Windows Release Notes

RSAT tools now available for Windows on Arm

Remote Server Administration Tools (RSAT) are now officially supported on Arm-based Windows 11 PCs. You can now remotely manage Windows server roles and features using Windows devices built on Arm processors, just as you would with traditional x64-based PCs. Supporting RSAT on Windows 11 on Arm marks a significant milestone and addresses one of your top requests for enterprise management.

With the February 2026 Windows non-security preview update, five of the most widely used RSAT components are available on Arm-based devices:

• Active Directory Domain Services & AD LDS Tools – Remotely manage Active Directory domains, users, and Lightweight Directory Services (AD LDS) instances.
• Active Directory Certificate Services Tools – Administer and manage certificate services and Public Key Infrastructure (PKI) on Windows Servers.
• Group Policy Management Console (GPMC) – Create, edit, and manage Group Policy Objects to control settings in Active Directory environments.
• DNS Server Tools – Configure and monitor DNS servers via the DNS Manager snap-in and command-line DNS utilities.
• DHCP Server Tools – Manage DHCP servers and scopes to administer IP address allocation in your networks.

These familiar utilities have long been available on x64 Windows clients. They're now compiled natively for the 64-bit Arm architecture and supported on Windows 11 Pro and Enterprise editions. With these tools, you can accomplish everyday system administrator tasks directly from an Arm-based Windows 11 PC. Add users to Active Directory, edit GPOs, configure DNS and DHCP servers, and more.

Why RSAT on Arm64 matters

For the past several years, if you've used Windows on Arm, you had to rely on alternative management methods (such as Windows Admin Center) or switch to an x64 device for certain tasks. Similarly, testing newer Arm-powered laptops for your enterprise highlighted the pressing need for RSAT support on Arm64 devices.

With RSAT support, Windows 11 on Arm becomes a more viable platform for enterprise IT management. It boosts confidence in the Windows on Arm ecosystem for business use. Put simply, you can now manage Windows servers from an Arm-based client, using the same robust GUI and PowerShell tools you know.

RSAT on different Windows 11 versions

Depending on your Windows 11 version, RSAT are either available as optional components or Features on Demand (FODs).

• Windows 11, versions 25H2 and 24H2 on Arm: For today's broadly released and supported Windows 11 versions, RSAT support for Arm64 is available starting with the February 2026 Windows non-security preview update. The tools are enabled as optional components.
• Windows 11, version 26H1: New Arm-based devices with the targeted Windows 11, version 26H1 release have these RSAT capabilities integrated directly as FODs. This release brings the Arm64 edition closer to parity with x64 in terms of RSAT functionality.

How to enable RSAT on Arm-based Windows 11 PCs

Optional components for Windows 11, versions 25H2 and 24H2

Your devices with an Arm64 processor must be running Windows 11, version 25H2 or 24H2 and be updated with the February 2026 Windows non-security preview update or later.

To add RSAT as optional components via the Control Panel:

1. Open the Control Panel.
2. Select Programs > Turn Windows features on or off.
3. Check the boxes for the RSAT components you need.

The RSAT components will then be installed and available for use on your Arm-based Windows 11 PC.

When you install optional components through the Control Panel user interface, you'll see the DisplayName showing RSAT.

However, when using command‑line tools, you'll only see the FeatureName . Please use the FeatureName to install a specific optional component.

Examples:

dism /online /get-features /format:table | findstr /i "Enabled"

or

Get-WindowsOptionalFeature -Online | Where-Object State -eq "Enabled"

Output sample:

FeatureName         State
-----------         -----
CertificateServices-Tools        Enabled
ServerManager-Tools           Enabled
ActiveDirectory-DS-LDS-Tools  Enabled

Commands to install:

# Enable ADLDS
Enable-WindowsOptionalFeature -Online -FeatureName ActiveDirectory-DS-LDS-Tools -All -NoRestart

# Enable ADCS
Enable-WindowsOptionalFeature -Online -FeatureName CertificateServices-Tools -All -NoRestart

Additionally, for an individual feature:

Get-WindowsOptionalFeature -Online -FeatureName <FeatureName>

The output will include the DisplayName, which shows the corresponding RSAT label.

Features on Demand for Windows 11, version 26H1

The RSAT components are available to you as Windows features on devices with Windows 11, version 26H1.

To add RSAT tools as FODs via Windows Settings:

1. Navigate to Settings > System > Optional Features > Add an optional feature.
2. Find and select the desired "RSAT" components to install, such as RSAT: Active Directory Domain Services and LDS Tools, RSAT: DNS Server Tools, etc.

This is what RSAT as FODs look like on Windows 11, version 26H1:

Manage Windows infrastructure more efficiently

We hope you will take advantage of these newly available RSAT components on your Arm64 devices and let us know how this investment helps your team manage Windows infrastructure more efficiently.

By introducing RSAT for Windows 11 on Arm, the platform takes another step toward giving you a consistent management experience across more of your Windows devices. This removes a key barrier for your organization to adopt Arm-powered PCs for benefits like battery life and connectivity. Just use your preferred server management workflows on any Windows 11 PC.

This update underscores our commitment to support Windows on Arm for enterprise use cases. We'll continue welcoming feedback as we enhance Windows 11 for all platforms.

Happy server managing, now on Arm!

Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.

[1] Non-Arm, x64 devices on Windows 11, versions 25H2 and 24H2 are Features on Demand.

[2] As a shortcut for installing optional components via the Control Panel, press Win + R, type optionalfeatures.exe, and press Enter.

