Testing Guidance

May 2026 Patch Tuesday Testing Guidance

By Greg Lambert ·

Microsoft’s May 2026 Patch Tuesday flags two components as High Risk: the Ancillary Function Driver for WinSock, with an explicit Bluetooth focus, and the Telnet client. Microsoft also ships a pre-release security fix to the Common Log File System driver, and Secure Boot key rolling continues under CVE-2023-24932. TCP/IP is the most-patched component this cycle with six separate updates. Lower-risk patches touch graphics, storage, virtualisation, VPN, and Office MSI editions.

Ancillary Function Driver for WinSock (High Risk)

The WinSock kernel driver (afd.sys) mediates every TCP and UDP socket on Windows, and the May update lands a regression-sensitive change to the Bluetooth interaction path. A failure here typically surfaces as audio dropouts, paired-device drops on sleep, slow reconnect on Wi-Fi handover, or a clean AFD-referenced bug check during sustained load. Watch the System event log for new errors from afd, tcpip, or BTHUSB sources during your test window.

Success looks silent: no stutters, no event-log churn, no handle leaks.

  • Browse the web over HTTP and HTTPS on both IPv4 and IPv6; download a multi-gigabyte file and verify it completes without stalls
  • Establish a Remote Desktop session, idle 30+ minutes, then resume; place a Teams call with audio, video, and screen share
  • Disable and re-enable the NIC, switch between Wi-Fi and Ethernet, and sleep/resume the machine; expect the network to return cleanly with no AFD-referenced bug check
  • Toggle Bluetooth on and off from Settings and Action Center; pair and unpair headphones, mouse, keyboard, and phone, repeating through several cycles
  • Play audio over a Bluetooth headset for 10+ minutes during a Teams call; expect zero dropouts and clean mic/speaker switching as devices toggle
  • Transfer a file to and from a phone over Bluetooth; connect a Bluetooth keyboard and mouse, leave idle, and resume input
  • Sleep and resume the machine with Bluetooth peripherals connected; verify they reconnect without manual intervention
  • Leave the machine running overnight with network and Bluetooth devices active; check handle.exe or Task Manager for handle and memory growth on the System process

Telnet Client (High Risk)

The Telnet client (telnet.exe) is an optional Windows feature, rarely enabled on modern endpoints. The High Risk flag matters wherever the feature is installed. Check first with Get-WindowsCapability -Online -Name "Telnet.Client~~~~0.0.1.0". If installed, launch telnet.exe against a known good endpoint and confirm it opens, accepts input, and exits cleanly. If the feature is not in use, treat this update as an opportunity for attack-surface reduction and remove it.

Common Log File System Security Fix

Microsoft corrected two integer underflow vulnerabilities in the CLFS driver (clfs.sys) that could trigger a system crash or elevation of privilege. Regression risk is low, but CLFS underpins transaction logging across SQL Server, DTC, Failover Clustering, Hyper-V, Active Directory, and Event Log. Validate where these run. A bug check referencing clfs.sys after the update is the clearest red flag.

  • Reboot, run a representative workload for 24 to 48 hours, and check System and Application logs for new errors referencing clfs, ntfs, dtc, or FailoverClustering
  • On SQL Server, restart the service, run standard transactions, perform a backup and restore, and confirm Always On replication stays healthy
  • Patch each cluster node, verify all nodes return as Up, and move a clustered role across nodes
  • On a patched domain controller, run repadmin /replsummary and dcdiag /v; verify Group Policy still applies on clients
  • Confirm VSS writers report Stable via vssadmin list writers, then run a full backup and a test restore

Secure Boot & BitLocker (Continuing)

Secure Boot validation continues under the CVE-2023-24932 key rolling work. The risk is a recovery prompt or an unbootable device. Run only on dedicated test machines with the recovery key backed up.

  • Enable BitLocker on the OS drive, verify TPM protectors with manage-bde -protectors -get c:, then disable and confirm clean decryption
  • With Secure Boot enabled, trigger recovery via reagentc /boottore 1, unlock with the recovery key, and verify normal next boot
  • With both enabled, apply the Windows UEFI CA 2023 key update and confirm the system boots without a recovery prompt
  • Hibernate with Secure Boot and BitLocker on (powercfg /hibernate on, shutdown -h), then resume and confirm no recovery screen

Other Windows Components

TCP/IP carries the highest patch volume; the rest received routine updates with no functional changes flagged.

  • Networking: run sustained file transfers, VPN sessions, and stable throughput over IPv4 and IPv6 to cover tcpip.sys (six updates), the Native WiFi driver, and the LLDP driver
  • VPN and filtering: exercise IKEv2 tunnels through sleep/wake and verify Windows Firewall rules to cover IKEEXT.dll and BFE
  • Graphics and shell: run sustained UI activity and GPU-accelerated workloads to cover the Desktop Window Manager, graphics memory manager, and the graphics kernel; watch for artefacts or flickering
  • Virtualisation: exercise VM start/save/resume/stop and external/internal/private virtual switches to cover Hyper-V vmswitch.sys
  • Storage and sync: exercise cloud sync hydration, Storage Spaces pool operations, and RDP printer/clipboard redirection

Office & SharePoint

May’s Office updates target MSI editions only: Excel 2016 (KB5002865), Word 2016 (KB5002858), Office 2016 shared libraries (KB5002866), and SharePoint Server 2016, 2019, Online Server, and Subscription Edition. Click-to-Run estates are unaffected.

  • Open complex Excel workbooks with formulas, macros, and external data connections; save and reopen to verify integrity
  • Edit Word documents with embedded objects, tracked changes, and complex formatting
  • Across patched SharePoint editions, validate document library operations, co-authoring, and workflow execution
  • Confirm Office add-ins and line-of-business integrations continue to operate

May 2026 Patch Tuesday Testing Priorities

Lead with the two High Risk items. The WinSock driver update warrants a Bluetooth-heavy regression pass across peripherals, audio, file transfer, and sleep/wake. The Telnet client flag is narrow but applies wherever the optional feature is enabled. The CLFS security fix is low regression risk, but its blast radius is wide: validate SQL Server, failover clusters, Hyper-V, Active Directory, and event logging where they exist. Secure Boot and BitLocker validation remains essential as CVE-2023-24932 key rolling continues. Office is MSI-only this cycle.

#patch-tuesday#testing-guidance#windows-11#windows-server