Flexis April 2026 Patch Recommendation

Improvements 

This security update contains fixes and quality improvements from KB5078766 ​​​​​​​(released March 10, 2026). The following summary outlines key issues addressed by this update. Also, included are available new features. The bold text within the brackets indicates the item or area of the change. 

• [Connectivity] This update improves the reliability of audio features in Windows, helping reduce system unresponsiveness related to sound or audio activity. 

• [Kernel] This update improves system stability during large file operations. Users should experience fewer unexpected interruptions while working with or transferring large files. 

• [Kerberos protocol] This update changes the default DefaultDomainSupportedEncTypes value for Kerberos Key Distribution Center (KDC) operations to leverage AES-SHA1 for accounts that do not have an explicit msds-SupportedEncryptionTypes Active Directory attribute defined. For more information see, How to manage Kerberos KDC usage of RC4 for service account ticket issuance changes related to CVE-2026-20833. 

• [Networking] This update improves reliability when Windows uses SMB compression over QUIC. After you install this update, SMB compression requests over QUIC complete more consistently, reducing the likelihood of timeouts and supporting smoother, more dependable performance. 

• [Remote Desktop] This update improves protection against phishing attacks that use Remote Desktop (.rdp) files. When you open an .rdp file, Remote Desktop shows all requested connection settings before it connects, with each setting turned off by default. A one-time security warning also appears the first time you open an .rdp file on a device. For more information, see Understanding security warnings when opening Remote Desktop (RDP) files.  
• [Secure Boot] 
• With this update, Windows quality updates include additional high confidence device targeting data, increasing coverage of devices eligible to automatically receive new Secure Boot certificates. Devices receive the new certificates only after demonstrating sufficient successful update signals, maintaining a controlled and phased rollout.
• This update addresses an issue where the device might enter BitLocker Recovery after the Secure Boot updates. 
• [Texts and Fonts] This update improves Windows fonts by adding the new Saudi Riyal currency symbol. This change helps keep text clear, accurate, and visually consistent across your Windows apps and experiences. 
• [Windows Deployment Services (WDS)] This update disables the “Hands-Free Deployment” feature in WDS by default and is no longer a supported feature. For more information about this change, see Windows Deployment Services (WDS) Hands-Free Deployment Hardening Guidance related to CVE-2026-0386.

Known issues in this update  

Domain Controllers might restart repeatedly after installing this update 

Symptom 

After installing this update, domain controllers in environments with multiple domains in the forest that use Privileged Access Management (PAM), might experience LSASS crashes during startup. As a result, affected domain controllers might restart repeatedly, preventing authentication and directory services from functioning, and potentially rendering the domain unavailable. 

Resolution 
This issue is addressed in out-of-band update KB5091575.

Devices with an unrecommended BitLocker Group Policy configuration might be required to enter their BitLocker recovery key 

Symptom 

Some devices with an unrecommended BitLocker Group Policy configuration might be required to enter their BitLocker recovery key on the first restart after installing this update. 

This issue only affects a limited number of systems in which ALL of the following conditions are true. These conditions are unlikely to be found on personal devices not managed by IT departments. 

1. BitLocker is enabled on the OS drive. 
2. The Group Policy “Configure TPM platform validation profile for native UEFI firmware configurations” is configured, and PCR7 is included in the validation profile (or the equivalent registry key is set manually). 
3. System Information (msinfo32.exe) reports Secure Boot State PCR7 Binding as “Not Possible“. 
4. The Windows UEFI CA 2023 certificate is present in the device’s Secure Boot Signature Database (DB), making the device eligible for the 2023‑signed Windows Boot Manager to be made the default. 
5. The device is not already running the 2023-signed Windows Boot Manager. 

In this scenario, the BitLocker recovery key only needs to be entered once — subsequent restarts will not trigger a BitLocker recovery screen, as long as the group policy configuration remains unchanged. For help finding your BitLocker recovery key, see the article, Find your BitLocker recovery key. 

Enterprises are recommended to audit their BitLocker group policies for explicit PCR7 inclusion and check msinfo32.exe for their PCR7 binding status before installing this update. (See Option 1 below.) 

Workaround 

Option 1: Remove the Group Policy configuration before installing the update (Recommended)  

1. Open Group Policy Editor (gpedit.msc) or your Group Policy Management Console. 
2. Navigate to: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives. 
3. Set “Configure TPM platform validation profile for native UEFI firmware configurations” to “Not Configured“. 
4. Run the following command on affected devices to propagate the policy change: gpupdate /force 
5. Run the following command to suspend BitLocker (where BitLocker is enabled on the C: drive): manage-bde -protectors -disable C:  
6. Run the following command to resume BitLocker (where BitLocker is enabled on the C: drive): manage-bde -protectors -enable C:  
7. ​​​​​​​This updates the BitLocker bindings to use the Windows-selected default PCR profile. 

Option 2: Apply the Known Issue Rollback (KIR) before installing the update 

A Known Issue Rollback (KIR) is available for customers who cannot remove the PCR7 group policy before deploying this update. The KIR prevents the automatic switch to the 2023 Boot Manager, avoiding the BitLocker recovery trigger. The KIR should be deployed before installing the update on affected devices. Contact Microsoft’s Support for business to obtain this KIR.

Next steps 

A permanent resolution for this issue is planned in a future Windows update. More information will be provided when it is available. 

Windows Server Update Services WSUS does not display error details 

After installing KB5070884 or later updates, Windows Server Update Services (WSUS) does not display synchronization error details within its error reporting. This functionality is temporarily removed to address the Remote Code Execution Vulnerability, CVE-2025-59287.