KB5082123 for Windows Server 2019 – April 2026

KB5082123 is the cumulative update for Windows Server 2019 and Windows Server 2019 Server Core installation. It was released on 14 April, 2026 under the ‘Patch Tuesday’ release cycle.

Salient points

  • KB5082123 supersedes Mar 2026 cumulative update KB5078752.
  • KB5082123 corresponds to Windows server build 17763.8644.
  • No zero-day vulnerabilities affect Windows Server 2019 and Windows Server 2019 Server Core installation as per the April security bulletin.
  • 104 security vulnerabilities have been disclosed for April 2026 by Microsoft. None of these have CRITICAL severity.
  • The Servicing Stack Update corresponding to KB5082123 is KB5082118 (17763.8642). It is in-built in the main cumulative update. Separate installation of the SSU or Servicing Stack is not needed.
  • KB5005112 is the SSU that must already be deployed on Windows Server 2019. If you have not deployed this SSU, please download KB5005112 and apply it on the server. This is a very old SSU released in August 2021. If you have followed the update release cycle, there is a high chance that you already have this patch on the server. SSU installation does not cause a server reboot.

Important Reminders

Apart from this, it is important to note that the Secure Boot certificates used by most Windows devices are set to expire starting in June 2026. Secure Boot is a security feature in Unified Extensible Firmware Interface (UEFI) based firmware that helps ensure that only trusted software runs during a device’s boot (start) sequence.

Since Windows introduced Secure Boot support, all Windows-based devices have carried the same set of Microsoft certificates in the KEK and DB. These original certificates are nearing their expiration date, and your device is affected if it has any of the listed certificate versions. To continue running Windows and receiving regular updates for your Secure Boot configuration, you will need to update these certificates.

Download KB5082118

KB5082118 is the Servicing Stack Update for Windows Server 2019 released in April 2026 alongside the main cumulative update KB5082123.

If you intend to deploy cumulative updates through Windows Update or Windows Update for Business, no action is needed to install the Servicing Stack Update. The Servicing Stack Update is part of the security update that will be installed on Windows Server 2019.

For manual installation of KB5082123, no separate installation of KB5082118 is needed, as it is included in the main cumulative security update.

Download KB5082123

You may download the offline installer file for KB5082123 from the catalog site link shared below:

Upon installation of KB5082123, the server will restart. The Servicing Stack Update is already included in the main update and will be downloaded and installed as part of the installation process.
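After the restart, the build number is the most reliable way to confirm the update took effect. This PowerShell check is an added example, not from the original article; the function name is hypothetical, and the build and KB numbers are the ones given on this page.

```powershell
# Added example: confirm the server is at or above the build this page gives for KB5082123.
function Test-KB5082123State {
    $targetBuild = [version]'10.0.17763.8644'   # build number from this page

    # CurrentBuild (string) and UBR (update build revision) together form the full build.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $current = [version]('10.0.{0}.{1}' -f $cv.CurrentBuild, $cv.UBR)

    # Get-HotFix lists installed packages by KB id. A later cumulative update replaces
    # KB5082123 in that list, so the build comparison is the authoritative result.
    $kbs = Get-HotFix -Id 'KB5082123', 'KB5005112' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty HotFixID

    # Component Based Servicing creates this key while a restart is still outstanding.
    $rebootKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'

    [pscustomobject]@{
        CurrentBuild    = $current
        AtOrAboveTarget = $current -ge $targetBuild
        KB5082123Listed = $kbs -contains 'KB5082123'
        KB5005112Listed = $kbs -contains 'KB5005112'
        RebootPending   = Test-Path $rebootKey
    }
}

Test-KB5082123State | Format-List
```

If `RebootPending` is still true, the reported build may not yet reflect the installed update.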

Zero-day vulnerabilities

No zero-day vulnerability has been reported for Windows Server 2019 in April 2026.

Critical vulnerabilities

The April security bulletin for Windows Server 2019 reports 104 security vulnerabilities. There are four CRITICAL vulnerabilities that affect Windows Server 2019.

| Vulnerability | CVSS | Impact | Comments |
| --- | --- | --- | --- |
| CVE-2026-33824 | 9.8 | Remote Code Execution | Double free in Windows IKE Extension allows an unauthorized attacker to execute code over a network. |
| CVE-2026-33826 | 8 | Remote Code Execution | Improper input validation in Windows Active Directory allows an authorized attacker to execute code over an adjacent network. |
| CVE-2026-33827 | 8.1 | Remote Code Execution | Concurrent execution using shared resource with improper synchronization (‘race condition’) in Windows TCP/IP allows an unauthorized attacker to execute code over a network. |
| CVE-2026-32157 | 8.8 | Remote Code Execution | Use after free in Remote Desktop Client allows an unauthorized attacker to execute code over a network. |

Changelog – KB5082123

The following changes or improvements are part of KB5082123 for Windows Server 2019:

  • The update addresses security improvements for Windows Server 2019 and Windows Server 2019 Server Core installation.
  • [Internal Windows OS] This update contains miscellaneous security improvements to internal Windows OS functionality.
  • [PowerShell (known issue)] Fixed: After installing Windows updates released on or after January 13, 2026, Japanese language installations of Windows Server 2019 might not correctly display Japanese characters in the PowerShell console.
  • [Remote Desktop] This update improves protection against phishing attacks that use Remote Desktop (.rdp) files. When you open an .rdp file, Remote Desktop shows all requested connection settings before it connects, with each setting turned off by default. A one-time security warning also appears the first time you open an .rdp file on a device. For more information, see Understanding security warnings when opening Remote Desktop (RDP) files.
  • [Windows Deployment Services (WDS)] This update disables the “Hands-Free Deployment” feature in WDS by default; it is no longer a supported feature. For more information about this change, see Windows Deployment Services (WDS) Hands-Free Deployment Hardening Guidance related to CVE-2026-0386.
  • [Kerberos protocol] This update changes the default DefaultDomainSupportedEncTypes value for Kerberos Key Distribution Center (KDC) operations to leverage AES-SHA1 for accounts that do not have an explicit msds-SupportedEncryptionTypes Active Directory attribute defined. For more information, see How to manage Kerberos KDC usage of RC4 for service account ticket issuance changes related to CVE-2026-20833.
  • [Secure Boot] This update enables dynamic status reporting for Secure Boot states in the Windows Security App (Settings > Update & Security > Windows Security). Learn more about the status alerts via badges and notifications. Note that these enhancements are disabled by default on commercial devices and servers.
  • This update fixes an issue that could cause a device to enter BitLocker Recovery after Secure Boot updates.
  • With this update, Windows quality updates include additional high confidence device targeting data, increasing coverage of devices eligible to automatically receive new Secure Boot certificates. Devices receive the new certificates only after demonstrating sufficient successful update signals, maintaining a controlled and phased rollout.
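For the Kerberos change listed above, it helps to inventory the accounts that rely on the KDC default before deploying. The following PowerShell is an added example, not from the original article. It assumes the ActiveDirectory module (RSAT), uses hypothetical function names, reads the KDC service registry key for an explicit override, and treats an attribute value of 0 the same as an unset attribute.

```powershell
# Added example; run on a domain controller with the ActiveDirectory module available.
Import-Module ActiveDirectory

# Bit flags shared by msDS-SupportedEncryptionTypes and DefaultDomainSupportedEncTypes.
$EncTypeBits = [ordered]@{
    'DES-CBC-CRC' = 0x1;  'DES-CBC-MD5' = 0x2;  'RC4-HMAC' = 0x4
    'AES128-SHA1' = 0x8;  'AES256-SHA1' = 0x10
}

function ConvertTo-EncTypeNames([int]$Value) {
    ($EncTypeBits.GetEnumerator() | Where-Object { $Value -band $_.Value } |
        ForEach-Object { $_.Key }) -join ', '
}

# Shows whether this DC has an explicit registry override of the KDC default.
function Get-KdcDefaultEncTypeOverride {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
    $v = (Get-ItemProperty -Path $key -Name DefaultDomainSupportedEncTypes `
            -ErrorAction SilentlyContinue).DefaultDomainSupportedEncTypes
    if ($null -eq $v) { return 'not set (KDC built-in default applies)' }
    '0x{0:X} ({1})' -f $v, (ConvertTo-EncTypeNames $v)
}

# Lists accounts with SPNs and no explicit encryption types; these follow the KDC default.
function Get-AccountsWithoutExplicitEncTypes {
    # Assumption: a value of 0 is handled like a missing attribute.
    $filter = '(&(servicePrincipalName=*)(|(!(msDS-SupportedEncryptionTypes=*))' +
              '(msDS-SupportedEncryptionTypes=0)))'
    Get-ADObject -LDAPFilter $filter -Properties servicePrincipalName, pwdLastSet, sAMAccountName |
        ForEach-Object {
            [pscustomobject]@{
                Account         = $_.sAMAccountName
                Class           = $_.ObjectClass
                SpnCount        = @($_.servicePrincipalName).Count
                # Very old passwords may predate AES key generation for the account.
                PasswordLastSet = [datetime]::FromFileTimeUtc([int64]$_.pwdLastSet)
            }
        }
}

"KDC override: $(Get-KdcDefaultEncTypeOverride)"
Get-AccountsWithoutExplicitEncTypes | Sort-Object PasswordLastSet | Format-Table -AutoSize
```

Service accounts near the top of the sorted output, with the oldest passwords, are the first candidates to test against AES-only ticket issuance.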

Rajesh Dhawan