Original source Report a problem

Announcements and messages

This section provides key notifications related to this release, including announcements, change logs, and end-of-support notices.

Windows Secure Boot certificate expiration

Change log

Improvements and fixes

• This Hotpatch update includes security and quality improvements.

• The following summary outlines key issues addressed by this update. The bold text within the brackets indicates the item or area of the change.

• This update makes miscellaneous security improvements to internal OS functionality.

Note:
Secure Boot certificate updates will be delivered with the next baseline Windows update in April 2026.

If you've already installed previous updates, your device will download and install only the new updates included in this package.

Known issues in this update

Microsoft is not currently aware of any issues with this update.

How to get this update

Before you install this update

Microsoft combines the latest servicing stack update (SSU) for your operating system with the hotpatch update. For general information about SSUs, see

• Servicing stack updates and
• Servicing Stack Updates (SSU): Frequently Asked Questions.

If you are using Windows Update, the latest SSU installs with this update.

Install this update

To install this update, use one of the following Windows and Microsoft release channels.

Release Channels Available Next step Windows Update Included This update downloads and installs automatically from Windows update and Microsoft Update Catalog Not included See the other options. Server Update Services Not included See the other options.

File information

For a list of the files provided in this update,
download the file information for cumulative update 5079420.

For a list of the files provided in the servicing stack update,
download the file information for the SSU (KB5083532) - version 26100.8035.

Original source Report a problem

Windows 11 March 10, 2026, KB5079473

This cumulative update for Windows 11, version 25H2 and 24H2 (KB5079473), includes the latest security fixes and improvements, along with non-security updates from last month’s optional preview release. To learn more about differences between security updates, optional non-security preview updates, out-of-band (OOB) updates, and continuous innovation, see
Windows monthly updates explained
. For information on Windows update terminology, see the different types of
Windows software updates
.

To view the latest updates about this release, visit the
Windows release health dashboard
or the update history page for Windows 11, version
25H2
and
24H2
.

Announcements and messages

This section provides key notifications related to this release, including announcements, change logs, and end-of-support notices.

Windows Secure Boot certificate expiration

Change log

Improvements

This security update contains fixes and quality improvements from
KB5077181
(released February 10, 2026). The following summary outlines key issues addressed by this update. Also, included are available new features. The bold text within the brackets indicates the item or area of the change.

■
[Secure Boot]
With this update, Windows quality updates include additional high confidence device targeting data, increasing coverage of devices eligible to automatically receive new Secure Boot certificates. Devices receive the new certificates only after demonstrating sufficient successful update signals, maintaining a controlled and phased rollout.

■
[File Explorer]
Improved: This update improves File Explorer search reliability when searching across multiple drives or "This PC".

■
[Windows Defender Application Control]
Improved: This update improves how Windows Defender Application Control (WDAC) handles COM objects allowlisting policies. COM objects were blocked when the endpoint security policy was set higher than the allowlisting policy. With this update, COM objects are allowed as expected.​

■
[Windows System Image Manager​​​​​​​]
Improved: This update improves the reliability of choosing trusted catalog files. It adds a warning dialog that helps you confirm that the file you select comes from a trusted source. ​​​​​​​

If you've already installed previous updates, your device will download and install only the new updates included in this package.

For more information about security vulnerabilities, see the
Security Update Guide
and the
March 2026 Security Updates
.

AI Components

This release updates the following AI components:

AI Component | Version
Image Search | 1.2602.1451.0
Content Extraction | 1.2602.1451.0
Semantic Analysis | 1.2602.1451.0
Settings Model | 1.2602.1451.0

Windows 11 servicing stack update (KB5083532)- 26100.8035

This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. To learn more about SSUs, see
Simplifying on-premises deployment of servicing stack updates
.

Known issues in this update

Microsoft is not currently aware of any issues with this update.

How to get this update

Before you install this update

Microsoft combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see
Servicing stack updates
and
Servicing Stack Updates (SSU): Frequently Asked Questions
.

Install this update

To install this update, use one of the following Windows and Microsoft release channels.

• Windows Update

  Available | Next Step
  Included | This update downloads and installs automatically from Windows Update and Microsoft Update.

If you want to remove the LCU

Before you decide to remove the LCU, see
Understanding the risks: Why you should not uninstall security updates
.

To remove the LCU after installing the combined SSU and LCU package, use the
DISM/Remove-Package
command line option with the LCU package name as the argument. You can find the package name by using this command:
DISM /online /get-packages
.

Running
Windows Update Standalone Installer
(wusa.exe) with the
/uninstall
switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.

File information

For a list of the files provided in this update,
download the file information for cumulative update 5079473
.

For a list of the files provided in the servicing stack update,
download the file information for the SSU (KB5083532) - version 26100.8035
.

Related topics

• Microsoft Store for Business and Education with Configuration Manager

• Get updates for apps and games in Microsoft Store

Original source Report a problem

Windows Autopatch hotpatch by default

Windows Autopatch is enabling hotpatch security updates by default to help secure devices even faster. This change in default behavior comes to all eligible [i] devices in Microsoft Intune and those accessing the service via Microsoft Graph API starting with the May 2026 Windows security update. Applying security fixes without waiting for a restart can get organizations to 90% compliance in half the time, while you remain in control.

One month before this shift, starting on April 1, 2026, new controls become available if you're not ready for this change. Here's why and how you can decide on your next move.

