Windows Updates & Release Notes

Follow

74 updates curated from 96 sources by the Releasebot Team. Last updated: Jul 7, 2026

Get this feed:
  • Jul 6, 2026
    • Date parsed from source:
      Jul 6, 2026
    • First seen by Releasebot:
      Jul 7, 2026
    Microsoft logo

    Windows by Microsoft

    Windows settings backup becoming a new resilience baseline

    Windows adds default-on backup for eligible managed devices, making Windows settings backup and Microsoft Store app recovery a built-in baseline. The change is available now to Windows Insiders and will roll out with Windows 11, version 26H2, while restore stays admin-controlled.

    Resilience is about to get easier for the Windows devices you manage! Eligible devices will now have the backup function on by default with Windows settings backup and restore (previously called Windows Backup for Organizations). Today, it's available to Windows Insiders and will be generally available starting with Windows 11, version 26H2. A recoverable list of settings and Microsoft Store apps is becoming a baseline part of the Windows experience rather than an opt-in configuration step.

    Note: Restore behavior is unchanged and isn't enabled by default. You still need explicit admin configuration to restore Windows devices

    A baseline designed with IT admins in mind

    Staying resilient today is no longer a nice-to-have for businesses. Resetting, replacing, and reimaging a PC is fundamental to onboarding and user experience. It's also a baseline for staying resilient.

    Imagine a lost laptop, a hardware refresh, or an unexpected reset. These are some of the moments when your users need backup most. And that's rarely when anyone wants to discover that backup was never turned on.

    Making backup the baseline shifts it from a best-effort configuration step to a standard capability across your eligible fleet.

    • Recovery without configuration: Eligible devices with the backup policy in a Not Configured state under Windows settings backup and restore[1] will back up automatically. Users' settings and Microsoft Store app list are captured out of the box. Note: Restore behavior still requires configuration to be enabled.
    • Explicit policy always wins: If you have already enabled or disabled the policy, your setting is honored. The default applies only when policy state is Not Configured.
    • Restore stays admin-managed: The default-on change applies to backup only. The restore function continues to require explicit admin configuration and is off by default.
    • User choice preserved: End user settings are protected automatically, and they keep full flexibility — they can run a backup at any time from the Windows Backup app and choose which settings are included from the Windows Settings page, all in line with the admin's policy.

    We've experienced these benefits first-hand at Microsoft, when we made backups automatic for employees across the organization.

    "Windows Backup for Organizations[1] is changing how device refresh works. Pressure tested inside Microsoft on a global scale, it enables Microsoft Store apps and user settings to move seamlessly with our people and free IT teams from the heavy lifting of device reimaging. The result is a simpler, more resilient experience." - Brian Fielder, Vice President, Microsoft Digital

    The operational benefit is simple: When a device needs to be reset, replaced, or reimaged, you can move forward immediately. No need to rush checking whether backup was ever configured for the users. Their familiar setup is already captured and ready to come back with them.

    The scope of the default-on Windows backup

    The default-on behavior applies to devices that meet all these conditions:

    • Running Windows 11, version 26H2[2] or later
    • In countries or regions not regulated by the EU Digital Markets Act (DMA)Not in sovereign or restricted cloud environments
    • With the backup policy in a Not Configured state under Windows settings backup and restore*

    Devices outside this scope keep their existing behavior:

    • Devices in privacy sensitive countries or regions remain off by default.
    • Devices in sovereign or restricted cloud environments remain off by default.
    • Devices with the backup policy explicitly enabled or disabled continue to honor that explicit setting.
    • Devices running previous supported Windows 11 versions (except for version 26H1) remain off by default.
    • Devices originally running Windows 11, version 26H1 will receive the same default-on treatment starting with the following feature update.

    Getting started

    If your environment is already in scope and in the state you want, you're ready. No action required. Otherwise, here's how to pick the behavior that fits your organization:

    • Keep backup on (recommended): No action required. Eligible devices with the backup policy in a Not Configured state under Windows settings backup and restore* will enable backup automatically at general availability of Windows 11, version 26H2.
    • Opt out: Explicitly disable the backup policy through Microsoft Intune, Group Policy, or your MDM solution. Explicit disablement always takes precedence over the default.
    • Make intent explicit: Set the backup policy to enabled today. This is functionally equivalent to the new default but provides an unambiguous, audit-friendly admin signal, and the ability for user-targeted enablement only.
    • Control restore behavior separately: Configure the restore policy on its own. The default-on change applies to backup only.

    You can validate the experience early. The default-on behavior is available with Windows 11, version 26H2 in Windows Insider Program Experimental channel starting July 2026. It takes broad effect for eligible devices at Windows 11, version 26H2 general availability later this year. Devices originally running Windows 11, version 26H1 will receive the same default-on treatment starting with the following feature update.

    Watch this video for a quick tour of the experience:

    Ready for broader Windows resiliency

    Thank you for your feedback that shaped this change. Making backup the baseline is one step in a broader Windows resiliency effort. We'll keep sharing what's coming next, so you can plan with confidence.

    Catch up and learn more:

    • Windows settings backup and restore
    • Configure backup and restore policies in Microsoft Intune
    • Windows Insider Blog
    • Windows Insider release notes
    • Windows first sign-in restore experience now available
    • Windows Backup for Organizations is now available

    [1] Windows Backup for Organizations is now Windows settings backup and restore. You'll start seeing the new name alongside the original name while we update documentation and policy surfaces.

    [2] Windows 11, version 26H2 is the annual feature update for Windows 11, versions 25H2 and 24H2. It will be released in the second half of the 2026 calendar year.

    Continue the conversation. Find best practices. Bookmark the Windows Tech Community. Looking for support? Visit Windows on Microsoft Q&A.

    Original source
  • Jun 23, 2026
    • Date parsed from source:
      Jun 23, 2026
    • First seen by Releasebot:
      Jun 24, 2026
    Microsoft logo

    Windows by Microsoft

    Best practices for deploying Secure Boot certificate updates

    Windows expands Secure Boot certificate updates across the ecosystem, with automatic Windows Update delivery, new Windows Security app status messages, and stronger guidance for home users and IT teams to complete deployment with confidence.

    Deploying Secure Boot certificate updates across the Windows ecosystem has required coordination across operating systems, device manufacturers, and firmware vendors. The steady and coordinated rollout is strengthening the platform root of trust worldwide.

    Many individuals and organizations have already successfully updated certificates for client devices, servers, and virtual machines, with others close behind. Proven deployment and validation tools, automatic certificate installation via Windows updates, and firmware support from our OEM partners are helping us all move forward with confidence. However close you are, finishing Secure Boot certificate deployment remains important. If you're still on the path to finishing your Secure Boot certificate deployment, stay the course.

    What we've seen work in practice

    Every individual device and organization's environment is different.

    In the commercial realm, across customer conversations, Ask Microsoft Anything (AMAs) events, and hands-on deployments, a few consistent patterns have emerged:

    • Early testing builds confidence. Many organizations start with pilots, validate results, and expand rollouts as confidence grows for both Windows and IT teams.
    • Layered deployment approaches work best. Teams have successfully deployed OEM firmware updates with Windows security updates, using a mix of automation and staged rollout.
    • Multiple tools can lead to success. From Microsoft Intune to Group Policy, Azure automation, and PowerShell, there isn't a single "right" tool, only the right fit for your environment.

    From talking with many of you, we learned that the diversity of tools and deployment approaches is a key reason the transition has succeeded at scale. Organizations are using a flexible resource set that meets their needs where they are.

    For home users and organizations that allow Microsoft to manage Windows updates, the experience has been equally straightforward. A few takeaways stand out:

    • Keeping devices up to date delivers the best experience. Individuals running supported versions of Windows and receiving regular Windows updates have generally received the newer certificates automatically. Don't pause Windows updates; keep them coming!
    • Built-in protections simplify the update. Secure Boot is enabled by default on most modern PCs, helping these devices receive the newer certificates without manual configuration. Simply keep Secure Boot enabled or re-enable it if needed.
    • Built-in tools help you be ready. The Windows Security app can help you track progress. It can show whether the new certificates have reached your device and whether Secure Boot remains enabled. If anything is preventing devices from receiving and applying the certificates, you can follow embedded instructions to make progress. Note: In enterprise environments, the Windows Security app is disabled by default.

    Overall, for most supported Windows Home and Pro PCs and business devices managed by Microsoft, staying protected has been as simple as keeping Windows up to date and Secure Boot enabled.

    NOTE: While most Secure Boot-enabled PCs receive the newer certificates through the monthly Windows update process, a small number might require a firmware update from the device manufacturer. The Windows Security app can help identify whether your device is waiting for a firmware update. In some cases, the firmware updates needed to support these changes might not be available for older device models, depending on the manufacturer's support lifecycle. Reach out to your device manufacturer if you encounter this case.

