Windows 11 KB5079473 Patch: Sysmon In Box, RSAT Arm64, QMR and More

Windows 11’s March cumulative update (KB5079473), released on March 10, 2026, is one of the more consequential Patch Tuesday drops in recent memory — not because it dramatically reshapes the OS, but because Microsoft folded a string of measurable quality-of-life improvements and enterprise-grade capabilities into a single, widely distributed security rollup. This update brings Sysmon as an in‑box capability, expands Quick Machine Recovery to more Pro devices, adds a taskbar‑accessible network speed test, enables WebP wallpapers, extends RSAT support to Arm64, and ships with the usual tranche of security fixes (dozens of CVEs, including a couple of publicly disclosed issues). For IT teams and power users, KB5079473 is equal parts welcome feature drop and a reminder that monthly cumulative updates now carry both feature and security consequences — and that means testing matters more than ever.

Background / Overview​

Microsoft released KB5079473 on March 10, 2026, advancing Windows 11 to OS Build 26200.8037 for 25H2 and 26100.8037 for 24H2. This cumulative update is distributed via Windows Update and Microsoft Update Catalog, and it includes the combined servicing stack update (SSU) and the latest LCU (latest cumulative update). Administrators can install the MSU packages offline or use DISM/WUSA as per normal offline update workflows. The package also includes updates to AI components that are applicable only to Windows Copilot+ devices.
Why this matters: unlike the old model where feature work primarily shipped in distinct feature updates, Microsoft has continued blending non‑security improvements into monthly cumulative releases. KB5079473 is a clear example — it contains both urgent security remediation and useful platform improvements that will change the day‑to‑day experience for many users and admins.

---

What’s new — the headline features explained​

Sysmon is now in‑box: what changed and why it matters​

• What it is: Sysmon (System Monitor) is a long‑standing Sysinternals tool used by defenders to capture detailed system events — process creations, network connections, process image loads, and other telemetry useful for threat detection and investigation.
• What KB5079473 delivers: Microsoft has added Sysmon functionality as a native, optional OS capability. The OS can now capture and write the Sysmon‑style events directly into the Windows Event Log, allowing third‑party EDR tools, security analysts, and administrators to consume richer telemetry without needing to deploy the Sysinternals binary separately.
• Why this matters: Bringing Sysmon in‑box reduces deployment friction for defenders and simplifies compliance with telemetry collection policies. Organizations can standardize on native event streams, reduce agent complexity, and rely on event continuity during initial provisioning or recovery scenarios.
• How to use it: Sysmon in‑box exposes configurable event collection and supports custom configuration files to tune which event types are recorded. That means false‑positive noise can be reduced by crafting appropriate filtering rules. Administrators should treat the new capability as an optional, deployable feature and include it in their security baselines and onboarding documentation.

Quick Machine Recovery (QMR) reaches more Pro devices​

• What QMR does: Quick Machine Recovery provides a lightweight, automated recovery pathway when Windows encounters serious boot or startup problems. The feature aims to repair startup failures without resorting to full image restores or manual intervention.
• What changed with KB5079473: QMR now turns on automatically for many Windows 11 Pro devices that are not domain‑joined and not enrolled in enterprise endpoint management. Until now, QMR had been enabled by default on Home editions and selectively available elsewhere.
• Practical impact: For small business and consumer Pro devices, this increases the chances a device can recover from startup issues without IT support. For enterprises that manage machines via group policy, QMR remains disabled unless explicitly enabled by the organization.
• Considerations: While QMR reduces recovery effort for many scenarios, organizations should test the feature in their environment. Automated recovery routines can interact unexpectedly with custom boot configurations, BitLocker recovery states, and enterprise provisioning scripts. Include QMR in your imaging/test plans and document any policy overrides you require.

Taskbar network speed test — convenient, but limited​

• How it works: KB5079473 adds a network speed test shortcut accessible from the system tray (right‑click the network icon) or the Wi‑Fi/Cellular quick settings pages. Selecting the test opens your default browser and runs a web‑based speed test that measures download/upload throughput for Ethernet, Wi‑Fi, and cellular links.
• Important nuance: The taskbar‑triggered test launches a web service (Bing/partner‑hosted) rather than running a native kernel‑level throughput diagnostic. That makes the feature convenient, but it also means the measurement is affected by browser behavior and the remote test endpoint — it’s a troubleshooting convenience, not an authoritative link‑layer benchmark.
• When to use it: Quick checks for consumer‑facing performance or when onboarding non‑technical users. For precise diagnostics or benchmarking across drivers, hardware, or VPNs, continue to rely on dedicated network test tools and synthetic traffic generators.