The advantage of hotpatch updates

Every month, Windows publishes security updates to address common vulnerabilities and exposures (CVEs) to help keep users at your organization secure. When you roll out these updates as an IT admin, you may wait for days for devices to restart before they become compliant. Typically, you'd allow 3-5 days after installing those fixes before forcing a restart to apply them. When hotpatch updates launched about a year ago, we changed the game. Security updates take effect as soon as they are installed – no restart required.

This change in approach patches devices significantly faster since they aren't waiting for that restart. To see how this is working in the real world, we asked four different companies with 30-70K devices about their gains in the number of days to security compliance. They all reported achieving 90% patch compliance in half the previous time, without making any policy changes (see chart below).

Today, there are over 10 million production devices enrolled in hotpatch updates, showing the level of adoption and trust companies like yours have in this capability. Learn more about the efficiency of smaller hotpatch update sizes and how we implement hotpatch updates internally at Microsoft.

Hotpatch by default: How it works

Starting with the May 2026 Windows security update, Windows Autopatch is enabling hotpatch updates by default to help your organization get more secure, quicker. This change applies whether you use Windows Autopatch through Microsoft Intune or the Windows updates API in Microsoft Graph.

What does it mean in practice? All update policies in Microsoft Intune depend on Windows Autopatch. The default tenant setting is only applied to devices that aren't members of a quality update policy. Windows Autopatch respects your configuration of quality update policies. If a device is assigned to one of those policies, the hotpatch setting from that policy is the one applied. Your preferences for update deferrals and update ring settings are also respected.

Note: Hotpatch updates only apply to devices that meet the hotpatch prerequisites. Devices that don't meet these prerequisites will continue to patch in the same way they do today.

When will my devices start receiving hotpatch updates?

If a device meets the prerequisites and has taken the April 2026 security update (a baseline update), it will start receiving hotpatch updates with the May 2026 security update. Double-check whether a device is enrolled in hotpatch updates with new Windows Autopatch update readiness tools.

Note: Hotpatch updates are applied from the latest baseline release. If a device is enrolled in hotpatch updates but isn't yet on the latest baseline, Windows Autopatch first installs the latest baseline update, which requires a restart. Once the device is on the latest baseline, it continues receiving hotpatch updates without requiring restarts going forward. For more information on the latest schedule for these releases, see Release notes for hotpatch.

How do I know if a device will receive a hotpatch update?

Before the May 2026 hotpatch update, review the Hotpatch quality updates report in Intune. It shows devices that have hotpatch updates enabled and meet the prerequisites. You can easily see which devices will receive a hotpatch update in the Hotpatch ready column. Devices successfully patched are in the Hotpatched column.

You can also look at the Quality update status report in Intune to check which devices are ready to receive a hotpatch update. In this report, the column labeled Hotpatch Readiness indicates if the device meets the prerequisites for hotpatch updates. A new column called Hotpatch enabled will be added showing the status of each device.

Embracing the change at your own pace

Windows Autopatch is enabling hotpatching by default because hotpatch updates are the quickest way to get secure. As such, we recommend keeping hotpatch updates enabled for your devices. If you're not ready for this change, you can opt out groups of devices or the whole tenant.

The tenant setting to opt out of hotpatch updates is scheduled to go live on April 1, 2026. And because April is a hotpatch baseline month, you have until May 11, 2026 before any hotpatch updates are deployed.

How to opt out of hotpatch updates across your tenant

Once the changes are live in April, configure the default hotpatch update behavior for your tenant as follows:

• Open Microsoft Intune.
• Navigate to Tenant administration > Windows Autopatch > Tenant management.
• Select the Tenant settings tab.
• Toggle the "When available, apply updates without restarting the device ("hotpatch")" setting to either Allow or Block.

How to opt out of hotpatch updates for groups of devices

Want to specify the desired behavior for a group of devices? Simply assign them to a quality update policy. Windows Autopatch respects your intention set at the policy level over the tenant-level default. To create a quality update policy, take the following steps:

• Open Microsoft Intune.
• Navigate to Devices > Manage updates > Windows updates.
• Select the Quality updates tab.
• Select Create.
• Select Windows quality update policy from the drop-down menu.
• Fill out the title and details on the Basics tab and select Next.
• In the Settings step, toggle the "When available, apply without restarting the device ("hotpatch")" setting to either Allow or Block, then select Next.
• Apply any scope tags, then select Next.
• Assign your desired Microsoft Entra groups, then select Next.
• Select Create.

You can disable hotpatch updates at the tenant level and enable them for specific devices and vice versa. When you're ready for hotpatch updates by default, just toggle "When available, apply without restarting the device ("hotpatch") back to Allow.

To start taking advantage of hotpatch updates enabled by default, check that your devices meet the prerequisites. To learn more and get started, see Hotpatch updates and the Windows Autopatch frequently asked questions (FAQ).

Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.

[i] See prerequisites for hotpatch updates in Hotpatch updates.

Original source Report a problem

Hotpatch updates overview

With hotpatch updates, you can quickly take measures to help protect your organization from the evolving landscape of cyberattacks, while minimizing user disruptions. Hotpatch updates are Monthly B release security updates that install and take effect without requiring you to restart the device. By minimizing the need to restart, these updates help ensure faster compliance, making it easier for organizations to maintain security while keeping workflows uninterrupted.

Hotpatch is an extension of Windows Update and requires Autopatch to create and deploy hotpatches to devices enrolled in the Autopatch quality update policy.