    Our experience at Microsoft

    Microsoft's internal deployment followed many of the same principles described throughout this post. We began with limited deployments, used validation and deployment signals to build confidence, and expanded over time. This phased approach helped us identify issues early, validate readiness, and scale deployment in a measured way.

    Along the way, we encountered many of the same edge cases and scenarios that many of you are navigating. Those experiences shaped the tools and guidance we've continued to share externally, including:

    • New Secure Boot status messages in the Windows Security app that help users understand certificate readiness and identify issues that might require attention.
    • Secure Boot certificate update playbooks for both Windows Client and Windows Server, along with tailored guidance for Windows 365 and Azure Virtual Desktop.
    • Multiple Ask Microsoft Anything sessions, now available on demand.
    • Expanded tools for IT-managed environments, including event logs, PowerShell scripts, Microsoft Intune remediations, Microsoft Defender insights, and Windows Autopatch reporting.

    Microsoft has been learning alongside you and turning those lessons into resources that you can use.

    Keep going; you're on the right path

    If you're an IT administrator still deploying Secure Boot certificate updates, you're not alone. Organizations and individuals are progressing at different speeds, based on their environments and requirements. This flexibility is intentional.

    What we've seen consistently is that success comes from staying the course:

    1. Keep your devices up to date with the latest Windows updates.
    2. Check that the latest firmware version is installed. You can visit your OEM's support page or use their official support channels.
    3. Continue with your phased rollout. Gradual deployment of certificates, boot managers, and updated OEM firmware, along with validation, remains the most reliable approach.
    4. Use the tools available to you. Whether built into Windows, such as the Windows Security app, or designed for IT-managed environments, these tools help you monitor progress and make informed decisions.

    Focus on progress over perfection. Each step forward strengthens your environment's platform root of trust.

    Devices with older certificates will continue to function and receive updates, giving you time to complete deployment. Completing this transition helps ensure that your devices stay current with evolving Secure Boot protections.

    Resources to support your next steps

    We're nearly finished with rolling out automatic certificate updates to individual PCs and business devices. If you are still in the process of rolling out updates in your organization, these resources can help:

    • Windows Secure Boot certificate expiration and CA updates
    • Secure Boot playbook for certificates expiring in 2026
    • Secure Boot playbook for Windows Server
    • Secure Boot Certificate Updates for Windows 365
    • Secure Boot Certificate Updates for Azure Virtual Desktop
    • Secure Boot update: Trusted Launch VMs (TVM) and Confidential VMs (CVM)

    In the coming weeks, there are also still opportunities to ask questions. Save the date for these upcoming events:

    • July 1 – Windows Server Secure Boot AMA
    • July 8 – Secure Boot Office Hours for virtualized environments
    • July 15 – OEM Secure Boot Office Hours

    Device owners using Windows Personal and Family accounts can use online support channels and phone numbers for additional help.

    This has been a long and meaningful journey. Together, we have strengthened the platform root of trust that modern security depends on. Wherever you are in your certificates update process, you are contributing to that shared progress.

    Original source
  • All of your release notes in one feed

    Join Releasebot and get updates from Microsoft and hundreds of other software products.

    Create account
  • Jun 23, 2026
    • Date parsed from source:
      Jun 23, 2026
    • First seen by Releasebot:
      Jun 24, 2026
    • Modified by Releasebot:
      Jun 24, 2026
    Microsoft logo

    Windows by Microsoft

    June 23, 2026—KB5095091 (OS Build 28000.2340) Preview

    Windows releases a cumulative update for Windows 11 version 26H1 with production-quality improvements, AI-powered PC experience updates, and fixes. The update rolls out gradually or broadly depending on device, and it also includes component updates and a servicing stack update.

    This cumulative update for Windows 11, version 26H1 (KB5095091), includes production-quality improvements.

    Highlights

    This update is available through two release phases: gradual rollout and normal rollout. A gradual rollout delivers an update in phases, so features reach devices over time instead of all at once, meaning availability varies by device. A normal rollout is the broad release to all eligible devices at the same time, usually when it reaches general availability (GA).

    The following summary outlines features from AI-powered Windows 11 PC experiences, along with improvements and fixes. The bold text within the brackets indicates the item or area of the change.

    Components updates

    AI components

    Servicing stack update (SSU)

    Known issues in this update

    Microsoft Office applications might fail to open from certain third-party apps

    How to get this update

    Before you install this update

    Microsoft combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates.

    Deployment

    If you deploy dynamic updates such as this update to an existing Windows image, ensure the boot.stl file is included as part of the installation media. Failure to include the file might prevent devices from successfully starting from the installation media and can result in error code 0xc0430001.

    Note: The boot.stl file is used during Secure Boot validation and must match the Windows version and architecture of the image you are updating.

    To ensure the boot.stl file is included as part of the installation media, do one of the following:

    • Use the Update WinPE script to update an existing Windows image. (Recommended)
    • Manually copy the boot.stl file from the device Windows\Boot\EFI folder to the corresponding folder on your installation media before deploying the update.

    For information about how to apply Dynamic Update packages to existing Windows images, see Update Windows installation media with Dynamic Update.

    Install this update

    To install this update, use one of the following Windows and Microsoft release channels.

    Windows Update

    Open Start > Settings > Update & Security > Windows Update. In the Optional updates available area, you will find the link to download and install available updates. Check for optional updates

    Original source
  • Jun 23, 2026
    • Date parsed from source:
      Jun 23, 2026
    • First seen by Releasebot:
      Jun 24, 2026
    Microsoft logo

    Windows by Microsoft

    June 23, 2026—KB5095093 (OS Builds 26200.8737 and 26100.8737) Preview

    Windows releases a cumulative update for Windows 11 25H2 and 24H2 with production-quality improvements, AI-powered PC experience updates, component updates, and a servicing stack update, while also noting a known issue affecting Microsoft Office apps from some third-party apps.

    This cumulative update for Windows 11, version 25H2 and 24H2 (KB5095093), includes production-quality improvements.

    Announcements and messages

    This section provides key notifications related to this release, including announcements, change logs, and end-of-support notices.

    Windows Secure Boot certificate expiration

    Important:

    Secure Boot certificates used by most Windows devices are set to expire starting in June 2026. Microsoft has been updating these certificates on consumer and non-managed business devices over the past several months. Devices that haven’t received the newer certificates will continue to start and operate normally, and standard Windows updates will continue to install. Updated certificates will continue to be delivered through Windows Update in the coming months. For more information, see Windows Secure Boot certificate expiration and CA updates.

    Redesigned Start menu availability for commercial and managed devices

    End of updates

    Change log

    Highlights

    This update is available through two release phases: gradual rollout and normal rollout. A gradual rollout delivers an update in phases, so features reach devices over time instead of all at once, meaning availability varies by device. A normal rollout is the broad release to all eligible devices at the same time, usually when it reaches general availability (GA).

    The following summary outlines features from AI-powered Windows 11 PC experiences, along with improvements and fixes. The bold text within the brackets indicates the item or area of the change.

    Windows 11 PC experiences

    Components updates

    AI components

    Servicing stack update (SSU)

    Known issues in this update

    Microsoft Office applications might fail to open from certain third-party apps

    How to get this update

    Before you install this update

    Microsoft combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates.

    Deployment

    If you deploy dynamic updates such as this update to an existing Windows image, ensure the boot.stl file is included as part of the installation media. Failure to include the file might prevent devices from successfully starting from the installation media and can result in error code 0xc0430001.

    Note: The boot.stl file is used during Secure Boot validation and must match the Windows version and architecture of the image you are updating.

    To ensure the boot.stl file is included as part of the installation media, do one of the following:

    • Use the Update WinPE script to update an existing Windows image. (Recommended)
    • Manually copy the boot.stl file from the device Windows\Boot\EFI folder to the corresponding folder on your installation media before deploying the update.

    For information about how to apply Dynamic Update packages to existing Windows images, see Update Windows installation media with Dynamic Update.

    Install this update

    To install this update, use one of the following Windows and Microsoft release channels.

    Windows Update

    Business

    Catalog

    Server Update Services

    Gradual rollout

    Available

    Next Step

    Included

    Open Start WindowsLogo icon > Settings Settings icon > Windows Update > Advanced options > Optional updates. In the Optional updates available area, you will find the link to download and install available updates. Check for optional updates.

    File information

    For a list of the files provided in this update, download the file information for cumulative update 5095093.

    For a list of the files provided in the servicing stack update, download the file information for the SSU (KB5095182) - version 26100.8733.

