Windows Updates & Release Notes
60 updates curated from 81 sources by the Releasebot Team. Last updated: May 20, 2026
- May 19, 2026
- Date parsed from source: May 19, 2026
- First seen by Releasebot: May 20, 2026
Updated Secure Boot status report in Windows Autopatch
Windows improves the Secure Boot status report in Windows Autopatch with device-level visibility into certificate status, trust configuration, confidence level, alerts, and timestamps, helping admins target remediation and manage certificate rollouts with more confidence.
Do more with the improved Secure Boot status report in Windows Autopatch
Now, you can gain better device-level visibility into certificate status, trust configuration, and readiness for Secure Boot certificate updates. New interactive certificate-level details fit directly into your certificate rollout workflow:
- Identify devices that aren't up to date.
- Use trust configuration and certificate details to understand applicability.
- Check confidence level to determine your rollout strategy.
- Use alerts and timestamps to validate reporting freshness and prioritize action.
- Plan targeted remediation instead of broad deployments.
From policy deployment to actual Secure Boot readiness
Secure Boot is a core Windows security feature that helps ensure devices start up using only trusted, digitally signed components. It helps protect against boot-level malware and enforces a root of trust during startup. As Secure Boot certificates evolve and older certificates approach expiration, visibility into device readiness becomes critical.
To deploy Secure Boot certificate updates, the recommended option is to enable the EnableSecurebootCertificateUpdates policy. When active, the policy automatically sends certificate updates to supported and eligible devices but requires a device restart to complete the process.
However, before enabling a Secure Boot policy, it's important to understand:
- Which devices have updated their certificates and are protected
- Whether firmware configuration blocks updates
- Whether devices are ready for rollout
- When to take action
The Secure Boot status report addresses this gap by giving you a data-informed view of device readiness, not just policy assignment status. The report provides a device-level view of Secure Boot across your Windows Autopatch-managed devices. Let's walk through how to quickly understand your fleet's readiness.
Note: Certificate readiness presupposes devices with Secure Boot enabled. Devices with Secure Boot disabled are included for visibility only. They don't require any action.
How to use the Secure Boot status report
The report includes several key signals designed to help you make informed decisions.
Ready to see it in action? Start here:
- Go to the Intune admin center.
- Open Reports > Windows Autopatch > Windows quality updates.
- Select Reports.
- Open Secure Boot status.
Identify devices that aren't up to date by certificate status
Find the new column called Certificate status. See which certificates require action based on an aggregate view. Here's what each status means:
- Up to date: No action is required.
- Not up to date: Devices require certificate updates.
- Not applicable: Secure Boot isn't enabled.
Drill into this field to see per-certificate details. No need for custom scripts or manual validation. Select the status cell for any device to see whether Secure Boot is enabled, its trust setting, and status for each of the four required certificates.
Use trust configuration and certificate details to understand applicability
Not all devices require the same set of Secure Boot certificates. The Secure Boot trust setting column shows whether a device trusts:
- Microsoft-only components
- Both Microsoft and non-Microsoft components
This is important because certificate applicability depends on how the device is configured, not just what exists on disk. For example, a device may be fully compliant even if certain certificates aren't present. This happens if certificates aren't required for that configuration.
Check confidence level to determine your rollout strategy
This is one of the most important additions in the new version of the report. The Confidence level column helps guide deployment decisions based on Microsoft-observed data across similar devices and firmware configurations. Select any cell to see a flyout summary for that device. Review the description of the status and the recommended action. It also states whether the high-confidence deployment policy is allowed.
Use this data to:
- Confidently auto-deploy updates to high-confidence devices.
- Manually validate devices with limited or no data.
- Pause rollout where known issues exist.
Here are recommendations based on confidence level labels:
- High confidence: Deploy the certificates depending on the policy setting:
  - If the high-confidence policy is allowed: No action is required. Devices will automatically receive Secure Boot certificate updates through Windows Update.
  - If the high-confidence policy isn't allowed: Deploy certificate updates manually when ready.
- Under observation: Test certificate updates in controlled rollout.
- No data observed: Carefully validate certificate updates before broad deployment. Microsoft hasn't observed this type of device in Secure Boot update data.
- Temporarily paused: Don't deploy. Devices in this group are affected by a known issue. Consult with your OEM for possible firmware updates.
- Not supported: Exclude these devices from automation.
Use the confidence level data to take the guesswork out of your Secure Boot certificate rollout strategy and turn it into data-informed deployment.
Use alerts and timestamps to prioritize action
A new Alerts column helps you validate reporting freshness and prioritize action. The report surfaces the following operational signals:
- Devices missing diagnostic data
- Devices requiring action
- Timestamp of last reported diagnostic data
Important! To avoid false assumptions when validating rollout progress, note these important limitations:
- Status updates can take up to 12 hours after restart to be reflected.
- Devices must send required diagnostic data to appear correctly in the report.
- Inactive devices might show up as Unknown.
Plan targeted remediation of Secure Boot certificates
Secure Boot certificate updates are not uniform across devices. They depend on firmware, configuration, and trust models. Because of this variation, applying Secure Boot updates sometimes produces unexpected results.
Without clear visibility, organizations risk:
- Missing required updates
- Deploying updates too broadly
- Misinterpreting device readiness
The Secure Boot status report gives you a more precise, device-level understanding of readiness, so you can act confidently and help reduce risk across your estate. Together, these improvements focus on one thing: making the data actionable. If needed, make data-informed decisions on targeted remediations instead of broad deployments.
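One way to turn the report's signals into a per-device action list, shown as an added example that is not Microsoft's or Releasebot's code. The CSV column names, alert strings, sample rows and the 72-hour staleness threshold are assumptions made for illustration; a real export may use different headers.

```powershell
# Constructed sample rows standing in for a Secure Boot status report export.
# Column names and alert text are assumed, not taken from the actual report.
$export = @'
DeviceName,SecureBootEnabled,CertificateStatus,ConfidenceLevel,HighConfidencePolicyAllowed,Alert,LastReported
PC-001,True,Up to date,High confidence,True,,2026-05-19T08:00:00Z
PC-002,True,Not up to date,High confidence,True,,2026-05-19T07:30:00Z
PC-003,True,Not up to date,High confidence,False,,2026-05-19T06:10:00Z
PC-004,True,Not up to date,Under observation,False,,2026-05-18T22:00:00Z
PC-005,True,Not up to date,No data observed,False,,2026-05-19T01:00:00Z
PC-006,True,Not up to date,Temporarily paused,False,Action required,2026-05-19T03:00:00Z
PC-007,True,Not up to date,Not supported,False,,2026-05-19T04:00:00Z
PC-008,False,Not applicable,,False,,2026-05-19T05:00:00Z
PC-009,True,Not up to date,High confidence,True,Missing diagnostic data,
PC-010,True,Not up to date,Under observation,False,,2026-05-10T09:00:00Z
'@ | ConvertFrom-Csv

function Get-SecureBootAction {
    param(
        [Parameter(Mandatory)] [psobject] $Device,
        [Parameter(Mandatory)] [datetime] $AsOfUtc,
        [int] $StaleAfterHours = 72   # assumed freshness threshold
    )

    # Devices with Secure Boot disabled are listed for visibility only.
    if ($Device.SecureBootEnabled -ne 'True') {
        return 'No action (Secure Boot disabled)'
    }

    # Without diagnostic data the remaining columns cannot be relied on.
    if ([string]::IsNullOrWhiteSpace($Device.LastReported) -or
        $Device.Alert -eq 'Missing diagnostic data') {
        return 'Restore diagnostic data, then re-evaluate'
    }

    if ($Device.CertificateStatus -eq 'Up to date') {
        return 'No action (certificates up to date)'
    }

    # Old timestamps suggest an inactive device; status can also lag a restart.
    $lastReported = [datetimeoffset]::Parse($Device.LastReported, [cultureinfo]::InvariantCulture).UtcDateTime
    if (($AsOfUtc - $lastReported).TotalHours -gt $StaleAfterHours) {
        return 'Stale report data: confirm the device is active before acting'
    }

    # Recommendations per confidence level, as listed in the article.
    switch ($Device.ConfidenceLevel) {
        'High confidence' {
            if ($Device.HighConfidencePolicyAllowed -eq 'True') {
                return 'No action (updates arrive through Windows Update)'
            }
            return 'Deploy certificate updates manually when ready'
        }
        'Under observation'  { return 'Test in a controlled rollout' }
        'No data observed'   { return 'Validate carefully before broad deployment' }
        'Temporarily paused' { return 'Do not deploy; consult the OEM about firmware updates' }
        'Not supported'      { return 'Exclude from automation' }
        default              { return 'Review manually (unrecognized confidence level)' }
    }
}

# Fixed evaluation time so the sample is reproducible; in real use pass
# (Get-Date).ToUniversalTime() instead.
$asOf = [datetimeoffset]::Parse('2026-05-19T12:00:00Z', [cultureinfo]::InvariantCulture).UtcDateTime

$plan = foreach ($d in $export) {
    [pscustomobject]@{
        Device = $d.DeviceName
        Action = Get-SecureBootAction -Device $d -AsOfUtc $asOf
    }
}

# One line per action with the devices it applies to.
$plan | Group-Object Action | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Devices'; e = { $_.Group.Device -join ', ' } } |
    Format-Table -AutoSize -Wrap
```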
Note on Secure Boot updates and hotpatch updates
If you're using hotpatch updates, plan for a one-time change in strategy. More devices become eligible for Secure Boot certificate updates over time based on high-confidence diagnostic data. High-confidence deployment relies on data included in monthly non-security preview updates, which are typically released the fourth week of the month. By definition, devices receiving hotpatch updates don't receive these preview updates. As such, these devices might not progress at the same rate as other devices. Here's the implication:
- Devices might not receive updated high-confidence data in May or June.
- Some devices might not become eligible for automatic deployment during that time.
In addition, applying Secure Boot updates requires device restarts to complete changes to:
- Secure Boot certificates
- The Windows Boot Manager
As a result of this design, devices receiving hotpatch updates will only receive updates automatically during the next baseline month (for example, April or July).
To move forward sooner, your organization can:
- Install the latest monthly non-security preview update (instead of a hotpatch update) to pick up updated high-confidence data.
- Restart the devices to complete the update process.
- Optional: Temporarily pause hotpatch updates and plan maintenance windows during Secure Boot rollout. Then resume hotpatch updates.
Learn more or bookmark these resources:
- Secure Boot status report in Windows Autopatch
- Windows Secure Boot certificate expiration and CA updates
- Secure Boot playbook for certificates expiring in 2026
- Windows Server Secure Boot playbook for certificates expiring in 2026
Continue the conversation. Find best practices. Bookmark the Windows Tech Community. Looking for support? Visit Windows on Microsoft Q&A.
- May 12, 2026
- Date parsed from source: May 12, 2026
- First seen by Releasebot: May 13, 2026
May 12, 2026—KB5087420 (OS Build 22631.7079)
Windows releases a cumulative update for Windows 11, version 23H2 that brings the latest security fixes, quality improvements and non-security updates. It also improves Secure Boot rollout, SmartScreen reputation checks, Enterprise State Roaming and Remote Desktop.
Announcements and messages
This section provides key notifications related to this release, including announcements, change logs, and end-of-support notices.
Windows Secure Boot certificate expiration
Improvements
This update addresses security issues for your Windows operating system.
Important: Use EKB KB5027397 to update to Windows 11, version 23H2.
This security update contains fixes and quality improvements from KB5082052 (released April 14, 2026). The following summary outlines key issues addressed by this update. Available new features are also included. The bold text within the brackets indicates the item or area of the change.
- [Secure Boot] With this update, Windows quality updates include additional high confidence device targeting data, increasing coverage of devices eligible to automatically receive new Secure Boot certificates. Devices receive the new certificates only after demonstrating sufficient successful update signals, maintaining a controlled and phased rollout.
- [Country and Operator Settings Asset (COSA)] This update brings profiles up to date for certain mobile operators.
- [Daylight saving time (DST)] This update supports the 2023 DST change for the Arab Republic of Egypt.
- [Enterprise State Roaming (ESR)] ESR can now be managed through Windows Backup for Organizations policies. This makes setup easier for IT administrators. To learn more, see Enterprise State Roaming.
- [Microsoft Defender SmartScreen] This update enables Microsoft Defender SmartScreen in the Windows shell to send file hashes for unsigned files. This support allows SmartScreen to use newer reputation models and improves the quality of application reputation checks.
- [Remote Desktop (known issue)] Fixed: This update addresses an issue that affects the Remote Desktop Connection security warning dialog. The dialog could render incorrectly in multi-monitor scenarios when the monitors had different scaling set. This might occur after installing the April 2026 (KB5082052) security update. For more information, see Understanding security warnings when opening Remote Desktop (RDP) files.
If you've already installed previous updates, your device will download and install only the new updates included in this package.
For more information about security vulnerabilities, see the Security Update Guide and the May 2026 Security Update.
Windows 11 servicing stack update (KB5086307) - 22621.6937
This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. To learn more about SSUs, see Simplifying on-premises deployment of servicing stack updates.
Known issues in this update
Devices with an unrecommended BitLocker Group Policy configuration might be required to enter their BitLocker recovery key
How to get this update
Before you install this update
Microsoft combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates.
Install this update
To install this update, use one of the following Windows and Microsoft release channels.
This update downloads and installs automatically from Windows Update and Microsoft Update.
If you want to remove this update
Before you decide to remove this update, see Understanding the risks: Why you should not uninstall security updates.
To remove the LCU after installing the combined SSU and LCU package, use the DISM /Remove-Package command-line option with the LCU package name as the argument. You can find the package name by using this command: DISM /online /get-packages.
Running Windows Update Standalone Installer (wusa.exe) with the /uninstall switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.
File information
For a list of the files provided in this update, download the file information for cumulative update 5087420.
For a list of the files provided in the servicing stack update, download the file information for the SSU (KB5086307) - versions 22621.6937.
Related topics
- Microsoft Store for Business and Education with Configuration Manager
- Get updates for apps and games in Microsoft Store
- May 12, 2026
- Date parsed from source: May 12, 2026
- First seen by Releasebot: May 13, 2026
May 12, 2026—KB5089549 (OS Builds 26200.8457 and 26100.8457)
Windows releases a cumulative update for Windows 11 24H2 and 25H2 that brings the latest security fixes and quality improvements, including stronger Secure Boot certificate targeting, better boot reliability, improved SSDP responsiveness, and an updated servicing stack.
This cumulative update for Windows 11, version 25H2 and 24H2 (KB5089549) includes the latest security fixes and improvements, along with non-security updates from last month's optional preview release.
Visit the Windows release health dashboard for the latest status on this release.
Windows 11 May 12, 2026, KB5089549
Announcements and messages
This section provides key notifications related to this release, including announcements, change logs, and end-of-support notices.
Windows Secure Boot certificate expiration
Improvements
This update includes new features and quality improvements that were part of the following updates:
- April 14, 2026—KB5083769 (OS Builds 26200.8246 and 26100.8246)
- April 30, 2026—KB5083631 (OS Builds 26200.8328 and 26100.8328) Preview
This update addresses security vulnerabilities documented in the following guide:
- May 2026 Security Updates
The following summary outlines key quality improvements addressed by this update. The bold text within the brackets indicates the item or area of the change.
- [Secure Boot] With this update, Windows quality updates include additional high confidence device targeting data, increasing coverage of devices eligible to automatically receive new Secure Boot certificates. Devices receive the new certificates only after demonstrating sufficient successful update signals, maintaining a controlled and phased rollout.
- [Boot manager servicing update]
  - This update improves startup reliability after boot file updates, so devices start normally without entering BitLocker recovery.
  - (Known issue) Fixed: This update addresses an issue where some devices might enter BitLocker Recovery after updating boot files on systems with certain Trusted Platform Module (TPM) validation settings, including invalid PCR7 (Platform Configuration Register 7) configurations. This might occur after installing the April 2026 security update (KB5083769).
- [Connectivity] This update improves the reliability of Simple Service Discovery Protocol (SSDP) notifications to help prevent the service from becoming unresponsive.
If you've already installed previous updates, your device will download and install only the new updates included in this package.
AI Components
This release updates the following AI components:
AI Component | Version
Image Search | 1.2604.515.0
Content Extraction | 1.2604.515.0
Semantic Analysis | 1.2604.515.0
Settings Model | 1.2604.515.0
Windows 11 servicing stack update (KB5092762) - 26100.8456
This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. To learn more about SSUs, see Simplifying on-premises deployment of servicing stack updates.
Known issues in this update
Microsoft is not currently aware of any issues with this update.
How to get this update
Before you install this update
Microsoft combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates.
Install this update
To install this update, use one of the following Windows and Microsoft release channels.
If you want to remove this update
Before you decide to remove this update, see Understanding the risks: Why you should not uninstall security updates.
To remove the LCU after installing the combined SSU and LCU package, use the DISM /Remove-Package command-line option with the LCU package name as the argument. You can find the package name by using this command: DISM /online /get-packages.
Running Windows Update Standalone Installer (wusa.exe) with the /uninstall switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.
File information
For a list of the files provided in this update, download the file information for cumulative update 5089549.
For a list of the files provided in the servicing stack update, download the file information for the SSU (KB5092762) - version 26100.8456.
Related topics
- Windows monthly updates explained
- Description of the standard terminology used for Microsoft software updates
- Windows release health
- Microsoft Store for Business and Education with Configuration Manager
- Get updates for apps and games in Microsoft Store
- May 12, 2026
- Date parsed from source: May 12, 2026
- First seen by Releasebot: May 13, 2026
May 12, 2026—KB5089548 (OS Build 28000.2113)
Windows releases a cumulative update for Windows 11 version 26H1 with the latest security fixes and non-security improvements, including better SSDP reliability, improved game compatibility, updated AI components, and a servicing stack update for more reliable Windows updating.
This cumulative update for Windows 11, version 26H1 (KB5089548) includes the latest security fixes and improvements, along with non-security updates from last month's optional preview release.
Visit the Windows release health dashboard for the latest status on this release.
Improvements
This update includes new features and quality improvements that were part of the following updates:
- April 14, 2026—KB5083768 (OS Build 28000.1836)
- April 30, 2026—KB5083806 (OS Build 28000.1896) Preview
This update addresses security vulnerabilities documented in the following guide:
- May 2026 Security Updates
The following summary outlines key quality improvements addressed by this update. The bold text within the brackets indicates the item or area of the change.
- [Connectivity] This update improves the reliability of Simple Service Discovery Protocol (SSDP) notifications to help prevent the service from becoming unresponsive.
- [Gaming] This update improves compatibility for some games that use embedded web content and helps reduce the impact of JavaScript errors on in‑game features.
If you've already installed previous updates, your device will download and install only the new updates included in this package.
AI Components
This release updates the following AI components:
AI Component | Version
Image Search | 1.2603.377.0
Content Extraction | 1.2603.377.0
Semantic Analysis | 1.2603.377.0
Settings Model | 1.2603.377.0
Windows 11 servicing stack update (KB5092761) - 28000.2103
This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. To learn more about SSUs, see Simplifying on-premises deployment of servicing stack updates.
Known issues in this update
Microsoft is not currently aware of any issues with this update.
How to get this update
Before you install this update
Microsoft combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates.
Install this update
To install this update, use one of the following Windows and Microsoft release channels.
Windows Update
Available | Next Step
Included | This update downloads and installs automatically from Windows Update and Microsoft Update.
If you want to remove this update
Before you decide to remove this update, see Understanding the risks: Why you should not uninstall security updates.
To remove the LCU after installing the combined SSU and LCU package, use the DISM /Remove-Package command-line option with the LCU package name as the argument. You can find the package name by using this command: DISM /online /get-packages.
Running Windows Update Standalone Installer (wusa.exe) with the /uninstall switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.
File information
For a list of the files provided in this update, download the file information for cumulative update 5089548.
For a list of the files provided in the servicing stack update, download the file information for the SSU (KB5092761) - version 28000.2103.
Related topics
- Windows monthly updates explained
- Description of the standard terminology used for Microsoft software updates
- Windows release health
- May 12, 2026
- Date parsed from source: May 12, 2026
- First seen by Releasebot: May 13, 2026
May 12, 2026—Hotpatch KB5089466 (OS Builds 26200.8390 and 26100.8390)
Windows ships a Hotpatch update for Windows 11 25H2 and 24H2 with security and quality improvements, including better SSDP notification reliability and a fix for Remote Desktop Connection security warnings on multi-monitor setups.
This Hotpatch update for Windows 11, version 25H2 and 24H2 (KB5089466) includes security improvements. To learn more about differences between security updates, optional non-security preview updates, out-of-band (OOB) updates, and continuous innovation, see Windows monthly updates explained. For information on Windows update terminology, see the different types of Windows software updates.
To view the latest updates about this release, visit the Windows release health dashboard or the update history page for Windows 11, version 25H2 and 24H2.
Announcements and messages
This section provides key notifications related to this release, including announcements, change logs, and end-of-support notices.
Windows Secure Boot certificate expiration
Improvements and fixes
This security update includes quality improvements.
The following summary outlines key issues addressed by this update. The bold text within the brackets indicates the item or area of the change.
- [Connectivity] This update improves the reliability of Simple Service Discovery Protocol (SSDP) notifications to help prevent the service from becoming unresponsive.
- [Remote Desktop] This update addresses an issue that affects the Remote Desktop Connection security warning dialog. The dialog could render incorrectly in multi-monitor scenarios when the monitors had different scaling set. For more information, see Understanding security warnings when opening Remote Desktop (RDP) files.
If you've already installed previous updates, your device will download and install only the new updates included in this package.
Known issues in this update
Microsoft is not currently aware of any issues with this update.
How to get this update
Before you install this update
Microsoft combines the latest servicing stack update (SSU) for your operating system with the Hotpatch update. For general information about SSUs, see Servicing stack updates.
If you are using Windows Update, the latest SSU installs with this update.
Install this update
To install this update, use one of the following Windows and Microsoft release channels.
Release Channels | Available | Next step
Windows Update | Included | This update downloads and installs automatically from Windows Update and Microsoft Update.
Catalog | Not included | See the other options.
Server Update Services | Not included | See the other options.
File information
For a list of the files provided in this update, download the file information for cumulative update 5089466.
For a list of the files provided in the servicing stack update, download the file information for the SSU (KB5092762) - version 26100.8456.
- May 5, 2026
- Date parsed from source: May 5, 2026
- First seen by Releasebot: May 8, 2026
Windows news you can use: April 2026
Windows adds April 2026 updates across accessibility, security, AI, and productivity, including Narrator with Copilot, easier app removal and Intune management, new Windows 365 monitoring, File Explorer voice typing, and previewed Server and Insider changes.
This month, the Windows Accessibility team delivered its first interactive deep dive on the Tech Community featuring demos of the latest improvements in Narrator and live Q&A. Watch it on demand to help ensure your organization is taking advantage of the latest Windows 11 accessibility features. Create a digital environment where everyone is empowered to achieve more.
We also continue to host Ask Microsoft Anything (AMA) here on the Tech Community to help you plan for older Secure Boot certificates starting to expire in June. Watch this month's AMA on demand, and save the date for the next Secure Boot AMA on May 18 if you have any outstanding questions.
Now on to more highlights from April with this month's edition of Windows news you can use.
New in Windows update and device management
- [APPS] [STORE] – You can now use policy to remove select pre-installed Microsoft Store apps on devices running Windows 11, version 25H2 or version 24H2. In addition, a new dynamic app removal list lets you remove any preinstalled MSIX/APPX app by referencing its Package Family Name (PFN).
- [APPS] [INTUNE] – App inventory in Microsoft Intune now updates Windows apps on a more frequent schedule. It only uploads changes since the last sync, which can help limit additional network usage. To take advantage of this capability, you'll need to set a new device configuration policy and assign that policy to desired corporate-owned Windows 11 devices enrolled in Microsoft Entra ID.
- [W365] – A new Windows 365 monitoring and reporting platform, now in public preview, consolidates Cloud PC health, performance, and configuration data into integrated dashboards in Intune.
- [W365] – User-initiated provisioning for Windows 365 Reserve is now in public preview. This IT-enabled setting allows users to initiate provisioning themselves, within existing policy and security controls, from Windows App.
New in Windows security
- [AUTOPATCH] – A new Windows Autopatch report reflects updated recommendations on patch compliance. It also highlights risk exposure based on configured policies and update rollout status across your estate.
- [HARDENING] [ADMIN] – Administrative actions are undergoing hardening changes that reduce the risk of privilege escalation and unauthorized access on Windows devices. Specifically, Windows now detects and blocks authentication attempts between machines that share duplicate SIDs.
- [HOTPATCH] – Need to explain the security architecture advantage behind hotpatch updates? Explore a concise explanation of how they support continuous protection, accelerate patch compliance, and reduce operational disruption.
New in AI
The following AI-powered capabilities are gradually rolling out beginning with the April 2026 security update:
- [NARRATOR] – Narrator now works with Copilot on all Windows 11 devices. Get instant, on‑device descriptions and the ability to select Ask Copilot for more detail.
- [INPUT] – With updates to the Pen settings page, users can now enable the pen tail button to open the same app as the Copilot key.
- [COPILOT] - A new RemoveMicrosoftCopilotApp policy setting allows you to uninstall Copilot from devices in your organization in a non-disruptive way.
To learn about latest capabilities for Copilot+ PCs, visit the Windows Roadmap and filter Platform by “Copilot+ PC Exclusives.”
New in Windows Server
For the latest features and improvements for Windows Server, see the Windows Server 2025 release notes and Windows Server, version 23H2 release notes.
- [FEATURE UPDATES] – Running Windows Server 2022 or Windows Server 2019? You can now opt in to the Windows Server 2025 feature update from the Settings dialog.
- [EVENT] – The Windows Server Summit starts next Monday and runs May 11-13, 2026 from 7:00 a.m. to 12:00 p.m. PDT. If you haven't already, make sure to add sessions of interest to your calendar and register for the VIP experience. As a VIP, you'll receive access to the presentation decks and a chance to participate in a private virtual roundtable with the Windows Server product team.
New in productivity and collaboration
Install the April 2026 security update for Windows 11, versions 25H2 and 24H2 to get these and other capabilities, which will be rolling out gradually:
- [FILE EXPLORER] – You can use Voice Typing (Windows logo key + H) when renaming a file in File Explorer.
- [SETTINGS] – The device information card on the Settings Home page simplifies key device specifications. Experience the improved consistency across the end-to-end flow from the Home Card to the Settings > System > About page. It should now be easier to scan and understand information.
- [DISPLAY] – When you use a native USB4 monitor connection, the USB controller can now enter its lowest power level while the PC is sleeping, which helps save battery life.
New features and improvements are coming in the May 2026 security update. You can preview them by installing the April 2026 optional non-security update for Windows 11, versions 25H2 and 24H2. This update includes the gradual rollout of:
- [FILE EXPLORER] – View and Sort preferences are preserved in folders such as Downloads and Documents when apps launch File Explorer directly to those locations. Archive formats now include uu, cpio, xar, and NuGet Packages (nupkg).
- [INPUT] – Voice typing animations on the touch keyboard now appear directly on the dictation key, helping you stay focused without extra visual distractions.
Also, take note that the Windows Insider Program team is simplifying the Insider experience by moving to two primary channels: Experimental and Beta. Other changes to the program include making changes behind-the-scenes to enable Insiders to use an in-place upgrade to hop between versions.
Lifecycle reminders
Check out our lifecycle documentation for the latest updates on Deprecated features in the Windows client and Features removed or no longer developed starting with Windows Server 2025.
Additional resources
Looking for the latest news and previews for Windows, Copilot, Copilot+ PCs, the Windows and Windows Server Insider Programs, and more? Check out these resources:
- Windows Roadmap for new Copilot+ PCs and Windows features – filter by platform, version, status, and channel or search by feature name
- Microsoft 365 Copilot release notes for latest features and improvements
- Windows Insider Blog for what's available in the Canary, Dev, Beta, or Release Preview Channels
- Windows Server Insider for feature preview opportunities
- Understanding update history for Windows Insider preview features, fixes, and changes to learn about the types of updates for Windows Insiders
Join the conversation
If you're an IT admin with questions about managing and updating Windows, add our monthly Windows Office Hours to your calendar. We assemble a crew of Windows, Windows 365, security, and Intune experts to help answer your questions and provide tips on tools, best practices, and troubleshooting.
Finally, we're always looking to improve this monthly summary. Drop us a note in the Comments and let us know what we can do to make this more useful for you!
Continue the conversation. Find best practices. Bookmark the Windows Tech Community. Looking for support? Visit Windows on Microsoft Q&A.
Original source
- Apr 30, 2026
- Date parsed from source:Apr 30, 2026
- First seen by Releasebot:May 4, 2026
April 30, 2026—KB5083631 (OS Builds 26200.8328 and 26100.8328) Preview
Windows releases a non-security update for Windows 11 25H2 and 24H2 with production-quality improvements, updated AI components, and a servicing stack update that improves update reliability. The release also notes a gradual rollout and a BitLocker recovery key issue for some devices.
This non-security update for Windows 11, version 25H2 and 24H2 (KB5083631), includes production-quality improvements. To learn more about differences between security updates, optional non-security preview updates, out-of-band (OOB) updates, and continuous innovation, see Windows monthly updates explained. For information on Windows update terminology, see the different types of Windows software updates.
To view the latest updates for this release, go to Windows release health dashboard or the update history page for Windows 11, version 24H2 and version 25H2.
Announcements and messages
This section provides key notifications related to this release, including announcements, change logs, and end-of-support notices.
Windows Secure Boot certificate expiration
Highlights
This update is available through two release phases: gradual rollout and normal rollout. A gradual rollout delivers an update in phases, so features reach devices over time instead of all at once, meaning availability varies by device. A normal rollout is the broad release to all eligible devices at the same time, usually when it reaches general availability (GA).
Gradual rollout
The following summary outlines features from AI-powered Windows 11 PC experiences, along with improvements and fixes. The bold text within the brackets indicates the item or area of the change.
Windows 11 PC experiences
AI Components
This release updates the following AI components:
AI Component | Version
- Image Search | 1.2604.515.0
- Content Extraction | 1.2604.515.0
- Semantic Analysis | 1.2604.515.0
- Settings Model | 1.2604.515.0
Windows 11 servicing stack update (KB5088467) - 26100.8247
This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. To learn more about SSUs, see Simplifying on-premises deployment of servicing stack updates.
Known issues in this update
Devices with an unrecommended BitLocker Group Policy configuration might be required to enter their BitLocker recovery key
How to get this update
Before you install this update
Microsoft combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates.
Install this update
To install this update, use one of the following Windows and Microsoft release channels.
Windows Update
Included
Open Start > Settings > Windows Update > Advanced options > Optional updates. In the Optional updates available area, you will find the link to download and install available updates.
If you want to remove this update
Caution: Before you decide to remove this update, see Understanding the risks: Why you should not uninstall security updates.
To remove this update after installing the combined SSU and LCU package, use the DISM/Remove-Package command line option with the LCU package name as the argument. You can find the package name by using this command: DISM /online /get-packages.
Running Windows Update Standalone Installer (wusa.exe) with the /uninstall switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.
File information
For a list of the files provided in this update, download the file information for cumulative update 5083631.
For a list of the files provided in the servicing stack update, download the file information for the SSU (KB5088467) - version 26100.8247.
Related topics
Microsoft Store for Business and Education with Configuration Manager
Get updates for apps and games in Microsoft Store
Original source
- Apr 30, 2026
- Date parsed from source:Apr 30, 2026
- First seen by Releasebot:May 4, 2026
April 30, 2026—KB5083806 (OS Build 28000.1896) Preview
Windows releases a non-security update for Windows 11 version 26H1 with production-quality improvements, updated AI components, and servicing stack reliability fixes. The update rolls out gradually and normally, with no known issues reported.
This non-security update for Windows 11, version 26H1 (KB5083806), includes production-quality improvements. To learn more about differences between security updates, optional non-security preview updates, out-of-band (OOB) updates, and continuous innovation, see Windows monthly updates explained. For information on Windows update terminology, see the different types of Windows software updates.
To view the latest updates for this release, go to Windows release health dashboard or the update history page for Windows 11, version 26H1.
Highlights
This update is available through two release phases: gradual rollout and normal rollout. A gradual rollout delivers an update in phases, so features reach devices over time instead of all at once, meaning availability varies by device. A normal rollout is the broad release to all eligible devices at the same time, usually when it reaches general availability (GA).
The following summary outlines features from AI-powered Windows 11 PC experiences, along with improvements and fixes. The bold text within the brackets indicates the item or area of the change.
AI Components
This release updates the following AI components:
AI Component | Version
- Image Search | 1.2603.377.0
- Content Extraction | 1.2603.377.0
- Semantic Analysis | 1.2603.377.0
- Settings Model | 1.2603.377.0
Windows 11 servicing stack update (KB5088834)- 28000.1837
This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. To learn more about SSUs, see Simplifying on-premises deployment of servicing stack updates.
Known issues in this update
Microsoft is not currently aware of any issues with this update.
How to get this update
Before you install this update
Microsoft combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates.
Install this update
To install this update, use one of the following Windows and Microsoft release channels.
Gradual rollout
Available | Next Step
Included | Open Start > Settings > Update & Security > Windows Update. In the Optional updates available area, you will find the link to download and install available updates.
If you want to remove this update
Caution: Before you decide to remove this update, see Understanding the risks: Why you should not uninstall security updates.
To remove this update after installing the combined SSU and LCU package, use the DISM/Remove-Package command line option with the LCU package name as the argument. You can find the package name by using this command: DISM /online /get-packages.
Running Windows Update Standalone Installer (wusa.exe) with the /uninstall switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.
File information
For a list of the files provided in this update, download the file information for cumulative update 5083806.
For a list of the files provided in the servicing stack update, download the file information for the SSU (KB5088834) - version 28000.1837.
Original source
- Apr 27, 2026
- Date parsed from source:Apr 27, 2026
- First seen by Releasebot:Apr 29, 2026
Protect your estate: Reassess your Windows update policies
Windows adds a new Autopatch report with updated patch compliance guidance, giving IT teams clearer visibility into client patch status, policy risk exposure, and actionable steps to reduce threats. It also updates servicing recommendations to help keep devices current and secure.
A new Windows Autopatch report that reflects updated recommendations on patch compliance is rolling out soon to your tenant.
Keeping devices up to date has never been more critical for security. As noted in a recent post AI-powered defense for an AI-accelerated threat landscape, by Ales Holecek, Chief Architect and Corporate Vice President of Microsoft Security, organizations need to rethink exposure, response, and risk. This is especially true when it comes to keeping Windows devices patched with the latest security updates.
On April 22, 2026, Microsoft Intune released a new security update status dashboard offering centralized visibility into update compliance across Windows client, Windows Server, and Microsoft 365 apps. The dashboard provides a clear, current view for IT and security teams, backed by current data, and without the need to switch between multiple reports or tools.
Today, we're announcing that Windows Autopatch is rolling out an extension to that dashboard offering more detailed information on client patching status and policy risk exposure. This new Windows Autopatch report:
- Breaks down specific patch versions within your estate.
- Informs you of policies putting your estate at risk.
- Provides actionable workflows to help reduce exposure.
Updated recommendations for servicing Windows
Strategies for reducing risk and staying current are changing. Across the industry, organizations often had a 14- or 28-day SLA to patch devices across their estate. In today's threat landscape, this can leave users in an exposed or critical vulnerability state.
In line with the recommendations in the recent post from Microsoft Security, we are adjusting our recommendations and encourage organizations to install the latest security updates:
- Within 3 days to be considered current (and reported as current)
- Within 7 days to help ensure devices aren’t subject to vulnerabilities (and reported as critical)
- Between 3 and 7 days, devices are considered exposed (and reported as exposed)
To view which policies in your tenant are not configured per recommendations, navigate to the Windows Autopatch overview pane and select View policies leading to increased risk exposure, a poor experience. From here, you can see which policies are configured in a way that falls short of these recommendations.
We recognize that more aggressive timelines can introduce disruption. However, given the pace of today's threat landscape, these updated recommendations are intended to balance stronger security while maintaining user productivity and stability.
To help ensure devices stay secure, while having an optimal experience, we recommend using Windows Autopatch and configuring the following policies:
- Quality update deferral of < 3 days
- Quality update deadline of 0 or 1 day
- Grace period of 1 or 2 days
- Enable hotpatch updates (Note: Hotpatch updates will be enabled by default for all eligible devices that haven't been opted out starting in May 2026.)
We also recommend using Extended Security Updates (ESU) for all eligible devices still running Windows 10 so those devices continue to receive critical security updates.
Reassess and stay protected
Now is the time to reassess your risk profile and patching deployments. We continue to improve Windows Autopatch reports to give you the information you need to help reduce threats to your estate. By using the new report, you can identify where to take action to stay even more protected in this ever-evolving threat landscape.
Additional resources:
- As vulnerability discovery moves at AI speed, keeping current is foundational to reduce exposure
- Strengthening secure software at global scale: How MSRC is evolving with AI
- Apr 14, 2026
- Date parsed from source:Apr 14, 2026
- First seen by Releasebot:May 15, 2026
April 14, 2026—KB5083769 (OS Builds 26200.8246 and 26100.8246)
Windows releases a cumulative update for Windows 11 25H2 and 24H2 with the latest security fixes, Secure Boot certificate status alerts, stronger Remote Desktop phishing protections, SMB over QUIC reliability improvements, a Reset this PC fix, and new vulnerable driver blocklist protections.
This cumulative update for Windows 11, version 25H2 and 24H2 (KB5083769), includes the latest security fixes and improvements, along with non-security updates from last month’s optional preview release. To learn more about differences between security updates, optional non-security preview updates, out-of-band (OOB) updates, and continuous innovation, see Windows monthly updates explained. For information on Windows update terminology, see the different types of Windows software updates.
To view the latest updates about this release, visit the Windows release health dashboard or the update history page for Windows 11, version 25H2 and 24H2.
This security update contains fixes and quality improvements from KB5079473 (released March 10, 2026), KB5085516 (released March 21, 2026), KB5079391 (released March 26, 2026 - no longer offered), and KB5086672 (released March 31, 2026). The following summary outlines key issues addressed by this update. Also, included are available new features. The bold text within the brackets indicates the item or area of the change.
Secure Boot
- New! The status of Secure Boot certificate updates on your device may be displayed in the Windows Security app (Settings > Privacy & security > Windows Security). Learn more about the status alerts via badges and notifications. These enhancements are disabled by default on commercial devices.
- With this update, Windows quality updates include additional high confidence device targeting data, increasing coverage of devices eligible to automatically receive new Secure Boot certificates. Devices receive the new certificates only after demonstrating sufficient successful update signals, maintaining a controlled and phased rollout.
- This update addresses an issue where the device might enter BitLocker Recovery after the Secure Boot updates.
Networking
This update improves reliability when Windows uses SMB compression over QUIC. After you install this update, SMB compression requests over QUIC complete more consistently, reducing the likelihood of timeouts and supporting smoother, more dependable performance.
Remote Desktop
This update improves protection against phishing attacks that use Remote Desktop (.rdp) files. When you open an .rdp file, Remote Desktop shows all requested connection settings before it connects, with each setting turned off by default. A one-time security warning also appears the first time you open an .rdp file on a device. For more information, see Understanding security warnings when opening Remote Desktop (RDP) files.
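A defender-side counterpart to the dialog described above, as an added example that is not from the page or from Microsoft: a Python triage function that lists the local resources an .rdp file explicitly asks to redirect, so a mail or download filter can review the file before anyone opens it. The set of keys checked, the labels and the sample file are assumptions made for this example.

```python
import codecs

# Keys surfaced by this example (an assumption: chosen here, not the list
# Windows itself displays). Integer keys request redirection when non-zero;
# string keys request it when they carry a non-empty device list.
INT_FLAGS = {
    "redirectclipboard": "clipboard",
    "redirectprinters": "printers",
    "redirectsmartcards": "smart cards",
    "redirectcomports": "COM ports",
    "audiocapturemode": "microphone",
}
STR_FLAGS = {
    "drivestoredirect": "local drives",
    "devicestoredirect": "plug and play devices",
    "camerastoredirect": "cameras",
    "usbdevicestoredirect": "USB devices",
}


def decode_rdp(raw: bytes) -> str:
    """Decode .rdp bytes: UTF-16 when a BOM is present, otherwise UTF-8."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig", errors="replace")


def parse_rdp(raw: bytes) -> dict:
    """Parse 'name:type:value' lines into {name: [(type, value), ...]}."""
    settings = {}
    for line in decode_rdp(raw).splitlines():
        # maxsplit=2 keeps colons inside the value, e.g. "host:3389".
        parts = line.strip().split(":", 2)
        if len(parts) != 3 or parts[1] not in ("i", "s", "b"):
            continue  # blank or malformed line
        name, kind, value = parts
        settings.setdefault(name.strip().lower(), []).append((kind, value.strip()))
    return settings


def triage_rdp(raw: bytes) -> dict:
    """Summarise target, signature presence and requested redirections.

    A repeated key counts as requested if any occurrence asks for it, which
    is the conservative reading for triage. Client defaults for keys that are
    absent from the file are out of scope, and the signature is only checked
    for presence, not verified.
    """
    settings = parse_rdp(raw)
    requested = []
    for key, label in INT_FLAGS.items():
        if any(k == "i" and v not in ("", "0") for k, v in settings.get(key, [])):
            requested.append(label)
    for key, label in STR_FLAGS.items():
        if any(v for _k, v in settings.get(key, [])):
            requested.append(label)
    addresses = [v for _k, v in settings.get("full address", [])]
    return {
        "target": addresses[-1] if addresses else None,
        "signed": any(v for _k, v in settings.get("signature", [])),
        "requested": sorted(requested),
    }


# Constructed sample file (not taken from any real campaign), encoded as
# UTF-16 with a BOM.
SAMPLE_RDP = (
    "full address:s:rdp.example.test:3389\r\n"
    "username:s:\r\n"
    "drivestoredirect:s:*\r\n"
    "redirectclipboard:i:1\r\n"
    "redirectprinters:i:0\r\n"
    "redirectsmartcards:i:1\r\n"
    "audiocapturemode:i:0\r\n"
    "camerastoredirect:s:\r\n"
    "this line is malformed\r\n"
).encode("utf-16")

if __name__ == "__main__":
    report = triage_rdp(SAMPLE_RDP)
    print("target:   ", report["target"])
    print("signed:   ", report["signed"])
    print("requested:", ", ".join(report["requested"]) or "none")
```

An unsigned file that targets an unfamiliar host and requests drives or clipboard is the combination worth quarantining for review.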
Reset this PC (known issue)
Fixed: This update addresses an issue that might cause device reset to fail when using the “Keep my files” or “Remove everything” options. This might occur after installing the March 2026 (KB5079420) Hotpatch security update.
Vulnerable driver blocklist
This update introduces a security hardening change that adds known vulnerable kernel drivers to the Microsoft vulnerable driver blocklist. Backup applications that rely on blocked drivers might experience failures when attempting to mount or manage disk images.
These apps relying on blocked drivers might display error messages, including "The backup has failed because Microsoft VSS has timed out during the snapshot creation" or VSS_E_BAD_STATE. Affected users should update to a newer version of their application that uses newer drivers that include the required protections. For more information, see April 2026 Windows security updates introduce protections to known vulnerable kernel drivers.
If you've already installed previous updates, your device will download and install only the new updates included in this package.
For more information about security vulnerabilities, see the Security Update Guide and the April 2026 Security Updates.
This release updates the following AI components:
AI Component | Version
- Image Search | 1.2603.377.0
- Content Extraction | 1.2603.377.0
- Semantic Analysis | 1.2603.377.0
- Settings Model | 1.2603.377.0
Windows 11 servicing stack update (KB5088467) - 26100.8247
This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. To learn more about SSUs, see Simplifying on-premises deployment of servicing stack updates.
Known issues in this update
Devices with an unrecommended BitLocker Group Policy configuration might be required to enter their BitLocker recovery key.
Warnings related to Remote Desktop might not display correctly.
How to get this update
Before you install this update
Microsoft combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates.
Install this update
To install this update, use one of the following Windows and Microsoft release channels.
This update downloads and installs automatically from Windows Update and Microsoft Update.
If you want to remove this update
Caution: Before you decide to remove this update, see Understanding the risks: Why you should not uninstall security updates.
To remove the LCU after installing the combined SSU and LCU package, use the DISM/Remove-Package command line option with the LCU package name as the argument. You can find the package name by using this command: DISM /online /get-packages.
Running Windows Update Standalone Installer (wusa.exe) with the /uninstall switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.
File information
For a list of the files provided in this update, download the file information for cumulative update 5083769.
For a list of the files provided in the servicing stack update, download the file information for the SSU (KB5088467) - version 26100.8247.
Related topics
Microsoft Store for Business and Education with Configuration Manager
Get updates for apps and games in Microsoft Store
Original source
- Apr 14, 2026
- Date parsed from source:Apr 14, 2026
- First seen by Releasebot:May 4, 2026
April 14, 2026—KB5082052 (OS Build 22631.6936)
Windows ships a cumulative Windows 11 23H2 update with security fixes, Secure Boot certificate improvements, better SMB compression over QUIC reliability, stronger Remote Desktop phishing protection, a sign-in fix, and new vulnerable driver blocklist protections.
This cumulative update for Windows 11, version 23H2 (KB5082052), includes the latest security fixes and improvements, along with non-security updates from last month’s optional preview release. To learn more about differences between security updates, optional non-security preview updates, out-of-band (OOB) updates, and continuous innovation, see Windows monthly updates explained. For information on Windows update terminology, see the different types of Windows software updates.
To view the latest updates about this release, visit the Windows release health dashboard or the update history page for Windows 11, version 23H2.
Tip: This month’s video is available in the Windows 11, version 25H2 and 24H2 article.
This section provides key notifications related to this release, including announcements, change logs, and end-of-support notices.
Windows Secure Boot certificate expiration
Change log
Improvements
This update addresses security issues for your Windows operating system.
Important: Use EKB KB5027397 to update to Windows 11, version 23H2.
This security update contains fixes and quality improvements from KB5078883 (released March 10, 2026). The following summary outlines key issues addressed by this update. Also, included are available new features. The bold text within the brackets indicates the item or area of the change.
- [Secure Boot]
- New! The status of Secure Boot certificate updates on your device may be displayed in the Windows Security app (Settings > Privacy & security > Windows Security). Learn more about the status alerts via badges and notifications. These enhancements are disabled by default on commercial devices.
- With this update, Windows quality updates include additional high confidence device targeting data, increasing coverage of devices eligible to automatically receive new Secure Boot certificates. Devices receive the new certificates only after demonstrating sufficient successful update signals, maintaining a controlled and phased rollout.
- This update addresses an issue where the device might enter BitLocker Recovery after the Secure Boot updates.
- [Networking] This update improves reliability when Windows uses SMB compression over QUIC. After you install this update, SMB compression requests over QUIC complete more consistently, reducing the likelihood of timeouts and supporting smoother, more dependable performance.
- [Remote Desktop] This update improves protection against phishing attacks that use Remote Desktop (.rdp) files. When you open an .rdp file, Remote Desktop shows all requested connection settings before it connects, with each setting turned off by default. A one-time security warning also appears the first time you open an .rdp file on a device. For more information, see Understanding security warnings when opening Remote Desktop (RDP) files.
- [Sign-In] Fixed: After you install the Windows update released on or after March 10, 2026, some users might experience an issue signing in to apps with a Microsoft account. Even when the device has a working Internet connection, a “no Internet” error appears during sign in and prevents access to Microsoft services and apps such as Microsoft Teams.
- [Vulnerable driver blocklist] This update introduces a security hardening change that adds known vulnerable kernel drivers to the Microsoft vulnerable driver blocklist. Backup applications that rely on blocked drivers might experience failures when attempting to mount or manage disk images. These apps relying on blocked drivers might display error messages, including "The backup has failed because Microsoft VSS has timed out during the snapshot creation" or VSS_E_BAD_STATE. Affected users should update to a newer version of their application that uses newer drivers that include the required protections. For more information, see April 2026 Windows security updates introduce protections to known vulnerable kernel drivers.
If you've already installed previous updates, your device will download and install only the new updates included in this package.
For more information about security vulnerabilities, see the Security Update Guide and the April 2026 Security Update.
Windows 11 servicing stack update (KB5086307) - 22621.6937
This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. To learn more about SSUs, see Simplifying on-premises deployment of servicing stack updates.
Known issues in this update
- Devices with an unrecommended BitLocker Group Policy configuration might be required to enter their BitLocker recovery key
- Warnings related to Remote Desktop might not display correctly
How to get this update
Before you install this update
Microsoft combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates.
Install this update
To install this update, use one of the following Windows and Microsoft release channels.
Windows Update
This update downloads and installs automatically from Windows Update and Microsoft Update.
If you want to remove this update
Caution: Before you decide to remove this update, see Understanding the risks: Why you should not uninstall security updates.
To remove the LCU after installing the combined SSU and LCU package, use the DISM/Remove-Package command line option with the LCU package name as the argument. You can find the package name by using this command: DISM /online /get-packages.
Running Windows Update Standalone Installer (wusa.exe) with the /uninstall switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.
File information
For a list of the files provided in this update, download the file information for cumulative update 5082052.
For a list of the files provided in the servicing stack update, download the file information for the SSU (KB5086307) - versions 22621.6937.
Related topics
Microsoft Store for Business and Education with Configuration Manager
Get updates for apps and games in Microsoft Store
Original source
- Apr 14, 2026
- Date parsed from source:Apr 14, 2026
- First seen by Releasebot:Apr 15, 2026
April 14, 2026—Baseline
Windows releases the April 2026 security baseline starting April 14, 2026.
The April 2026 security baseline will be available starting April 14, 2026. For more information, see KB5083769.
To learn more about release cadence, see the release notes for Hotpatch on Windows 11 Enterprise, version 25H2 and version 24H2.
Original source
- Apr 14, 2026
- Date parsed from source:Apr 14, 2026
- First seen by Releasebot:Apr 15, 2026
April 14, 2026—KB5083768 (OS Build 28000.1836)
Windows releases a security update for Windows 11 version 26H1 with the latest protections and quality fixes. It adds Secure Boot status alerts in Windows Security, improves SMB compression over QUIC reliability, strengthens Remote Desktop phishing protection, and includes servicing stack improvements.
This security update for Windows 11, version 26H1 (KB5082052), includes the latest security improvements, along with non-security updates from last month’s optional preview release. To learn more about differences between security updates, optional non-security preview updates, Out-of-band (OOB) updates, and continuous innovation, see Windows monthly updates explained. For information on Windows update terminology, see the different types of Windows software updates.
To view the latest updates about this release, visit the Windows release health dashboard or the update history page for Windows 11, version 26H1.
Improvements
This security update contains fixes and quality improvements from KB5079466 (released March 10, 2026). The following summary outlines key issues addressed by this update. Also, included are available new features. The bold text within the brackets indicates the item or area of the change.
[Secure Boot]
New! The status of Secure Boot certificate updates on your device may be displayed in the Windows Security app (Settings > Privacy & security > Windows Security). Learn more about the status alerts via badges and notifications. These enhancements are disabled by default on commercial devices.
With this update, Windows quality updates include additional high confidence device targeting data, increasing coverage of devices eligible to automatically receive new Secure Boot certificates. Devices receive the new certificates only after demonstrating sufficient successful update signals, maintaining a controlled and phased rollout.
This update addresses an issue where the device might enter BitLocker Recovery after the Secure Boot updates.
[Networking]
This update improves reliability when Windows uses SMB compression over QUIC. After you install this update, SMB compression requests over QUIC complete more consistently, reducing the likelihood of timeouts and supporting smoother, more dependable performance.
[Remote Desktop]
This update improves protection against phishing attacks that use Remote Desktop (.rdp) files. When you open an .rdp file, Remote Desktop shows all requested connection settings before it connects, with each setting turned off by default. A one-time security warning also appears the first time you open an .rdp file on a device. For more information, see Understanding security warnings when opening Remote Desktop (RDP) files.
If you've already installed previous updates, your device will download and install only the new updates included in this package.
For more information about security vulnerabilities, see the Security Update Guide and the April 2026 Security Updates.
AI Components
This release updates the following AI components:
AI Component | Version
- Image Search | 1.2602.1451.0
- Content Extraction | 1.2602.1451.0
- Semantic Analysis | 1.2602.1451.0
- Settings Model | 1.2602.1451.0
Windows 11 servicing stack update (KB5088834) - 28000.1837
This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. To learn more about SSUs, see Simplifying on-premises deployment of servicing stack updates.
Known issues in this update
Microsoft is not currently aware of any issues with this update.
How to get this update
Before you install this update
Microsoft combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates.
Install this update
To install this update, use one of the following Windows and Microsoft release channels.
Windows Update
Available | Next Step
Included | This update downloads and installs automatically from Windows Update and Microsoft Update.
If you want to remove this update
Caution: Before you decide to remove this update, see Understanding the risks: Why you should not uninstall security updates.
To remove the LCU after installing the combined SSU and LCU package, use the DISM/Remove-Package command line option with the LCU package name as the argument. You can find the package name by using this command: DISM /online /get-packages.
Running Windows Update Standalone Installer (wusa.exe) with the /uninstall switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.
File information
For a list of the files provided in this update, download the file information for cumulative update 5083768.
For a list of the files provided in the servicing stack update, download the file information for the SSU (KB5088834) - version 28000.1837.
Original source
- Apr 9, 2026
- Date parsed from source:Apr 9, 2026
- First seen by Releasebot:Apr 10, 2026
Hardening administrative actions: What IT pros need to know
Windows strengthens administrative action hardening to reduce privilege escalation and unauthorized access, tightening UAC and authentication protections across restarts. It now blocks duplicate SID and cloned-machine authentication attempts, with a temporary compatibility rollback available for remediation.
Administrative actions are undergoing hardening changes that reduce the risk of privilege escalation and unauthorized access on Windows devices.
These changes strengthen the trust boundary between identity, authentication, and User Account Control (UAC) enforcement. It’s now much harder for an attacker (or a misconfigured cloned device) to reuse or manipulate authentication artifacts after an OS restart to silently gain elevated privileges.
With these hardening changes, Windows now detects and blocks authentication attempts between machines that share duplicate SIDs.
This is by design and should be seen as a security signal, not a code defect.
Some environments deploy Windows devices using automation or virtual machine templates. Some of these methods rely on previously accepted authentication behavior between cloned systems. If you created these deployments without running Sysprep, that’s your case. Recent authentication hardening updates might now require you to rebuild affected devices using supported imaging methods.
A temporary workaround (detailed below) is available to provide time for remediation. However, it reduces the security protections introduced by the latest updates and cannot be used as a permanent solution due to its lifecycle end date.
Running Sysprep prepares a Windows image for deployment. Sysprep removes device-specific identity and security information, allowing each deployed machine to generate a unique system identity and authentication context when it starts.
Let’s take a closer look at why these hardening changes are important to the overall security of your environment and how you can update your cloning, imaging, and authentication practices.
Why administrative action hardening is necessary for security
The current administrative action hardening phase began with the August 2025 non-security update (KB5064081) and the September 2025 security update (KB5065426). These updates strengthen loopback authentication protections. They help ensure that Kerberos authentication is more tightly bound to the current machine state across OS restarts.
Previously, authentication artifacts could persist across restarts in ways that allowed elevated operations to proceed without explicit user approval. Current hardening helps reduce this risk. It improves how machine identity is validated during authentication.
While these changes improve security posture, they might require adjustments to how you deploy and manage devices in some environments.
Symptoms of administrative action hardening
With the installation of Windows updates released on or after August and September 2025, your devices were hardened against unauthorized attempts to bypass loopback detection. This applies to devices running Windows 11, version 24H2 and later as well as Windows Server 2025.
You might have observed authentication failures between machines when accessing SMB shares or connecting via Remote Desktop. Similar failures might also occur with authentication using New Technology LAN Manager (NTLM) or between machines that aren’t joined to a domain.
The target machine shows the following LsaSrv Event ID 6167 in the System event log:
There is a partial mismatch in the machine ID. This indicates that the ticket has either been manipulated or it belongs to a different boot session. Failing authentication.
This is an inconvenient but necessary symptom of administrative action hardening that might require operational change to support your organization’s security posture. Here’s why.
What changed internally
User Account Control (UAC) in Windows primarily acts as a privilege mediation mechanism. It helps ensure that administrative rights are exercised only with explicit user approval. While users may hold administrative credentials, applications they launch initially run with standard user privileges. Privileges must be explicitly elevated through a UAC consent prompt to perform administrative actions.
Recent security investments in Windows have tightened how you approve and enforce administrative actions. These UAC hardening changes reduce the risk of elevation without explicit user consent. Hardening happens through Windows updates and applies regardless of whether Administrator protection is enabled. Administrator protection (available in preview) also benefits from these changes. It helps reduce automatic elevation paths and reinforces explicit, user-approved elevation for administrative operations. The result is a stronger trust boundary between identity, authentication, and UAC enforcement.
Loopback detection and token filtering scenarios are also part of this effort. A machine ID is used to check if a machine is performing loopback authentication, i.e., authenticating to itself. Before the August 2025 non-security update, each boot randomly generated the machine ID. However, authentication artifacts could still persist across a restart in ways that allowed threat actors to bypass token filtering.
Windows updates released on and after August 2025 detect and block such behavior. Windows now persists part of the machine ID across boots.
Before, authentication handshakes between Windows hosts that were cloned from each other succeeded because only per-boot components were checked. Now, authentication handshakes are detected and blocked because the cross-boot component of the machine ID is the same between the two hosts, while the per-boot component is not, resulting in a partial mismatch of machine IDs.
Specifically, if you've cloned machines without running Sysprep, you might see Kerberos and NTLM authentication failures. You can identify them by the LsaSrv event 6167 log in the auth target machine, for both NTLM and Kerberos protocols.
This behavior is not a regression. It’s a direct and intentional consequence of binding loopback authentication more tightly to machine identity across OS boots.
In summary, prior to installing Windows Updates released on or after August 2025:
- Machine ID regenerated on every boot.
- Loopback detection relied entirely on per-boot state.
- Persisted authentication artifacts could bypass token filtering.
After August 2025:
- Machine ID combines per-boot and cross-boot components.
- Loopback detection survives restarts.
- Persisted authentication artifacts are reliably rejected.
Management recommendations for administrative action hardening symptoms
While administrative action hardening improves security, it requires an adjustment in your strategy to clone Windows images. As you embrace administrative action hardening for its security benefit, you should take the following actions:
- Stop any automation that clones devices without Sysprep. If not addressed, devices end up with duplicate security IDs (SIDs).
- Rebuild all devices with duplicate SIDs from scratch, then run Sysprep. It's not sufficient to unjoin devices and run Sysprep.
- If needed for transition only: temporarily roll back the hardening change.
Recommended solution
When cloning a Windows image, you should always use Sysprep. You can read more about this recommendation in our official documentation in KB314828 and The Microsoft policy for disk duplication of Windows installations.
If your scenario falls outside of this recommendation, the only supported and durable resolution is to rebuild affected systems using supported deployment and imaging methods. Once done, you should remove existing clones.
Temporary workaround (not recommended)
Important! Microsoft does not recommend using this temporary registry-based compatibility option. It reduces the security protections introduced by recent updates. If your organization uses enhanced administrator security configurations (including Administrator protection, where applicable), avoid relying on this setting except as a short-term bridge while remediation is underway. Environments that remain in this configuration might be exposed to elevated risk until remediation is complete. Please plan and execute migration to supported deployment practices as soon as possible. See KB5068222: Strengthening administrator protection and Kerberos authentication.
We understand that while cloning without Sysprep may have been unsupported, you still may have taken a dependency on it. To help ease the transition to a supported configuration, a temporary compatibility option is now available. This option relaxes the updated authentication behavior to allow continued operation in affected environments. It’s provided solely to facilitate remediation and should not be considered a long-term configuration.
Please contact Microsoft Commercial Customer Service and Support (CSS) to get information about this registry value. Complete the intake form as follows:
Form field | Recommended option
Select the Product family | Windows Servers
What product or service do you need help with? | Windows Server 2025
Select the product version | Windows Server 2025
Which category best describes the issue? | Windows Security Technologies
Which problem best describes the issue | Kerberos authentication OR Legacy authentication (NTLM)
You must have an understanding of the risk of disabling administrative action hardening. You’ll also need to provide:
- Reasoning for requiring this temporary workaround
- A clear plan for the long-term resolution of reimaging cloned machines in your environment
Important! This workaround is the replacement for the known issue rollback (KIR)-based group policy setting. These settings were released by Windows Updates between August 2025 and March 2026 to disable loopback protections. Your organization can only obtain the new registry key by opening an assisted support case and certifying that you can rebuild cloned devices prior to the end of 2027.
This registry key will act as a temporary rollback until it expires and allow authentication that would otherwise be blocked by loopback identity protections. Event Viewer helps you monitor this temporary workaround. If you set this temporary registry value and restart the system, the next authentication attempt will be allowed. An LsaSrv warning event 6168 will be logged in the System event log on the target machine:
UAC bypass via Kerberos vulnerability is explicitly allowed. A Kerberos loopback ticket can be manipulated to gain admin privileges. This is a security risk.
The only way to stop seeing this event is to migrate your environment to a supported state. Once done, please delete the registry key or set it to 0.
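The two LsaSrv events described above (6167 when authentication is blocked, 6168 while the temporary rollback is active) can be inventoried across authentication targets with a short query. This is an added example, not Microsoft's own tooling; the function name, the look-back window and the sample server names are assumptions, and only the event IDs and the System log come from the article.

```powershell
# Added example: count LsaSrv events 6167 and 6168 on authentication targets.
# Event IDs and log name are from the article; everything else is an assumption.
function Get-LoopbackHardeningEvent {
    [CmdletBinding()]
    param(
        # Machines that *receive* authentication (file servers, RDP hosts):
        # the article states the events are logged on the target machine.
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [int]$Days = 14
    )

    $filter = @{
        LogName   = 'System'
        Id        = 6167, 6168
        StartTime = (Get-Date).AddDays(-$Days)
    }

    foreach ($computer in $ComputerName) {
        try {
            # Filter on the provider afterwards so unrelated events that
            # happen to reuse these IDs are not counted.
            $events = @(Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction Stop |
                Where-Object { $_.ProviderName -match 'LsaSrv' })
        }
        catch {
            # Get-WinEvent reports "no matching events" as an error; that is a clean result.
            if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
                $events = @()
            }
            else {
                Write-Warning "$computer : $($_.Exception.Message)"
                continue
            }
        }

        $blocked  = @($events | Where-Object { $_.Id -eq 6167 }).Count
        $rollback = @($events | Where-Object { $_.Id -eq 6168 }).Count

        $state = if ($rollback -gt 0) {
            'Temporary rollback active: rebuild clones, then remove the registry value'
        }
        elseif ($blocked -gt 0) {
            'Authentication blocked: look for clones deployed without Sysprep'
        }
        else {
            'No hardening events in window'
        }

        [pscustomobject]@{
            ComputerName = $computer
            Blocked6167  = $blocked
            Rollback6168 = $rollback
            LastSeen     = ($events | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated
            State        = $state
        }
    }
}

# Hypothetical server names, for illustration only:
# Get-LoopbackHardeningEvent -ComputerName 'FS01', 'RDS01' -Days 30 | Format-Table -AutoSize
```

A machine that still reports 6168 is running with the loopback protection relaxed, so it belongs on the rebuild list even though authentication succeeds there.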
Timeline to remove the clones in your environment
The rollback is temporary and will remain available until the end of 2027. We hope this timeframe provides your organization with sufficient opportunity to migrate your environment to a supported state by following established deployment methods for cloning.
For additional information, check out the following resources:
- KB5070568: Kerberos and NTLM authentication failures due to duplicate SIDs
- KB5068222: Strengthening administrator protection and Kerberos authentication
- The Microsoft policy for disk duplication of Windows installations
- Sysprep
- Administrator Protection
- Windows 11: August 29, 2025—KB5064081 (OS Build 26100.5074) Preview
- Windows Server 2025: September 9, 2025—KB5065426 (OS Build 26100.6584)
- Apr 6, 2026
- Date parsed from source:Apr 6, 2026
- First seen by Releasebot:Apr 6, 2026
How hotpatch updates help keep Windows secure by design
Windows expands hotpatch updates in Windows 11, with Windows Autopatch set to enable them by default for eligible devices in May 2026. The change aims to strengthen security by design, reduce restarts and downtime, and improve patch compliance with existing update controls intact.
Windows hotpatch updates allow you to adopt a secure-by-design and secure-by-default approach to keeping Windows 11 protected and productive. The security architecture advantage behind hotpatch updates helps you support continuous protection, accelerate patch compliance, and reduce operational disruption. And since hotpatch updates will be enabled by default across Windows Autopatch for eligible devices in May 2026, you might wonder how this makes your environment even more secure by default.
How hotpatch updates reflect Windows security by design
In Microsoft's overarching security-by-design philosophy, security comes first when designing any product or service. Hotpatch updates embody this philosophy.
These are the same security fixes that are part of monthly security updates (also known as “B” releases). The distinction is that they get installed without requiring a restart. Hotpatch updates help you:
- Reduce downtime for frontline devices, VDI sessions, IT-managed shared PCs, and high uptime systems.
- Shrink your vulnerability window (i.e., the time between patch availability and full deployment).
- Improve update compliance rates automatically.
Note: Hotpatch updates only apply to devices that meet the prerequisites and receive updates managed by Windows Autopatch. Otherwise, no action is needed. Ineligible devices continue to patch the same way they do today.
How hotpatch update prerequisites strengthen your security baseline
Hotpatch update readiness is built on Windows security capabilities that help ensure that devices are in a trusted state before updates are applied.
The key prerequisite is virtualization-based security (VBS) - a foundational Windows 11 security feature and the core requirement for hotpatch updates at scale. VBS (also known as core isolation) uses hardware virtualization to run a secure kernel alongside the OS in a hypervisor-isolated environment. This separation means that, even if the main OS is compromised, the secure kernel remains protected. For hotpatch updates, VBS provides the trusted environment needed to safely update running kernel code.
Hotpatch updates also require modern Windows 11 hardware that supports VBS. Protections like silicon-rooted security and firmware integrity further strengthen the trusted foundation, in which VBS operates. This way, hotpatch updates apply to devices with an already robust security baseline. In other words, devices that receive hotpatch updates are already trusted and well-protected - reducing risk and strengthening your security posture.
Operational governance through existing update frameworks.
Hotpatch updates are delivered using the same Windows Update and Windows Autopatch mechanisms you already manage today. Clean integration of hotpatch updates into existing update rings and policies helps ensure consistent rollout, predictable compliance, and centralized, cloud‑managed enforcement - without introducing a new update model to govern. This means you get the benefits of hotpatch updates with no disruption to your current update processes or compliance reporting.
How hotpatch updates fit into Windows chip-to-cloud security model
Security by design spans from chip to cloud. Hotpatch technology reflects this broader architectural framework in its prerequisites and functionality, designed to keep devices secure end-to-end. Let's take a look at the hardware (chip) layer, the operating system (OS) layer, and the cloud and identity layer of the same chip-to-cloud trust chain you already manage.
Hardware/chip layer.
Hotpatch updates are supported only on modern, secure silicon configurations (including Arm64), helping ensure that updates apply on hardware with:
- TPM 2.0
- UEFI Secure Boot
- Measured and trusted boot pathways
This way, the OS environment being patched is already hardware-rooted and trusted.
OS layer.
Hotpatch update readiness guidance links directly to VBS, which is core to Windows 11 OS-level protections. These OS-level safeguards help you:
- Protect sensitive processes from tampering.
- Enforce strong code integrity.
- Create a trusted foundation for in-memory patching.
Hotpatch updates use this secure architecture, updating protected code paths while keeping the OS running.
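To see which of the hardware-layer and OS-layer prerequisites named above a given device is missing, the three states can be read locally from an elevated PowerShell session. This is an added example, not part of the original article; the function name is hypothetical, and it checks only TPM 2.0, UEFI Secure Boot and running VBS, not Windows Autopatch enrollment or any other eligibility condition.

```powershell
# Added example: report which of the article's three prerequisites a device lacks.
# Run elevated; Confirm-SecureBootUEFI and the Win32_Tpm class require it.
function Test-HotpatchSecurityBaseline {
    [CmdletBinding()]
    param()

    # Device Guard WMI class: VirtualizationBasedSecurityStatus is
    # 0 = not enabled, 1 = enabled but not running, 2 = enabled and running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $vbsRunning = ($null -ne $dg) -and ($dg.VirtualizationBasedSecurityStatus -eq 2)

    # Confirm-SecureBootUEFI throws on legacy BIOS systems, so an
    # exception is treated the same as "Secure Boot not enabled".
    try {
        $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
    }
    catch {
        $secureBoot = $false
    }

    # SpecVersion is a comma-separated string whose first field is the
    # TPM specification family, for example "2.0".
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
        -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpm20 = ($null -ne $tpm) -and
        ((($tpm.SpecVersion -split ',')[0]).Trim() -eq '2.0')

    $checks = [ordered]@{
        'TPM 2.0'          = $tpm20
        'UEFI Secure Boot' = $secureBoot
        'VBS running'      = $vbsRunning
    }
    $missing = @($checks.GetEnumerator() |
        Where-Object { -not $_.Value } |
        ForEach-Object { $_.Key })

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Tpm20        = $tpm20
        SecureBoot   = $secureBoot
        VbsRunning   = $vbsRunning
        Missing      = $missing -join ', '
    }
}

Test-HotpatchSecurityBaseline
```

A VBS status of 1 (enabled but not running) counts as missing here, because the article's requirement is a running hypervisor-isolated secure kernel rather than a configured policy.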
Cloud/identity layer.
Hotpatch updates use the same trusted channels as Windows Update. They're managed through:
- Windows Update client policies (formerly Windows Update for Business)
- Windows Autopatch quality update rings
- Microsoft Entra ID (formerly Azure AD)-based device identity
This helps ensure that your patches come from a secure, authenticated cloud source and adhere to your compliance and deployment policies.
Hotpatch updates use the full chip-to-cloud trust chain, so every update is delivered and applied with end-to-end security.
How hotpatch updates reflect Windows security by default
The Microsoft Secure Future Initiative defines security as protections that are enforced by default and require no extra effort. The Windows 11 security posture, rooted in stronger defaults and continuous innovation, reinforces the security-by-design principles.
Hotpatch updates have always been designed with security at the core, and until now have been an opt-in feature. With the May 2026 security update, Windows Autopatch will enable hotpatch updates by default at the tenant level to help organizations get secure quicker. This change in default behavior is designed to reduce patch friction while keeping your existing update governance intact. Importantly, it doesn't override the controls you already use and comes with new controls to opt out until you're ready.
- The default tenant setting is only applied to devices that aren't members of a quality update policy.
- Windows Autopatch continues to respect the preferences you've set for deferrals and update ring settings.
- Starting April 1, 2026, you can also opt out of this new default behavior at the tenant or device group level. Learn more at Securing devices faster with hotpatch updates on by default.
With hotpatch updates enabled by default, you're secured with Windows security updates during each hotpatch release month, with no additional steps. In addition, critical security out-of-band (OOB) updates can also be delivered as hotpatch updates. This automatically secures you against the threats addressed by the OOB update, and your organization is protected faster, with less effort and fewer manual steps.
Alignment with security best practices
Enrolling in hotpatch updates automatically aligns your devices with Microsoft security best practices. Enroll devices in Windows Autopatch before May, if you haven't yet, and you'll start getting these updates enabled by default! These latest innovations in monthly servicing help keep your environment on a higher-trust, chip-to-cloud–aligned security baseline.
Embrace security by default with hotpatch updates that reduce user downtime and restart-driven tickets, improve update compliance, and shorten vulnerability exposure.
- The latest in Windows 11 security
- Hotpatch for client: Frequently asked questions
- Hotpatch readiness: Enable VBS at scale
- Hotpatch efficiency unlocked: Smaller update size
- Best practices for securing Microsoft Intune
- Windows 11 security book
Securing the present, innovating for the future
Security is a shared responsibility. Through collaboration across hardware and software ecosystems, we can build more resilient systems secure by design, by default and during runtime, from Windows to the cloud, enabling trust at every layer of the digital experience.
Learn how to stay secure with Windows. Check out the updated Windows 11 Security Book and Windows Server Security Book, more about Windows 11, Windows Server, Windows hotpatch updates and Copilot+ PCs. To learn more about Microsoft Security Solutions, visit our website.
Bookmark the Microsoft Security Blog to keep up with our expert coverage on security matters. You can also follow Microsoft Security on LinkedIn and @MSFTSecurity on X for the latest news and updates on cybersecurity.
Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.
Original source
Curated by the Releasebot team
Releasebot is an aggregator of official product update announcements from hundreds of software vendors and thousands of sources.
Our editorial process involves the manual review and audit of release notes procured with the help of automated systems.