Windows Release Notes

This cumulative update for Windows 11, version 23H2 (KB5075941), includes the latest security fixes and improvements, along with non-security updates from last month’s optional preview release. To learn more about differences between security updates, optional non-security preview updates, out-of-band (OOB) updates, and continuous innovation, see Windows monthly updates explained. For information on Windows update terminology, see the different types of Windows software updates.

To view the latest updates about this release, visit the Windows release health dashboard or the update history page for Windows 11, version 23H2.

Tip: This month’s video is available in the Windows 11, version 25H2 and 24H2 article.

This section provides key notifications related to this release, including announcements, change logs, and end-of-support notices.

Windows Secure Boot certificate expiration

Microsoft Store apps updates

Change Log

Improvements

This update addresses security issues for your Windows operating system. ​​​​​​​

Important: Use EKB KB5027397 to update to Windows 11, version 23H2.

This security update contains fixes and quality improvements from KB5073455 (released January 13, 2026), KB5077797 (released January17, 2026), and KB5078132 (released January,24, 2026). The following summary outlines key issues addressed by this update. Also, included are available new features. The bold text within the brackets indicates the item or area of the change.

■ [Secure Boot]

​​​​​​​​​​​​
This release will execute updates in the Boot Manager on devices that already have the Windows UEFI CA 2023 certificate in their Secure Boot Signature Database (DB). It replaces the 2011 signed bootmgfw.efi with the 2023 signed bootmgfw.efi. Be advised of the consequences of resetting the DB or turning Secure Boot on or off, as this can cause a "Secure Boot violation" issue. In those rare cases, the solution is to create the Secure Boot recovery media.

■ With this update, Windows quality updates include a broad set of targeting data that identifies devices and their ability to receive new Secure Boot certificates. Devices will receive the new certificates only after they show sufficient successful update signals, which helps ensures a safe and phased rollout.

■ [Display & Graphics] Fixed: This update addresses an issue caused the Desktop Window Manager (DWM) process to re‑start unexpectedly. ​​​​​​​

■ [File Explorer] Fixed: This update addresses an issue where folder renaming with desktop.ini files in File Explorer isn't work correctly. The LocalizedResourceName setting is ignored, so custom folder names don't appear.

■ [Fonts & Display] Updates the Chinese fonts to support the GB18030‑2022A standard for character coverage and display.

■ [Graphics] Fixed: This update addresses an issue where certain GPU configurations might recently have experienced a system error related to dxgmms2.sys, resulting in the KERNEL_SECURITY_CHECK_FAILURE error.

■ [OS Security (known issue)] Fixed: After installing the Windows security update released on or after January 13, 2026, some PCs which run Virtual Secure Mode (VSM) are unable to shut down or enter hibernation. Instead, the device restarts.

■ [Windows Security] Fixed: This update addresses an issue that affected Microsoft Defender SmartScreen Application Reputation (AppRep) events from being logged. This interrupted event tracking used for advanced threat investigations.

■ [Secure Boot] With this update, Windows quality updates include a broad set of targeting data that identifies devices and their ability to receive new Secure Boot certificates. Devices will receive the new certificates only after they show sufficient successful update signals, which helps ensures a safe and phased rollout.

If you've already installed previous updates, your device will download and install only the new updates included in this package.

For more information about security vulnerabilities, see the Security Update Guide and the February 2026 Security Update.

Windows 11 servicing stack update (KB5077457) - 22621.6642

This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. To learn more about SSUs, see Simplifying on-premises deployment of servicing stack updates.

Known issues in this update​​​​​​​

Microsoft is not currently aware of any issues with this update.

How to get this update

Before you install this update

Microsoft combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.

Install this update

To install this update, use one of the following Windows and Microsoft release channels.

This update downloads and installs automatically from Windows Update and Microsoft Update.

If you want to remove the LCU

To remove the LCU after installing the combined SSU and LCU package, use the DISM/Remove-Package command line option with the LCU package name as the argument. You can find the package name by using this command: DISM /online /get-packages.

Running Windows Update Standalone Installer (wusa.exe) with the /uninstall switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.

File information

For a list of the files provided in this update, download the file information for cumulative update 5075941.

For a list of the files provided in the servicing stack update, download the file information for the SSU (KB5077457) - versions 22621.6642.