    Related topics

    Windows monthly updates explained

    Description of the standard terminology used for Microsoft software updates

    Microsoft Store for Business and Education with Configuration Manager

    Get updates for apps and games in Microsoft Store

    Original source
  • Jun 19, 2026
    • Date parsed from source:
      Jun 19, 2026
    • First seen by Releasebot:
      Jun 20, 2026
    Microsoft logo

    Windows by Microsoft

    Get ready for Windows 11, version 26H2

    Windows prepares the next Windows 11 annual update, version 26H2, with a predictable, low-disruption servicing model for organizations. It’s already available to Windows Insiders and focuses on easier adoption, faster installs, and simpler rollout planning.

    A familiar update experience, refined

    Windows 11, version 26H2 uses the same shared servicing model as recent releases available annually in the second half of the calendar year. Supported devices get this feature update as a small enablement package instead of a full OS replacement.

    If your organization is already on Windows 11, version 24H2 or 25H2, the update to 26H2 is similar to a regular monthly update in most environments:

    • A small, quick installation
    • Minimized disruption to users
    • No need for full reimaging or complex deployment motions

    Note: Devices running Windows 11, version 26H1 won't be able to update to version 26H2. Instead, they'll have a path to update to a future Windows release. This is because Windows 11, version 26H1 is based on a different Windows core than Windows 11, versions 24H2, 25H2, and 26H2. Here's What to know about Windows 11, version 26H1.

    This is possible because multiple versions of Windows 11 share a common servicing branch, including:

    • The same source code base
    • The same security and quality updates
    • The same compatibility validation

    The difference between versions is simply which features are enabled.

    Shared servicing branch progression

    Why this matters for IT organizations

    The shared servicing model isn't just a technical detail. It directly impacts how you manage updates across your environment. Compared to full OS upgrades of the past, Windows 11, version 26H2 comes with reduced deployment complexity, improved compatibility confidence, and faster time to value.

    Reduced deployment complexity

    Because features are delivered continuously and enabled later, there's no large "upgrade event." This makes planning easier and reduces operational overhead.

    Improved compatibility confidence

    Devices moving between versions on the same servicing branch typically benefit from:

    • Existing application compatibility validation
    • Lower risk of regressions
    • Fewer surprises during rollout

    Faster time to value

    With smaller updates and faster installations, organizations can move more quickly to the most current release. New features reach you without lengthy deployment cycles.

    Support lifecycle considerations

    As with previous annual feature updates, moving to Windows 11, version 26H2 resets the Windows support lifecycle for your devices.

    This provides:

    • 24 months of support for Home, Pro, Pro EDU, and Pro for Workstations editions
    • 36 months of support for Enterprise, Education, IoT Enterprise, and Enterprise Multi-session editions

    What does it mean for your servicing strategy? The annual update becomes a key milestone for maintaining a supported and secure environment.

    How to prepare for Windows 11, version 26H2

    Already managing Windows 11 in your organization? Preparing for 26H2 should align with your existing update processes.

    1. Validate today

    Begin testing with devices running recent versions of Windows 11 to confirm compatibility with your apps, policies, and infrastructure.

    If you'd like to get a peak of what's coming and begin previewing version 26H2 on devices now, the update is available through the Windows Insider Program in the Experimental channel. Otherwise, your organization might prefer to wait for the update to become available in Release Preview before doing more extensive testing. At that stage, the experience is closer to final shipping quality. We'll have more information to share when version 26H2 is in Release Preview.

    1. Use your existing deployment tools

    Windows 11, version 26H2 will be available through familiar channels, including:

    • Windows Autopatch
    • Microsoft Intune
    • Windows Server Update Services (WSUS)
    1. Plan your rollout rings

    Use your standard deployment rings to:

    1. Pilot the update with a small group of devices.

    2. Expand gradually based on validation results.

    3. Stay current

    Windows features are delivered continuously. Stay up to date with monthly updates to help ensure a smoother transition when the feature update becomes available.

    Feature delivery over time with enablement moment

    Looking ahead and staying informed

    Windows 11, version 26H2 continues the move toward a more predictable and efficient servicing model. This model helps reduce disruption while helping your organization stay secure and up to date. By building on a shared platform and delivering innovation continuously, Windows enables you to focus less on large upgrade projects and more on delivering value to your users.

    We'll continue to share updates and guidance as Windows 11, version 26H2 becomes available. In the meantime, test it in the Windows Insider Program's Experimental channel and use the updated plan-prepare-deploy learning path to get ready.

    Be sure to follow the Windows IT Pro Blog and join us on the Windows Tech Community for the latest information and best practices.

    Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.

    Original source
  • Similar to Windows with recent updates:

  • Jun 9, 2026
    • Date parsed from source:
      Jun 9, 2026
    • First seen by Releasebot:
      Jun 11, 2026
    Microsoft logo

    Windows by Microsoft

    June 9, 2026—KB5095051 (OS Build 28000.2269)

    Windows releases a cumulative update for Windows 11 version 26H1 with the latest security fixes, non-security improvements from the optional preview, stronger BitLocker reliability, and a security hardening change for folder customization. It also includes servicing stack quality improvements.

    Announcements and messages

    This section provides key notifications related to this release, including announcements, change logs, and end-of-support notices.

    Change log

    Improvements

    This update includes new features and quality improvements that were part of the following update:

    • May 12, 2026—KB5089548 (OS Build 28000.2113)
    • May 26, 2026—KB5089570 (OS Build 28000.2179)

    This update addresses security vulnerabilities documented in the following guide:

    • June 2026 Security Updates

    The following summary outlines key quality improvements addressed by this update. The bold text within the brackets indicates the item or area of the change.

    • [BitLocker] This update improves the reliability of BitLocker Drive Encryption testing by ensuring that all required files are available for the USB BIOS logo test.
    • [Folder customization] This update introduces a security hardening change to how Windows processes desktop.ini files. As a result, some users might notice missing custom folder icons or localized folder names for content from downloaded or remote locations. Note that access to folders is not affected. For more information, see Custom folder icons or localized folder names might not appear after installing the June 2026 Windows security update.

    If you've already installed previous updates, your device will download and install only the new updates included in this package.

    AI Components

    This release updates the following AI components:

    AI Component Version

    Image Search 1.2604.515.0
    Content Extraction 1.2604.515.0
    Semantic Analysis 1.2604.515.0
    Settings Model 1.2604.515.0

    Windows 11 servicing stack update (KB5101277)- 28000.2263

    This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. To learn more about SSUs, see Simplifying on-premises deployment of servicing stack updates.

    Known issues in this update

    Microsoft is not currently aware of any issues with this update.

    How to get this update

    Before you install this update

    Microsoft combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates.

    Deployment

    If you deploy dynamic updates such as this update to an existing Windows image, ensure the boot.stl file is included as part of the installation media. Failure to include the file might prevent devices from successfully starting from the installation media and can result in error code 0xc0430001.

    Note: The boot.stl file is used during Secure Boot validation and must match the Windows version and architecture of the image you are updating.

    To ensure the boot.stl file is included as part of the installation media, do one of the following:

    • Use the Update WinPE script to update an existing Windows image. (Recommended)
    • Manually copy the boot.stl file from the device Windows\Boot\EFI folder to the corresponding folder on your installation media before deploying the update.

    For information about how to apply Dynamic Update packages to existing Windows images, see Update Windows installation media with Dynamic Update.

    Install this update

    To install this update, use one of the following Windows and Microsoft release channels.

    Windows Update

    Available Next Step

    Included This update downloads and installs automatically from Windows Update and Microsoft Update.

    File information

    For a list of the files provided in this update, download the file information for cumulative update 5095051

    For a list of the files provided in the servicing stack update, download the file information for the SSU (KB5101277) - version 28000.2263.

    Related topics

    Windows monthly updates explained

    Description of the standard terminology used for Microsoft software updates

    Windows release health

    Original source
  • Jun 9, 2026
    • Date parsed from source:
      Jun 9, 2026
    • First seen by Releasebot:
      Jun 11, 2026
    Microsoft logo

    Windows by Microsoft

    June 9, 2026—KB5093998 (OS Build 22631.7219)

    Windows releases the June 2026 cumulative update for Windows 11 version 23H2 with security fixes, quality improvements, Secure Boot enhancements, a BitLocker recovery fix, better File Explorer search, and improved device management reliability.

    Windows Secure Boot certificate expiration

    Important: Secure Boot certificates used by most Windows devices are set to expire starting in June 2026. Microsoft has been updating these certificates on consumer and non-managed business devices over the past several months. Devices that haven’t received the newer certificates will continue to start and operate normally, and standard Windows updates will continue to install. Updated certificates will continue to be delivered through Windows Update in the coming months.

    End of updates

    Change log

    Improvements

    This update addresses security issues for your Windows operating system.