Key benefits

• Hotpatch updates streamline the installation process and enhance compliance efficiency.
• No changes are required to your existing update ring configurations. Your existing ring configurations are honored alongside Hotpatch policies.
• The Hotpatch quality update report provides a per policy level view of the current update statuses for all devices that receive Hotpatch updates.
• Hotpatch package size is significantly smaller than the standard cumulative updates. Therefore, hotpatch updates install faster and consumes less network bandwidth. Additional details are shared in the Hotpatch efficiency unlocked: Smaller update size blog.

Prerequisites

To benefit from Hotpatch updates, devices must meet the following prerequisites:

• One of the eligible licenses: Windows 11 Enterprise E3 or E5, Microsoft 365 F3, Windows 11 Education A3 or A5, Microsoft 365 Business Premium, or Windows 365 Enterprise
• Windows 11 version 24H2 or later
• Devices must be on the latest baseline release version to qualify for Hotpatch updates. Microsoft releases Baseline updates quarterly as standard cumulative updates. For more information on the latest schedule for these releases, see Release notes for Hotpatch .
• Microsoft Intune to manage hotpatch update deployment with the Windows quality update policy with hotpatch turned on .

Operating system configuration prerequisites

To prepare a device to receive Hotpatch updates, configure the following operating system settings on the device. You must configure these settings for the device to be offered the Hotpatch update and to apply all Hotpatch updates.

Virtualization based security (VBS)

VBS must be turned on for a device to be offered Hotpatch updates. For information on how to set and detect if VBS is enabled, see Virtualization-based Security (VBS) .

VBS is required for the hotpatch update installer to function. To enable VBS, you can use the CSP VirtualizationBasedTechnology. For more information, see VirtualizationBasedTechnology .

Note

Devices might be temporarily ineligible because they don’t have VBS enabled or aren’t currently on the latest baseline release. To ensure that all your Windows devices are configured properly to be eligible for hotpatch updates, see Troubleshoot hotpatch updates . You can also find VBS status in Autopatch alerts and remediation with the alert 'Hotpatch – VBS not running.'

Arm 64 devices must disable compiled hybrid PE usage (CHPE) (Arm 64 CPU Only)

CHPE (Compiled Hybrid Portable Executable) is a type of binary that improves the performance of 32‑bit (x86) applications running on Arm64 devices. CHPE binaries include both native Arm64 and x86 code, allowing Windows to run x86 applications more efficiently on Arm‑based PCs.

This requirement only applies to Arm64 CPU devices when using hotpatch updates. Hotpatch updates are not compatible with servicing CHPE OS binaries located in the %SystemRoot%\SyChpe32 folder.

Note

CHPE is only relevant for environments where 32-bit x86 Microsoft Office or other legacy x86 applications are required on Arm64 devices.

If you're not sure what edition of applications you're running and whether they might fail when disabling CHPE, see Choose between the 64-bit or 32-bit version of Office - Microsoft Support .

Application failure or performance issues can arise from disabling CHPE binaries. This can happen if you run a 32-bit program, such as VBA code using Declare statements or 32-bit COM Add-ins with no 64-bit alternative. To avoid these issues, update the program to 64-bit or identify the devices that must run these programs and exclude them from your hotpatch quality update policies.

For guidance on how to update 32-bit applications to 64-bit, see Update app architecture from Arm32 to Arm64 .

To ensure that all the hotpatch updates are applied, you must disable CHPE usage. Set the CHPE disable flag and restart the device. You only need to set this flag one time. The registry setting remains applied through updates.

To disable CHPE binaries, you can use the DisableCHPE system policy CSP. For more information, see DisableCHPE .

You can also create and/or set the following DWORD registry key: Path:
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
DWORD key value: HotPatchRestrictions=1

Important

Support for the 32-bit edition of Microsoft 365 Apps on Windows Arm-based devices is ending. New feature updates stopped in October 2025, and security updates end in December 2026. If your organization is still using 32‑bit Microsoft 365 Apps on Windows Arm‑based PCs, review End of Support for 32-bit Microsoft 365 Apps on Windows Arm-based PCs . There are no plans to support hotpatch updates on Arm64 devices with CHPE enabled. Disabling CHPE is only applicable to Arm64 devices.

If you choose to no longer use Hotpatch updates, clear the CHPE disable flag (HotPatchRestrictions=0) then restart the device to turn on CHPE usage.

Ineligible devices

Devices that don't meet one or more prerequisites automatically receive the Latest Cumulative Update (LCU) instead. Latest Cumulative Update (LCU) contains monthly updates that supersede the previous month's updates containing both security and nonsecurity releases.

LCUs requires you to restart the device, but the LCU ensures that the device remains fully secure and compliant.

Note

If devices aren't eligible for hotpatch updates, they're offered the LCU. The LCU keeps your configured Update ring settings; it doesn't change the settings.

Release cycles

For more information about the release calendar for hotpatch updates, see Release notes for Hotpatch .

• Baseline: Includes the latest security fixes, cumulative new features, and enhancements. Restart required.
• Hotpatch: Includes security updates. No restart required.

Table 1

Quarter | Baseline updates (requires restart) | Hotpatch (no restart required)
1 | January | February and March
2 | April | May and June
3 | July | August and September
4 | October | November and December

During a hotpatch month, if a device has hotpatch updates enabled but isn't on the latest baseline update, the device will receive both the latest baseline update (restart required) and the latest hotpatch update.

