
On 12 May 2026, Microsoft rolls out the next Patch Tuesday. April was an exceptionally busy month with 167 patches and two actively exploited zero-days, including BlueHammer and the SharePoint spoofing bug. What should IT administrators preparing for May focus on?
On Tuesday 12 May 2026, Microsoft rolls out the next Patch Tuesday. For IT administrators this is a fixed monthly moment to assess, test and deploy Microsoft's security updates. April was exceptionally busy with 167 patches and two actively exploited zero-days. Reason enough to look back and plan ahead now.
Patch Tuesday on 8 April 2026 contained 167 security updates, eight of which were classified as critical. Two are particularly important because they were being actively exploited at release time: CVE-2026-32201, the SharePoint spoofing bug we covered earlier, and CVE-2026-33825, better known by its nickname BlueHammer.
BlueHammer is a local privilege escalation in Microsoft Defender. An attacker who already has a foothold on a Windows system can obtain SYSTEM rights via Defender's signature update procedure. It is a worrying vulnerability because the tool meant to provide protection is itself the attack surface here. Researchers published details on 3 April, five days before Microsoft's patch.
Beyond these two zero-days, April also contained serious remote code execution flaws in Windows IKE Service Extensions, with a CVSS score of 9.8, and in the Windows TCP/IP stack, with a score of 8.1. Neither requires authentication, which makes them prime targets for worm-style propagation in a network.
Microsoft does not publish advance information for Patch Tuesday releases. What we can say based on patterns from earlier months is that volume in the second half of the year tends to be higher than in the early months, and that focus areas increasingly lie in identity management (Entra ID), endpoint security (Defender) and the cloud connections between on-premises and Azure.
Three actions are worth completing before 12 May. First, verify that the April patches have been fully rolled out across your environment. Devices that are not yet on the April baseline cannot receive hotpatch updates when that feature becomes default in May.
Second, revisit your patch strategy for SharePoint Server on-premises if you still run it. CVE-2026-32201 was added to CISA's Known Exploited Vulnerabilities list in April. If you have not yet patched, this is the moment for an emergency inventory.
Third, verify that Microsoft Defender is fully patched on all endpoints and running the most recent engine and signature version. BlueHammer only impacted environments running an outdated Defender engine. This is a good time to validate your Defender engine update cadence.
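One way to run the Defender check from the third action across endpoints, as an added example that is not part of the original article: the function flags hosts whose engine is below a minimum you supply or whose signatures are stale. The minimum engine version, the two-day signature tolerance, the host names and the sample records are assumptions; take the real minimum from Microsoft's advisory for CVE-2026-33825.

```powershell
# Added example, not from the article. The article gives no fixed engine
# version, so -MinEngine must come from Microsoft's advisory.
function Test-DefenderBaseline {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object] $Status,
        [Parameter(Mandatory)] [version] $MinEngine,
        [int] $MaxSignatureAgeDays = 2   # assumed tolerance, tune to your cadence
    )
    process {
        $engine = [version] $Status.AMEngineVersion
        $issues = @()
        if (-not $Status.AMServiceEnabled) { $issues += 'antimalware service disabled' }
        if ($engine -lt $MinEngine)        { $issues += "engine $engine below $MinEngine" }
        if ($Status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
            $issues += "signatures $($Status.AntivirusSignatureAge) days old"
        }
        [pscustomobject]@{
            ComputerName     = $Status.PSComputerName
            EngineVersion    = $engine
            SignatureVersion = $Status.AntivirusSignatureVersion
            Compliant        = ($issues.Count -eq 0)
            Issues           = $issues -join '; '
        }
    }
}

# Constructed sample records with made-up version numbers, shaped like
# Get-MpComputerStatus output, so the check can be tried offline.
$sample = @(
    [pscustomobject]@{ PSComputerName = 'WS-001'; AMServiceEnabled = $true
        AMEngineVersion = '9.9.2.0'; AntivirusSignatureVersion = '9.9.100.0'
        AntivirusSignatureAge = 0 }
    [pscustomobject]@{ PSComputerName = 'WS-002'; AMServiceEnabled = $true
        AMEngineVersion = '9.9.1.0'; AntivirusSignatureVersion = '9.9.40.0'
        AntivirusSignatureAge = 21 }
    [pscustomobject]@{ PSComputerName = 'WS-003'; AMServiceEnabled = $false
        AMEngineVersion = '9.9.2.0'; AntivirusSignatureVersion = '9.9.100.0'
        AntivirusSignatureAge = 1 }
)
$sample | Test-DefenderBaseline -MinEngine '9.9.2.0' | Format-Table -AutoSize

# Live use (hypothetical host names; requires CIM/WinRM access to each host):
# $sessions = New-CimSession -ComputerName 'ws-001', 'ws-002'
# Get-MpComputerStatus -CimSession $sessions |
#     Test-DefenderBaseline -MinEngine '<fixed engine version from the advisory>'
```

With the constructed data, WS-001 is compliant, WS-002 is flagged for both an old engine and stale signatures, and WS-003 is flagged for a disabled service.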
An important point for May: from 12 May 2026, Microsoft enables Windows Hotpatch by default for all devices managed via Windows Autopatch that meet the hardware and licence requirements. Hotpatch installs security updates without a restart, applied directly to running processes in memory.
For IT administrators who deliberately want to prevent this automatic activation, an opt-out button has been available in the Intune admin centre since 1 April. Anyone who takes no action automatically transitions to the new update stream.
A practical workflow for the May release looks like this. On 12 May around 19:00 CET, Microsoft publishes the updates. On 13 May in the morning, read the summary from CrowdStrike, ZDI or Krebs. The same day, check whether any CVEs affect your critical systems and assess whether the standard test ring suffices or an emergency rollout is needed.
On Thursday 14 May, start the rollout to the test ring. On Monday 19 May, review the logs and user reports from the test ring. Between 20 and 23 May, roll out to the broader production environment. By the end of May, verify that all devices are on the May baseline using Update Compliance or a comparable report.
Want advice on the patch strategy for your organisation or help setting up Windows Autopatch and a test ring? Contact Zarioh.