    Important: Use EKB KB5027397 to update to Windows 11, version 23H2.

    This security update contains fixes and quality improvements from KB5087420 (released May 12, 2026). The following summary outlines key issues addressed by this update. Also, included are available new features. The bold text within the brackets indicates the item or area of the change.

    [Secure Boot]

    • With this update, Windows quality updates include additional high confidence device targeting data, increasing coverage of devices eligible to automatically receive new Secure Boot certificates. Devices receive the new certificates only after demonstrating sufficient successful update signals, maintaining a controlled and phased rollout.
    • This update adds the LimitSecureBootRequiredServiceData Group Policy and mobile device management (MDM) setting under Computer Configuration > Administrative Templates > Windows Components > Secure Boot. When enabled, Windows limits the Secure Boot service data it sends by suppressing the event normally sent to Microsoft. This policy is included in the Windows Restricted Traffic Limited Functionality Baseline. For information about the policy, see Manage connections from Windows 10 and Windows 11 operating system components to Microsoft services.

    [Boot manager servicing update (Known issue)]

    Fixed: This update addresses an issue where some devices might enter BitLocker Recovery after updating boot files on systems with certain Trusted Platform Module (TPM) validation settings, including invalid PCR7 (Platform Configuration Register 7) configurations. This might occur after installing the April 2026 security update (KB5082052).

    [Country and Operator Settings Asset (COSA)]

    This update brings profiles up to date for certain mobile operators.

    [Device management]

    • This update improves connectivity for devices enrolled in both Microsoft Management Platform Configuration and Secure Lifecycle Device Management, helping devices reliably sync and renew their certificates.
    • This update improves reliability for dual‑enrolled devices managed by mobile device management platforms, including the Modern Management Platform Connector. It helps devices successfully sync and renew their certificates.

    [File Explorer]

    This update improves File Explorer search, including support for Chinese text, and UTF 8–encoded files without a byte order mark (BOM). Text now displays more clearly and consistently across search results, Content view, and tooltips.

    [Folder customization]

    This update introduces a security hardening change to how Windows processes desktop.ini files. As a result, some users might notice missing custom folder icons or localized folder names for content from downloaded or remote locations. Note that access to folders is not affected. For more information, see Custom folder icons or localized folder names might not appear after installing the June 2026 Windows security update.

    If you've already installed previous updates, your device will download and install only the new updates included in this package.

    For more information about security vulnerabilities, see the Security Update Guide and the June 2026 Security Update.

    Windows 11 servicing stack update (KB5094146) - 22621.7209

    This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. To learn more about SSUs, see Simplifying on-premises deployment of servicing stack updates.

    Known issues in this update

    Microsoft is not currently aware of any issues with this update.

    How to get this update

    Before you install this update

    Microsoft combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates.

    Deployment

    If you deploy dynamic updates such as this update to an existing Windows image, ensure the boot.stl file is included as part of the installation media. Failure to include the file might prevent devices from successfully starting from the installation media and can result in error code 0xc0430001.

    Note: The boot.stl file is used during Secure Boot validation and must match the Windows version and architecture of the image you are updating.

    To ensure the boot.stl file is included as part of the installation media, do one of the following:

    • Use the Update WinPE script to update an existing Windows image. (Recommended)
    • Manually copy the boot.stl file from the device Windows\Boot\EFI folder to the corresponding folder on your installation media before deploying the update.

    For information about how to apply Dynamic Update packages to existing Windows images, see Update Windows installation media with Dynamic Update.

    Install this update

    To install this update, use one of the following Windows and Microsoft release channels.

    Windows Update

    This update downloads and installs automatically from Windows Update and Microsoft Update.

    Original source
  • Jun 9, 2026
    • Date parsed from source:
      Jun 9, 2026
    • First seen by Releasebot:
      Jun 11, 2026
    Microsoft logo

    Windows by Microsoft

    June 9, 2026—KB5094126 (OS Builds 26200.8655 and 26100.8655)

    Windows releases a cumulative update for Windows 11 25H2 and 24H2 with the latest security fixes, non-security improvements, stronger Secure Boot certificate targeting, a virtualization stop error fix, and a security hardening change for desktop.ini folder customization.

    This cumulative update for Windows 11, version 25H2 and 24H2 (KB5094126) includes the latest security fixes and improvements, along with non-security updates from last month's optional preview release.

    Visit the Windows release health dashboard for the latest status on this release.

    Announcements and messages

    This section provides key notifications related to this release, including announcements, change logs, and end-of-support notices.

    Windows Secure Boot certificate expiration

    Important: Secure Boot certificates used by most Windows devices are set to expire starting in June 2026. Microsoft has been updating these certificates on consumer and non-managed business devices over the past several months. Devices that haven’t received the newer certificates will continue to start and operate normally, and standard Windows updates will continue to install. Updated certificates will continue to be delivered through Windows Update in the coming months.

    Change log

    Improvements

    This update includes new features and quality improvements that were part of the following update:

    • May 12, 2026—KB5089549 (OS Builds 26200.8457 and 26100.8457)
    • May 26, 2026—KB5089573 (OS Builds 26200.8524 and 26100.8524)

    This update addresses security vulnerabilities documented in the following guide:

    • June 2026 Security Updates.

    The following summary outlines key quality improvements addressed by this update. The bold text within the brackets indicates the item or area of the change.

    • [Secure Boot] With this update, Windows quality updates include additional high confidence device targeting data, increasing coverage of devices eligible to automatically receive new Secure Boot certificates. Devices receive the new certificates only after demonstrating sufficient successful update signals, maintaining a controlled and phased rollout.
    • [Virtualization] Fixed: This update addresses an issue that could result in Stop errors HYPERVISOR_ERROR (0x20001) and KMODE_EXCEPTION_NOT_HANDLED (0x1E) after installing KB5089573 on some devices during system restarts, virtual machine operations, or while running some gaming applications.
    • [Folder customization] This update introduces a security hardening change to how Windows processes desktop.ini files. As a result, some users might notice missing custom folder icons or localized folder names for content from downloaded or remote locations. Note that access to folders is not affected. For more information, see Custom folder icons or localized folder names might not appear after installing the June 2026 Windows security update.

    If you've already installed previous updates, your device will download and install only the new updates included in this package.

    AI Components

    This release updates the following AI components:

    AI Component Version Image Search 1.2605.856.0 Content Extraction 1.2605.856.0 Semantic Analysis 1.2605.856.0 Settings Model 1.2605.856.0

    Windows 11 servicing stack update (KB5094135)- 26100.8648

    This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. To learn more about SSUs, see Simplifying on-premises deployment of servicing stack updates.

    Known issues in this update

    Microsoft is not currently aware of any issues with this update.

    How to get this update

    Before you install this update

    Microsoft combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates.

    Deployment

    If you deploy dynamic updates such as this update to an existing Windows image, ensure the boot.stl file is included as part of the installation media. Failure to include the file might prevent devices from successfully starting from the installation media and can result in error code 0xc0430001.

    Note: The boot.stl file is used during Secure Boot validation and must match the Windows version and architecture of the image you are updating.

    To ensure the boot.stl file is included as part of the installation media, do one of the following:

    • Use the Update WinPE script to update an existing Windows image. (Recommended)
    • Manually copy the boot.stl file from the device Windows\Boot\EFI folder to the corresponding folder on your installation media before deploying the update.

    For information about how to apply Dynamic Update packages to existing Windows images, see Update Windows installation media with Dynamic Update.

    Install this update

    To install this update, use one of the following Windows and Microsoft release channels.

    Windows Update

    Available

    Next Step

    Included

    This update downloads and installs automatically from Windows Update and Microsoft Update.

    File information

    For a list of the files provided in this update, download the file information for cumulative update 5094126.

    For a list of the files provided in the servicing stack update, download the file information for the SSU (KB5094135) - version 26100.8648.

    Related topics

    Windows monthly updates explained

    Description of the standard terminology used for Microsoft software updates

    Microsoft Store for Business and Education with Configuration Manager

    Get updates for apps and games in Microsoft Store

    Original source
  • Jun 2, 2026
    • Date parsed from source:
      Jun 2, 2026
    • First seen by Releasebot:
      Jun 2, 2026
    Microsoft logo

    Windows by Microsoft

    Reducing NTLM Dependency: IAKerb and LocalKDC in Windows Insider Preview

    Windows expands Kerberos authentication with IAKerb and LocalKDC in public preview for Insiders, reducing NTLM fallback in more enterprise and local account scenarios. IAKerb is enabled by default, LocalKDC is disabled by default, and both are registry-configurable.