Note

Upgrading a hotpatch enrolled device to the latest Windows version (eg: upgrading from Windows 11 24H2 to Windows 11 25H2) during a baseline month keeps the device on the hotpatch cycle and the device keeps receiving the hotpatch updates seamlessly. However, upgrading a device to the latest Windows version in a hotpatch month switches the device to standard updates; you must restart the device to apply the update until the next baseline release.

Hotpatch on Windows 11 Enterprise or Windows Server 2025

Note

Hotpatch is also available on Windows Server and Windows 365. For more information, see Hotpatch for Windows Server Azure Edition .

Hotpatch updates are similar between Windows 11 and Windows Server 2025.

• Windows Autopatch manages Windows 11 updates
• Azure Update Manager and optional Azure Arc subscription for Windows 2025 Datacenter/Standard Editions (on-premises) manages Windows Server 2025 Datacenter Azure Edition. For more information, on Windows Server and Windows 365, see Hotpatch for Windows Server Azure Edition .

The calendar dates, eight hotpatch months, and four baseline months, planned each year are the same for all the hotpatch-supported operating systems (OS). It’s possible for additional baseline months for one OS (for example, Windows Server 2022), while there are hotpatch months for another OS, such as Server 2025 or Windows 11, version 24H2. Review the release notes from Windows release health to keep up to date.

Enroll devices to receive Hotpatch updates

Note

If you're using Autopatch groups and want your devices to receive Hotpatch updates, you must create a Hotpatch policy and assign devices to it. Turning on Hotpatch updates doesn't change the deferral setting applied to devices within an Autopatch group.

To enroll devices to receive Hotpatch updates:

• Go to the Intune admin center .
• Select Devices from the left navigation menu.
• Under the Manage updates section, select Windows updates .
• Go to the Quality updates tab.
• Select Create , and select Windows quality update policy .
• Under the Basics section, enter a name for your new policy and select Next.
• Under the Settings section, ensure that the option "When available, apply without restarting the device ("Hotpatch") is set to Allow . Then, select Next .
• Select the appropriate Scope tags or leave as Default. Then, select Next .
• Assign the devices to the policy and select Next .
• Review the policy and select Create .
• You can also Edit the existing Windows quality update policy and set the "When available, apply without restarting the device ("Hotpatch") to Allow .

These steps ensure that targeted devices, which are eligible to receive Hotpatch updates, are configured properly. Ineligible devices are offered the latest cumulative updates (LCU).

Note

Turning on Hotpatch updates doesn't change the existing deadline-driven or scheduled install configurations on your managed devices. Deferral and active hour settings still apply.

Roll back a hotpatch update

Automatic rollback of a Hotpatch update isn’t supported but you can uninstall them. If you experience an unexpected issue with hotpatch updates, you can investigate by uninstalling the hotpatch update and installing the latest standard cumulative update (LCU) and restart. Uninstalling a hotpatch update is quick, however, it does require a device restart.

Troubleshoot hotpatch updates

Step 1: Verify the device is eligible for hotpatch updates and on a hotpatch baseline before the hotpatch update is installed

Hotpatching follows the hotpatch release cycle. Review the prerequisites to ensure the device is eligible for hotpatch updates. For information on devices that don’t meet the prerequisites, see Ineligible devices .

For the latest release schedule, see the hotpatch release notes . For information on Windows update history, see Windows 11, version 24H2 update history .

Step 2: Verify the device has Virtualization-based security (VBS) turned on

1. Select Start, and enter System information in the Search.
2. Select System information from the results.
3. Under System summary, under the Item column, find Virtualization-based security.
4. Under the Value column, ensure it states Running.

Step 3: Verify the device is properly configured to turn on hotpatch updates

1. In Intune, review your configured policies within Autopatch to see which groups of devices are targeted with a hotpatch policy by going to the Windows Update > Quality Updates page.
2. Ensure the hotpatch update policy is set to Allow.
3. On the device, select Start > Settings > Windows Update > Advanced options > Configured update policies > find Enable hotpatching when available. This setting indicates that the device is enrolled in hotpatch updates as configured by Autopatch.

Step 4: Disable compiled hybrid PE usage (CHPE) (Arm64 CPU only)

For more information, see Arm 64 devices must disable compiled hybrid PE usage (CHPE) (Arm 64 CPU Only) .

Step 5: Use Event viewer to verify the device has hotpatch updates turned on

1. Right-click on the Start menu, and select Event viewer.
2. Search for AllowRebootlessUpdates in the filter. If AllowRebootlessUpdates is set to 1, the device is enrolled in the Autopatch update policy and has hotpatch updates turned on:
   "data": { "payload": "{"Orchestrator":{"UpdatePolicy":{"Update/AllowRebootlessUpdates":true}}}", "isEnrolled": 1, "isCached": 1, "vbsState": 2,

Step 6: Check Windows Logs for any hotpatch errors

Hotpatch updates provide an inbox monitor service that checks for the health of the updates installed on the device. If the monitor service detects an error, the service logs an event in the Windows Application Logs. If there's a critical error, the device installs the standard (LCU) update to ensure the device is fully secure.

1. Right-click on the Start menu, and select Event viewer.
2. Search for hotpatch in the filter to view the logs.

Original source Report a problem

Welcome to the February 2026 edition of Windows news you can use. Today marks the start of Microsoft Technical Takeoff—four Mondays of demos, deep dives, and live Q&A for the IT pro community. If you're not tuning in live, all sessions will be recorded, so definitely bookmark any topics of interest and catch up on demand.