Original source Report a problem

Windows 11 February 10, 2026, KB5077181

This cumulative update for Windows 11, version 25H2 and 24H2 (KB5077181), includes the latest security fixes and improvements, along with non-security updates from last month’s optional preview release. To learn more about differences between security updates, optional non-security preview updates, out-of-band (OOB) updates, and continuous innovation, see Windows monthly updates explained. For information on Windows update terminology, see the different types of Windows software updates.

To view the latest updates about this release, visit the Windows release health dashboard or the update history page for Windows 11, version 25H2 and 24H2.

Announcements and messages

This section provides key notifications related to this release, including announcements, change logs, and end-of-support notices.

• Windows Secure Boot certificate expiration
• Microsoft Store apps updates
• Change log

Improvements

This security update contains fixes and quality improvements from KB5074109 (released January 13, 2026), KB5077744 (released January 17, 2026), and KB5078127 (released January 24, 2026). The following summary outlines key issues addressed by this update. Also, included are available new features. The bold text within the brackets indicates the item or area of the change.

• [Gaming] Fixed: This update addresses an issue that determines device eligibility for the full-screen gaming experience.
• [Networking] Fixed: This update addresses an issue that prevented some devices from connecting to certain WPA3‑Personal Wi‑Fi networks. The issue might occur after you install KB5074105.
• [Secure Boot] With this update, Windows quality updates include a broad set of targeting data that identifies devices and their ability to receive new Secure Boot certificates. Devices will receive the new certificates only after they show sufficient successful update signals, which helps ensures a safe and phased rollout.

If you've already installed previous updates, your device will download and install only the new updates included in this package.

For more information about security vulnerabilities, see the Security Update Guide and the February 2026 Security Updates.

AI Components

This release updates the following AI components:

AI Component Version Image Search 1.2601.1268.0 Content Extraction 1.2601.1268.0 Semantic Analysis 1.2601.1268.0 Settings Model 1.2601.1268.0

Windows 11 servicing stack update (KB5077869) - 26100.7839

This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. To learn more about SSUs, see Simplifying on-premises deployment of servicing stack updates.

Known issues in this update

Microsoft is not currently aware of any issues with this update.

How to get this update

Before you install this update

Microsoft combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.

Install this update

To install this update, use one of the following Windows and Microsoft release channels.

• Windows Update
  • This update downloads and installs automatically from Windows Update and Microsoft Update.

If you want to remove the LCU

To remove the LCU after installing the combined SSU and LCU package, use the DISM/Remove-Package command line option with the LCU package name as the argument. You can find the package name by using this command: DISM /online /get-packages.

Running Windows Update Standalone Installer (wusa.exe) with the /uninstall switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.

File information

For a list of the files provided in this update, download the file information for cumulative update 5077181.

For a list of the files provided in the servicing stack update, download the file information for the SSU (KB5077869) - version 26100.7839.

Original source Report a problem

Announcements and messages

This section provides key notifications related to this release, including announcements, change logs, and end-of-support notices.

Change log

Improvements

This security update contains fixes and quality improvements. Also, included are available new features. The bold text within the brackets indicates the item or area of the change.

• [Graphics] Fixed: This update addresses an issue where certain GPU configurations might recently have experienced a system error related to dxgmms2.sys, resulting in the KERNEL_SECURITY_CHECK_FAILURE error.
• [.NET Framework 3.5 ] Starting with Windows 11 version 26H1, .NET Framework 3.5 is no longer a Windows Feature on Demand optional component. You must install .NET Framework 3.5 by using the standalone installer. For more information, see https://go.microsoft.com/fwlink/?linkid=2348700.
• [Networking] Fixed: This update addresses an issue that prevented some devices from connecting to certain WPA3‑Personal Wi‑Fi networks.
• [OS Reliability]
• Fixed: This update addresses an issue where BitLocker Hardware Lab Kit (HLK) tests in the Windows Hardware Compatibility Program (WHCP) playlist were missing. The tests now appear as expected.
• Fixed: This update addresses an issue that could cause TrustedInstaller to stop responding and prevent Windows from starting.

If you've already installed previous updates, your device will download and install only the new updates included in this package.

For more information about security vulnerabilities, see the Security Update Guide and the February 2026 Security Updates.

AI Components

This release updates the following AI components:

AI Component Version Image Search 1.2511.1224.0 Content Extraction 1.2511.1224.0 Semantic Analysis 1.2511.1224.0 Settings Model 1.2511.1224.0

Windows 11 servicing stack update (KB5077868) - 28000.1575

This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. To learn more about SSUs, see Simplifying on-premises deployment of servicing stack updates.

