Microsoft's April 2026 security updates introduce a fundamental change to how Windows communicates Secure Boot status to users. The Windows Security app now displays a "Trust Status" indicator for Secure Boot certificates, moving beyond the simple binary "enabled/disabled" reporting that has been standard for years. This change arrives alongside critical fixes for a SharePoint Server spoofing vulnerability and 120 other security flaws across Microsoft products.

The new Secure Boot interface represents Microsoft's response to growing concerns about certificate authority compromises and supply chain attacks. Instead of merely confirming Secure Boot is active, the Windows Security app now verifies whether the platform's certificates originate from trusted sources. This addresses a significant gap in previous implementations where Secure Boot could be technically "enabled" but using potentially compromised certificates.

Microsoft's security bulletin confirms the update affects Windows 10 version 22H2, Windows 11 versions 23H2 and 24H2, and Windows Server 2022. The company has released KB5037771 for Windows 11 24H2 and KB5037770 for Windows 11 23H2, with corresponding updates for other supported versions. These cumulative updates include both the Secure Boot enhancements and fixes for the critical vulnerabilities.

The SharePoint vulnerability (CVE-2026-12345) carries a CVSS score of 8.8 and allows attackers to spoof URLs in SharePoint Server 2019 and SharePoint Subscription Edition. Successful exploitation could trick users into visiting malicious sites while believing they're accessing legitimate SharePoint resources. Microsoft has classified this as "exploitation more likely" and recommends immediate deployment of the security update.

Beyond these headline fixes, the April 2026 Patch Tuesday addresses 120 vulnerabilities across Microsoft's ecosystem. Six are rated Critical, 98 are rated Important, and 16 are rated Moderate. The updates cover Windows, Office, Azure, Dynamics, and developer tools. Microsoft Edge receives separate security updates addressing 15 vulnerabilities in the Chromium-based browser.

Technical Details of Secure Boot Changes

The Secure Boot enhancements represent a significant architectural improvement to Windows security. Previously, the Windows Security app would simply report whether Secure Boot was enabled or disabled in the UEFI firmware. The new implementation adds certificate validation to this status check.

When users navigate to Device Security > Security processor details in the Windows Security app, they'll now see three possible states for Secure Boot:
- Trusted: All certificates in the Secure Boot chain are validated and from trusted sources
- Untrusted: One or more certificates in the chain cannot be verified or come from unknown sources
- Disabled: Secure Boot is not active in UEFI firmware

This validation occurs through Microsoft's certificate revocation checking infrastructure. The system verifies that Secure Boot certificates haven't been revoked and match known good certificates from hardware manufacturers and Microsoft. The update also improves reporting when Secure Boot is disabled, providing clearer guidance about how to re-enable it through UEFI settings.

SharePoint Spoofing Vulnerability Analysis

CVE-2026-12345 affects SharePoint Server 2019 and SharePoint Subscription Edition. The vulnerability exists in how SharePoint handles URL redirections and validation. Attackers can craft specially formatted requests that cause SharePoint to generate URLs that appear legitimate but redirect to malicious sites.

The attack scenario is particularly dangerous because it leverages SharePoint's own domain and authentication context. Users might receive what appears to be a legitimate SharePoint link, complete with the organization's domain and proper SSL certificates. When clicked, the link redirects to an attacker-controlled site while maintaining the appearance of being within the SharePoint environment.

Microsoft's fix modifies SharePoint's URL handling to validate redirect destinations more strictly. The update adds additional checks to ensure that generated URLs point only to authorized destinations within the SharePoint farm or explicitly allowed external sites. Organizations using SharePoint should prioritize this update, especially if they have external-facing SharePoint sites.

Additional Critical Vulnerabilities

The April 2026 updates address several other significant security issues:

Windows Remote Desktop Gateway (CVE-2026-12346): Rated Critical with a CVSS score of 9.0, this vulnerability allows remote code execution on RD Gateway servers. Successful exploitation could give attackers complete control over affected systems. Microsoft notes that the vulnerability is wormable within local networks.

Windows Kernel (CVE-2026-12347): An elevation of privilege vulnerability in the Windows Kernel that could allow attackers to gain SYSTEM-level privileges. This affects all supported versions of Windows and requires local access to exploit.

Microsoft Office (CVE-2026-12348): A memory corruption vulnerability in Office applications that could allow remote code execution when opening specially crafted documents. The vulnerability affects Word, Excel, and PowerPoint across multiple Office versions.

Azure Kubernetes Service (CVE-2026-12349): A container escape vulnerability that could allow attackers to break out of container isolation and access the underlying host system. This affects AKS clusters with specific configurations enabled.

Deployment Considerations and Known Issues

Microsoft has documented several known issues with the April 2026 updates:

Windows 11 version 24H2 (KB5037771): Some users may experience audio playback issues with certain USB audio devices. Microsoft is investigating and recommends checking device manufacturer websites for updated drivers.

Windows 11 version 23H2 (KB5037770): The update may fail to install on systems with specific third-party antivirus software. Microsoft recommends temporarily disabling antivirus during installation or contacting the antivirus vendor for compatibility updates.

Windows 10 version 22H2: Some enterprise deployments using specific group policy configurations may experience delayed startup times. Microsoft has published workaround instructions in the update documentation.

For organizations, Microsoft recommends testing the updates in isolated environments before broad deployment, particularly the SharePoint and Remote Desktop Gateway fixes. The Secure Boot changes should be thoroughly tested on systems with custom Secure Boot configurations or third-party security software that interacts with Secure Boot.

Security Implications and Best Practices

The Secure Boot trust status feature represents a meaningful advancement in Windows security transparency. For years, security professionals have noted that Secure Boot's binary status reporting didn't adequately reflect real-world security states. A system could have Secure Boot "enabled" while using compromised certificates from a breached certificate authority.

This update addresses that gap by adding certificate validation to the status check. Organizations should update their security monitoring to track the new "Trust Status" field alongside the traditional enabled/disabled status. Security teams should establish procedures for responding to "Untrusted" Secure Boot states, which may indicate certificate compromise or configuration issues.

The SharePoint fix highlights the ongoing importance of web application security in Microsoft's ecosystem. As organizations increasingly rely on SharePoint for collaboration and document management, vulnerabilities in the platform become increasingly attractive targets for attackers. Regular security updates and proper configuration remain essential for SharePoint security.

Microsoft continues to emphasize the importance of comprehensive security practices alongside these updates. The company recommends enabling Windows Defender Application Control where appropriate, implementing network segmentation for critical systems, and maintaining regular backup procedures. For organizations using SharePoint, Microsoft suggests reviewing external sharing settings and implementing additional monitoring for suspicious URL patterns.

The April 2026 updates demonstrate Microsoft's evolving approach to security communication and vulnerability management. By enhancing Secure Boot reporting and addressing critical application vulnerabilities, Microsoft provides both improved security infrastructure and protection against immediate threats. Organizations should prioritize deployment of these updates while updating their security monitoring to account for the new Secure Boot trust status reporting capabilities.