May’s Patch Tuesday serves up 78 updates, including 5 zero-day fixes

This May Patch Tuesday release is very much a “back-to-basics” update with just 78 patches for Microsoft Windows, Office, Visual Studio, and .NET. Notably, Microsoft has not released any patches for Microsoft Exchange Server or Microsoft SQL Server.

Due to concerns over publicly reported exploits for five Windows vulnerabilities, the Application Readiness team has recommended a “Patch Now” schedule for Windows and a standard release cadence for the other platforms. To help navigate these changes, the team from Readiness has provided a helpful infographic detailing the risks of deploying updates to each platform.

Known issues

There are still reports of issues with devices with Citrix Session Recording Agent (SRA) version 2411 installed on Windows 10 platforms. This is an ongoing issue, with no further reported fixes or updates from Citrix or Microsoft. Otherwise (at the time of writing), Microsoft has not reported any issues with this month’s update for its Windows desktop and server platforms.

Major revisions and mitigations

Microsoft has not published any major revisions or mitigations to its patches and security fixes for this May.

Windows lifecycle and enforcement updates

Microsoft has not published any enforcement updates this month.

Testing guidance

Each month, the team at Readiness analyzes the latest Patch Tuesday updates from Microsoft and provides detailed, actionable testing guidance. This guidance is based on assessing a large application portfolio and a comprehensive analysis of the Microsoft patches and their potential impact on Windows platforms and application deployments.

We have broken the most significant changes into feature-based groupings to help with testing prioritization. The Readiness team recommends the following areas for testing for the May Patch Tuesday patch cycle:

Remote Desktop, security, and identification

Test your Remote Desktop Gateway configurations. Establish sessions through the gateway and reconnect a few times to ensure stability.

Validate VPN creation, connection, and deletion. Also test fast reconnection and password change flows with PEAP-MSCHAPv2.

Load system-level crypto libraries and validate CheckSignatureInFile behavior using legacy (2011) certificates.

Test secure boot scenarios, especially if running dual-boot with Linux. Ensure all logins work after this month’s updates.

Run PowerShell modules with and without AppLocker policies to confirm policy enforcement integrity.

Media and codecs

Check your subtitles in MKV formats for Blu-ray playback.

Test audio/video recording using both internal and external devices.

Validate DRM-protected content, especially in Microsoft Edge and Office apps. Testing regimes should include a cycle of playback, record, and stream — then check your system logs for crashes or errors.

Storage and filesystems

Perform Windows error log creation, appends, and reopen scenarios using Common Log File System APIs.

Simulate SMB folder access from multiple windows. Changes in one view should reflect in the other.

Validate UNC path access across apps. Run these tests with Microsoft Explorer and line-of-business apps that access network shares or log files.

Installation and application infrastructure

Given the focus of the Readiness team, it would be remiss to forget the changes to Microsoft’s update and application infrastructure with the following tests:

Conduct basic install, repair, roll-back and uninstall tests for MSI Installer packages. This process should be (mostly) automated by now.

If you’re an organization that employs App Silos, you will need to create a test cycle that includes invoking the BFS driver via an isolated app context.

Run web, file transfer, and messaging scenarios to test network throughput under load.
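The MSI install, repair, roll-back and uninstall cycle listed above can be scripted. The following PowerShell is an added example, not code from Readiness or Microsoft; the parameter names, the log directory, and the optional deliberately failing package used for the roll-back step are assumptions.

```powershell
# Added example: MSI lifecycle smoke test (install -> repair -> uninstall, optional roll-back).
# Run elevated on a disposable, patched test machine. Paths are placeholders for your own packages.
param(
    [Parameter(Mandatory)][string]$MsiPath,
    [string]$RollbackMsiPath,   # optional (assumption): test package built to fail mid-install
    [string]$LogDir = (Join-Path $env:TEMP 'msi-smoke')
)

$SuccessCodes   = 0, 3010, 1641   # success, reboot required, reboot initiated
$InstallFailure = 1603            # fatal error; Windows Installer rolls the install back

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

function Invoke-MsiStep {
    param([string]$Name, [string]$Switch, [string]$Package, [int[]]$Expected)
    $log = Join-Path $LogDir "$Name.log"
    # /qn = no UI, /norestart = never reboot the test box, /l*v = verbose log per step
    $argList = @($Switch, "`"$Package`"", '/qn', '/norestart', '/l*v', "`"$log`"")
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $argList -Wait -PassThru
    [pscustomobject]@{
        Step     = $Name
        ExitCode = $proc.ExitCode
        Passed   = $Expected -contains $proc.ExitCode
        Log      = $log
    }
}

$msi = (Resolve-Path -LiteralPath $MsiPath).Path
$results = @()
foreach ($step in @(
        @{ Name = 'install';   Switch = '/i'  },
        @{ Name = 'repair';    Switch = '/fa' },   # force reinstall of all files
        @{ Name = 'uninstall'; Switch = '/x'  })) {
    $r = Invoke-MsiStep -Name $step.Name -Switch $step.Switch -Package $msi -Expected $SuccessCodes
    $results += $r
    if (-not $r.Passed) { break }   # later steps are meaningless after a failure
}

if ($RollbackMsiPath) {
    # A failing install should end with 1603; the verbose log records the roll-back actions.
    $bad = (Resolve-Path -LiteralPath $RollbackMsiPath).Path
    $results += Invoke-MsiStep -Name 'rollback' -Switch '/i' -Package $bad -Expected $InstallFailure
}

$results | Format-Table -AutoSize
if ($results.Passed -contains $false) { exit 1 }
```

Run it before and after applying the month's updates and compare the exit codes and the per-step logs.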

In addition to these specific test exercises, we highly recommend a full business logic test of your internal and line-of-business applications that have significant graphics requirements. This is required due to the changes to the Windows kernel and GDI (graphic) subsystems.

Readiness recommends prioritizing your testing in the following order: RDP and remote access, application installations, PowerShell testing, and then storage system testing.

Updates by product family

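Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

Browsers (Microsoft IE and Edge)

Microsoft Windows (both desktop and server)

Microsoft Office

Microsoft Exchange and SQL Server

Microsoft Developer Tools (Visual Studio and .NET)

Adobe (if you get this far)

Browsers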

Microsoft has not released any native updates for its browsers this month. However, there were five Chromium updates (CVE-2025-4050, CVE-2025-4372, CVE-2025-4096, CVE-2025-4052, and CVE-2025-405) that will update Microsoft Edge. All of these low-profile changes can be added to your standard release calendar.

Microsoft Windows

Microsoft has released three critical updates, plus 41 patches rated as important. The critical updates affect Microsoft’s Remote Desktop platform and the Virtual Machine bus (VMBus).

Unfortunately, the following vulnerabilities addressed by this month’s Windows desktop updates have been reported as exploited in the wild:

CVE-2025-30400

CVE-2025-32701

CVE-2025-32706

CVE-2025-32709

CVE-2025-30397

As a result of these zero-days, the Readiness team recommends a “Patch Now” schedule for these Windows patches.

Microsoft Office

Microsoft has released two critical-rated updates (CVE-2025-30377 and CVE-2025-30386) for the Microsoft Office platform this month. Both of these patches were updated mid-week for documentation reasons.

Following these critical patches, Microsoft has released a further 16 patches that have been rated as important; they update Microsoft Office in general (as opposed to Word or Excel). Please add these Microsoft Office updates to your standard release calendar.

Microsoft Exchange Server

No updates for Microsoft Exchange or Microsoft SQL Server this month. Good news for all the server teams.

Microsoft development platforms

A single critical update (CVE-2025-29813) to the Microsoft DevOps platform and four patches rated as important by Microsoft have been released to the developer platforms this month. All of the patches rated as important affect Visual Studio and Microsoft .NET. Add these updates to your standard release schedule.

Adobe Reader (if you get this far)

No Adobe updates (published by Microsoft) for this May patch cycle. Given the recent security advances implemented in Windows 11 23H2 and 24H2, I think that we will see much less of Adobe in this column.
WWW.COMPUTERWORLD.COM