KB5082198 – Windows Server 2016 – April 2026

KB5082198 is the cumulative update for Windows Server 2016 and Windows Server 2016 Server Core installation. It was released on 14 April 2026 under the ‘Patch Tuesday’ release cycle.

Salient points

  • KB5082198 supersedes March 2026 cumulative update KB5078938.
  • KB5082198 corresponds to build 14393.9060.
  • Microsoft disclosed 85 security vulnerabilities for Windows Server 2016 in the April 2026 security bulletin.
  • No zero-day vulnerabilities have been reported for Windows Server 2016 in April 2026.
  • Four CRITICAL vulnerabilities have been reported for Windows Server 2016 in April 2026.
  • The Servicing Stack Update corresponding to KB5082198 is KB5082089. For automated deployments of security updates (Windows Update and Windows Update for Business), the installation is included in the main cumulative update installation process. For manual patching, you will need to download and install the SSU KB5082089 before installing KB5082198.

Important Reminders

  • Support for cumulative updates for Windows Server 2016 will end on 12 January 2027.
  • Secure Boot certificates for Windows Server 2016 will expire in June 2026. Both the UEFI Secure Boot DB and KEK need to be updated with the corresponding new 2023 certificate versions.
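
To see whether a server already carries the 2023 certificates in its Secure Boot DB and KEK, the check below can be run from an elevated PowerShell session. It is an added example, not part of the original article; the two certificate names it searches for are assumptions, since the article does not name them.

```powershell
# Added example: looks for the 2023 certificates in the UEFI Secure Boot
# DB and KEK variables. Run elevated, on the server being checked.
# Assumption: the certificate names below are not given in the article.
$Expected2023 = @{
    db  = 'Windows UEFI CA 2023'
    KEK = 'Microsoft Corporation KEK 2K CA 2023'
}

function Test-SecureBoot2023Cert {
    param([hashtable]$Expected)

    foreach ($name in $Expected.Keys) {
        try {
            $var = Get-SecureBootUEFI -Name $name -ErrorAction Stop
        }
        catch {
            # Legacy BIOS firmware and non-elevated sessions end up here.
            [pscustomobject]@{
                Variable = $name
                Present  = $null
                Note     = $_.Exception.Message
            }
            continue
        }

        # The variable holds DER certificates; the subject name is stored
        # as readable text, so an ASCII decode is enough to search for it.
        $text = [System.Text.Encoding]::ASCII.GetString($var.Bytes)
        [pscustomobject]@{
            Variable = $name
            Present  = $text -match [regex]::Escape($Expected[$name])
            Note     = "$($var.Bytes.Length) bytes read"
        }
    }
}

Test-SecureBoot2023Cert -Expected $Expected2023 | Format-Table -AutoSize
```

A row with Present = False means that variable still needs the 2023 certificate; a row with an empty Present value means the variable could not be read at all.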

Servicing Stack Update KB5082089

KB5082089 is the Servicing Stack Update (SSU) for Windows Server 2016. For automated deployments, KB5082089 is automatically offered for installation as part of the installation of the main cumulative update.

For manual installations of KB5082198, you would need to download and install KB5082089 before installing KB5082198.

You can download the SSU KB5082089 from the Microsoft Update Catalog page:

Installing the Servicing Stack Update would not cause the server to reboot or restart. So, you could directly proceed with the installation of the main cumulative update for Windows Server 2016.
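
The manual order described above (SSU first, then the cumulative update) can be scripted as follows. This is an added example, not from the original article; the two .msu paths are placeholders for the files downloaded from the Microsoft Update Catalog, and it assumes the SSU is visible to Get-HotFix once installed.

```powershell
# Added example: install SSU KB5082089, then LCU KB5082198, from local files.
$SsuKb   = 'KB5082089'
$LcuKb   = 'KB5082198'
$SsuPath = 'C:\Patches\<ssu-file>.msu'   # placeholder path
$LcuPath = 'C:\Patches\<lcu-file>.msu'   # placeholder path

function Test-KbInstalled {
    param([string]$Kb)
    [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)
}

function Install-Msu {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { throw "Package not found: $Path" }
    $p = Start-Process -FilePath wusa.exe -Wait -PassThru `
            -ArgumentList "`"$Path`"", '/quiet', '/norestart'
    # 0 = installed, 3010 = installed and restart pending,
    # 2359302 = update was already installed
    if ($p.ExitCode -notin 0, 3010, 2359302) {
        throw "wusa.exe failed for $Path with exit code $($p.ExitCode)"
    }
    $p.ExitCode
}

function Get-OsBuild {
    # Build as major.revision, for comparison with the build the article lists
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    '{0}.{1}' -f $cv.CurrentBuild, $cv.UBR
}

# Step 1: the SSU goes in first and does not need a restart.
if (-not (Test-KbInstalled $SsuKb)) { Install-Msu $SsuPath | Out-Null }
if (-not (Test-KbInstalled $SsuKb)) {
    throw "$SsuKb not detected; not proceeding with $LcuKb"
}

# Step 2: the cumulative update. /norestart leaves the restart to you.
$code = Install-Msu $LcuPath
if ($code -eq 3010) {
    Write-Host "$LcuKb staged. Restart the server to complete installation."
}

# Step 3 (after the restart): confirm the build the article lists.
if ((Get-OsBuild) -ne '14393.9060') {
    Write-Warning "Build is $(Get-OsBuild); expected 14393.9060 after restart."
}
```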

Zero-day Security vulnerabilities

No zero-day vulnerabilities have been reported for Windows Server 2016 or Windows Server 2016 Server Core installation in April 2026.

Critical vulnerabilities

The April security bulletin for Windows Server 2016 reports 85 security vulnerabilities. Four of these vulnerabilities have CRITICAL severity.

| Vulnerability | CVSS | Impact | Comments |
|---|---|---|---|
| CVE-2026-33824 | 9.8 | Remote Code Execution | Double free in Windows IKE Extension allows an unauthorized attacker to execute code over a network. |
| CVE-2026-33826 | 8 | Remote Code Execution | Improper input validation in Windows Active Directory allows an authorized attacker to execute code over an adjacent network. |
| CVE-2026-33827 | 8.1 | Remote Code Execution | Concurrent execution using shared resource with improper synchronization (‘race condition’) in Windows TCP/IP allows an unauthorized attacker to execute code over a network. |
| CVE-2026-32157 | 8.8 | Remote Code Execution | Use after free in Remote Desktop Client allows an unauthorized attacker to execute code over a network. |

Download KB5082198

You may download the offline installer file for KB5082198 from the catalog site link shared below:

Upon installation of KB5082198, the server would restart.

Changelog – KB5082198

The following changes or improvements are part of KB5082198 for Windows Server 2016:

  • [Internal Windows OS] This update contains miscellaneous security improvements to internal Windows OS functionality. No specific issues are documented for this release.
  • [Windows Component Services (WinCS)] This update addresses an issue that affects Windows Component Services (WinCS) on Windows 10, version 1607 and Windows Server 2016. Some WinCS components were missing. Because of this, you could not turn on Secure Boot using WinCS.
  • [Remote Desktop] This update improves protection against phishing attacks that use Remote Desktop (.rdp) files. When you open an .rdp file, Remote Desktop shows all requested connection settings before it connects, with each setting turned off by default. A one-time security warning also appears the first time you open an .rdp file on a device. For more information, see Understanding security warnings when opening Remote Desktop (RDP) files.
  • [Windows Deployment Services (WDS)] This update disables the “Hands-Free Deployment” feature in WDS by default; it is no longer a supported feature. For more information about this change, see Windows Deployment Services (WDS) Hands-Free Deployment Hardening Guidance related to CVE-2026-0386.
  • [Kerberos protocol] This update changes the default DefaultDomainSupportedEncTypes value for Kerberos Key Distribution Center (KDC) operations to leverage AES-SHA1 for accounts that do not have an explicit msds-SupportedEncryptionTypes Active Directory attribute defined. For more information, see How to manage Kerberos KDC usage of RC4 for service account ticket issuance changes related to CVE-2026-20833.
  • [Secure Boot] With this update, Windows quality updates include additional high confidence device targeting data, increasing coverage of devices eligible to automatically receive new Secure Boot certificates. Devices receive the new certificates only after demonstrating sufficient successful update signals, maintaining a controlled and phased rollout.
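
For the Kerberos change listed above, the audit below shows which service accounts have no explicit msDS-SupportedEncryptionTypes value and will therefore follow the new KDC default. It is an added example, not part of the original article; it assumes the ActiveDirectory PowerShell module is available and that a stored value of 0 is treated the same as an unset attribute.

```powershell
# Added example: list SPN-bearing accounts by their Kerberos encryption
# type setting. Needs the ActiveDirectory module and domain read access.
Import-Module ActiveDirectory

# Bit flags used by msDS-SupportedEncryptionTypes and DefaultDomainSupportedEncTypes
$EncBits = [ordered]@{
    'DES-CBC-CRC' = 0x1
    'DES-CBC-MD5' = 0x2
    'RC4-HMAC'    = 0x4
    'AES128-SHA1' = 0x8
    'AES256-SHA1' = 0x10
}

function ConvertFrom-EncTypeMask {
    param([int]$Mask)
    $names = foreach ($k in $EncBits.Keys) { if ($Mask -band $EncBits[$k]) { $k } }
    if ($names) { $names -join ', ' } else { '(none set)' }
}

# Accounts that can be the target of a service ticket (computers included)
$accounts = Get-ADObject -LDAPFilter '(&(servicePrincipalName=*)(objectClass=user))' `
    -Properties 'msDS-SupportedEncryptionTypes', sAMAccountName

$report = foreach ($a in $accounts) {
    $raw = $a.'msDS-SupportedEncryptionTypes'
    $status =
        if ($null -eq $raw -or $raw -eq 0) { 'Not defined: follows KDC default' }  # 0 = unset (assumption)
        elseif (-not ($raw -band 0x18))    { 'Explicit, no AES bit set' }
        else                               { 'Explicit, AES enabled' }
    [pscustomobject]@{
        Account  = $a.sAMAccountName
        Raw      = $raw
        EncTypes = ConvertFrom-EncTypeMask ([int]$raw)
        Status   = $status
    }
}

# Accounts affected by the default change, and accounts pinned to legacy types
$report | Where-Object Status -ne 'Explicit, AES enabled' |
    Sort-Object Status, Account | Format-Table -AutoSize

# On a domain controller: show an administrator-set override, if any
$kdc = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\KDC' `
    -Name DefaultDomainSupportedEncTypes -ErrorAction SilentlyContinue
if ($kdc) { 'Override: ' + (ConvertFrom-EncTypeMask $kdc.DefaultDomainSupportedEncTypes) }
else      { 'No DefaultDomainSupportedEncTypes override set; built-in default applies.' }
```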

Rajesh Dhawan