Known issues in this update

Microsoft is not currently aware of any issues with this update.

How to get this update

Before you install this update

Microsoft combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.

Install this update

To install this update, use one of the following Windows and Microsoft release channels.

• Windows Update
• Available Next Step
• Included This update downloads and installs automatically from Windows Update and Microsoft Update.

If you want to remove the LCU

To remove the LCU after installing the combined SSU and LCU package, use the DISM/Remove-Package command line option with the LCU package name as the argument. You can find the package name by using this command: DISM /online /get-packages.

Running Windows Update Standalone Installer (wusa.exe) with the /uninstall switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.

File information

For a list of the files provided in this update, download the file information for cumulative update 5077179.

For a list of the files provided in the servicing stack update, download the file information for the SSU (KB5077868) - version 28000.1575.

Original source Report a problem

Windows 11, version 26H1 is a scoped release

Windows continually works in partnership with our OEMs and IHVs to support new device innovations. Windows 11, version 26H1 is a targeted release that supports some of the new device innovations coming in 2026. That means that this release is not being made available through broad channels but is only intended for those who purchase these new devices. At this time, devices with Qualcomm Snapdragon® X2 Series processors will come with Windows 11, version 26H1.

Organizations should continue to purchase, deploy, and manage devices running broadly released versions of Windows 11 (e.g. versions 24H2 and 25H2) with confidence.

Windows 11, version 26H1 is not a feature update for version 25H2. There is no need to pause device purchases or OS deployments, and no changes required to existing enterprise rollout plans. Windows will continue to have annual feature updates in the second half of the calendar year.

• Windows 11, version 26H1 will only be available on new devices with select new silicon as they come to market in early 2026.
• Windows 11, version 26H1 is not offered as an in-place update from Windows 11, version 24H2 or 25H2 on existing devices.
• There is no impact to devices already in market today.
• Devices running Windows 11, version 26H1 will continue receiving monthly updates for security, quality, and new features, the same as devices running Windows 11, versions 24H2 and 25H2.
• Devices running Windows 11, version 26H1 will not be able to update to the next annual feature update in the second half of 2026. This is because Windows 11, version 26H1 is based on a different Windows core than Windows 11, versions 24H2 and 25H2, and the upcoming feature update. These devices will have a path to update in a future Windows release.
• Windows 11, version 26H1 does not support hotpatch updates.
• Windows 11, version 26H1 security updates will be manageable through typical tooling – Windows Autopatch, Microsoft Intune, Microsoft Configuration Manager, etc.

This approach allows Windows to support the development of new hardware capabilities while protecting the stability and predictability that commercial customers rely on in production environments.

What this means for IT planning

For IT admins planning refreshes, rollouts, or purchases, Windows 11, versions 24H2 and 25H2 remain the recommended releases for enterprise deployment at this time.

• New PCs being released with Windows 11, versions 24H2 and 25H2 are fully supported and continue to receive monthly security and quality updates following the official support lifecycle policy.
• For organizations with homogenous environments, those who prioritize standardization, long deployment windows, and large volume management, Windows 11, versions 24H2 and 25H2 remain the right choices. You'll always have a path to the next annual release when you follow the predictable H2 update cadence.
• Early adopters who wish to take advantage of the full benefits of new hardware platforms may evaluate Windows 11, version 26H1 selectively — without disruption to the rest of their estate. For instructions on how to check, see Windows 11, version 26H1 update history.

In short: Windows 11, version 26H1 should not impact your current Windows deployment and purchasing strategy. There is no benefit to waiting or deferring plans based on version 26H1, unless you are specifically targeting adoption of devices with silicon that requires such.

Our ongoing commitment

We remain committed to:

• Predictable servicing and lifecycle policies
• Clear communication when action is required
• Strong backward compatibility
• Minimal disruption to enterprise operations

If and when a Windows release requires changes to deployment planning or management practices, we will communicate that clearly, directly, and with sufficient runway.

We'll continue to deliver updates through the same servicing model you rely on today. We'll keep you informed as Windows evolves and continues to improve performance and battery life for both existing and new devices.

Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.

Original source Report a problem

Announcements and messages

This section provides key notifications related to this release, including announcements, change logs, and end-of-support notices.