    Today, Windows expands where Kerberos works—reducing the need for NT LAN Manager (NTLM) fallback with IAKerb and LocalKDC, coming to client and server public preview later this month for Windows Insiders in the Canary Channel. These capabilities extend Kerberos authentication to scenarios that previously required NTLM, helping organizations reduce their dependency on legacy protocols. For developers, this means more authentication flows can rely on modern, Kerberos-based identity (even in environments that previously required legacy protocols), reducing the need for application workarounds and helping ensure consistent behavior across managed and unmanaged environments.

    With this release:

    • IAKerb will be enabled by default
    • LocalKDC will be disabled by default
    • Both features will be configurable through registry keys

    Note: For this public preview, configuration is exposed through registry settings so you can evaluate these capabilities in Insider environments. Management surfaces, such as Group Policies and MDM-based management, will be introduced as these capabilities mature.

    Why this matters

    For many organizations, moving away from NTLM is a security priority. But in practice, NTLM often remains in use because there are still real-world scenarios where traditional Kerberos cannot be used directly, such as:

    • Devices that do not have direct line-of-sight to a domain controller
    • Authentication flows involving local accounts
    • Standalone or workgroup environments
    • Network topologies where Kerberos reachability is limited

    IAKerb and LocalKDC address many of these gaps (though not all) by extending Kerberos support, reducing reliance on NTLM fallback across customer environments.

    What is IAKerb?

    IAKerb (Initial and Pass-Through Authentication using Kerberos) enables Kerberos to work when the initiating device (Kerberos client) does not have direct connectivity to a domain controller. In a traditional Kerberos flow, the client must communicate directly with a domain controller to obtain the tickets needed for authentication. In some environments, that path is not available even though the client can still reach the target service. In those cases, IAKerb enables the target service to act as a proxy for the Kerberos exchange, allowing authentication to stay on a Kerberos-based path rather than falling back to NTLM.

    This makes IAKerb especially useful in environments with:

    • Network segmentation
    • Restricted domain controller visibility
    • Remote or cloud-connected access patterns
    • Architectures where clients can reach services but not DCs directly

    What is LocalKDC?

    LocalKDC is a local Key Distribution Center implementation in Windows that enables Kerberos-based authentication for local account scenarios. Historically, local account authentication across machines has often depended on NTLM. LocalKDC helps close that gap by allowing Windows to use Kerberos semantics for local identity scenarios that would otherwise require legacy authentication. This is especially relevant for scenarios such as:

    • Workgroup environments
    • Standalone devices
    • Local account access to remote resources
    • Peer-to-peer or small-scale environments without domain infrastructure
    • Administrative or file access scenarios where local identities are used

    How these features fit together

    IAKerb and LocalKDC address different but complementary gaps in Windows authentication, reducing reliance on NTLM across both enterprise and local identity scenarios.

    • IAKerb is meant for enterprise and corporate environments, where domain credentials are used but Kerberos authentication cannot always complete because the client lacks direct line of sight to a domain controller. By allowing authentication to remain on a Kerberos-based path in these situations, IAKerb helps reduce NTLM usage for high-value corporate credentials. This is important because reducing the use of NTLM for enterprise credentials helps strengthen defenses against credential theft and relay-based attack paths, including forms of lateral movement that have historically relied on NTLM fallback.

    • LocalKDC addresses a different class of scenarios: local and non-domain identities, including workgroup, standalone, and local account access patterns. In these cases, LocalKDC helps bring Kerberos-based protections to scenarios that traditionally depended on NTLM for local credentials.

    Together, these capabilities extend Kerberos in two directions: domain-based enterprise credentials, and local and consumer-style account scenarios, further reducing the exposure to credential theft and relay-based attacks. This matters because, as part of a broader shift toward modern and enforced authentication, simply disabling older protocols is not enough. Organizations also need secure, reliable authentication that works consistently, without falling back to legacy protocols. These features help deliver that by providing modern, compatible alternatives that reflect how customers operate today.

    Registry Configuration:

    For this public preview, IAKerb and LocalKDC can be configured using registry settings under:

    The supported values for this preview are:

    • DisableIAKerb
    • DisableLocalKDC

    Set the value to:

    • 0 to enable the feature
    • 1 to disable the feature

    Note: If a registry value is not present, Windows uses the default behavior for that release. In this preview, the defaults are:

    • IAKerb: enabled by default (0)
    • LocalKDC: disabled by default (1)

    This gives you flexibility to evaluate the features in Insider environments while controlling rollout and validation according to your needs.

    What you can do now

    With this public preview, customers participating in the Canary Channel can test these capabilities in preview environments and validate the scenarios where NTLM is still commonly used. These features are designed to address important NTLM fallback scenarios but will not eliminate every remaining NTLM dependency in Windows environments; some scenarios may still require NTLM based on application behavior, infrastructure assumptions, or legacy dependencies. Our goal with this preview is to close some of the key gaps by extending Kerberos to more scenarios, while continuing broader work to reduce NTLM dependency across the platform over time. Once available, you can use this preview to help:

    • Identify scenarios already covered by IAKerb or LocalKDC
    • Validate those scenarios in controlled environments, and use the documented configuration options to control enablement during testing
    • Understand where NTLM dependencies still remain using our enhanced NTLM Auditing
    • Check for dependencies such as name resolution, SPN configuration, or legacy assumptions
    • Prepare for future improvements that will address additional cases

    We also recommend evaluating the following areas:

    • Access to SMB shares
    • Remote administration scenarios
    • Environments with limited or no direct Domain Controller (DC) connectivity
    • Workgroup or standalone device authentication
    • Local account access patterns
    • Scenarios being prepared for NTLM reduction or eventual NTLM blocking

    This preview is an opportunity to validate application compatibility, infrastructure dependencies, and operational readiness before broader rollout decisions are made. Learn more about upcoming work in this space here: Advancing Windows security: Disabling NTLM by default - Windows IT Pro Blog.

    Troubleshooting and Feedback

    As you evaluate IAKerb and LocalKDC in preview environments, you may encounter scenarios where authentication behaves differently than expected. Windows provides built-in logging to help you understand what is happening and identify potential issues. These logs help you:

    • Verify whether Kerberos authentication is being used
    • Identify cases where IAKerb or LocalKDC is involved
    • Detect failures or fallback conditions

    You can also leverage NTLM operational logs to:

    • Identify when NTLM is still being used
    • Understand why fallback to NTLM is occurring
    • Prioritize scenarios for further investigation

    Reviewing these logs together can help you determine whether authentication is staying on a Kerberos path (via IAKerb or LocalKDC) or falling back to NTLM and why.

    When to expect fallback behavior

    Because this is a preview release, some scenarios may still fall back to NTLM due to:

    • Application-specific dependencies
    • Environmental configuration (e.g., name resolution or SPN issues)
    • Interactions between domain accounts and local accounts on the same machine

    IAKerb and LocalKDC are designed to address a subset of common NTLM fallback scenarios, and continued improvements are planned to expand coverage over time.

    Share feedback and scenarios

    If you encounter a scenario that does not behave as expected, or if you have a unique authentication flow you would like us to evaluate, we encourage you to contact us at [email protected].

    Please include details such as:

    • The scenario you are testing
    • Expected vs. actual behavior
    • Relevant event log entries (if available)

    Your feedback is critical to helping us improve coverage and ensure these capabilities work reliably across real-world environments.

    Securing today. Preparing for what’s next.

    Security in Windows is built into the platform—continuously maintained and designed to evolve as threats change.

    Learn more in the Windows Security book and Windows Server Security book or explore Windows 11, Windows Server, and Copilot+ PCs. For broader solutions, visit the Microsoft Security site, follow the Security blog, or connect with Microsoft Security on LinkedIn and @MSFTSecurity.

    Original source
  • Jun 1, 2026
    • Date parsed from source:
      Jun 1, 2026
    • First seen by Releasebot:
      Jun 2, 2026
    Microsoft logo

    Windows by Microsoft

    Windows news you can use: May 2026

    Windows brings new security, management, and productivity updates, including Secure Boot readiness reporting, hotpatch defaults, Windows Autopatch changes for GCC customers, File Explorer archive support, smarter Search, improved Task Manager, and fresh AI and Copilot experiences.

    First, as we head into June and the first set of Secure Boot certificates start to expire, there will be another Secure Boot Ask Microsoft Anything (AMA) on Thursday, June 4. Do save the date and post your questions early or at any time during the live stream if you need assistance. You can also watch the May edition on demand.

    For more general questions around Windows deployment, updates, and management, you can join the chat-based Windows Office Hours every third Thursday. The next event will be June 18 at 8:00 AM PDT.

    Now let's dive in to more Windows news you can use you might have missed this past month.

