Microsoft carries the full risk load this week across two distinct product families. Defender faces active zero-day exploitation, with two vulnerabilities unpatched as of April 17, 2026, creating a confirmed detection blind-spot window for endpoint teams. Separately, a patched but widely unaddressed Kerberos-to-AD CS relay vulnerability enables durable certificate-based persistence in Active Directory environments that believed NTLM hardening was a sufficient defense against relay-class attacks.