Each month, the team at Readiness analyses the latest Patch Tuesday updates from Microsoft and provides detailed, actionable testing guidance. April’s release covers 56 component updates across Windows. Microsoft flagged two as High Risk — Kerberos authentication and the Remote Desktop client — and delivered five patches to the Projected File System driver affecting cloud sync scenarios. Secure Boot and BitLocker validation expands to seven scenarios this cycle, including a new Windows Hello PIN persistence check. Prioritise Kerberos infrastructure, Remote Desktop stability, and cloud sync before broad deployment.
Kerberos & KDC (High Risk)
The Kerberos Key Distribution Centre (kdcsvc.dll) and client library (kerb3961.dll) carry the High Risk flag this month. Microsoft’s guidance targets environments using keytab-based authentication with RC4 encryption — a legacy configuration common in mixed Windows and non-Windows service environments. The client-side update affects only Windows 10 1607, but server-side changes apply to all editions from Windows Server 2022 through 2025.
- After installing the update on domain controllers, open Event Viewer and review the System and Security logs for events with IDs 201–209
- Capture full event details for any new events in that range — text, timestamp, and affected account or service
- Focus testing on long-running services authenticating via RC4 keytabs, as these are most likely to surface failures after the update
Remote Desktop Client (High Risk)
The Remote Desktop ActiveX control (mstscax.dll) is also flagged as High Risk. The update affects clipboard redirection, printer redirection, and session reconnection stability across all supported Windows versions. A separate update to mstsc.exe covers SmartScreen behaviour for .rdp file handling, RemoteApp, and Hyper-V Enhanced Session mode.
- Connect to a remote device using mstsc.exe and check that the session establishes and remains stable
- Copy and paste between local and remote sessions — both text and files — expecting correct transfer in both directions
- Redirect a local printer into the remote session, print a test page, and confirm the job completes
- Disconnect, reconnect, and verify clipboard and printer redirection survive the reconnection
- Expect RemoteApp resources to launch normally and Hyper-V Enhanced Session mode to connect without error
Secure Boot & BitLocker (Continuing)
Secure Boot and BitLocker testing continues from previous months, now expanded to seven scenarios including a new Windows Hello PIN persistence test. These validate Secure Boot state, BitLocker encryption, and key rolling related to the ongoing CVE-2023-24932 mitigation. Perform only on dedicated test devices with recovery keys backed up.
- Enable BitLocker on the OS drive, verify TPM protectors are present using manage-bde -protectors -get c:, then disable and verify the drive is fully decrypted
- Enable BitLocker on a data drive, verify protectors, then disable and verify decryption completes
- With Secure Boot enabled, enable BitLocker, trigger the recovery screen using reagentc /boottore, and verify the recovery key unlocks the drive
- With Secure Boot disabled, enable BitLocker, force recovery via BCD test signing changes, unlock with recovery key, suspend BitLocker, and verify normal boot resumes
- With both enabled, apply the Secure Boot key update (CVE-2023-24932) and verify the system boots without triggering recovery
- Test hibernation with Secure Boot and BitLocker both enabled — verify clean resume without recovery prompts
- On a device running March 2026, enable Windows Hello PIN and BitLocker, install the April update, and confirm the PIN still works
Networking
The Ancillary Function Driver for WinSock (afd.sys) received two separate updates — one paired with the TDX transport driver and one standalone — making it the most patched network component this month. A separate patch to HTTP.sys affects HTTP/3 on Windows 11 23H2 and 22H2.
- Browse websites, download and upload files (including large files), and test VPN and Remote Desktop connections over both IPv4 and IPv6
- Check that Teams, Outlook, and other messaging applications sign in, send messages, and reconnect after network blips
- Test sandboxed and low-privilege processes — Edge, Store apps, and Electron apps — to confirm their network requests succeed
- Generate sustained network load and confirm no BSODs, no new errors in Event Viewer, and no throughput degradation
VPN & IPsec
Two VPN components received patches: the Windows Filtering Platform driver (wfplwfs.sys) and the IKE Extensions service (ikeext.dll). The WFP update targets UWP VPN plug-in stability, sleep/wake recovery, and Always On VPN. The IKE update covers IKEv2 tunnels, IPsec security associations, and Connection Security Rules.