Speaking of events, we're hosting another Secure Boot AMA on March 12. Post your questions in advance or during the live event. New and updated resources and tools help you monitor the status of Secure Boot certificate updates across your estate. Look for more details on those below.

New in Windows update and device management

• [BACKUP] [RESTORE] – The first sign-in restore experience is now part of Windows Backup for Organizations. Empower people to restore their settings and Microsoft Store app list automatically at first sign-in, including those using Microsoft Entra hybrid joined devices, Cloud PCs, and multi‑user devices. For the first time, users who sign in with a Microsoft Entra ID on eligible devices will be able to restore their environment if they missed the option during first sign-in.
• [START MENU] – The new Start menu will be available to organizations in the second quarter of this calendar year. Two policies allow IT admins to further customize the Start menu: HideCategoryView and ConfigureStartPins. For more details, see the Start Policy CSP and Start policy settings.
• [WINDOWS 365] – By pairing Windows 365 Reserve with Windows 365 Boot, you can keep Windows 11 devices preconfigured with Windows 365 Boot. When users need access, simply assign a Windows 365 Reserve license in Microsoft Intune and hand the device to a user. No additional setup required.
• [WINDOWS 365] – Windows 365 is now supported in New Zealand North. This supports organizations who need to keep data within national borders, meet industry or government compliance expectations, or simply provide your workforce with a faster, more consistent Cloud PC experience.
• [26H1] – Windows 11, version 26H1 is a targeted release designed to support the next generation of silicon. Find out what you need to know about version 26H1 and why Windows 11, versions 25H2 and 24H2 remain the recommended releases for enterprise deployment.
• [ADMIN] – Learn how to filter and focus Message center in the Microsoft 365 admin center to prioritize Windows information with a new step-by-step guide.
• [WINDOWS] [5G] – Windows enterprise managed cellular connectivity is in private preview. This native Windows capability provides organizations with centralized management and customization of 5G cellular connectivity on Windows 11 PCs. This solution is integrated with Intune and validated on Surface 5G-enabled devices (available now).

New in Windows security

• [SECURE BOOT] – New tools and guidance are available to help you actively monitor and manage the update of Secure Boot certificates across your device fleet.
• Explore the latest OEM pages for Secure Boot.
• Find out what happens when Secure Boot certificates expire on Windows devices.
• Quickly get a device-level view of Secure Boot across your Windows Autopatch-managed devices with the Secure Boot status report.
• For devices not enrolled in Windows Autopatch, learn how to monitor Secure Boot certificate status with Microsoft Intune remediations.
• Access tailored guidance for managing Secure Boot certificate updates for Windows Server, Windows 365, and Azure Virtual Desktop.
• Review updated FAQs about the Secure Boot update process.
• Stay updated as new resources become available by bookmarking the new Updates and announcements section of https://aka.ms/GetSecureBoot.
• Tune in live—and post your questions in advance—for the March 12 Secure Boot Ask Microsoft Anything session on the Microsoft Tech Community. Want a primer before the AMA? Tune in March 9 to Secure Boot certificates explained at Tech Takeoff.

New in AI

• [MECHANICS] – For those seeking to better understand Microsoft 365 Copilot and AI experiences on Windows 11 PCs, check out the new episode of Microsoft Mechanics. See how to access Copilot and agents from the taskbar. Find answers across files, email, and meetings, and turn ideas into polished content using voice or text.

To learn about latest capabilities for Copilot+ PCs, visit the Windows Roadmap and filter Platform by “Copilot+ PC Exclusives.”

New in productivity and collaboration

Install the February 2026 security update for Windows 11, versions 25H2 and 24H2 to get these and other capabilities.

• [SECURITY] – You can now set how often Data Protection Application Programming Interface (DPAPI) domain backup keys rotate automatically. This strengthens cryptographic security and reduces reliance on older encryption algorithms.
• [MOBILE] – Cross‑Device Resume now includes the ability to continue activities from your Android phone on your PC based on the apps and services you use. Resume Spotify playback, work in Word, Excel, or PowerPoint, or continue a browsing session.
• [ACCESSIBILITY] – Narrator now gives you more control over how it announces on‑screen controls. You can choose which details are spoken and adjust their order to match how you navigate apps.

New features and improvements are coming in the March 2026 security update. You can preview them by installing the February 2026 optional non-security update for Windows 11, versions 25H2 and 24H2. This update includes the gradual rollout of:

• [RECOVERY] – Quick Machine Recovery now turns on automatically for Windows Professional devices that are not domain‑joined and not enrolled in enterprise endpoint management. These devices receive the same recovery features available to Windows Home users. For domain‑joined or enterprise managed devices, Quick Machine Recovery stays off unless you enable it for your organization.
• [NETWORK] – A built‑in network speed test is now available from the taskbar. The speed test opens in the default browser and measures Ethernet, Wi‑Fi, and cellular connections.
• [CAMERA] – Control pan and tilt for supported cameras in the Settings app.
• [SYSMON] – System Monitor (Sysmon) functionality is now natively available in Windows. Capture system events for threat detection and use custom configuration files to filter the events you want to monitor. Windows writes captured events to Windows Event Log, which allows security tools and other applications to use them.
• [SEARCH] – When using search on the taskbar, preview search results by hovering and quickly seeing when more results are available with group headers.
• [RSAT] – This update adds support for Remote Server Administration Tools (RSAT) on Windows 11 Arm64 devices.

New for developers

• [STORE] – Explore new features and updates for those developing for the Microsoft Store on Windows. Check out developer analytics, a web installer, and new developer tools.

