For April, a large ‘dynamic’ Patch Tuesday release
This month’s Patch Tuesday release is large (126 patches), broad and unfortunately very dynamic, with several re-releases, missing files and broken patches affecting both the Windows and Office platforms.
Reports of an exploited Windows vulnerability (CVE-2025-29824) leads to a “Patch Now” recommendation for Windows — and the Office updates will require immediate testing and some time to ensure all patches are present and correct. Fortunately, SQL Server updates affect only the SQL Server Management Studio application. Both the browser and development tool patches can be deployed on a standard release schedule.
To help, the Readiness team crafted this useful infographic detailing the risks associated with each of the updates for this cycle. (And here’s a look at the last six months of Patch Tuesday releases.)
Known issues
This Patch Tuesday release includes many updates addressing issues (aka problems) created by the March patch update. In addition to our standard Windows known issues, we also have Microsoft Office issues to address, including:
- Microsoft Word, Microsoft Excel, and Microsoft Outlook might stop responding after you install the KB5002700 security update for Office 2016. This issue is fixed in the update for Office 2016 (KB5002623).
- System Guard Runtime Monitor Broker Service (SgrmBroker.exe): The Windows Event Viewer might display an error related to SgrmBroker.exe on devices that installed Windows updates released Jan. 14, 2025 or later. Microsoft has not published a fix yet, though there are several registry keys that can be added to the target system to mitigate the issue.
- Microsoft Active Directory: Audit Logon/Logoff settings in the local policy applied through Active Directory Group Policy might not show as enabled, even when they are enabled and working. Microsoft is working on a resolution; mitigating actions can be found in this Microsoft bulletin (KB5055519).
- Windows Hello. Microsoft has reported what is described as an edge case: “After installing this update and performing a Push button reset or Reset this PC from Settings > System > Recovery and selecting Keep my Files and Local install, some users might be unable to login to their Windows services using Windows Hello facial recognition or PIN.”
Microsoft advises that systems with Secure Launch or DRTM enabled prior to this update, or those with these features disabled, are not affected.
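Two of these known issues are easy to confirm on a patched machine rather than by watching for complaints. The following is an added example (not from the original article): it looks for the SgrmBroker.exe errors in the event logs and reads the effective Logon/Logoff audit policy with auditpol, which reports what is actually enforced regardless of what the Group Policy editor displays. Run it in an elevated PowerShell session; the seven-day window is an arbitrary default.

```powershell
# Added example, not from the original article: post-update checks for two of the
# April known issues. Run in an elevated PowerShell session on a patched machine.

# SgrmBroker.exe: the Event Viewer entries appear on devices that installed the
# Jan. 14, 2025 or later updates. Match on the message text rather than a single
# event ID so the check is not tied to one build's wording.
function Get-SgrmBrokerErrors {
    param([int] $Days = 7)
    $filter = @{
        LogName   = 'System', 'Application'
        Level     = 1, 2, 3                      # critical, error, warning
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'SgrmBroker' } |
        Select-Object TimeCreated, LogName, Id, ProviderName, Message
}

# Audit Logon/Logoff: the Group Policy editor may show the subcategories as not
# configured even though they are in force. auditpol /get reports the effective
# policy, which is what the system actually enforces.
function Get-EffectiveLogonAudit {
    $csv = auditpol /get /category:"Logon/Logoff" /r | Where-Object { $_.Trim() }
    $csv | ConvertFrom-Csv | Select-Object Subcategory, 'Inclusion Setting'
}

$errors = @(Get-SgrmBrokerErrors)
if ($errors.Count) { $errors | Format-Table -AutoSize -Wrap }
else { 'No SgrmBroker.exe errors in the System or Application log for the last 7 days.' }

Get-EffectiveLogonAudit | Format-Table -AutoSize
```

If auditpol shows the Logon and Logoff subcategories as "Success" (or "Success and Failure") while the Group Policy editor shows them unconfigured, you are seeing the display issue described above, not a policy that failed to apply.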
Major revisions and mitigations
This is a huge week for delayed patches (Windows 10) and real changes to Microsoft updates that require additional attention.
The following Microsoft CVE entries have documentation updates only:
- CVE-2025-21204 : Windows Process Activation Elevation of Privilege Vulnerability
- CVE-2025-26647 : Windows Kerberos Elevation of Privilege Vulnerability
- CVE-2025-27740: Active Directory Certificate Elevation of Privilege Vulnerability
The following two updates have documented mitigations that might help with their deployments:
- CVE-2025-26647: Windows Kerberos Elevation of Privilege Vulnerability. Microsoft is concerned that improper input validation in Windows Kerberos could allow an unauthorized attacker to elevate privileges over a network. Microsoft has not offered a single mitigating setting; instead it recommends following the Update, Monitor and Act methodology for all Kerberos implementations.
- CVE-2025-21197: Windows NTFS Information Disclosure Vulnerability. This is Microsoft’s second attempt in addressing this file system vulnerability. Unfortunately, there may be unexpected app compatibility issues with this latest change. You can find more information on the potential impact and how to enable/disable it here: KB5058189.
These updates may require attention as they relate to failed installs and missing files:
- CVE-2025-27745: Microsoft Office Remote Code Execution Vulnerability
- CVE-2025-27747: Microsoft Word Remote Code Execution Vulnerability
- CVE-2025-27748: Microsoft Office Remote Code Execution Vulnerability
- CVE-2025-27749: Microsoft Office Remote Code Execution Vulnerability
- CVE-2025-27752: Microsoft Excel Remote Code Execution Vulnerability
- CVE-2025-29791: Microsoft Excel Remote Code Execution Vulnerability
- CVE-2025-29792: Microsoft Office Elevation of Privilege Vulnerability
- CVE-2025-29793: Microsoft SharePoint Remote Code Execution Vulnerability
- CVE-2025-29794: Microsoft SharePoint Remote Code Execution Vulnerability
- CVE-2025-29820: Microsoft Word Remote Code Execution Vulnerability
That is indeed a lot of patches to review; the Readiness team recommends reading the latest patch guidance for them here: KB5002700.
Windows lifecycle and enforcement updates
Microsoft did not publish any enforcement updates for April, but the following Microsoft products are nearing their end-of-service life cycles:
- Windows 11 Enterprise, Education and IoT Enterprise, version 22H2, reach end of support on Oct. 14, 2025.
- Windows Server Annual Channel, version 23H2, reaches end of service on Oct. 24, 2025.
For those who were expecting the Microsoft virtualization technology App-V to expire last April, this now aging technology has had its servicing and support extended to April 2026. Microsoft has promised not to deprecate the App-V sequencer (like ever), which makes me smile.
The team at Readiness has analyzed the latest Patch Tuesday updates and provides detailed, actionable testing guidance based on a large application portfolio and a comprehensive analysis of the patches and their potential impact on Windows and app deployments.
This month’s release brings broad, but non-disruptive, changes across the Windows platform. While there are no functional changes reported, this update cycle touches critical components across security, networking, media, and core system services.
Here’s what enterprise IT teams and testers need to look out for.
Security and authentication
Several updates target core identity and authentication components, particularly lsasrv.dll, ci.dll, and skci.dll. These underpin scenarios involving Windows Hello, PIN logins, and certificate services. Even though labeled low risk, these areas are foundational and demand extra care in testing:
- Windows Defender Application Control (WDAC): Validate AppID tagging and policy updates post-reboot.
- LSASS (Local Security Authority Subsystem Service): Test authentication across AAD, AD, and workgroups. Use tools like runas.exe and confirm no regressions in NTLM, Kerberos, or certificate-based flows.
- BitLocker and VBS Security: Windows Hello and VPN connections should work uninterrupted. Reboot testing is essential to catch potential bootloader integrity issues.
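A practical way to check the LSASS item above is to drive a real logon and then read back from the Security log which authentication package serviced it, instead of trusting that "it connected". The following is an added example (not from the original article) in PowerShell: it opens an SMB session to this host with a test credential, then parses the resulting 4624 events. On a domain-joined machine, connecting by hostname should produce a Kerberos logon and connecting by IP address should fall back to NTLM; if either flips after the update, that is a regression to investigate. It assumes an elevated session, success auditing for "Audit Logon" enabled, a domain test account entered as DOMAIN\user with administrative rights on this machine (the share used is C$), and no existing SMB session to the same host under other credentials.

```powershell
# Added example, not from the original article. Drives a network (type 3) logon
# against this host over SMB with a test credential, then reads the local Security
# log to see which package LSASS actually used. Assumes: elevated session, "Audit
# Logon" success auditing (event 4624), a DOMAIN\user test account with admin
# rights here (C$ is used), and no open SMB session to the same host.
function Test-NetworkLogonPackage {
    param(
        [Parameter(Mandatory)] [string] $Target,            # hostname or IP address
        [Parameter(Mandatory)] [pscredential] $Credential,
        [Parameter(Mandatory)] [ValidateSet('Kerberos', 'NTLM')] [string] $Expected
    )
    $start = Get-Date
    New-PSDrive -Name PT -PSProvider FileSystem -Root "\\$Target\C`$" -Credential $Credential | Out-Null
    try {
        Get-ChildItem -Path 'PT:\' | Out-Null          # forces the SMB session setup
    }
    finally {
        Remove-PSDrive -Name PT
    }
    Start-Sleep -Seconds 2                                # let the audit event land

    $user = $Credential.GetNetworkCredential().UserName   # account name without the domain
    $hits = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $start } |
        ForEach-Object {
            # 4624 carries its fields as <Data Name="...">; flatten them into a table.
            $d = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                User      = $d['TargetUserName']
                LogonType = $d['LogonType']
                Package   = $d['AuthenticationPackageName']
                LmPackage = $d['LmPackageName']
                Source    = $d['IpAddress']
            }
        } |
        Where-Object { $_.LogonType -eq '3' -and $_.User -ieq $user }

    if (-not $hits) { throw "No type 3 logon for $user recorded against $Target; check audit policy." }
    $hits | Format-Table -AutoSize
    $wrong = @($hits | Where-Object { $_.Package -ne $Expected })
    if ($wrong.Count) { Write-Warning "${Target}: logon used $($wrong[0].Package), expected $Expected" }
    return ($wrong.Count -eq 0)
}

# Usage: by name the logon should be Kerberos; by IP address it should be NTLM.
$cred   = Get-Credential -Message 'Test account (DOMAIN\user)'
$ip     = (Get-NetIPAddress -AddressFamily IPv4 |
           Where-Object { $_.IPAddress -notmatch '^(127\.|169\.254\.)' } |
           Select-Object -First 1).IPAddress
$krbOk  = Test-NetworkLogonPackage -Target $env:COMPUTERNAME -Credential $cred -Expected Kerberos
$ntlmOk = Test-NetworkLogonPackage -Target $ip -Credential $cred -Expected NTLM
"Kerberos by name: $krbOk; NTLM by IP: $ntlmOk"
```

Run the same pair before and after the update on a representative domain-joined test machine and a workgroup machine (where both paths are expected to be NTLM). If NTLM is blocked by policy in your environment, drop the IP-address call rather than treating its failure as a patch regression.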
Networking and remote access
This release includes updates to multiple RRAS-related DLLs (ipmontr.dll, ipsnap.dll, mprapi.dll), netbt.sys, and tcpip.sys, all of which underpin Windows’ networking stack.
- RRAS and Netsh: Validate remote configuration and scripting scenarios. Commands like netsh interface and MMC snap-ins must execute without issues.
- NetBIOS Controls: Non-admin users in the Network Configuration Operators group should only affect allowed scopes. Test firewall rules and registry protection.
- HTTP.sys and Web Services: Host internal web services and simulate browser-based traffic to confirm consistent response behavior under load.
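The netsh, NetBIOS and HTTP.sys checks above lend themselves to a small script that records exit codes before and after the update. The following is an added example (not from the original article): it runs a set of netsh and related commands that work on any Windows install, reports any non-zero exit code, and lists which principals hold write access on the NetBT parameters registry key, which is the "registry protection" a Network Configuration Operators member should not be able to bypass. The command list is a starting point; netsh ras commands only succeed where the RRAS role is installed, so add them on your RRAS servers specifically.

```powershell
# Added example, not from the original article. Runs netsh-facing checks, records
# each command's exit code, and reports write-capable ACEs on the NetBIOS over
# TCP/IP parameters key. Run in an elevated PowerShell session.
function Invoke-NetshChecks {
    $commands = @(
        'netsh interface show interface',
        'netsh interface ipv4 show interfaces',
        'netsh interface ipv4 show addresses',
        'netsh interface ipv6 show interfaces',
        'netsh interface tcp show global',
        'netsh advfirewall show currentprofile',
        'netsh http show servicestate',      # HTTP.sys request queues and URL groups
        'nbtstat -n'                          # local NetBIOS name table
    )
    foreach ($c in $commands) {
        $out = cmd.exe /c "$c 2>&1"
        [pscustomobject]@{ Command = $c; ExitCode = $LASTEXITCODE; OutputLines = @($out).Count }
    }
}

# Registry protection: list every Allow ACE on the NetBT parameters key that
# carries a write-capable right. Network Configuration Operators should change
# interface settings through the supported tools, not by editing this key.
function Get-NetbtWriteAccess {
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
    $write = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, WriteKey, FullControl'
    (Get-Acl -Path $key).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.RegistryRights -band $write) } |
        Select-Object IdentityReference, RegistryRights, IsInherited
}

$results = Invoke-NetshChecks
$results | Format-Table -AutoSize
$failed = @($results | Where-Object ExitCode -ne 0)
if ($failed.Count) { Write-Warning "$($failed.Count) command(s) returned a non-zero exit code" }

Get-NetbtWriteAccess | Format-Table -AutoSize
```

Save the two tables from a pre-update baseline and diff them against the post-update run; an ACE granting write rights to Network Configuration Operators or to Users that was not there before is the kind of change this testing is meant to catch.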
Remote desktop and virtualization
Remote Desktop Protocol (RDP) support remains a high-impact area and will require validation with the following testing recommendations:
- Remote Desktop Gateway (RDGW): Confirm cross-user connections, session persistence (reconnects, logins), and stability across Windows Server editions.
- Virtualization with VHDs: Validate NTFS volume mount/dismount from VHDs. Create, attach, and manipulate VHD-based virtual disks with file I/O operations.
Media, graphics and UI
Multimedia and UI components received several under-the-hood updates. These don’t add features, but any instability here can affect the user experience.
- Graphics Stack: Run screen-sharing and capture scenarios. WinUI apps using animation shadows should behave consistently.
- Media Foundation: Playback tests on Blu-ray content with subtitles are needed. Check for regressions in rendering.
- Gaming Tools: Use the Game Bar (Win+G) to test screenshots and recordings during gameplay on Windows 11. Microsoft recommends that you install several (at least three) games to fully test out this graphics stack change. We never had it so good.
File system and storage
This month’s patches affect how Windows file systems respond to directory change notifications and mount events. Be sure to:
- Simulate NTFS events: Monitor file creation/deletion in Explorer-style interfaces.
- Reboot & Remount: Mount VHDs, perform file operations, then reboot to ensure persistence and data integrity.
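The VHD mount/dismount item under "Remote desktop and virtualization" and the two file system items above are the same test run end to end. The following is an added example (not from the original article): it creates a throwaway dynamic VHDX, mounts and formats it as NTFS, watches the volume for directory change notifications while files are created and deleted, records SHA-256 hashes of what remains, and dismounts. A second function, meant to be run after the reboot the guidance asks for, re-mounts the same VHDX and checks every file against those hashes. It requires an elevated session and the Hyper-V PowerShell module (New-VHD, Mount-VHD, Dismount-VHD); the path, size and file count are arbitrary test values.

```powershell
# Added example, not from the original article. Requires an elevated session and
# the Hyper-V PowerShell module. Path, size and file counts are arbitrary.
function Test-VhdNtfsNotifications {
    param([string] $VhdPath = "$env:TEMP\readiness-test.vhdx", [int] $Files = 20)

    New-VHD -Path $VhdPath -SizeBytes 256MB -Dynamic | Out-Null
    $vol = Mount-VHD -Path $VhdPath -PassThru | Get-Disk |
           Initialize-Disk -PartitionStyle GPT -PassThru |
           New-Partition -UseMaximumSize -AssignDriveLetter |
           Format-Volume -FileSystem NTFS -NewFileSystemLabel 'PTTEST' -Confirm:$false
    $root = "$($vol.DriveLetter):\"

    # Subscribe to directory change notifications; events queue up in the session
    # and are read back with Get-Event once the file operations are done.
    $fsw = New-Object System.IO.FileSystemWatcher $root
    $fsw.IncludeSubdirectories = $true
    $ids = foreach ($name in 'Created', 'Deleted') {
        Register-ObjectEvent -InputObject $fsw -EventName $name -SourceIdentifier "PT-$name" | Out-Null
        "PT-$name"
    }
    $fsw.EnableRaisingEvents = $true
    try {
        New-Item -ItemType Directory -Path (Join-Path $root 'data') | Out-Null
        $rng    = [System.Security.Cryptography.RandomNumberGenerator]::Create()
        $hashes = @{}
        foreach ($i in 1..$Files) {
            $rel   = "data\file$i.bin"
            $bytes = New-Object byte[] 4096
            $rng.GetBytes($bytes)
            [IO.File]::WriteAllBytes((Join-Path $root $rel), $bytes)
            $hashes[$rel] = (Get-FileHash -Path (Join-Path $root $rel) -Algorithm SHA256).Hash
        }
        # Delete every other file so both Created and Deleted notifications fire.
        foreach ($i in 1..$Files) {
            if ($i % 2 -eq 0) {
                Remove-Item -Path (Join-Path $root "data\file$i.bin")
                $hashes.Remove("data\file$i.bin")
            }
        }
        Start-Sleep -Seconds 2                                   # let the watcher drain
        $seen    = foreach ($id in $ids) { Get-Event -SourceIdentifier $id -ErrorAction SilentlyContinue }
        $created = @($seen | Where-Object { $_.SourceEventArgs.ChangeType -eq 'Created' }).Count
        $deleted = @($seen | Where-Object { $_.SourceEventArgs.ChangeType -eq 'Deleted' }).Count
        $hashes | ConvertTo-Json | Set-Content -Path "$VhdPath.sha256.json"   # for the post-reboot check
        [pscustomobject]@{
            CreatedExpected = $Files + 1          # +1 for the data directory itself
            CreatedSeen     = $created
            DeletedExpected = [int]($Files / 2)
            DeletedSeen     = $deleted
        }
    }
    finally {
        $fsw.EnableRaisingEvents = $false
        foreach ($id in $ids) {
            Unregister-Event -SourceIdentifier $id
            Remove-Event -SourceIdentifier $id -ErrorAction SilentlyContinue
        }
        $fsw.Dispose()
        Dismount-VHD -Path $VhdPath
    }
}

# Run after rebooting: re-mount the same VHDX and verify every surviving file.
function Test-VhdRemountIntegrity {
    param([string] $VhdPath = "$env:TEMP\readiness-test.vhdx")
    $expected = Get-Content -Path "$VhdPath.sha256.json" -Raw | ConvertFrom-Json
    $vol = Mount-VHD -Path $VhdPath -PassThru | Get-Disk | Get-Partition | Get-Volume |
           Where-Object { $_.DriveLetter }
    try {
        $mismatch = @(foreach ($p in $expected.PSObject.Properties) {
            $path = Join-Path "$($vol.DriveLetter):\" $p.Name
            if (-not (Test-Path $path) -or (Get-FileHash -Path $path -Algorithm SHA256).Hash -ne $p.Value) { $p.Name }
        })
        if ($mismatch.Count) { Write-Warning "Integrity mismatch after remount: $($mismatch -join ', ')" }
        return ($mismatch.Count -eq 0)
    }
    finally {
        Dismount-VHD -Path $VhdPath
    }
}

Test-VhdNtfsNotifications | Format-List
# ... apply the update, reboot, then: Test-VhdRemountIntegrity
```

A CreatedSeen or DeletedSeen count that is lower than expected means notifications were dropped or never raised, which is exactly the directory change notification behaviour this month's patches touch. A false return from Test-VhdRemountIntegrity after the reboot points at the mount or persistence path rather than the watcher.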
Given the large number of security-related changes to Windows this month, the Readiness team recommends the following general testing (in addition to the earlier recommendations) using both system and user-based accounts:
- Basic authentication scenarios using passwords, PIN, and biometrics in a workgroup, AD and AAD environment
- Digital rights management applications (third-party and Microsoft)
- SMB and IIS access that requires certificate-based authentication.
- Line-of-business applications that rely on HTTPS to ensure they’re still accessible.
When working through these scenarios, look for memory leaks and processor spikes in the kernel.
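"Look for memory leaks and processor spikes in the kernel" is easier to act on when the scenario is wrapped in measurements. The following is an added example (not from the original article): it takes any test scenario as a scriptblock, samples kernel pool and LSASS counters before and after repeating it, records privileged-mode CPU along the way, and warns when growth or peak CPU exceed thresholds. The counter paths assume an English-language Windows install; the thresholds and the HTTPS and SMB targets in the usage are placeholders, not Microsoft guidance.

```powershell
# Added example, not from the original article. Wraps a scenario with before/after
# samples of kernel-side counters plus periodic privileged-mode CPU readings.
# Counter paths assume an English Windows install; thresholds are starting points.
function Measure-KernelImpact {
    param(
        [Parameter(Mandatory)] [scriptblock] $Scenario,
        [int]    $Iterations = 50,
        [double] $LeakThresholdMB = 20,
        [double] $PrivilegedCpuThreshold = 25
    )
    $counters = @(
        '\Memory\Pool Nonpaged Bytes',
        '\Memory\Pool Paged Bytes',
        '\Process(lsass)\Private Bytes',
        '\Process(lsass)\Handle Count'
    )
    # CounterSamples paths are prefixed with \\HOST, so match on the suffix.
    function Get-Cooked($samples, $name) {
        ($samples | Where-Object { $_.Path.EndsWith($name, 'OrdinalIgnoreCase') } |
            Select-Object -First 1).CookedValue
    }

    $before = (Get-Counter -Counter $counters).CounterSamples
    $priv = @()
    for ($i = 1; $i -le $Iterations; $i++) {
        & $Scenario
        if ($i % 10 -eq 0) {
            $priv += (Get-Counter -Counter '\Processor(_Total)\% Privileged Time').CounterSamples[0].CookedValue
        }
    }
    $after = (Get-Counter -Counter $counters).CounterSamples

    $rows = foreach ($c in $counters) {
        $b = Get-Cooked $before $c
        $a = Get-Cooked $after $c
        [pscustomobject]@{ Counter = $c; Before = $b; After = $a; Delta = $a - $b }
    }
    $rows | Format-Table -AutoSize

    $lsassGrowthMB = ($rows | Where-Object Counter -eq '\Process(lsass)\Private Bytes').Delta / 1MB
    $peakPriv      = ($priv | Measure-Object -Maximum).Maximum
    if ($lsassGrowthMB -gt $LeakThresholdMB) {
        Write-Warning ("lsass private bytes grew {0:N1} MB over {1} iterations" -f $lsassGrowthMB, $Iterations)
    }
    if ($peakPriv -gt $PrivilegedCpuThreshold) {
        Write-Warning ("privileged-mode CPU peaked at {0:N1}%" -f $peakPriv)
    }
    [pscustomobject]@{
        LsassGrowthMB     = [math]::Round($lsassGrowthMB, 2)
        PeakPrivilegedCpu = [math]::Round($peakPriv, 1)
    }
}

# Usage: repeat an HTTPS call to a line-of-business app and an SMB listing, both
# under the current user's credentials. The hostnames are placeholders.
Measure-KernelImpact -Iterations 100 -Scenario {
    Invoke-WebRequest -Uri 'https://lob-app.example.internal/health' -UseDefaultCredentials -UseBasicParsing | Out-Null
    Get-ChildItem -Path '\\fileserver.example.internal\share' | Out-Null
}
```

Swap the scenario block for each of the four bullets above (password, PIN and biometric logons will need an interactive harness, but the certificate-based SMB and HTTPS cases drop straight in) and keep the pre-update numbers alongside the post-update run; a steady climb in lsass Private Bytes or Handle Count across iterations is the leak signature, while a one-off jump is usually just warm-up.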
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge)
- Microsoft Windows (both desktop and server)
- Microsoft Office
- Microsoft Exchange and SQL Server
- Microsoft Developer Tools (Visual Studio and .NET)
- Adobe (if you get this far)
Browsers
We have more patches for the Microsoft browser (Edge) platform than usual this month — none are rated critical for April as all 13 (nine of them related to Chromium) are tagged as important. All of these low-profile changes can be added to your standard release calendar.
Microsoft Windows
This is a big month for Windows updates, as Microsoft published six critical updates and 85 patches rated important. The critical patches cover the following feature groups within the Microsoft Windows platform:
- Windows Lightweight Directory Access Protocol (LDAP)
- Windows TCP/IP
- Windows Remote Desktop Services
- Windows Hyper-V
Unfortunately, there are reports of exploitation of a core system component vulnerability (CVE-2025-29824, an elevation-of-privilege flaw in the Common Log File System driver) that requires a “Patch Now” recommendation.
Microsoft Office
The real focus of this month’s deployments should be Office, with five critical (CVE-2025-27745, CVE-2025-27748, CVE-2025-27749, CVE-2025-27752 and CVE-2025-29791) patches. In addition to these, there are another 16 updates rated important by Microsoft. Unfortunately, there have been reports of missing files, downloading issues and broken updates. The Readiness team suggests that testing start immediately, with staged patch deployments (noting that further changes might arrive over the coming days).
Microsoft Exchange and SQL Server
We get one update (CVE-2025-29803) that affects the SQL Server platform. This patch updates Microsoft’s SQL Server Management Studio (and Visual Studio), not SQL Server itself. So, the server team gets a reprieve. Add this patch to your standard developer release schedule.
Developer tools
Microsoft released five patches (CVE-2025-29803, CVE-2025-29802, CVE-2025-29804, CVE-2025-20570, CVE-2025-26682) all affecting Microsoft Visual Studio and ASP.NET Core. As application-level changes, these patches can be deployed with your standard developer release schedule.
Adobe (and third-party updates)
We are back on track again, with no Microsoft updates for Adobe products. That said, Microsoft published nine Chromium updates, all of which are included in the Browser section above.