    New in Windows update and device management

    • [AUTOPATCH] [GCC] – Windows Autopatch is now included automatically for Government Community Cloud (GCC) customers using Microsoft 365 G3 GCC, Microsoft 365 GCC G5, or Microsoft 365 GCC G5 without WDATP/CAS Unified. The $0 Windows Enterprise (OLS) activation SKU is no longer required. For guidance on how to get started, read Windows Autopatch for the US government.
    • [HOTPATCH] – Starting with the May 2026 Windows security update, hotpatch updates are now on by default for those using Windows Autopatch through Microsoft Intune or the Windows updates API in Microsoft Graph. The default tenant setting; however, is only applied to devices that aren't members of a quality update policy. Windows Autopatch respects your configuration of quality update policies.
    • [BACKUP] – Start managing Enterprise State Roaming (ESR) through Windows Backup for Organizations policies. By the end of June, you'll no longer be able to access ESR policies through the Microsoft Entra portal and will instead need to use Microsoft Intune.
    • [W365] – Admin Insights for Windows 365, now in public preview, brings together important signals from existing reporting, monitoring, and alerting from Intune. Quickly understand what's happening in your environment and where to focus.
    • [ARM] – Does your organization use, or plan to adopt, Arm-based Windows devices? Check out a snapshot of companies that have recently delivered or expanded print solutions supporting Windows on Arm.
    • [SKILLING] – Still have devices running Windows 10? Need advice on optimizing how you roll out new versions of Windows and Microsoft 365 apps in your organization? Use the updated Stay current with Windows learning path to plan, prepare for, and deploy for updates across your organization.

    New in Windows security

    • [SECURE BOOT] – The updated Secure Boot status report in Windows Autopatch provides better device-level visibility into certificate status, trust configuration, and readiness for Secure Boot certificate updates. New interactive certificate-level details fit directly into your certificate rollout workflow.
    • [SECURE BOOT] – Microsoft Defender now provides centralized visibility into Secure Boot 2023 certificate readiness across your device fleet. A new assessment categorizes your devices automatically as exposed, compliant, and not applicable.
    • [FIREWALL] [NETWORKING] – Have devices that experience difficulties receiving updates? New guidance is available to help you identify potential causes and implement solutions to ensure updates roll out smoothly moving forward.
    • [PRINTING] – A new icon appears on the Printers & scanners settings page. It helps you easily understand which devices support a more secure printing experience with Windows protected print mode.
    • [PASSKEYS] – World Passkey Day was May 7. Learn how Microsoft is Advancing passwordless authentication.

    To explore what's new in security across the Microsoft platform, see What's new in Microsoft Security: May 2026.

    New in AI

    • [DEVELOPERS] – Microsoft Build runs June 2-3! It features sessions on building, modernizing, and optimizing Windows apps and developer experiences. Check out especially AI-powered capabilities, cloud integration, and next‑gen tooling like Copilot, WinUI, and GitHub Copilot.
    • [AGENTS] – Windows is adding a new way to monitor your agents from the taskbar. This experience supports agents across first- and third-party apps, with Researcher in the Microsoft 365 Copilot app as the first adopter.
    • [COPILOT] [M365] – The Copilot app has been redesigned to be faster and more responsive. What do you think about the way Copilot shows up across Microsoft 365 apps?
    • [COPILOT] [M365] – New Microsoft 365 Copilot resources are now available to help you get started with adopting Copilot capabilities across your organization.

    To learn about latest capabilities for Copilot+ PCs, visit the Windows Roadmap and filter Platform by “Copilot+ PC Exclusives.”

    New in Windows Server

    For the latest features and improvements for Windows Server, see the Windows Server 2025 release notes and Windows Server, version 23H2 release notes.

    • [HOTPATCH] – Hotpatch updates enabled by Azure Arc are now available at no additional cost for Windows Server 2025. Read the announcement for details on eligibility and guidance on how to get started.
    • [SKILLING] – All 19 sessions from Windows Server Summit 2026 are now available on demand. Learn and improve your skills on your schedule.

    New in productivity and collaboration

    Install the May 2026 security update for Windows 11, versions 25H2 and 24H2 to get these and other capabilities, which will be rolling out gradually:

    • [FILE EXPLORER] – View and Sort preferences are now preserved in folders such as Downloads and Documents when apps launch File Explorer directly to those locations. File Explorer also now supports uu, cpio, xar, and NuGet Packages (nupkg) archive formats.
    • [INPUT] – Voice typing on the touch keyboard now looks simpler and more intuitive. The updated design removes the full‑screen overlay and shows voice typing animations directly on the dictation key.

    New features and improvements are coming in the June 2026 security update. You can preview them by installing the May 2026 optional non-security update for Windows 11, versions 25H2 and 24H2. This update includes the gradual rollout of:

    • [AUDIO] – Shared audio enables two people to listen to the same audio from a single Windows 11 PC at the same time.
    • [CAMERA] – Windows 11's Multi-App Camera feature allows multiple applications to access your camera stream at the same time.
    • [MAGNIFIER] – Magnifier now provides clearer and more consistent announcements when working with a screen reader. You'll hear helpful announcements when you zoom in or out, switch views, turn color inversion on or off, or turn Magnifier on or off. In addition, Magnifier now supports magnification of permitted protected content.
    • [SEARCH] – Windows Search will now find and prioritize files with as few as two characters.
    • [PERFORMANCE] – Task Manager now provides enhanced visibility into NPU usage, including new metrics and AI activity insights.

    Lifecycle reminders

    Check out our lifecycle documentation for the latest updates on Deprecated features in the Windows client and Features removed or no longer developed starting with Windows Server 2025.

    Additional resources

    Looking for the latest news and previews for Windows, Copilot, Copilot+ PCs, the Windows and Windows Server Insider Programs, and more? Check out these resources:

    • Windows Roadmap for new Copilot+ PCs and Windows features – filter by platform, version, status, and channel or search by feature name
    • Microsoft 365 Copilot release notes for latest features and improvements
    • Windows Insider Blog for what's available in the Beta and Experimental channels
    • Windows Server Insider for feature preview opportunities
    • Understanding update history for Windows Insider preview features, fixes, and changes to learn about the types of updates for Windows Insiders

    Join the conversation

    We are always looking to improve this monthly summary. Drop us a note in the Comments and let us know what we can do to make this more useful for you!

    Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.

    Original source
  • May 26, 2026
    • Date parsed from source:
      May 26, 2026
    • First seen by Releasebot:
      Jun 2, 2026
    Microsoft logo

    Windows by Microsoft

    May 26, 2026—KB5089570 (OS Build 28000.2179) Preview

    Windows releases a cumulative update for Windows 11 version 26H1 with production-quality improvements, AI component updates, and servicing stack quality fixes. It rolls out in phases and broad availability, with no known issues reported.

    Highlights

    This cumulative update for Windows 11, version 26H1 (KB5083806), includes production-quality improvements.

    Visit the Windows release health dashboard for the latest status on this release.

    This update is available through two release phases: gradual rollout and normal rollout. A gradual rollout delivers an update in phases, so features reach devices over time instead of all at once, meaning availability varies by device. A normal rollout is the broad release to all eligible devices at the same time, usually when it reaches general availability (GA).

    Gradual rollout

    The following summary outlines features from AI-powered Windows 11 PC experiences, along with improvements and fixes. The bold text within the brackets indicates the item or area of the change.

    Windows 11 PC experiences

    AI Components

    This release updates the following AI components:

    AI Component Version
    Image Search 1.2604.515.0
    Content Extraction 1.2604.515.0
    Semantic Analysis 1.2604.515.0
    Settings Model 1.2604.515.0

    Windows 11 servicing stack update (KB5095676)- 28000.2172

    This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. To learn more about SSUs, see Simplifying on-premises deployment of servicing stack updates.

    Known issues in this update

    Microsoft is not currently aware of any issues with this update.

    How to get this update

    Before you install this update

    Microsoft combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates.

    Install this update

    To install this update, use one of the following Windows and Microsoft release channels.

    Windows Update

    Available Next Step
    Included Open Start WindowsLogo icon > Settings Settings icon Update & Security > Windows Update. In the Optional updates available area, you will find the link to download and install available updates. Check for optional updates

    If you want to remove this update

    Before you decide to remove this update, see Understanding the risks: Why you should not uninstall security updates.

    To remove this update after installing the combined SSU and LCU package, use the DISM/Remove-Package command line option with the LCU package name as the argument. You can find the package name by using this command: DISM /online /get-packages.

    Running Windows Update Standalone Installer (wusa.exe) with the /uninstall switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.

    File information

    For a list of the files provided in this update, download the file information for cumulative update 5089570.

    For a list of the files provided in the servicing stack update, download the file information for the SSU (KB5095676) - version 28000.2172.