New in Windows Server

For the latest features and improvements for Windows Server, see the Windows Server 2025 release notes and Windows Server, version 23H2 release notes.

• [SECURE BOOT] – The original Secure Boot certificates introduced in 2011 are approaching the end of their planned lifecycle, with expirations beginning in late June 2026. While many recent platforms include the supported 2023 certificates in firmware, you'll need to manage the process manually for any that require updating. Get started today with the Windows Server Secure Boot playbook for certificates expiring in 2026.
• [ReFS] – Resilient File System (ReFS) boot support is now available for Windows Server Insiders in Insider Preview builds.
• [DNS] – A public preview of DNS over HTTPS (DoH) for Windows DNS Server is now available. DoH support in Windows DNS Server complements broader Zero Trust DNS efforts already introduced on Windows clients to enable organizations to adopt encrypted, authenticated DNS across endpoints and on-premises infrastructure.
• [WS2025] – Looking for help with capacity planning of Remote Desktop Session Host servers running Windows Server 2025? Check out the new guide.

Lifecycle milestones

• Windows 10 Enterprise 2016 LTSB and Windows 10 IoT Enterprise 2016 LTSB will reach end of support on October 13, 2026. Windows Server 2016 will reach end of support on January 12, 2027. If your organization cannot migrate to newer, supported releases in time, explore the options available to help you keep your devices protected with monthly security updates.

Check out our lifecycle documentation for the latest updates on Deprecated features in the Windows client and Features removed or no longer developed starting with Windows Server 2025.

Additional resources

Looking for the latest news and previews for Windows, Copilot, Copilot+ PCs, the Windows and Windows Server Insider Programs, and more? Check out these resources:

• Windows Roadmap for new Copilot+ PCs and Windows features – filter by platform, version, status, and channel or search by feature name
• Microsoft 365 Copilot release notes for latest features and improvements
• Windows Insider Blog for what's available in the Canary, Dev, Beta, or Release Preview Channels
• Windows Server Insider for feature preview opportunities
• Understanding update history for Windows Insider preview features, fixes, and changes to learn about the types of updates for Windows Insiders

Join the conversation

If you're an IT admin with questions about managing and updating Windows, add our monthly Windows Office Hours to your calendar. We assemble a crew of Windows, Windows 365, security, and Intune experts to help answer your questions and provide tips on tools, best practices, and troubleshooting.

Finally, we're always looking to improve this monthly summary. Drop us a note in the Comments and let us know what we can do to make this more useful for you!

Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.

Original source Report a problem

What’s new in Windows Autopatch update readiness?

We’re excited to announce the general availability (GA) of Windows Autopatch update readiness, bringing a new level of clarity, control, and confidence to your update management experience. This release is designed to help you anticipate issues, streamline deployments, and maintain organizational resilience, all within your existing Windows Autopatch license.

Windows Autopatch is available for customers with Windows Enterprise, Frontline, US Government, Education and Business Premium SKUs. Learn more here.

Windows Autopatch update readiness brings new capabilities to help you proactively detect and remediate device update issues, so you can reduce downtime, improve update success, and lower the security risk that comes from devices that aren’t up to date. As part of this release, you’ll see four core experiences added to Windows Autopatch:

• Windows Autopatch management status report – A tenant-wide view of Windows update management coverage across your Intune-enrolled Windows devices.
• Quality update journey – End-to-end, per-device visibility into where an update is in the lifecycle and what’s blocking progress.
• Alerts and remediations – A centralized, actionable alerts experience with clear guidance to drive issues to resolution.
• Update Readiness Checker – Proactive checks to identify devices at risk before updates roll out widely.

Windows Autopatch management status report: Tenant-wide coverage at a glance

The Autopatch management status report gives you a tenant-wide, device-centric view of all Intune-managed Windows 10 and Windows 11 devices including devices enrolled in Windows Autopatch, devices managed by update rings, and devices not currently under any update policy. This helps you quickly spot gaps in update management coverage, so devices don’t quietly fall through the cracks.

At a glance, this report helps you understand:

• Your full device inventory of Intune-managed Windows devices.
• Whether devices are enrolled in Windows Autopatch cloud approval policies for feature, quality, and driver updates.
• How devices are managed for updates—via update rings or categorized as Other (Intune-enrolled but not part of cloud policies or update ring policies).
• Whether a device is enrolled in hotpatch updates (part of the Windows quality update policy with the “Allow rebootless updates” toggle enabled).
• Whether there are active alerts associated with a device.

Quality update journey: Pinpoint where updates stall

The Quality update journey report provides end-to-end, per-device visibility into how a Windows device progresses through an update, providing clear, granular phases. Instead of guessing, you can see what a device has already completed, where it is currently paused, and where it may be encountering issues.

Presented as a per-device timeline, the report traces each stage of the update lifecycle from offering to download, install, reboot, and completion, including timestamps, state transitions, and mapped alerts so you can follow a trustworthy sequence of events.

With this view, you can more easily spot patterns across devices (for example, many devices pausing in the same phase) and focus your troubleshooting where it will have the biggest impact. In this GA release, Device Update Journey initially focuses on Windows feature updates.

Repair with confidence

You can spot devices that need repair, identify any that might face update blockers, and use targeted remediations to stay secure, all through Windows Autopatch. Actionable alerts guide administrators through each step, while integrated audit logs ensure you’re aware of what’s occurred and progress is transparent.

