Update Summary

KB5082063 for Windows Server 2025 (OS Build 26100.32690) delivers security fixes, quality improvements, and non-security updates from KB5078740. It also adds Secure Boot rollout changes, Kerberos authentication updates related to CVE-2026-20833, and vulnerable driver blocklist hardening.

Update Details

Security

  • Improves Secure Boot certificate rollout and addresses a BitLocker Recovery issue after Secure Boot updates.
  • Changes Kerberos KDC default encryption behavior to use AES-SHA1 for accounts without an explicit msDS-SupportedEncryptionTypes value, related to CVE-2026-20833.
  • Improves authentication policy handling so Kerberos encryption settings are read and applied consistently across the domain.
  • Improves protection against phishing attacks using Remote Desktop (.rdp) files by showing connection settings before connecting and adding a one-time warning.
  • Adds known vulnerable kernel drivers to the Microsoft vulnerable driver blocklist.
  • Disables WDS Hands-Free Deployment by default as part of hardening guidance related to CVE-2026-0386.

Bug Fixes

  • Improves Bluetooth device management in Settings and Quick Settings.
  • Improves color rendering when printing from Win32 desktop apps.
  • Improves reliability of SMB compression over QUIC.
  • Fixes Set-GPPrefRegistryValue so imported registry preference values preserve the final character.
  • Addresses an issue where devices might enter BitLocker Recovery after Secure Boot updates.

New Features

  • Adds the new Saudi Riyal currency symbol to Windows fonts.
  • Introduces additional high-confidence device targeting data for phased Secure Boot certificate rollout.

Known Issues

  • Installation might fail with error 0x800F0983 or 0x80073712; addressed by KB5091157.
  • Domain controllers in multi-domain forests using PAM might restart repeatedly after installation; addressed by KB5091157 or hotpatch OOB update KB5091470.
  • Devices with an unrecommended BitLocker Group Policy configuration might prompt for the BitLocker recovery key on first restart.
  • WSUS does not display synchronization error details after KB5070881 or later updates.
  • Remote Desktop security warnings might not display correctly on multi-monitor setups with different scaling; addressed in KB5087539.

Hints

  • Release notes state that if previous updates are already installed, only new updates in this package will be downloaded and installed.
  • For the BitLocker recovery-key issue, Microsoft recommends removing the TPM platform validation Group Policy, running gpupdate /force, then suspending and re-enabling BitLocker protectors on the OS drive.
  • Hotpatch-enrolled devices affected by the installation failure can use KB5091157, but it requires a restart and pauses hotpatching until the July 2026 baseline update.
  • Hotpatch-enrolled devices affected by the domain controller restart issue should install OOB hotpatch update KB5091470 instead of the restart-requiring OOB update.
  • Microsoft warns that Secure Boot certificates used by most Windows devices begin expiring in June 2026 and recommends reviewing certificate update guidance.

Product Information

Vendor: Microsoft

Product: Windows Server 2025

Version: OS Build 26100.32690

Release date: Apr 14, 2026