Chipp.in Tech News and Reviews

Windows, Security & Privacy, Open Source and more


Tag: windows 10

About that new SecureBoot folder in C:/Windows

Posted on May 19, 2026 by Martin Brinkmann

If you’ve noticed a mysterious new SecureBoot folder sitting in your C:/Windows directory following the May 2026 Patch Tuesday, you are not alone.

The folder, which has a subfolder named ExampleRolloutScripts that contains several PowerShell scripts, is a harmless administrative helper introduced in the latest security updates for Windows 10 and Windows 11.

According to official Microsoft guidance, these scripts are designed primarily for enterprise IT administrators to monitor the status of the upcoming UEFI CA 2023 Secure Boot certificate updates and to safely automate their deployment across Active Directory environments.

While essential for corporate networks preparing for this critical security transition, average users can safely ignore this tiny 450 KB folder for now.

The transition to the new UEFI CA 2023 Secure Boot certificates marks a critical security change for the Windows ecosystem. It is made necessary by the impending expiration of the current certificates, which were issued a long time ago.

Secure Boot acts as the fundamental gatekeeper against bootkits and rootkits by ensuring that only trusted, digitally signed firmware and operating system loaders can execute during startup.

Microsoft is employing a highly controlled, phased rollout strategy—which is exactly why administrative validation tools and scripts are currently being deployed.

Why Microsoft is rolling out the folder to everyone is anyone’s guess. It seems that the folder is pushed to all devices running Windows 11, even unmanaged Windows 11 Home systems.

No Zero-Days and High Criticals: The May 2026 Windows Patch Tuesday Breakdown

Posted on May 13, 2026 by Martin Brinkmann

If April 2026 was an avalanche of patches, May brings a welcome breather from zero-days but keeps the critical severity count high.

Microsoft’s fifth Patch Tuesday of 2026 has arrived, addressing 120 vulnerabilities in total. While it breaks a long-standing streak by featuring zero publicly disclosed or actively exploited zero-day flaws, the sheer volume of severe remote code execution (RCE) bugs demands attention.

The update contains 17 critical flaws affecting a wide range of enterprise products, including Windows Netlogon, DNS Client, Azure DevOps, and Microsoft Word.

Here is the breakdown of what you need to know, what to patch first, and what might break.

You can download an Excel spreadsheet (windows-updates-may-2026) with information about the patches that Microsoft released.

The May 2026 Patch Day overview

Executive Summary

  • Release Date: May 12, 2026
  • Total Vulnerabilities: 120
  • Critical Vulnerabilities: 17
  • Zero-Days: 0

Key Action Item: Administrators must prioritize patching network-exposed infrastructure, specifically domain controllers affected by the Netlogon vulnerability (CVE-2026-41089) and systems running the Windows DNS Client. Simultaneously, Microsoft Office installations need immediate updates to mitigate several highly critical Remote Code Execution vulnerabilities that can be triggered simply via the Windows Preview Pane.

Important Patches

  • CVE-2026-41089 — Windows Netlogon Remote Code Execution Vulnerability
  • CVE-2026-41096 — Windows DNS Client Remote Code Execution Vulnerability
  • CVE-2026-42826 — Azure DevOps Information Disclosure Vulnerability
  • CVE-2026-40364 — Microsoft Office Word Remote Code Execution Vulnerability
  • CVE-2026-40402 — Windows Hyper-V Elevation of Privilege Vulnerability
  • CVE-2026-32185 — Microsoft Teams Spoofing Vulnerability

Cumulative Updates

Product / Version, links and notes:

  • Windows 11 & Windows 10: KB5087544 (Windows 10), KB5089549 (Windows 11). Security updates addressing OS-level RCEs in Netlogon, DNS Client, and Windows Graphics components (Win32k). Also resolves various Elevation of Privilege flaws across the Windows Kernel.

Deep Dive: The Critical Vulnerabilities

Microsoft confirmed that it patched no 0-day vulnerabilities this Patch Day, but the release is heavy on enterprise-relevant critical remote code execution and information disclosure flaws.

Here is the critical overview:

CVE-2026-41089 (Windows Netlogon Remote Code Execution Vulnerability)

A critical stack-based buffer overflow flaw (CVSS 9.8) affecting Windows Netlogon. A remote, unauthenticated attacker could exploit this by sending a crafted network request to a Windows server running as a domain controller. If successful, this causes the Netlogon service to improperly handle the request, allowing the attacker to execute malicious code without requiring any prior access or credentials.

CVE-2026-41096 (Windows DNS Client Remote Code Execution Vulnerability)

This critical heap-based buffer overflow vulnerability (CVSS 9.8) affects the Windows DNS Client service. It allows remote code execution over the network and can be exploited by sending a malicious DNS response, triggering memory corruption within the Windows DNS client. Depending on the configuration, an unauthenticated attacker can achieve full RCE.

CVE-2026-42826 (Azure DevOps Information Disclosure Vulnerability)

This is the highest-rated flaw this month, boasting a perfect CVSS score of 10.0. While Microsoft withheld specific exploitation details, a perfect severity score indicates that unauthenticated attackers could potentially access highly sensitive enterprise data, credentials, and source code stored or handled in Azure DevOps.

CVE-2026-40361, CVE-2026-40364, CVE-2026-40366, CVE-2026-40367 (Microsoft Word RCE Vulnerabilities)

A cluster of critical vulnerabilities in Microsoft Word (CVSS 8.4) that allow an unauthorized attacker to execute code locally. Notably, these flaws can be triggered through the Windows Preview Pane, meaning a user only needs to preview a specially crafted document to be compromised, without ever fully opening the file.

CVE-2026-40402 (Windows Hyper-V Elevation of Privilege Vulnerability)

A severe flaw (CVSS 9.3) allowing for a guest-to-host escape in Windows Hyper-V. By targeting certain hardware device registers, an attacker operating from within a guest virtual machine can escape the isolated environment and gain SYSTEM privileges on the underlying host system.

First Steps: Your Patch Tuesday Strategy

  • Prioritize Domain Controllers (Netlogon) and DNS Client services
  • Address high-risk Azure deployments (DevOps, Cloud Shell)
  • Update Office installations immediately to mitigate Preview Pane risks


Microsoft confirms yet another BitLocker Recovery Screen issue in Windows 11

Posted on April 21, 2026 by Martin Brinkmann

Another one? That could be the reaction of veteran Windows users who read the headline. Microsoft confirmed another BitLocker related issue in Windows 11. This one may be caused by installing the most recent cumulative update for the operating system.

In the Known issues section of the update, Microsoft confirms that devices might boot into the BitLocker Recovery screen and not the desktop.

According to the description, the issue is caused by an “unrecommended BitLocker Group Policy configuration”. Only a “limited number of systems” are affected according to Microsoft. The company says that the issue affects only systems for which all of the following conditions are true:

  • BitLocker is enabled on the OS drive.
  • The Group Policy “Configure TPM platform validation profile for native UEFI firmware configurations” is configured, and PCR7 is included in the validation profile (or the equivalent registry key is set manually).
  • System Information (msinfo32.exe) reports Secure Boot State PCR7 Binding as “Not Possible”.
  • The Windows UEFI CA 2023 certificate is present in the device’s Secure Boot Signature Database (DB), making the device eligible for the 2023‑signed Windows Boot Manager to be made the default.
  • The device is not already running the 2023-signed Windows Boot Manager.

Devices that meet the conditions may boot into recovery mode after installing KB508376 for Windows 11, versions 24H2 or 25H2.

A workaround is available to remove the Group Policy configuration before installing the update.

  1. Open Group Policy Editor (gpedit.msc) or your Group Policy Management Console.
  2. Navigate to: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
  3. Set “Configure TPM platform validation profile for native UEFI firmware configurations” to “Not Configured”.
  4. Run the following command on affected devices to propagate the policy change: gpupdate /force
  5. Run the following command to suspend BitLocker (where BitLocker is enabled on the C: drive): manage-bde -protectors -disable C: 
  6. Run the following command to resume BitLocker (where BitLocker is enabled on the C: drive): manage-bde -protectors -enable C: 
  7. This updates the BitLocker bindings to use the Windows-selected default PCR profile.
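The conditions and the workaround above, as an added PowerShell script that is not part of Microsoft’s guidance or this post: it reports the conditions that can be queried from PowerShell (whether the 2023-signed boot manager is already in use is left to the administrator) and, with -Apply, runs steps 4 to 6 once the policy has been set to Not Configured. Assumptions not on the page: the policy is stored under HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI with a value named 7 for PCR7, and the msinfo32 report labels the relevant line with “PCR7”; the Windows UEFI CA 2023 check also covers the certificate status that the SecureBoot folder post above refers to.

```powershell
#Requires -RunAsAdministrator
# Added example (not Microsoft's script and not from the original post).
# Without -Apply: audit the conditions from the Known issues entry.
# With -Apply: run gpupdate and the protector suspend/resume (steps 4 to 6),
# but only after the PCR7 policy has been removed (step 3), otherwise the
# resumed protectors would simply bind to the PCR7 profile again.
param([switch]$Apply)

function Test-OsDriveBitLocker {
    # manage-bde reports "Protection Status: Protection On" when BitLocker is active.
    $out = manage-bde -status C: 2>&1 | Out-String
    return ($out -match 'Protection Status:\s+Protection On')
}

function Test-Pcr7PolicyConfigured {
    # ASSUMPTION: registry location of the "Configure TPM platform validation
    # profile for native UEFI firmware configurations" policy; "7" = PCR7 checkbox.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'
    if (-not (Test-Path $key)) { return $false }
    $v = Get-ItemProperty -Path $key
    return (($v.Enabled -eq 1) -and ($v.'7' -eq 1))
}

function Test-Pcr7BindingNotPossible {
    # msinfo32 can write its view to a text file; we look for the PCR7 line.
    $report = Join-Path $env:TEMP 'msinfo32-pcr7.txt'
    Start-Process -FilePath msinfo32.exe -ArgumentList "/report `"$report`"" -Wait
    $line = Get-Content $report | Where-Object { $_ -match 'PCR7' } | Select-Object -First 1
    Remove-Item $report -ErrorAction SilentlyContinue
    return ($line -match 'Not Possible')
}

function Test-WindowsUefiCa2023InDb {
    # The DB variable holds DER certificates; the subject text is searchable as ASCII.
    try {
        $db = (Get-SecureBootUEFI -Name db).Bytes
        return ([System.Text.Encoding]::ASCII.GetString($db) -match 'Windows UEFI CA 2023')
    } catch {
        return $false   # not a UEFI/Secure Boot system or variable not readable
    }
}

if ($Apply) {
    if (Test-Pcr7PolicyConfigured) {
        'PCR7 policy is still configured (step 3 not done); refusing to re-bind protectors.'
        return
    }
    gpupdate /force | Out-Null
    manage-bde -protectors -disable C:
    manage-bde -protectors -enable C:
    'Protectors suspended and resumed; bindings now use the Windows default PCR profile.'
    return
}

$checks = [ordered]@{
    'BitLocker on OS drive'       = Test-OsDriveBitLocker
    'PCR7 policy configured'      = Test-Pcr7PolicyConfigured
    'PCR7 binding "Not Possible"' = Test-Pcr7BindingNotPossible
    'Windows UEFI CA 2023 in DB'  = Test-WindowsUefiCa2023InDb
}
$checks.GetEnumerator() | ForEach-Object { '{0,-30} {1}' -f $_.Key, $_.Value }

if ($checks.Values -contains $false) {
    'Device does not match all queryable conditions; nothing to do before installing the update.'
} else {
    'All queryable conditions match. Confirm the boot manager is not yet 2023-signed, then set the policy to Not Configured and re-run with -Apply.'
}
```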

Microsoft plans to release a permanent fix in the future to address this. Windows users who use a Microsoft Account can look up the recovery key for BitLocker online.

One Exploited Zero-Day and Record Numbers: The April 2026 Windows Patch Tuesday Breakdown

Posted on April 15, 2026 by Martin Brinkmann

If March 2026 was a marathon of infrastructure updates, April is a massive avalanche of patches.

Microsoft’s fourth Patch Tuesday of 2026 has arrived, addressing a massive 165 vulnerabilities in total. The sheer volume demands attention. It contains two 0-day vulnerabilities — one of which is actively exploited in the wild — and eight critical flaws affecting a wide range of products, including Office, SharePoint, Microsoft Defender, and Azure.

Here is the breakdown of what you need to know, what to patch first, and what might break.

The April 2026 Patch Day overview

Executive Summary

  • Release Date: April 14, 2026
  • Total Vulnerabilities: 165
  • Critical Vulnerabilities: 8
  • Zero-Days: 2 (SharePoint [Actively Exploited], Microsoft Defender [Publicly Disclosed])

Key Action Item: Administrators must prioritize patching internet-facing SharePoint servers due to the actively exploited spoofing zero-day. Simultaneously, network infrastructure and Active Directory components need immediate updates to mitigate several highly critical Remote Code Execution vulnerabilities.

Important Patches

  • CVE-2026-32201 — Microsoft Office SharePoint Spoofing Vulnerability
  • CVE-2026-33825 — Microsoft Defender Elevation of Privilege Vulnerability
  • CVE-2026-33824 — Windows Internet Key Exchange (IKE) Extension Remote Code Execution Vulnerability
  • CVE-2026-33827 — Windows TCP/IP Remote Code Execution Vulnerability
  • CVE-2026-33826 — Windows Active Directory Remote Code Execution Vulnerability
  • CVE-2026-23666 — .NET Denial of Service Vulnerability

Cumulative Updates

Product / Version, links and notes:

  • Windows 11 & Windows 10: KB5082200 (Windows 10), KB5083768 (Windows 11, 26H1), KB5083769 (Windows 11, version 25H2 and 24H2). Security updates addressing OS-level RCEs in TCP/IP, IKE, and Active Directory components. Also resolves numerous Elevation of Privilege (EoP) flaws across Windows Kernel, Boot Loader, and BitLocker.
  • Microsoft SharePoint Server: Patches for SharePoint 2016, 2019, and Subscription Edition to address the actively exploited CVE-2026-32201 spoofing flaw.
  • Microsoft Office: Security updates addressing multiple Critical Use-After-Free and Untrusted Pointer Dereference vulnerabilities resulting in local code execution.

Deep Dive: The Critical Vulnerabilities

Microsoft confirmed that it patched two 0-day vulnerabilities this Patch Day and several critical remote code execution flaws.

Here is the critical overview:

CVE-2026-32201 (Microsoft Office SharePoint Spoofing Vulnerability)

This actively exploited zero-day allows an unauthorized attacker to perform spoofing over a network due to improper input validation in Microsoft Office SharePoint. An attacker who successfully exploits this can view sensitive information and make changes to disclosed information.

CVE-2026-33825 (Microsoft Defender Elevation of Privilege Vulnerability)

A publicly disclosed zero-day flaw in Microsoft Defender that allows privilege escalation to SYSTEM privileges. Microsoft has addressed the flaw in the Microsoft Defender Antimalware Platform update version 4.18.26050.3011, which should be downloaded to (most) systems automatically.

CVE-2026-33824 (Windows Internet Key Exchange (IKE) Extension RCE)

A critical double-free vulnerability in the Windows IKE extension. An unauthenticated attacker can send specially crafted packets to a Windows machine with IKE version 2 enabled to potentially achieve remote code execution. If IKE is not in use, blocking inbound traffic on UDP ports 500 and 4500 acts as a mitigation.

CVE-2026-33827 (Windows TCP/IP Remote Code Execution)

A critical race condition vulnerability in Windows TCP/IP that can result in remote code execution. An unauthenticated actor can send specially crafted IPv6 packets to a Windows node where IPSec is enabled to potentially achieve RCE.

CVE-2026-33826 (Windows Active Directory Remote Code Execution)

A critical improper input validation flaw in Windows Active Directory. It allows an authenticated attacker to execute code over an adjacent network.

First Steps: Your Patch Tuesday Strategy

  • Prioritize the SharePoint zero-day
  • Address network and directory risks
  • Update Office installations

Microsoft is Radically Changing the Windows Insider Program

Posted on April 11, 2026 by Martin Brinkmann

If you’ve ever felt completely lost in the web of Windows testing tiers or frustrated by slow A/B feature rollouts, relief may finally have arrived.

Microsoft announced a big overhaul of the Windows Insider Program this week designed to simplify how users test development builds of the operating system.

The company is cutting down the channel list to just two primary ones — Beta and Experimental — and is finally changing how experimental features land on test systems.

Here is a breakdown of the major changes:

  • Two Streamlined Channels: The previously confusing multi-tier system is being condensed into just two primary tracks: Experimental (which replaces the Dev and Canary channels) and Beta (for features that are closer to being ready for the public).
  • The End of A/B Testing: Microsoft is officially dropping its Controlled Feature Rollout (CFR) system for Beta channel participants. This means no more waiting in the dark while other testers randomly receive new features before you do.
  • Manual Feature Flags: You are finally getting direct control over your testing experience. Moving forward, Insiders can manually toggle new features on or off directly within Windows Settings as soon as they are documented in the changelogs.
  • No More “Clean Install” Trap: Historically, leaving the Insider program or dropping down to a more stable channel often required a complete, data-wiping OS reinstall. Microsoft is fixing this by allowing in-place upgrades (IPU), meaning you can transition channels or exit the program while keeping your files and apps intact.
  • Clearer Communication: Release notes and documentation will be much more explicit about who features are for and which channel they belong to, giving IT admins, developers, and enthusiasts a much more transparent roadmap of what to expect.

From a testing perspective, Microsoft is launching several improvements. First, Beta users get access to features directly. No more waiting or using third-party tools like ViVeTool to enable them.

Second, users in the experimental channel get options to turn certain features on, if they are not already enabled.

Third, switching between channels should get easier and less cumbersome.

Last but not least, more documentation is always welcome, as Microsoft’s attempts have been lackluster at best until now.

While the announcement may instill hope in Windows testers who have been disappointed by Microsoft so far, it is clear that Microsoft has to deliver. If the company does, it could improve its Windows Insider program significantly in the process.

VeraCrypt developer claims that Microsoft has terminated his account

Posted on April 8, 2026 by Martin Brinkmann

VeraCrypt is a popular cross-platform encryption software that is available for Windows, Linux and macOS. It is one of the successors of TrueCrypt and can be used to encrypt hard drives, including system drives, and to create encrypted data containers on drives.

The developer of the application, Mounir Idrassi, published a project update on Sourceforge a few days ago. There, he explained why the project had been silent for the past few months.

According to his description, Microsoft terminated the account that he used to sign Windows drivers and the bootloader. This affects the Windows version of the encryption software, as updates can’t be signed anymore because of this. The Linux and macOS versions of the software are not affected by this.

To make matters worse, a screenshot with a message by Microsoft suggests that an appeal is not available. It is unclear what that means for the project. While a solution may be found eventually, likely through enough outside pressure to get a Microsoft representative to look at the case, it is certainly problematic when a company that operates its own encryption software — Microsoft with BitLocker — is blocking a competitor from releasing updates for his.

Report: Windows has a new 0-day vulnerability called BlueHammer

Posted on April 7, 2026 by Martin Brinkmann

The next Windows Patch Day is just a week away and it is unclear whether it will include a fix for a recently disclosed 0-day vulnerability.

The new security vulnerability has been disclosed on GitHub, including proof of concept code to exploit the issue. However, there is no explanation of how the issue works.

Well-known security researcher Will Dormann commented on the issue and confirmed that it is working. He admitted that it “may not be 100%” reliable though. It seems that frustration with MSRC, the Microsoft Security Response Center, and how it operates was the reason for the public disclosure of the vulnerability. Whether that is true or not can’t be verified though.

So, what do we know about the vulnerability so far?

  • What it is: “BlueHammer” is an unpatched zero-day Local Privilege Escalation (LPE) vulnerability affecting Microsoft Windows.
  • Impact: It allows a local attacker with limited, low-level user access to escalate their permissions to SYSTEM or elevated administrator rights. This effectively grants the attacker full control over the compromised machine.
  • Current Status: Microsoft has not yet released an official patch or mitigation, making it a true zero-day.

Security experts (such as Will Dormann) describe it as a flaw that combines a TOCTOU (Time-of-Check to Time-of-Use) vulnerability with path confusion. At a high level, it appears to weaponize Windows Defender-related interfaces (the leaked source code contains files like windefend.idl and windefend_c.c). By bypassing the system’s original validation, a local attacker can gain access to the Security Account Manager (SAM) database, which stores local account password hashes, ultimately allowing them to spawn SYSTEM-level shells.

The good news is that the flaw is a local privilege escalation, which means that attackers can’t exploit it to hack into Windows PCs remotely. However, if they were to gain access to a Windows system, they could use it to expand access or even take over the system completely.

How to batch test archives on Windows

Posted on April 6, 2026 by Martin Brinkmann

File archives serve plenty of purposes. They compress one or multiple files and folders and make them available as a single file; ideal for distribution and storage.

Many backup tools, for instance, support compressing backups to save storage space.

But how do you ensure that the archives are not corrupt? There are several options, including generating hashes and running verifiers.

However, if you have not created hashes in first place or find this too time consuming or unmanageable, you could test the archives directly using archivers.

PeaZip is an open source archiver for several operating systems. Version 11.0 was released recently and it includes a batch testing option.

Throw any number of supported archive formats at the app and it will check each archive. It does so automatically; the only exception is a password protected archive, for which it prompts for the password.

You get a full list of results in the end that you can go through to find any archives that are damaged.

PeaZip supports all major archive formats. To name a few: ZIP, 7z, BR, TAR, ZipX, RAR, APK, CAB, ISO, and ACE.

Here is how you run the test:

  1. Download and install the latest version of the archiver. You can download a portable version or use winget install -e peazip to install it from the command line.
  2. Open the application and use the file manager to navigate to the folder with the archives that you want to test.
  3. Select them all, for instance by holding down Ctrl and left-clicking on each archive, using Ctrl-A, or right-clicking and picking “select all” from the context menu.
  4. Right-click on the selection and select More > Test to start the verification process.

PeaZip tests one archive after another, displaying results in a separate window. You could move all archives into a single folder to make this operation easier, or switch folders to continue testing archives.

All in all, this is a straightforward option to batch test archives on Windows (or any other of the supported operating systems).


Two Public Zero-Days: The March 2026 Windows Patch Tuesday Breakdown

Posted on March 11, 2026 by Martin Brinkmann

If February 2026 was the sprint, March is a marathon of essential infrastructure updates.

Microsoft’s third Patch Tuesday of 2026 has arrived, addressing 84 vulnerabilities in total. While the total count is typical, the release demands close attention: it contains two publicly disclosed zero-day vulnerabilities and eight critical flaws affecting a wide range of enterprise products, including SQL Server, Office, and Azure components.

Here is the breakdown of what you need to know, what to patch first, and what might break.

The March 2026 Patch Day overview

Executive Summary

  • Release Date: March 10, 2026
  • Total Vulnerabilities: 84
  • Critical Vulnerabilities: 8
  • Zero-Days (Publicly Disclosed): 2 (SQL Server, .NET)
  • Key Action Item: Administrators must prioritize database and application servers due to the SQL Server elevation of privilege flaw and the .NET denial of service vulnerability. Simultaneously, ensure Office updates are deployed to workstations to prevent potential zero-click remote code execution via the Preview Pane.

Important Patches

  • CVE-2026-21262 — Microsoft SQL Server Elevation of Privilege Vulnerability
  • CVE-2026-26127 — .NET Denial of Service Vulnerability
  • CVE-2026-21536 — Microsoft Devices Pricing Program Remote Code Execution Vulnerability
  • CVE-2026-26110 — Microsoft Office Remote Code Execution Vulnerability
  • CVE-2026-25187 — Windows Winlogon Elevation of Privilege Vulnerability

Cumulative Updates

Product / Version, KB article and notes:

  • Windows 11, Version 24H2 / 25H2: KB5079473. Security updates and non-security changes. Adds built-in Sysmon, Emoji 16.0, and prepares infrastructure for upcoming Secure Boot certificate updates.
  • Windows 11, Version 26H1: KB5079466. Security updates. Improves how Windows Defender Application Control (WDAC) handles COM object allowlisting policies.
  • Windows 10, Version 22H2: KB5078885. Security updates. Includes a GPU stability fix and Secure Boot updates.

Deep Dive: The Critical Vulnerabilities

Microsoft confirmed two publicly disclosed zero-day vulnerabilities are fixed this month. Furthermore, Microsoft fixed several critical remote code execution (RCE) and elevation of privilege (EoP) flaws.

Attackers may exploit the issues on systems that have not been patched to bypass protections, elevate privileges, or execute malicious payloads remotely.

Here is the critical overview:

CVE-2026-21262 (Microsoft SQL Server Elevation of Privilege)

This publicly disclosed zero-day allows an authorized attacker to elevate privileges over a network. Due to improper access control, a logged-in user can quietly elevate to become a full database administrator (sysadmin). With that level of control, they can read, modify, or delete data without user interaction.

CVE-2026-26127 (.NET Denial of Service)

The second publicly disclosed zero-day is an out-of-bounds read flaw in the .NET platform (versions 9.0 and 10.0). It allows an unauthenticated remote attacker to crash .NET applications over the network, resulting in a denial of service for any app running on the affected runtime libraries.

CVE-2026-21536 (Microsoft Devices Pricing Program Remote Code Execution)

Scoring a critical 9.8 out of 10 on the CVSS scale, this is the most severe flaw of the month. It allows remote attackers to execute arbitrary code over the network without privileges or user interaction. Notably, this flaw was discovered by an autonomous AI penetration testing agent. Microsoft notes that the vulnerability has been fully mitigated on their end, requiring no direct action from users.

CVE-2026-26110 & CVE-2026-26113 (Microsoft Office Remote Code Execution)

These type confusion and untrusted pointer dereference flaws in Microsoft Office enable remote code execution when malicious files are processed. They are particularly dangerous because they can potentially allow zero-click exploitation if a user simply views a booby-trapped document in the Outlook Preview Pane.

CVE-2026-25187 (Windows Winlogon Elevation of Privilege)

Discovered by Google Project Zero, this vulnerability leverages improper link resolution in the Winlogon process. A locally authenticated attacker with low privileges could exploit a link-following condition to effortlessly escalate to SYSTEM privileges.

Significant Changes in the March 2026 updates

  • Sysmon is now built-in: Previously a manual download from Sysinternals, Sysmon is now included as a native component in Windows 11 for better security auditing and monitoring of malicious activity.
  • Secure Boot certificate preparation: Windows systems are receiving infrastructure updates to prepare for the upcoming expiration of Secure Boot certificates, which will begin rotating in June 2026.
  • Quick Machine Recovery (QMR) expansion: QMR is now turned on automatically on more hardware. This feature allows administrators to revert endpoints to a working state if a disastrous third-party update takes down the system.
  • RSAT on Arm64: Remote Server Administration Tools are finally supported on Windows 11 Arm64 devices, allowing administrators to manage Windows Server environments directly from Arm-powered PCs.

First Steps: Your Patch Tuesday Strategy

  • Prioritize the zero-days: Map your exposure and prioritize the two zero-day vulnerabilities, focusing heavily on SQL Server environments and .NET application servers.
  • Update Office installations: Deploy Microsoft Office updates to all workstations immediately to mitigate the risk of zero-click remote code execution via the Preview Pane.
  • Prepare for Secure Boot changes: Ensure your enterprise environment allows the new Secure Boot Key Exchange Key (KEK) updates to install properly to avoid boot issues in the coming months.

Here is what the Windows UserChoice Protection Driver UCPD does

Posted on February 21, 2026 by Martin Brinkmann

Have you ever heard of the UserChoice Protection Driver (UCPD.sys) that Microsoft added to its Windows 10 and Windows 11 operating systems in 2024? It is a protective driver designed to prevent third-party applications or scripts from making changes to Registry keys that fall into the UserChoice category. This includes system defaults, such as the web browser, PDF viewer, or widgets.

Before the introduction, apps or scripts could make changes to default settings on Windows by editing certain keys in the Registry directly. With UCPD active, Microsoft implemented a check that allows or disallows changes to these keys.

If the change comes from a legitimate Microsoft process, it is allowed. If the change comes from a non-Microsoft process, it is not allowed.

So, using the Settings application works, while using a script to make the changes does not.

While Microsoft has not revealed much about the motivation behind the introduction of the driver, it was at least partially introduced to make hijacking of important user settings difficult.

Granted, this had the added effect that it would be harder for competitors to change the defaults, even when users wanted it to happen.

The Impact

Most users may never notice that Microsoft introduced the feature in the first place. Changing defaults via the Settings app is not prevented, and neither is a direct edit to the Registry using the Registry Editor.

However, for system administrators and some advanced users, UCPD has been a major headache, as it broke command line tools and scripts.

How to check if the driver is running

Here is one easy method to check if the driver is active on your Windows PC:

  1. Open the Start menu.
  2. Type cmd and press the Enter-key to load the Command Prompt.
  3. Type sc query ucpd.

If you see RUNNING next to STATE in the output, then you have confirmation that the driver is active.

Can you do something about it? (Should you?)

The short answer: yes, you can turn this off, but it is not as straightforward as you might want it to be.

Here are the required steps:

  • Run sc config UCPD start= disabled from an elevated command prompt window.
  • Open Task Scheduler, navigate to \Microsoft\Windows\AppxDeploymentClient, and disable the UCPD velocity task so that it does not turn the driver back on.
  • Reboot the system.

I suggest you check whether UCPD is running using the command prompt again to make sure.
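The check described above, as an added read-only PowerShell audit that is not part of the original post: it reports the driver state (the same information as sc query ucpd), its start type, and whether the scheduled task that re-enables the driver is still active. Assumption not on the page: the task is named “UCPD velocity” under \Microsoft\Windows\AppxDeploymentClient\.

```powershell
# Added example (not from the original post): read-only audit of the
# UserChoice Protection Driver. It changes nothing; it only reports state.
function Get-UcpdStatus {
    # Kernel drivers are not listed by Get-Service in Windows PowerShell 5.1,
    # but Win32_SystemDriver exposes their State and StartMode.
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='UCPD'"
    # ASSUMPTION: task name and path of the task that turns the driver back on.
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\AppxDeploymentClient\' `
                              -TaskName 'UCPD velocity' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DriverPresent = [bool]$drv
        DriverState   = if ($drv)  { $drv.State }     else { 'n/a' }        # Running / Stopped
        StartMode     = if ($drv)  { $drv.StartMode } else { 'n/a' }        # Auto / Disabled ...
        ReenableTask  = if ($task) { $task.State }    else { 'not found' }  # Ready / Disabled
    }
}

$s = Get-UcpdStatus
$s | Format-List

if ($s.DriverState -eq 'Running') {
    'UCPD is enforcing: non-Microsoft apps and scripts cannot rewrite UserChoice keys.'
} elseif ($s.DriverPresent -and $s.ReenableTask -eq 'Ready') {
    'UCPD is stopped, but the scheduled task is still enabled and may turn it back on.'
} else {
    'UCPD is not enforcing on this system.'
}
```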

Should you disable the feature? My advice: if you did not notice any issues so far, you might not need to disable it. If you have run into problems recently running scripts or apps, then you could consider it, especially if you run them regularly.

Keep in mind though that this is also blocking malicious scripts and apps from making those changes.


©2026 Chipp.in Tech News and Reviews