Windows Secure Boot certificate expiration

Simplified Windows update titles

Change log

Highlights

This update is available through two release phases: gradual rollout and normal rollout. A gradual rollout delivers an update in phases, so features reach devices over time instead of all at once, meaning availability varies by device. A normal rollout is the broad release to all eligible devices at the same time, usually when it reaches general availability (GA).

Gradual rollout

The following summary outlines features from Copilot experiences and AI-powered Windows 11 PC experiences, along with improvements and fixes. The bold text within the brackets indicates the item or area of the change.
For more info on the different AI experiences, see aka.ms/copilotpluspcs.

Copilot+ PCs experiences

Windows 11 PC experiences

AI Components

This release updates the following AI components:

• AI Component Version
• Image Search 1.2601.1268.0
• Content Extraction 1.2601.1268.0
• Semantic Analysis 1.2601.1268.0
• Settings Model 1.2601.1268.0

Windows 11 servicing stack update (KB5074104) - 26100.7704

This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. To learn more about SSUs, see Simplifying on-premises deployment of servicing stack updates.

Known issues in this update

Microsoft is not currently aware of any issues with this update.

How to get this update

Before you install this update

Microsoft combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.

Install this update

To install this update, use one of the following Windows and Microsoft release channels.

• Windows Update
• Available
• Next Step
• Included Open Start WindowsLogo icon > Settings Settings icon Update & Security > Windows Update. In the Optional updates available area, you will find the link to download and install available updates. Check for optional updates

If you want to remove the LCU

To remove the LCU after installing the combined SSU and LCU package, use the DISM/Remove-Package command line option with the LCU package name as the argument. You can find the package name by using this command:

DISM /online /get-packages

Running Windows Update Standalone Installer (wusa.exe) with the /uninstall switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.

File information

For a list of the files provided in this update, download the file information for cumulative update 5074105.
For a list of the files provided in the servicing stack update, download the file information for the SSU (KB5074104) - version 26100.7704.

Original source Report a problem

This out-of-band update for Windows 11, version 25H2 and 24H2 (KB5078127) is cumulative. It includes updates from previous security and non-security releases, along with an additional fix. To learn more about differences between security updates, optional non-security preview updates, out-of-band (OOB) updates, and continuous innovation, see Windows monthly updates explained. For information on Windows update terminology, see the different types of Windows software updates.

To view the latest updates about this release, visit the Windows release health dashboard or the update history page for Windows 11, version 25H2 and 24H2.

Improvements

This OOB update includes quality improvements. This update is cumulative and includes security fixes and improvements from the January 13, 2026, security update (KB5074109) and the out-of-band update (KB5077744) from January 17, 2026, in addition to the following:

• [File System] Fixed: After installing the Windows update released on and after January 13, 2026, some applications became unresponsive or encountered unexpected errors when opening files from or saving files to cloud-based storage, such as OneDrive or Dropbox. In certain Outlook configurations that store PST files on OneDrive, Outlook may hang and fail to reopen unless the process is terminated or the system is restarted. Users may also see missing sent Items or previously downloaded emails being re‑downloaded.

This update is offered through Windows Update for devices running Windows 11 that have already installed KB5074109 or KB5077744. It is also available for manual download from the Microsoft Update Catalog.

For devices enrolled in Hotpatch, this issue is addressed via KB5078167, which allows receiving the update without requiring a restart.

If you have turned on Get the latest updates as soon as they're available in Windows Update settings (Settings > Windows Update), you will automatically receive this update. If the toggle is off on your device, you can install the update manually by going to Settings > Windows Update and selecting Download & install.

Note
IT administrators using Microsoft Intune or Windows Autopatch should follow the guidance below for installing the OOB update via Windows Update.

• Expedite Windows quality updates in Microsoft Intune
• Deploy an expedited quality update using Windows Autopatch

AI Components

This release updates the following AI components:

AI Component | Version
Image Search | 1.2511.1224.0
Content Extraction | 1.2511.1224.0
Semantic Analysis | 1.2511.1224.0
Settings Model | 1.2511.1224.0

Windows 11 servicing stack update (KB5071142) - 26100.7295

This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. To learn more about SSUs, see Simplifying on-premises deployment of servicing stack updates.

Known issues in this update

• Password icon might be missing or invisible in the lock screen sign-in options

How to get this update

Before you install this update

​​Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.

Install this update

To install this update, use one of the following Windows and Microsoft release channels.

• Windows Update
  This update will be downloaded and installed automatically from Windows Update.

