This is a large (126 patches), broad and unfortunately very dynamic update for this April Patch Tuesday, with several re-releases, missing files and broken patches affecting both the Windows and Microsoft Office platforms. Reports of an exploited Windows vulnerability (CVE-2025-29824) lead to a “Patch Now” recommendation for Windows, while this month’s Office updates will require immediate testing and some time to ensure all the patches are present and correct. SQL Server updates affect only the SQL Server Management Studio application, reducing the need for server updates this month. Both the browser and development tool patches can be deployed according to a standard release schedule. The team at Readiness has provided a helpful infographic that outlines the risks associated with each of the updates for this April update cycle.
Known Issues
This April Patch Tuesday is a big, broad update for the Microsoft Windows and Office platforms, with many updates this month addressing issues (aka problems) created by last month’s March patch cycle. In addition to our standard Windows known issues, we also have Microsoft Office issues to address including:
- Microsoft Word, Microsoft Excel, and Microsoft Outlook might stop responding after you install the KB5002700 security update for Office 2016. This issue is fixed in the April 10, 2025, update for Office 2016 (KB5002623).
- Citrix (System Guard Runtime Monitor Broker Service): the Windows Event Viewer might display an error related to SgrmBroker.exe on devices that have installed Windows updates released January 14, 2025, or later. Microsoft has not published a fix for this reported issue yet; however, there are several registry keys which can be added to the target system to mitigate this issue.
- Microsoft Active Directory: Audit Logon/Logoff events in the local policy of the Active Directory Group Policy might not show as enabled on the device even if they are enabled and working as expected. Microsoft is working on a resolution for this administrative function; mitigating actions can be found in this Microsoft bulletin (KB5055519).
- Windows Hello: Microsoft has reported what is described as an edge case where:
“After installing this update and performing a Push button reset or Reset this PC from Settings > System > Recovery and selecting Keep my Files and Local install, some users might be unable to login to their Windows services using Windows Hello facial recognition or PIN.”
Microsoft advises that systems with Secure Launch or DRTM enabled prior to this update, or those with these features disabled, are not impacted by this issue.
Major Revisions and Mitigations
This is a huge week for delayed patches (Windows 10) and real changes to Microsoft updates that require additional attention.
The following Microsoft CVE entries have documentation updates only:
- CVE-2025-21204: Windows Process Activation Elevation of Privilege Vulnerability
- CVE-2025-26647: Windows Kerberos Elevation of Privilege Vulnerability
- CVE-2025-27740: Active Directory Certificate Elevation of Privilege Vulnerability
The following two updates have documented mitigations that may help with their respective update deployments:
- CVE-2025-26647: Windows Kerberos Elevation of Privilege Vulnerability. Microsoft is very concerned that improper input validation in Windows Kerberos may allow an unauthorized attacker to elevate privileges over a network. While no specific mitigations have been offered, Microsoft has publicly recommended that you follow the Update, Monitor and Act methodology offered for all Kerberos implementations.
- CVE-2025-21197: Windows NTFS Information Disclosure Vulnerability. This is Microsoft’s second attempt at addressing this file system vulnerability. Unfortunately, there may be unexpected application compatibility issues raised with the introduction of this latest change. You can find more information on the potential impact and how to enable/disable this change here: KB5058189.
The following updates to this month’s patches may require attention as they relate to failed installs and missing files:
- CVE-2025-27745: Microsoft Office Remote Code Execution Vulnerability
- CVE-2025-27747: Microsoft Word Remote Code Execution Vulnerability
- CVE-2025-27748: Microsoft Office Remote Code Execution Vulnerability
- CVE-2025-27749: Microsoft Office Remote Code Execution Vulnerability
- CVE-2025-27752: Microsoft Excel Remote Code Execution Vulnerability
- CVE-2025-29791: Microsoft Excel Remote Code Execution Vulnerability
- CVE-2025-29792: Microsoft Office Elevation of Privilege Vulnerability
- CVE-2025-29793: Microsoft SharePoint Remote Code Execution Vulnerability
- CVE-2025-29794: Microsoft SharePoint Remote Code Execution Vulnerability
- CVE-2025-29820: Microsoft Word Remote Code Execution Vulnerability
This is a lot of patches to review, and the Readiness team recommends reading the latest patch guidance for these updates found here: KB5002700.
Windows Lifecycle and Enforcement Updates
Microsoft has not published any enforcement updates this month, but we have the following Microsoft products reaching their end of service lifecycles:
- Windows 11 Enterprise (Home, Education and IoT) Version 22H2 reaches end of service on October 14, 2025
- Windows Server Annual Channel, Version 23H2 reaches end of service on October 24, 2025
For those who were expecting the Microsoft virtualisation technology App-V to expire last April, this now ageing technology has had its servicing and support extended to April 2026. Microsoft has promised not to deprecate the App-V sequencer (like ever) – which makes me smile.
Each month, the team at Readiness analyzes the latest Patch Tuesday updates from Microsoft and provides detailed, actionable testing guidance. This guidance is based on assessing a large application portfolio and a comprehensive analysis of the Microsoft patches and their potential impact on Windows platforms and application deployments.
April’s Patch Tuesday release brings broad but non-disruptive changes across the Windows platform. While there are no functional changes reported, this update cycle touches critical components across security, networking, media, and core system services. Here’s what enterprise IT teams and testers need to look out for.
Security & Authentication
Several updates target core identity and authentication components, particularly lsasrv.dll, ci.dll, and skci.dll. These underpin scenarios involving Windows Hello, PIN logins, and certificate services. Even though labeled low risk, these areas are foundational and demand extra care in testing:
- Windows Defender Application Control (WDAC): Validate AppID tagging and policy updates post-reboot.
- LSASS (Local Security Authority Subsystem Service): Test authentication across AAD, AD, and workgroups. Use tools like runas.exe and confirm no regressions in NTLM, Kerberos, or certificate-based flows.
- BitLocker & VBS Security: Windows Hello and VPN connections should work uninterrupted. Reboot testing is essential to catch potential bootloader integrity issues.
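One way to check the LSASS recommendation above for regressions is to compare the mix of authentication packages seen in successful logons before and after the update. The following PowerShell script is an added example, not part of the Readiness guidance; it assumes an elevated session that can read the Security log and a window of recent test logons.

```powershell
# Added example: summarize successful logons (Security event 4624) by
# authentication package and logon type, so a post-patch run can be compared
# against a pre-patch baseline. Requires rights to read the Security log.
param(
    [int]$Hours = 24
)

$since = (Get-Date).AddHours(-$Hours)

# Read fields from the event XML rather than the localized message text.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        LogonType   = $d['LogonType']                  # 2 interactive, 3 network, 10 RemoteInteractive
        AuthPackage = $d['AuthenticationPackageName']  # Kerberos, NTLM or Negotiate
        LmPackage   = $d['LmPackageName']              # NTLM V1/V2 when AuthPackage is NTLM, else '-'
        Account     = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
    }
}

# Drop machine and built-in accounts so the summary reflects the user-driven tests.
$rows = $rows | Where-Object {
    $_.Account -notmatch '\$$' -and
    $_.Account -notmatch '(SYSTEM|LOCAL SERVICE|NETWORK SERVICE|ANONYMOUS LOGON)$'
}

$summary = $rows | Group-Object AuthPackage, LogonType |
    Select-Object @{ n = 'AuthPackage'; e = { $_.Values[0] } },
                  @{ n = 'LogonType';   e = { $_.Values[1] } },
                  Count |
    Sort-Object AuthPackage, LogonType

$summary | Format-Table -AutoSize

# On a domain-joined machine, a Kerberos row that disappears after the update
# (with NTLM taking its place) is the regression signal worth investigating.
if (-not ($summary | Where-Object AuthPackage -eq 'Kerberos')) {
    Write-Warning 'No Kerberos logons in the window; check KDC reachability and SPNs before attributing this to the patch.'
}
```

Run the same script on the pre-patch and post-patch images and diff the two tables; the counts will differ, but the set of packages and logon types should not.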
Networking & Remote Access
This release includes updates to multiple RRAS-related DLLs (ipmontr.dll, ipsnap.dll, mprapi.dll), netbt.sys, and tcpip.sys, all of which underpin Windows’ networking stack.
- RRAS & Netsh: Validate remote configuration and scripting scenarios. Commands like netsh interface and MMC snap-ins must execute without issues.
- NetBIOS Controls: Non-admin users in the Network Configuration Operators group should only affect allowed scopes. Test firewall rules and registry protection.
- HTTP.sys & Web Services: Host internal web services and simulate browser-based traffic to confirm consistent response behavior under load.
Remote Desktop & Virtualization
Remote Desktop Protocol (RDP) support remains a high-impact area and will require validation with the following testing recommendations:
- Remote Desktop Gateway (RDGW): Confirm cross-user connections, session persistence (reconnects, logins), and stability across Windows Server editions.
- Virtualization with VHDs: Validate NTFS volume mount/dismount from VHDs. Create, attach, and manipulate VHD-based virtual disks with file I/O operations.
Media, Graphics, and UI
Multimedia and UI components received several under-the-hood updates. These don’t add features, but any instability here can impact the user experience.
- Graphics Stack: Run screen sharing and capture scenarios. WinUI apps using animation shadows should behave consistently.
- Media Foundation: Playback tests on Blu-ray content with subtitles are needed. Check for regressions in rendering.
- Gaming Tools: Use the Game Bar (Win+G) to test screenshots and recordings during gameplay on Windows 11. Microsoft recommends that you install several (at least three) games to fully test out this graphics stack change. We never had it so good.
File System & Storage
This month’s patches impact how Windows file systems respond to directory change notifications and mount events. Be sure to:
- Simulate NTFS events: Monitor file creation/deletion in Explorer-style interfaces.
- Reboot & Remount: Mount VHDs, perform file operations, then reboot to ensure persistence and data integrity.
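The “Simulate NTFS events” step above can be scripted so it runs identically before and after the update. The following PowerShell script is an added example (not part of the Readiness guidance); it assumes the test directory lives on an NTFS volume under $env:TEMP.

```powershell
# Added example: confirm that NTFS directory change notifications still fire
# after the update. A FileSystemWatcher observes a temporary directory while a
# file is created, modified and deleted; each expected change type must appear.
$root = Join-Path $env:TEMP ('ntfs-notify-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $root | Out-Null

$watcher = [System.IO.FileSystemWatcher]::new($root)
$watcher.IncludeSubdirectories = $false
$watcher.NotifyFilter = [System.IO.NotifyFilters]'FileName, LastWrite, Size'

# Queue the watcher's events into this session's event queue (no background runspace).
foreach ($evt in 'Created', 'Changed', 'Deleted') {
    Register-ObjectEvent -InputObject $watcher -EventName $evt -SourceIdentifier "NtfsProbe.$evt" | Out-Null
}
$watcher.EnableRaisingEvents = $true

try {
    $file = Join-Path $root 'probe.txt'
    Set-Content -Path $file -Value 'before'   # expect Created (and usually Changed)
    Start-Sleep -Milliseconds 300
    Add-Content -Path $file -Value 'after'    # expect Changed
    Start-Sleep -Milliseconds 300
    Remove-Item -Path $file                   # expect Deleted
    Start-Sleep -Milliseconds 500

    $types = Get-Event | Where-Object SourceIdentifier -like 'NtfsProbe.*' |
        ForEach-Object { $_.SourceEventArgs.ChangeType.ToString() } |
        Sort-Object -Unique
}
finally {
    $watcher.EnableRaisingEvents = $false
    Get-EventSubscriber | Where-Object SourceIdentifier -like 'NtfsProbe.*' | Unregister-Event
    Get-Event | Where-Object SourceIdentifier -like 'NtfsProbe.*' | Remove-Event
    $watcher.Dispose()
    Remove-Item -Path $root -Recurse -Force
}

$missing = @('Created', 'Changed', 'Deleted') | Where-Object { $_ -notin $types }
if ($missing) {
    Write-Warning ('Change notifications missing for: {0}' -f ($missing -join ', '))
} else {
    Write-Host ('All change notifications received: {0}' -f ($types -join ', '))
}
```

Run it once before the update, then again after patching and after the reboot-and-remount step, including against a directory on a mounted VHD.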
Given the large number of security-related changes to the Windows platform this month, the Readiness team recommends the following general testing (in addition to the previous recommendations) using both system and user-based accounts:
- Basic authentication scenarios using passwords, PIN, and biometrics in workgroup, AD and AAD environments
- Digital rights management applications (3rd party and Microsoft)
- SMB and IIS access that requires certificate-based authentication.
- Ensure your line-of-business applications that rely on HTTPS are still accessible.
When working through these testing scenarios, look for memory leaks and processor spikes in the kernel.
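To make the “memory leaks and processor spikes in the kernel” check repeatable, the following PowerShell script samples kernel-mode CPU time and kernel pool usage while the scenarios above run. It is an added example, not part of the Readiness guidance; the thresholds are illustrative assumptions and should be tuned against a pre-patch baseline.

```powershell
# Added example: sample kernel-mode CPU (% Privileged Time) and kernel pool
# sizes over a test run, then flag sustained kernel CPU or nonpaged pool growth.
# Thresholds are assumptions for illustration; calibrate them on an unpatched image.
param(
    [int]$IntervalSeconds = 5,
    [int]$Samples = 24,           # 24 x 5 s = 2 minutes by default
    [double]$PrivilegedPct = 40,  # average kernel CPU above this is suspicious
    [double]$PoolGrowthMB = 50    # nonpaged pool growth over the run that warrants a re-run
)

$counters = @(
    '\Processor(_Total)\% Privileged Time',
    '\Memory\Pool Nonpaged Bytes',
    '\Memory\Pool Paged Bytes'
)

$data = Get-Counter -Counter $counters -SampleInterval $IntervalSeconds -MaxSamples $Samples

# One row per sample: timestamp, kernel CPU %, pool sizes in MB.
$rows = foreach ($s in $data) {
    $v = @{}   # PowerShell hashtable keys are case-insensitive, matching Get-Counter's lowercased paths
    foreach ($c in $s.CounterSamples) {
        $v[($c.Path -replace '^\\\\[^\\]+', '')] = $c.CookedValue   # strip the leading \\HOST
    }
    [pscustomobject]@{
        Time       = $s.Timestamp
        KernelPct  = [math]::Round($v['\Processor(_Total)\% Privileged Time'], 1)
        NonpagedMB = [math]::Round($v['\Memory\Pool Nonpaged Bytes'] / 1MB, 1)
        PagedMB    = [math]::Round($v['\Memory\Pool Paged Bytes'] / 1MB, 1)
    }
}

$rows | Format-Table -AutoSize

$avgKernel = ($rows | Measure-Object KernelPct -Average).Average
$poolDelta = $rows[-1].NonpagedMB - $rows[0].NonpagedMB

if ($avgKernel -gt $PrivilegedPct) {
    Write-Warning ('Average kernel CPU {0:N1}% exceeds the {1}% threshold' -f $avgKernel, $PrivilegedPct)
}
if ($poolDelta -gt $PoolGrowthMB) {
    Write-Warning ('Nonpaged pool grew by {0:N1} MB during the run; repeat the scenario to rule out a leak' -f $poolDelta)
}
```

Start the sampler first, drive the authentication, RDP and file system scenarios while it runs, and keep the pre-patch table alongside the post-patch one.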
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge)
- Microsoft Windows (both desktop and server)
- Microsoft Office
- Microsoft Exchange and SQL Server
- Microsoft Developer Tools (Visual Studio and .NET)
- Adobe (if you get this far)
Browsers
We have more patches to the Microsoft browser (Edge) platform than usual this month. There are no critical-rated updates for April, as all 13 patches (nine related to Chromium) are rated as important by Microsoft. All of these low-profile changes can be added to your standard release calendar.
Microsoft Windows
This is a big month for Windows updates as Microsoft has published six critical updates and 85 patches rated as important. The critical patches cover the following feature groups within the Microsoft Windows platform:
- Windows Lightweight Directory Access Protocol (LDAP)
- Windows TCP/IP (Remote Code Execution Vulnerability)
- Windows Remote Desktop Services
- Windows Hyper-V
Unfortunately, there are reports of exploitation of a core system component vulnerability (CVE-2025-29824) that will require a “Patch Now” recommendation for this April’s Windows updates.
Microsoft Office
The real focus of this month’s patch deployments should be Microsoft Office, with five critical (CVE-2025-27745, CVE-2025-27748, CVE-2025-27749, CVE-2025-27752 and CVE-2025-29791) patches released for April. In addition to these Microsoft Office patches, there are a further 16 updates rated as important by Microsoft. Unfortunately, there have been reports of missing files, downloading issues and broken updates with this April patch cycle. The Readiness team suggests that testing should start immediately, with staged patch deployments noting that further changes may be published by Microsoft over the coming days.
Microsoft Exchange and SQL Server
We have one update (CVE-2025-29803) that affects the SQL Server platform this month. This patch updates Microsoft’s SQL Server Management Studio (and also Visual Studio) and not SQL Server itself. So, the server team gets a reprieve this month. Add this patch to your standard developer release schedule.
Developer Tools
Microsoft has released five patches (CVE-2025-29803, CVE-2025-29802, CVE-2025-29804, CVE-2025-20570, CVE-2025-26682) all affecting Microsoft Visual Studio and ASP.NET Core. As application-level changes, these patches can be deployed with your standard developer release schedule.
Adobe (and 3rd party updates)
We are back on track again, with no Microsoft updates for Adobe products. That said, Microsoft has published nine Chromium updates, all of which have been included in the above Browser section.