March Preview and Out-of-Band Builds
Most of the visible user-facing improvements in April were actually introduced in the March preview path and then preserved in the March 31 out-of-band build. April is the month those changes become part of the mainstream mandatory security update.
Smart App Control No Longer Requires Reinstallation
This remains one of the standout changes in the release. Smart App Control (SAC) can now be turned on or off without reinstalling Windows. Previously, SAC was effectively a one-way setup decision tied to a clean installation. In the new model, users can manage it under Settings > Windows Security > App & Browser Control > Smart App Control settings.
That is a major operational shift for both enthusiasts and IT admins. SAC still relies heavily on Microsoft’s reputation systems, which means internal line-of-business tools, unsigned utilities, and niche software can still create friction in some environments. The difference now is that testing and reversibility are far less painful.
Narrator Image Descriptions Expand Beyond Copilot+ PCs
Narrator’s rich image descriptions are no longer confined to Copilot+ hardware. On any supported Windows 11 device, users can press Narrator key + Ctrl + D to describe the focused image or Narrator key + Ctrl + S to describe the full screen using Copilot. Copilot+ PCs still get faster on-device descriptions, but the capability now reaches mainstream devices as well.
Settings App Improvements
April’s build also consolidates a broad set of Settings app refinements:
- Microsoft 365 Family subscribers can switch to another Microsoft 365 plan from Settings > Accounts
- The Other users dialogs now use the modern Windows 11 visual style and support dark mode
- The Pen settings page adds a “Same as Copilot key” option for the tail button
- The Settings > About page has a more structured device-specification layout with easier navigation to related components, including Storage
- The device info card on the Settings Home page has been refined for easier scanning
- Opening the Settings Home page is more reliable and responsive
- Downloading required updates from Settings > System > Advanced is more reliable
File Explorer, Display, and Quality-of-Life Fixes
File Explorer now supports Voice Typing while renaming files, improves reliability when previewing files downloaded from the internet, and adds sorting by Principal in Advanced Security Settings.
Display-related changes are broader than they may first appear. Windows can now recognize monitor refresh rates above 1000 Hz, improves native USB4 monitor sleep behavior, improves auto-rotation reliability after resume, improves HDR handling for non-compliant DisplayID 2.0 blocks, and reports monitor size more accurately through WMI monitor APIs.
The same March code path also brought a long list of less flashy but still important fixes across the platform: safer Start menu JSON layout application through Group Policy, better Voice Access number detection in English, better Windows Hello fingerprint reliability, improved Safe Mode taskbar loading, more accurate Application Control for Business app ID tagging, better MIDI short-message handling, removal of an extraneous sfc /scannow error message, better ARM64 Windows RE stability for x64 apps, improved support for WUSA installing .msu packages from network shares, updated printer downlevel baseline support to Windows 10 version 1607 / Server 2016, and recognition of DisableSeamlessLanguageBar by the Set-RDSessionCollectionConfiguration PowerShell command.
AI Components and the Servicing Stack Update
Microsoft’s April KB also explicitly documents the bundled AI component versions:
| AI Component | Version |
|---|---|
| Image Search | 1.2603.377.0 |
| Content Extraction | 1.2603.377.0 |
| Semantic Analysis | 1.2603.377.0 |
| Settings Model | 1.2603.377.0 |
These AI component updates are bundled with the cumulative update, but Microsoft notes that they are only applicable to Copilot+ PCs and do not install on standard Windows PCs or Windows Server.
The release also includes the latest servicing stack update, KB5088467, taking the servicing stack to 26100.8247. As with other modern cumulative updates, Microsoft combines the SSU and LCU into the same delivery flow.
Security Context: Why This Patch Tuesday Matters
The Windows 11 cumulative update is only one part of the broader April 2026 Patch Tuesday picture, but it lands in a month with a notably heavy security payload. Early third-party Patch Tuesday analysis published on release day puts Microsoft’s April bundle at 167 fixed flaws, including 2 zero-days and 8 critical vulnerabilities.
That follows a bruising first quarter: January brought 112 newly patched CVEs and one actively exploited zero-day, February delivered 59 CVEs including six actively exploited zero-days, and March added 83 CVEs with two publicly disclosed vulnerabilities. In other words, April arrives after three consecutive months in which patch quality and threat intensity have both been unusually high.
BlueHammer and Other Watch Items Outside the Official KB
One reason admins are watching April especially closely is the appearance of BlueHammer, a publicly released local privilege escalation exploit that reportedly abuses Windows Defender’s signature-update process. Independent security write-ups say the proof of concept can escalate a low-privileged local user to NT AUTHORITY\SYSTEM, and as of publication Microsoft has not publicly assigned a CVE or confirmed a fix. There is no indication in Microsoft’s KB5083769 release notes that BlueHammer is addressed here.
Another important correction to earlier reporting involves CAPI/CSP smart card guidance. Earlier Windows guidance said support for the DisableCapiOverrideForRSA workaround would be removed in April 2026, but Microsoft updated that support article in February 2026 and moved the removal target to February 2027. That means admins still relying on the workaround have more time than first expected, though migration planning should still be active.
Secure Boot Certificates: The June 2026 Deadline Is Real
The Secure Boot certificate clock is still one of the most important background stories in Windows servicing right now. Microsoft’s 2011-era certificates begin expiring in June 2026, with the Microsoft Corporation KEK CA 2011 and Microsoft UEFI CA 2011 expiring first, while Microsoft Windows Production PCA 2011 follows later in October 2026.
Microsoft’s current guidance is nuanced but important: devices that have not yet received the newer 2023 certificates should continue to boot and continue receiving standard Windows updates. However, those systems will no longer receive new early-boot protections, including future updates to Windows Boot Manager, Secure Boot databases, revocation lists, and mitigations for newly discovered boot-level threats. That distinction matters. A machine may appear to keep working normally while quietly falling behind the trusted-boot security baseline.
This is why the new Windows Security status surfacing, the phased automatic rollout, and the BitLocker Recovery fix all matter. For IT departments, this is no longer a background firmware housekeeping topic—it is a near-term operational deadline.
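
For pilot devices where the Windows Security indicator is disabled, certificate presence can be checked directly from a dump of the UEFI `db` variable. The added example below (not Microsoft's code) walks the EFI_SIGNATURE_LIST structures and reports which watched certificate names appear in X.509 entries; the 2023 subject name, the function names, and the sample data are supplied by this example, not by the page.

```python
import struct
import uuid

# Signature-type GUIDs from the UEFI specification, in on-disk (mixed-endian) form.
EFI_CERT_X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072").bytes_le
EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328").bytes_le
HEADER = 28  # 16-byte type GUID + three little-endian uint32 sizes
# The 2011 name is given on this page; the 2023 name is supplied by this example.
WATCHED = ("Microsoft Windows Production PCA 2011", "Windows UEFI CA 2023")

def x509_entries(db: bytes):
    """Yield certificate blobs from concatenated EFI_SIGNATURE_LIST structures."""
    off = 0
    while off < len(db):
        if off + HEADER > len(db):
            raise ValueError(f"truncated list header at offset {off}")
        list_size, hdr_size, sig_size = struct.unpack_from("<III", db, off + 16)
        end = off + list_size
        if list_size < HEADER or end > len(db) or sig_size <= 16:
            raise ValueError(f"malformed signature list at offset {off}")
        if db[off:off + 16] == EFI_CERT_X509:
            pos = off + HEADER + hdr_size
            while pos + sig_size <= end:
                yield db[pos + 16:pos + sig_size]  # drop 16-byte SignatureOwner
                pos += sig_size
        off = end  # lists of other types (hashes) are skipped whole

def cert_status(db: bytes, names=WATCHED) -> dict:
    """Map each watched name to True if some X.509 entry contains it."""
    certs = list(x509_entries(db))
    return {n: any(n.encode("ascii") in c for c in certs) for n in names}

def make_list(sig_type: bytes, payload: bytes) -> bytes:
    """Build a one-entry signature list (used only for the constructed samples)."""
    sig = bytes(16) + payload  # all-zero owner GUID
    return sig_type + struct.pack("<III", HEADER + len(sig), 0, len(sig)) + sig

# Constructed samples: placeholder blobs carrying only a subject name, not real certs.
OLD_DB = make_list(EFI_CERT_X509, b"CN=Microsoft Windows Production PCA 2011")
NEW_DB = (OLD_DB + make_list(EFI_CERT_SHA256, bytes(32))
          + make_list(EFI_CERT_X509, b"CN=Windows UEFI CA 2023"))

if __name__ == "__main__":
    print("old:", cert_status(OLD_DB))
    print("new:", cert_status(NEW_DB))
```

On Windows the input is the `Bytes` property returned by `Get-SecureBootUEFI -Name db`; a Linux efivars file carries four attribute bytes before the first list, which must be stripped first.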
.NET and Hotpatch Context
Alongside the Windows cumulative update, Microsoft shipped companion security servicing for .NET Framework 3.5 / 4.8.1 and modern .NET runtimes. That keeps April aligned with the broader Patch Tuesday release train rather than treating Windows and .NET as separate maintenance events.
April is also a hotpatch baseline month. Devices eligible for hotpatch still need this month’s full rebooting baseline update before they can take advantage of restart-free security updates later in the quarter. Microsoft has separately confirmed that hotpatch will be enabled by default in Windows Autopatch / Intune for eligible devices starting with the May 2026 security update. In practical terms, that makes April the setup month administrators need to get right.
Known Issues Status
This is one area where the April release is refreshingly simple: Microsoft currently lists no known issues for KB5083769. That is a welcome change after March’s failed preview, emergency replacement build, and broader confidence hit.
Deployment Guidance
For enterprise rollout, the best reading of April’s release is “important, broader than it looks, and worth staged deployment.”
- Verify BitLocker recovery keys before widespread deployment, especially on fleets likely to receive Secure Boot certificate updates
- Check Secure Boot certificate status on pilot devices and verify whether managed-device indicators are intentionally disabled by policy
- Validate any workflows that distribute or rely on .rdp files, because the new Remote Desktop warning and default-off behavior change user experience
- Pilot the update on representative hardware, especially devices using ARM64, USB4 displays, custom smart card stacks, or hotpatch readiness policies
- Do not skip April’s baseline if you intend to use hotpatch in May and June
The broader takeaway is that KB5083769 is not just another Patch Tuesday rollup. It is a security release, a Secure Boot servicing milestone, a hotpatch prerequisite, a Remote Desktop hardening update, and the formal production landing zone for many of the features Microsoft tested through March’s rocky preview cycle.
Windows 11 24H2 / 25H2 Build Timeline for 2026
| Month | KB | Build (25H2 / 24H2) | Notes |
|---|---|---|---|
| December 2025 | KB5072033 | 26200.7462 / 26100.7462 | Year-end security release |
| January 2026 | KB5074109 | 26200.7623 / 26100.7623 | January Patch Tuesday baseline |
| February 2026 | KB5077181 | 26200.7840 / 26100.7840 | February security release |
| March 2026 | KB5079473 | 26200.8037 / 26100.8037 | March security release |
| March 2026 | KB5085516 | 26200.8039 / 26100.8039 | Out-of-band fix after March issues |
| March 2026 | KB5079391 | 26200.8116 / 26100.8116 | Preview build later pulled for installation problems |
| March 2026 | KB5086672 | 26200.8117 / 26100.8117 | Out-of-band replacement for the pulled preview |
| April 2026 | KB5083769 | 26200.8246 / 26100.8246 | Current Patch Tuesday security release and Q2 hotpatch baseline |