If you want to remove the LCU

To remove the LCU after installing the combined SSU and LCU package, use the DISM/Remove-Package command line option with the LCU package name as the argument. You can find the package name by using this command: DISM /online /get-packages.

Running Windows Update Standalone Installer (wusa.exe) with the /uninstall switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.

File Information

For a list of the files provided in this update, download the file information for cumulative update 5078127.
For a list of the files provided in the servicing stack update, download the file information for the SSU (KB5071142) - version 26100.7295.

Original source Report a problem

Announcements and messages

This section provides key notifications related to this release, including announcements, change logs, and end-of-support notices.

Change log

Improvements

This OOB update includes quality improvements. This update is cumulative and includes security fixes and improvements from the January 13, 2026, security update (KB5074109) in addition to the following:

• [Remote Desktop] Fixed: After installing the January 2026 Windows security update (KB5074109), some users experienced sign-in failures during Remote Desktop connections. This issue affected authentication steps for different Remote Desktop applications on Windows such as the Windows App.

If you installed earlier updates, your device downloads and installs only the new updates contained in this package.

AI Components

This release updates the following AI components:

AI Component Version Image Search 1.2511.1224.0 Content Extraction 1.2511.1224.0 Semantic Analysis 1.2511.1224.0 Settings Model 1.2511.1224.0

Windows 11 servicing stack update (KB5071142) - 26100.7295

This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. To learn more about SSUs, see Simplifying on-premises deployment of servicing stack updates.

Known issues in this update

• Password icon might be missing or invisible in the lock screen sign-in options
• Apps might become unresponsive when saving files to cloud-based storage

How to get this update

Before you install this update

​​​​​​Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.

Install this update

To install this update, use one of the following Windows and Microsoft release channels.

If you want to remove the LCU

To remove the LCU after installing the combined SSU and LCU package, use the DISM/Remove-Package command line option with the LCU package name as the argument. You can find the package name by using this command: DISM /online /get-packages.

Running Windows Update Standalone Installer (wusa.exe) with the /uninstall switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.

File Information

For a list of the files provided in this update, download the file information for cumulative update 5077744.
For a list of the files provided in the servicing stack update, download the file information for the SSU (KB5071142) - version 26100.7295.

Original source Report a problem

Security update (KB5074109)

This cumulative update for Windows 11, version 25H2 and 24H2 (KB5074109), includes the latest security fixes and improvements, along with non-security updates from last month’s optional preview release. To learn more about differences between security updates, optional non-security preview updates, out-of-band (OOB) updates, and continuous innovation, see Windows monthly updates explained. For information on Windows update terminology, see the different types of Windows software updates.

To view the latest updates about this release, visit the Windows release health dashboard or the update history page for Windows 11, version 25H2 and 24H2.

This security update contains fixes and quality improvements from KB5072033 (released December 9, 2025). The following summary outlines key issues addressed by this update. Also, included are available new features. The bold text within the brackets indicates the item or area of the change.

• [Compatibility] This update removes the following modem drivers: agrsm64.sys (x64), agrsm.sys (x86), smserl64.sys (x64) and smserial.sys (x86). Modem hardware dependent on these specific drivers will no longer work in Windows.

• [Credentials autofill] This update introduces a security hardening behavior restricting certain applications to autofill credentials during remote support sessions or automated authentication workflows. With this change, credential dialogs do not respond to virtual keyboard input from remote desktop or screen sharing tools or apps. For more information, see New behavior restricting certain applications to autofill credentials introduced by the Windows January 2026 security update.

• [Networking (known issues)]

• Fixed: This update addresses an issue where mirrored networking in Windows Subsystem for Linux (WSL) could fail causing “No route to host” errors and preventing access to corporate resources over VPN connections, even when the Windows host remained connected. This might occur after installing KB5067036.

• Fixed: This update addresses an issue where you might experience RemoteApp connection failures in Azure Virtual Desktop environments. This might occur after installing KB5070311.

• [Power & Battery] Fixed: This update addresses an issue where devices with a Neural Processing Unit (NPU) might stay powered on when idle. This could affect power performance.

• [Secure Boot] Starting with this update, Windows quality updates include a subset of high confidence device targeting data that identifies devices eligible to automatically receive new Secure Boot certificates. Devices will receive the new certificates only after demonstrating sufficient successful update signals, ensuring a safe and phased deployment.