    Release topics

    Windows monthly updates explained

    Description of the standard terminology used for Microsoft software updates

    Original source
  • May 26, 2026
    • Date parsed from source:
      May 26, 2026
    • First seen by Releasebot:
      Jun 2, 2026
    Microsoft logo

    Windows by Microsoft

    May 26, 2026—KB5089573 (OS Builds 26200.8524 and 26100.8524) Preview

    Windows adds a cumulative update for Windows 11 25H2 and 24H2 with production-quality improvements, refreshed AI components, and servicing stack reliability updates for a smoother Windows update experience.

    This cumulative update for Windows 11, version 25H2 and 24H2 (KB5089573), includes production-quality improvements.
    Visit the Windows release health dashboard for the latest status on this release.

    Announcements and messages

    This section provides key notifications related to this release, including announcements, change logs, and end-of-support notices.

    Windows Secure Boot certificate expiration

    Change log

    Highlights

    This update is available through two release phases: gradual rollout and normal rollout. A gradual rollout delivers an update in phases, so features reach devices over time instead of all at once, meaning availability varies by device. A normal rollout is the broad release to all eligible devices at the same time, usually when it reaches general availability (GA).

    Gradual rollout

    The following summary outlines features from AI-powered Windows 11 PC experiences, along with improvements and fixes. The bold text within the brackets indicates the item or area of the change.

    Windows 11 PC experiences

    AI Components

    This release updates the following AI components:

    AI Component Version Image Search 1.2605.856.0 Content Extraction 1.2605.856.0 Semantic Analysis 1.2605.856.0 Settings Model 1.2605.856.0

    Windows 11 servicing stack update (KB5092734)- 26100.8519

    This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. To learn more about SSUs, see Simplifying on-premises deployment of servicing stack updates.

    Known issues in this update

    Microsoft is not currently aware of any issues with this update.

    How to get this update

    Before you install this update

    Microsoft combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates.

    Install this update

    To install this update, use one of the following Windows and Microsoft release channels.

    Windows Update

    Available Next Step

    Included Open Start WindowsLogo icon > Settings Settings icon > Windows Update. > Advanced options > Optional updates. In the Optional updates available area, you will find the link to download and install available updates. Check for optional updates

    If you want to remove this update

    Caution: Before you decide to remove this update, see Understanding the risks: Why you should not uninstall security updates.

    To remove this update after installing the combined SSU and LCU package, use the DISM/Remove-Package command line option with the LCU package name as the argument. You can find the package name by using this command: DISM /online /get-packages.

    Running Windows Update Standalone Installer (wusa.exe) with the /uninstall switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.

    File information

    For a list of the files provided in this update, download the file information for cumulative update 5089573.
    For a list of the files provided in the servicing stack update, download the file information for the SSU (KB5092734) - version 26100.8519.

    Related topics

    Windows monthly updates explained
    Description of the standard terminology used for Microsoft software updates
    Microsoft Store for Business and Education with Configuration Manager
    Get updates for apps and games in Microsoft Store

    Original source
  • May 19, 2026
    • Date parsed from source:
      May 19, 2026
    • First seen by Releasebot:
      May 20, 2026
    Microsoft logo

    Windows by Microsoft

    Updated Secure Boot status report in Windows Autopatch

    Windows improves the Secure Boot status report in Windows Autopatch with device-level visibility into certificate status, trust configuration, confidence level, alerts, and timestamps, helping admins target remediation and manage certificate rollouts with more confidence.

    Do more with the improved Secure boot status report in Windows Autopatch

    Now, you can gain better device-level visibility into certificate status, trust configuration, and readiness for Secure Boot certificate updates. New interactive certificate-level details fit directly into your certificate rollout workflow:

    1. Identify devices that aren't up to date.
    2. Use trust configuration and certificate details to understand applicability.
    3. Check confidence level to determine your rollout strategy.
    4. Use alerts and timestamps to validate reporting freshness and prioritize action.
    5. Plan targeted remediation instead of broad deployments.

    From policy deployment to actual Secure Boot readiness

    Secure Boot is a core Windows security feature that helps ensure devices start up using only trusted, digitally signed components. It helps protect against boot-level malware and enforces a root of trust during startup. As Secure Boot certificates evolve and older certificates approach expiration, visibility into device readiness becomes critical.

    To deploy Secure Boot certificate updates, the recommended option is to enable the EnableSecurebootCertificateUpdates policy. When active, the policy automatically sends certificate updates to supported and eligible devices but requires a device restart to complete the process.

    However, before enabling a Secure Boot policy, it's important to understand:

    • Which devices have updated their certificates and are protected
    • Whether firmware configuration blocks updates
    • Whether devices are ready for rollout
    • When to take action

    The Secure Boot status report addresses this gap by giving you a data-informed view of device readiness, not just policy assignment status. The report provides a device-level view of Secure Boot across your Windows Autopatch-managed devices. Let's walk through how to quickly understand your fleet's readiness.

    Note: Certificate readiness presupposes devices with Secure Boot enabled. Devices with Secure Boot disabled are included for visibility only. They don't require any action.

    How to use the Secure Boot status report

    The report includes several key signals designed to help you make informed decisions.

    Ready to see it in action? Start here:

    1. Go to the Intune admin center.
    2. Open Reports > Windows Autopatch > Windows quality updates.
    3. Select Reports.
    4. Open Secure Boot status.

    Identify devices that aren't up to date by certificate status

    Find the new column called Certificate status. See which certificates require action based on an aggregate view. Here's what each status means:

    • Up to date: No action is required.
    • Not up to date: Devices require certificate updates.
    • Not applicable: Secure Boot isn't enabled.

    Drill into this field to see per-certificate details. No need for custom scripts or manual validation. Select the status cell for any device to see whether Secure Boot is enabled, its trust setting, and status for each of the four required certificates.

    Use trust configuration and certificate details to understand applicability

    Not all devices require the same set of Secure Boot certificates. The Secure Boot trust setting column shows whether a device trusts:

    • Microsoft-only components
    • Both Microsoft and non-Microsoft components

    This is important because certificate applicability depends on how the device is configured, not just what exists on disk. For example, a device may be fully compliant even if certain certificates aren't present. This happens if certificates aren't required for that configuration.

    Check confidence level to determine your rollout strategy

    This is one of the most important additions in the new version of the report. The Confidence level column helps guide deployment decisions based on Microsoft-observed data across similar devices and firmware configurations. Select any cell to see a flyout summary for that device. Review the description of the status and the recommended action. It also states whether the high-confidence deployment policy is allowed.

    Use this data to:

    • Confidently auto-deploy updates to high-confidence devices.
    • Manually validate devices with limited or no data.
    • Pause rollout where known issues exist.

    Here are recommendations based on confidence level labels:

    • High confidence: Deploy the certificates depending on the policy setting:
      • If the high-confidence policy is allowed: No action is required. Devices will automatically receive Secure Boot certificate updates through Windows Update.
      • If the high-confidence policy isn't allowed: Deploy certificate updates manually when ready.
    • Under observation: Test certificate updates in controlled rollout.
    • No data observed: Carefully validate certificate updates before broad deployment. Microsoft hasn't observed this type of device in Secure Boot update data.
    • Temporarily paused: Don't deploy. Devices in this group are affected by a known issue. Consult with your OEM for possible firmware updates.
    • Not supported: Exclude these devices from automation.

    Use the confidence level data to take out guesswork from your Secure Boot certificate rollout strategy and turn it into data-informed deployment.

    Use alerts and timestamps to prioritize action

    A new Alerts column helps you validate reporting freshness and prioritize action. The report surfaces the following operational signals:

    • Devices missing diagnostic data
    • Devices requiring action
    • Timestamp of last reported diagnostic data

    Important! To avoid false assumptions when validating rollout progress, note these important limitations:

    • Status updates can take up to 12 hours after restart to be reflected.
    • Devices must send required diagnostic data to appear correctly in the report.
    • Inactive devices might show up as Unknown.

    Plan targeted remediation of Secure Boot certificates

    Secure Boot certificate updates are not uniform across devices. They depend on firmware, configuration, and trust models. Due to this variation, applying Secure Boot updates sometimes sees unexpected results.

    Without clear visibility, organizations risk:

    • Missing required updates
    • Deploying updates too broadly
    • Misinterpreting device readiness

    The Secure Boot status report gives you a more precise, device-level understanding of readiness, so you can act confidently and help reduce risk across your estate. Together, these improvements focus on one thing: making the data actionable. If needed, make data-informed decisions on targeted remediations instead of broad deployments.