- Connect and disconnect your UWP VPN plug-in client repeatedly (10+ cycles) and confirm the client remains usable and the system stays stable
- Keep the VPN connected for 30+ minutes during active use; verify it survives network changes (Wi-Fi to Ethernet) and sleep/wake cycles
- If using Always On VPN, confirm it connects at sign-in and reconnects after network loss
- Establish IKEv2 VPN connections and verify the tunnel is stable and internal resources are reachable
- Validate that Connection Security Rules negotiate IPsec correctly and that protected traffic remains protected
Authentication & Security
The SSPI kernel drivers (ksecdd.sys, ksecpkg.sys) received patches spanning NTLM, Kerberos, CredSSP, and TLS/SSL. The Windows Hello for Business stack also received updates for Enhanced Sign-in Security.
- Exercise end-to-end sign-in and resource-access flows for applications that use NTLM, Kerberos, CredSSP, or TLS/SSL authentication
- Test both success and failure cases: correct versus incorrect credentials, allowed versus denied accounts, and expired certificates
- Verify Windows Hello for Business authentication with Enhanced Sign-in Security across sign-in, lock, unlock, and reboot cycles
Graphics, Shell & Desktop
Updates span Direct3D, the Desktop Window Manager, and the graphics kernel (win32kbase.sys, win32kfull.sys). The Windows Shell (shell32.dll) received a patch affecting Mark-of-the-Web preservation for downloaded shortcuts, and COM Automation (oleaut32.dll) was updated.
- Run stress tests with sustained UI activity: rapid open/close of windows, snap layouts, virtual desktop switching, and multi-monitor connect/disconnect
- Test GPU-accelerated workloads — video playback, 3D applications, browser hardware acceleration — and check for visual artefacts or flickering
- Download a .lnk shortcut file from the internet and confirm SmartScreen displays a warning when the shortcut is opened — verifying Mark-of-the-Web is preserved
- Run COM Automation workflows — VBA, PowerShell, and Office automation — and confirm they execute correctly
Hyper-V & Virtualisation
Both Hyper-V compute layers received updates (computecore.dll, vmcompute.dll, vmwp.exe), along with the hypervisor binary (hvax64.exe) for Windows 11 25H2 and 24H2.
- Start, save, resume, and stop a VM using Hyper-V Manager or PowerShell — repeat the cycle multiple times
- Export a VM, import it, and confirm the imported VM boots and runs normally
- Launch Windows Sandbox and confirm it starts without error
Windows Installer, Cloud Sync & MDM
Updates to Windows Installer (msi.dll), the Cloud Files filter (cldflt.sys), and the MDM management layer affect installation workflows, cloud sync, and device management.
- Install, uninstall, and repair MSI packages to verify the Windows Installer functions correctly
- Connect and disconnect your cloud sync provider (e.g. OneDrive) multiple times and confirm sync functions after restarts
- Enrol a device in Intune or your MDM solution, verify compliance status, and trigger a policy sync
Common Log File System & Storage
The Common Log File System driver (clfs.sys) — subject of March’s major hardening change — received a follow-up patch. Storage Spaces (spaceport.sys) and app isolation file system drivers (bfs.sys, wcifs.sys) were also updated.
- Run Windows Update install and rollback cycles, then power-cycle the machine multiple times — confirm the system boots normally each time
- Install and uninstall a set of representative applications through multiple cycles and confirm each completes without error
- Perform a backup using your normal solution, restore from it, and verify data integrity
- If using Storage Spaces, create a pool with mirrored and thin virtual disks, write data, and verify clean deletion
Office & SharePoint
April’s Office updates target MSI editions: Excel 2016 (KB5002860), PowerPoint 2016 (KB5002808), Office 2016 shared libraries (KB5002859), and SharePoint Server 2016, 2019, and Subscription editions. These will not install on Click-to-Run deployments such as Microsoft 365 Apps.
- Open and edit complex Excel workbooks with formulas, macros, and external data connections — save and reopen to verify integrity
- Create and edit PowerPoint presentations with embedded media and transitions
- Across all patched server editions, validate SharePoint document library operations, co-authoring, and workflow execution
- Verify that Office add-ins and line-of-business applications integrating with Office continue to operate correctly
Testing Priorities
April’s two High Risk components should top every testing queue. Kerberos changes could disrupt long-running services using RC4 keytabs — monitor event IDs 201–209 and keep rollback plans ready. The Remote Desktop client update warrants thorough validation of clipboard, printer redirection, and session reconnection, particularly in RDP-dependent environments. Secure Boot and BitLocker validation remains essential as CVE-2023-24932 key rolling continues. Five patches to the Projected File System driver elevate cloud sync testing this cycle. The dual afd.sys updates and VPN/IPsec patches warrant regression testing across remote-access infrastructure. Office updates are confined to MSI editions.