• [Windows Deployment Services (WDS)] This update introduces a change in behavior in which WDS will stop supporting hands-free deployment functionality by default. Detailed guidance for IT administrators is available in Windows Deployment Services (WDS) Hands‑Free Deployment Hardening Guidance.

• [WinSqlite3.dll] Fixed: The Windows core component, WinSqlite3.dll, has been updated. Previously, some security software might have detected this component as vulnerable.

Note: WinSqlite3.dll is a separate component from sqlite3.dll, which is found in application-specific directories and is not a Windows component. If security applications continue to detect sqlite3.dll as vulnerable, contact the developer of the app using sqlite3.dll for an update. If sqlite3.dll is being used by a Microsoft app, install the latest version of the app from the Microsoft Store.

If you've already installed previous updates, your device will download and install only the new updates included in this package.

For more information about security vulnerabilities, see the Security Update Guide website and the January 2026 Security Updates.

AI Components
This release updates the following AI components:

AI Component Version Image Search 1.2511.1224.0 Content Extraction 1.2511.1224.0 Semantic Analysis 1.2511.1224.0 Settings Model 1.2511.1224.0

• Windows 11 servicing stack update (KB5071142) - 26100.7295

This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. To learn more about SSUs, see Simplifying on-premises deployment of servicing stack updates.

Known issues in this update

• Password icon might be missing or invisible in the lock screen sign-in options

• Connection and authentication failures in Azure Virtual Desktop and Windows 365

• Apps might become unresponsive when saving files to cloud-based storage

How to get this update

Before you install this update
Microsoft combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.

Install this update
To install this update, use one of the following Windows and Microsoft release channels.

This update downloads and installs automatically from Windows Update and Microsoft Update.

If you want to remove the LCU
To remove the LCU after installing the combined SSU and LCU package, use the DISM/Remove-Package command line option with the LCU package name as the argument. You can find the package name by using this command: DISM /online /get-packages.

Running Windows Update Standalone Installer (wusa.exe) with the /uninstall switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.

File information
For a list of the files provided in this update, download the file information for cumulative update 5074109.

For a list of the files provided in the servicing stack update, download the file information for the SSU (KB5071142) - version 26100.7295.

Original source Report a problem

Editor's note

12.9.2025: This policy will be available starting with the January 2026 security update and will no longer be enabled by default. We have reflected this change in the post below and added clarification about device targeting.

Get the latest Windows quality updates during the out-of-box experience (OOBE). This much awaited improvement is coming to your eligible Microsoft Entra joined or Microsoft Entra hybrid joined devices running Windows 11, version 22H2 and later. It will be available starting with the January 2026 Windows security update.

You can enable this new capability with a policy setting. With Windows Autopilot and Microsoft Intune (or alternative management solutions), you can maintain seamless control over quality update behavior during provisioning, while ensuring alignment with organizational security and compliance requirements.

Manage your OOBE update experience in Microsoft Intune

When Windows quality update support is available in the Windows Autopilot Enrollment Status Page (ESP) at the end of August 2025, you'll see the new quality update setting. This setting is now disabled by default.

You'll be able to control whether updates are installed during OOBE if you meet these criteria:

• Your devices are on Windows 11, version 22H2 or later and on any of the following SKUs: Pro, Enterprise, Education, or SE.
• You use Microsoft Intune to manage Windows quality updates.
• You've assigned a Windows Autopilot Enrollment Status Page (ESP) profile to devices using either Windows Autopilot preregistered device group or using the "All devices" assignment. We call this device targeting.
• Your devices are imaged with the November 2025 Windows non-security update or later or are automatically updated with the November 2025 OOBE zero-day patch (ZDP) update. Learn more about these updates for Windows 11, versions 24H2 and 25H2, also available for Windows 11, versions 22H2 and 23H2.

Note: At this time, if you're not using device-targeting ESP, you won't be able to enable Windows quality updates during OOBE. For more information about Intune prerequisites, as well as supported and unsupported scenarios, visit Set up the Enrollment Status Page in the admin center.

The new setting

To confirm or control this experience on the devices you manage:

1. Go to the Microsoft Intune admin center.
2. Navigate to Devices > Enrollment > Enrollment Status Page.
3. Select the ESP profile you wish to check or create a new one and go to its Settings tab. Note the ESP profile must use device targeting.
4. Locate the new setting called Install Windows quality updates (might restart the device). If its value is set to "Yes," you're set to install quality updates during provisioning!