    Note on Secure Boot updates and hotpatch updates

    If you're using hotpatch updates, plan for a one-time change in strategy. More devices become eligible for Secure Boot certificate updates over time based on high-confidence diagnostic data. High-confidence deployment relies on data included in monthly non-security preview updates, which are typically released the fourth week of the month. By definition, devices receiving hotpatch updates don't receive these preview updates. As such, these devices might not progress at the same rate as other devices. Here's the implication:

    • Devices might not receive updated high-confidence data in May or June.
    • Some devices might not become eligible for automatic deployment during that time.

    In addition, applying Secure Boot updates requires device restarts to complete changes to:

    • Secure Boot certificates
    • The Windows Boot Manager

    As a result of this design, devices receiving hotpatch updates will only receive updates automatically during the next baseline month (for example, April or July).

    To move forward sooner, your organization can:

    • Install the latest monthly non-security preview update (instead of a hotpatch update) to pick up updated high-confidence data.
    • Restart the devices to complete the update process.
    • Optional: Temporarily pause hotpatch updates and plan maintenance windows during Secure Boot rollout. Then resume hotpatch updates.

    Learn more or bookmark these resources:

    • Secure Boot status report in Windows Autopatch
    • Windows Secure Boot certificate expiration and CA updates
    • Secure Boot playbook for certificates expiring in 2026
    • Windows Server Secure Boot playbook for certificates expiring in 2026

    Continue the conversation. Find best practices. Bookmark the Windows Tech Community. Looking for support? Visit Windows on Microsoft Q&A.

    Original source
  • May 12, 2026
    • Date parsed from source:
      May 12, 2026
    • First seen by Releasebot:
      May 13, 2026
    Microsoft logo

    Windows by Microsoft

    May 12, 2026—KB5087420 (OS Build 22631.7079)

    Windows releases a cumulative update for Windows 11, version 23H2 that brings the latest security fixes, quality improvements and non-security updates. It also improves Secure Boot rollout, SmartScreen reputation checks, Enterprise State Roaming and Remote Desktop.

    Announcements and messages

    This section provides key notifications related to this release, including announcements, change logs, and end-of-support notices.

    Windows Secure Boot certificate expiration

    Improvements

    This update addresses security issues for your Windows operating system.

    Important: Use EKB KB5027397 to update to Windows 11, version 23H2.

    This security update contains fixes and quality improvements from KB5082052 (released April 14, 2026). The following summary outlines key issues addressed by this update. Also, included are available new features. The bold text within the brackets indicates the item or area of the change.

    • [Secure Boot] With this update, Windows quality updates include additional high confidence device targeting data, increasing coverage of devices eligible to automatically receive new Secure Boot certificates. Devices receive the new certificates only after demonstrating sufficient successful update signals, maintaining a controlled and phased rollout.
    • [Country and Operator Settings Asset (COSA)] This update brings profiles up to date for certain mobile operators.
    • [Daylight saving time (DST)] This update supports the 2023 DST change for the Arab Republic of Egypt.
    • [Enterprise State Roaming (ESR)] ESR can now be managed through Windows Backup for Organizations policies. This makes setup easier for IT administrators. To learn more, see Enterprise State Roaming.
    • [Microsoft Defender SmartScreen] This update enables Microsoft Defender SmartScreen in the Windows shell to send file hashes for unsigned files. This support allows SmartScreen to use newer reputation models and improves the quality of application reputation checks.
    • [Remote Desktop (known issue)] Fixed: This update addresses an issue that affects the Remote Desktop Connection security warning dialog. The dialog could render incorrectly in multi-monitor scenario when the monitors had different scaling set. This might occur after installing the April 2026 (KB5082052) security update. For more information, see Understanding security warnings when opening Remote Desktop (RDP) files.

    If you've already installed previous updates, your device will download and install only the new updates included in this package.

    For more information about security vulnerabilities, see the Security Update Guide and the May 2026 Security Update.

    Windows 11 servicing stack update (KB5086307) - 22621.6937

    This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. To learn more about SSUs, see Simplifying on-premises deployment of servicing stack updates.

    Known issues in this update

    Devices with an unrecommended BitLocker Group Policy configuration might be required to enter their BitLocker recovery key

    How to get this update

    Before you install this update

    Microsoft combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates.

    Install this update

    To install this update, use one of the following Windows and Microsoft release channels.

    This update downloads and installs automatically from Windows Update and Microsoft Update.

    If you want to remove this update

    Before you decide to remove this update, see Understanding the risks: Why you should not uninstall security updates.

    To remove the LCU after installing the combined SSU and LCU package, use the DISM/Remove-Package command line option with the LCU package name as the argument. You can find the package name by using this command: DISM /online /get-packages.

    Running Windows Update Standalone Installer (wusa.exe) with the /uninstall switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.

    File information

    For a list of the files provided in this update, download the file information for cumulative update 5087420.

    For a list of the files provided in the servicing stack update, download the file information for the SSU (KB5086307) - versions 22621.6937.

    Related topics

    Microsoft Store for Business and Education with Configuration Manager

    Get updates for apps and games in Microsoft Store

    Original source
  • May 12, 2026
    • Date parsed from source:
      May 12, 2026
    • First seen by Releasebot:
      May 13, 2026
    Microsoft logo

    Windows by Microsoft

    May 12, 2026—KB5089549 (OS Builds 26200.8457 and 26100.8457)

    Windows releases a cumulative update for Windows 11 24H2 and 25H2 that brings the latest security fixes and quality improvements, including stronger Secure Boot certificate targeting, better boot reliability, improved SSDP responsiveness, and an updated servicing stack.

    This cumulative update for Windows 11, version 25H2 and 24H2 (KB5089549) includes the latest security fixes and improvements, along with non-security updates from last month's optional preview release.

    Visit the Windows release health dashboard for the latest status on this release.

    Windows 11 May 12, 2026, KB5089549

    Announcements and messages

    This section provides key notifications related to this release, including announcements, change logs, and end-of-support notices.

    Windows Secure Boot certificate expiration

    Improvements

    This update includes new features and quality improvements that were part of the following update:

    • April 14, 2026—KB5083769 (OS Builds 26200.8246 and 26100.8246)
    • April 30, 2026—KB5083631 (OS Builds 26200.8328 and 26100.8328) Preview

    This update addresses security vulnerabilities documented in the following guide:

    • May 2026 Security Updates

    The following summary outlines key quality improvements addressed by this update. The bold text within the brackets indicates the item or area of the change.

    • [Secure Boot] With this update, Windows quality updates include additional high confidence device targeting data, increasing coverage of devices eligible to automatically receive new Secure Boot certificates. Devices receive the new certificates only after demonstrating sufficient successful update signals, maintaining a controlled and phased rollout.
    • [Boot manager servicing update]
    • This update improves startup reliability after boot file updates, so devices start normally without entering BitLocker recovery.
    • (Known issue) Fixed: This update addresses an issue where some devices might enter BitLocker Recovery after updating boot files on systems with certain Trusted Platform Module (TPM) validation settings, including invalid PCR7 (Platform Configuration Register 7) configurations. This might occur after installing the April 2026 security update (KB5083769).
    • [Connectivity] This update improves the reliability of Simple Service Discovery Protocol (SSDP) notifications to help prevent the service from becoming unresponsive.

    If you've already installed previous updates, your device will download and install only the new updates included in this package.

    AI Components

    This release updates the following AI components:

    AI Component Version Image Search 1.2604.515.0 Content Extraction 1.2604.515.0 Semantic Analysis 1.2604.515.0 Settings Model 1.2604.515.0

    Windows 11 servicing stack update (KB5092762)- 26100.8456

    This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. To learn more about SSUs, see Simplifying on-premises deployment of servicing stack updates.

    Known issues in this update

    Microsoft is not currently aware of any issues with this update.

    How to get this update

    Before you install this update

    Microsoft combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates.

    Install this update

    To install this update, use one of the following Windows and Microsoft release channels.

    If you want to remove this update

    Before you decide to remove this update, see Understanding the risks: Why you should not uninstall security updates.

    To remove the LCU after installing the combined SSU and LCU package, use the DISM/Remove-Package command line option with the LCU package name as the argument. You can find the package name by using this command: DISM /online /get-packages.

    Running Windows Update Standalone Installer (wusa.exe) with the /uninstall switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.

    File information

    For a list of the files provided in this update, download the file information for cumulative update 5089549.

    For a list of the files provided in the servicing stack update, download the file information for the SSU (KB5092762) - version 26100.8456.

    Related topics

    • Windows monthly updates explained
    • Description of the standard terminology used for Microsoft software updates
    • Windows release health
    • Microsoft Store for Business and Education with Configuration Manager
    • Get updates for apps and games in Microsoft Store
    Original source
Releasebot

Curated by the Releasebot team

Releasebot is an aggregator of official product update announcements from hundreds of software vendors and thousands of sources.

Our editorial process involves the manual review and audit of release notes procured with the help of automated systems.