Actionable alerts, transparent progress

When something needs your attention, Windows Autopatch makes sure you’re in the loop with actionable alerts and guided remediation. Each step is tracked, leading to a clearer IT backlog and measurable gains in compliance. Best of all? These features work with your current deployment process — no need to change how you roll out updates.

Available as part of your existing Autopatch license

All these capabilities are available today as part of your existing Windows Autopatch license—no add-ons, no extra purchases, and no disruption to your current workflows. Windows Autopatch update readiness is designed to deliver immediate value by helping IT teams reduce manual preparation and troubleshooting, improve update success rates, and quickly bring at-risk devices back into compliance.

Ready to elevate your update experience? Start benefiting from Windows Autopatch update readiness today and empower your IT teams with proactive insights and streamlined control. For more information, visit the Windows Autopatch portal or reach out to your Microsoft representative.

• Start using Windows Autopatch now.
• Learn how to upgrade to Windows 11 using Windows Autopatch.
• Join the Microsoft Security Advisors Program for exclusive opportunities to help shape our product, get early access to the roadmap, and connect with a community of IT professionals.

Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.

Original source Report a problem

Hotpatch for Windows 11 Enterprise version 24H2

Hotpatch for Windows 11 Enterprise version 24H2 gives you the ability to apply security updates without restarting a device. This keeps your client computers up to date and secure. By reducing the number of Patch Tuesday restarts, these devices are also more available. You can manage and apply updates using Autopatch with Windows 11 Enterprise version 24H2. Some of the benefits include:

• Higher availability and fewer restarts
• Faster deployment of updates because the packages are smaller, install faster, and have easier patch orchestration using Autopatch for update management.
• Better protection because the hotpatch packages focus to address Windows security updates and you don’t have to restart.

Hotpatch updates for calendar year 2026

Check the release cycles for Hotpatch for Windows 11 Enterprise version 24H2. With Hotpatching, devices receive a baseline cumulative update in the first month of each quarter.

Hotpatch updates for calendar year 2025

View the release cycles for Hotpatch for Windows 11 Enterprise, version 24H2.

Hotpatch updates for calendar year 2024

Find all the hotpatch updates for Windows 11 on the calendar.

Original source Report a problem

Hotpatch for Windows 11 Enterprise, version 25H2

Hotpatch for Windows 11 Enterprise, version 25H2 gives organizations the ability to apply security updates without requiring a device restart. This helps maintain security while keeping workflows uninterrupted.

Hotpatch is an extension of Windows Update and requires Autopatch to create and deploy updates to devices enrolled in the Autopatch quality update policy.

Benefits include:

• Immediate protection.
  Hotpatch updates take effect immediately upon installation, providing rapid protection against vulnerabilities
• Consistent security.
  Devices receive the same level of security patching as the monthly standard security updates released on the second Tuesday of every month.
• Minimized disruptions.
  Users can continue their work without interruptions while Hotpatch updates are installed. Hotpatch updates don't require the PC to restart for the remainder of the quarter.

Note:

OS features, firmware, or application updates might still require a restart during the quarter.

Hotpatch updates for calendar year 2026

Eligible devices must be on the latest baseline release version to qualify for hotpatch updates. Microsoft releases baseline updates quarterly as standard cumulative updates.
Check the update calendar to view the Hotpatch release for Windows 11 Enterprise, version 25H2.

January to April

May to August

September to December

Hotpatch updates for calendar year 2025

View the update release calendar for Windows 11 Enterprise, version 25H2 Hotpatch updates.

October to December

Original source Report a problem

Announcements and messages

This section provides key notifications related to this release, including announcements, change logs, and end-of-support notices.

Updated battery icons and redesigned Start menu on more devices

Windows Secure Boot certificate expiration

Change log

Highlights

This update is available through two release phases: gradual rollout and normal rollout. A gradual rollout delivers an update in phases, so features reach devices over time instead of all at once, meaning availability varies by device.​​​​​​ A normal rollout is the broad release to all eligible devices at the same time, usually when it reaches general availability (GA).

Gradual rollout

The following summary outlines features from AI-powered Windows 11 PC experiences, along with improvements and fixes. The bold text within the brackets indicates the item or area of the change.

Windows 11 PC experiences

AI Components

This release updates the following AI components:

AI Component Version Image Search 1.2602.1451.0 Content Extraction 1.2602.1451.0 Semantic Analysis 1.2602.1451.0 Settings Model 1.2602.1451.0

Windows 11 servicing stack update (KB5077371)- 26100.7911

This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. To learn more about SSUs, see Simplifying on-premises deployment of servicing stack updates.

Known issues in this update

Microsoft is not currently aware of any issues with this update.

​​​​​​​​​​​​​​How to get this update
Before you install this update
Microsoft combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.

Install this update
To install this update, use one of the following Windows and Microsoft release channels.

Windows Update
Open Start WindowsLogo icon > Settings Settings icon Update & Security > Windows Update. In the Optional updates available area, you will find the link to download and install available updates. Check for optional updates.

If you want to remove the LCU
To remove the LCU after installing the combined SSU and LCU package, use the DISM/Remove-Package command line option with the LCU package name as the argument. You can find the package name by using this command: DISM /online /get-packages.

Running Windows Update Standalone Installer (wusa.exe) with the /uninstall switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.

File information

For a list of the files provided in this update, download the file information for cumulative update 5077241.

For a list of the files provided in the servicing stack update, download the file information for the SSU (KB5077371) - version 26100.7911.

Original source Report a problem