Note: Preexisting ESP profiles will have Install Windows quality updates set to "No." You can edit this setting to enable the updates. New ESP profiles will default to "Yes."

As we've preannounced, the device will check Windows Update at the last page of OOBE and install any applicable quality updates. That way, the user will start out with the latest security and quality updates at first sign-in.

Recommendation for pause and deferral settings

Want to ensure that quality updates during OOBE respect pause and deferral settings? Assign your Windows Update rings profile to the same Windows Autopilot preregistered device group as your ESP profile or using the "All devices" assignment.

During the device phase of provisioning, the ESP will ensure that the settings from the Windows Update rings policy are synchronized prior to exiting the page. That way, settings are in place before the final Windows Update page checks for updates.

Note: If these requirements aren't met, the pause and deferral settings might be inconsistently applied during OOBE.

Note: Devices will receive feature updates separately after OOBE as per their configured feature update policies.

Alternative management solutions for OOBE updates

Some non-Microsoft mobile device management (MDM) solutions are also capable of using the ESP functionality. How can you determine if that's the case for you? Check if your MDM provider has developed its own functionality to track configuration using features or protocols offered by Microsoft to reliably deliver certain policies during OOBE. If they have selected the ESP profile as eligible to be applied, designate the ESP profile as a tracked policy when creating it. You must use an ESP profile with device targeting to ensure that the latest Windows quality updates indeed get installed during OOBE.

Ready for an improved OOBE?

With this new default experience, you can:

• Complete the devices' OOBE with the latest approved quality updates already applied.
• Enhance security from day one.
• Reduce post-deployment update overhead.

Thank you again for your feedback and helping us make Windows better!

Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.

Original source Report a problem

Highlights

■ This update addresses security issues for your Windows operating system.

Improvements

This security update contains fixes and quality improvements from KB5070311 (released December 1, 2025). The following summary outlines key issues addressed by this update. Also, included are available new features. The bold text within the brackets indicates the item or area of the change.

• [Copilot] Fixed: This update addresses an issue where Ask Copilot didn’t activate the Click to Do window as expected. The window now appears in the foreground when you share data with Copilot.
• [File Explorer (known issue)] Fixed: This update addresses an issue where File Explorer briefly flashes white when you navigate between pages. This issue might occur after you install KB5070311.
• [Networking] Fixed: This update fixes an issue where external virtual switches lose their physical network adapter (NIC) bindings after a host restart. When this happens, the switches revert to internal mode, resulting in loss of network connectivity for virtual machines and blocking normal server operations. ​​​​​​​
• [PowerShell 5.1] Invoke-WebRequest now includes a confirmation prompt with a security warning of script execution risk. You can choose to continue or cancel the request. For additional details, see CVE-2025-54100 and KB5074596: PowerShell 5.1: Preventing script execution from web content.
• [System Components] The AppX Deployment Service (Appxsvc) has moved to Automatic startup type to improve reliability in some isolated scenarios.

If you've already installed previous updates, your device will download and install only the new updates included in this package.

For more information about security vulnerabilities, see the Security Update Guide website and the December 2025 Security Updates.

AI Components

This release updates the following AI components:
AI Component | Version
Image Search | 1.2511.1224.0
Content Extraction | 1.2511.1224.0
Semantic Analysis | 1.2511.1224.0
Settings Model | 1.2511.1224.0

Windows 11 servicing stack update (KB5071142) - 26100.7295

This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. To learn more about SSUs, see Simplifying on-premises deployment of servicing stack updates.

Known issues in this update

• Password icon might be missing or invisible in the lock screen sign-in options
• Mirror networking on Windows Subsystem for Linux might fail
• RemoteApp sessions might fail to start on Azure Virtual Desktop

How to get this update

Before you install this update

Microsoft combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.

Install this update

To install this update, use one of the following Windows and Microsoft release channels.

• Windows Update
  This update downloads and installs automatically from Windows Update and Microsoft Update.

If you want to remove the LCU

To remove the LCU after installing the combined SSU and LCU package, use the DISM/Remove-Package command line option with the LCU package name as the argument. You can find the package name by using this command: DISM /online /get-packages.

Running Windows Update Standalone Installer (wusa.exe) with the /uninstall switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.

File information

• For a list of the files provided in this update, download the file information for cumulative update 5072033.
• For a list of the files provided in the servicing stack update, download the file information for the SSU (KB5071142) - version 26100.7295.

Original source Report a problem