WebP wallpapers, Extract all improvements, and more user‑facing tweaks​

• WebP as background: You can now set .webp images as desktop backgrounds directly from Settings > Personalization or via File Explorer’s context menu. WebP support reduces friction for users who have web‑optimized images.
• File Explorer improvements: The update restores reliability when opening new File Explorer windows via Shift+click or middle‑click and introduces an Extract all command for non‑ZIP archive folders in the Explorer command bar.
• Camera controls and Widgets: New pan/tilt settings for supported cameras and a redesigned Widgets settings page (now full‑page) improve the configuration experience for modern peripherals and the widgets surface.
• Search & Taskbar tweaks: Search on the taskbar gains group headers with result counts and hover previews, while an update to the Search process icon improves Task Manager visibility.

RSAT on Arm64​

• What changed: Remote Server Administration Tools (RSAT) — the set of administration tools like ADUC, Group Policy Management, DNS, DHCP, and Server Manager — are now available as optional features on Windows 11 Arm64 devices.
• Why this matters: As Arm‑based PCs gain traction among developers and mobile professionals, the lack of RSAT tooling on ARM was a management gap. This change lets admins use a single ARM laptop for day‑to‑day server administration tasks without requiring an x64 emulation or separate management station.

---

Security content: what the update patches and why you should care​

KB5079473 is a cumulative package that includes March 2026 security fixes across Microsoft products. Security reporting aggregated around this Patch Tuesday indicates that Microsoft’s release addresses on the order of 80+ CVEs (security advisories across Windows, Office, SQL Server, Azure, and related components), including a small number of publicly disclosed zero‑day vulnerabilities. That means two things:

• The update is important to install promptly on internet‑facing or high‑risk systems.
• The sheer scale of fixes elevates the risk surface for regressions in complex, driver‑dependent environments.

From an operational standpoint, treat this month’s patching cycle like any other high‑priority deployment: evaluate critical hosts first, test on representative hardware and drivers, and apply a staged rollout using update rings or WSUS.

---

Deployment guidance and precise installation notes​

If you manage devices at scale, KB5079473 can be deployed via Windows Update, WSUS, or Microsoft Update Catalog. Microsoft’s published instructions include DISM and Add‑WindowsPackage examples for offline installations. For clarity, the typical offline install steps look like this:

• Download the relevant MSU package(s) for your architecture (x64 or arm64) from the Microsoft Update Catalog.
• Place the MSU files in a single folder (for example, C:\Packages).
• From an elevated Command Prompt or PowerShell, run:
• DISM /Online /Add‑Package /PackagePath:C:\Packages\Windows11.0‑KB5079473‑x64.msu
• Or use Add‑WindowsPackage in PowerShell for offline images.

If you use WSUS, the update will sync automatically when Products and Classifications are configured appropriately. The KB also includes a servicing stack update (SSU) and notes about removing the LCU — follow Microsoft’s guidance if you plan to roll back in test environments.

---

Early reports, known issues, and risk signals​

Officially, the KB5079473 release notes list no known issues at time of publication. That said, real‑world telemetry and forum chatter have surfaced anecdotal reports of install errors, driver breakages, and intermittent Wi‑Fi failures on specific hardware. Highlights from early feedback:

• Some users have reported installation errors (0x8007xxxx family) when attempting to apply the cumulative update. These are the kind of errors that often resolve with servicing stack updates, manual MSU install ordering, or cleanup of pending operations.
• A subset of Surface and older devices using legacy Wi‑Fi chipsets have reported connectivity regressions after the update. In several reported cases, users remedied connectivity by rolling back to vendor drivers or manually installing a matching driver package prior to the OS update.
• A few threads mention black screens or boot hangs, though these are infrequent and typically resolved by booting to WinRE and applying a system restore or rollback.

Important context: the majority of these accounts are anecdotal and originate from user forums and social media. Microsoft’s KB page for KB5079473 initially reported no known issues, and many organizations — after limited testing — have rolled the update successfully. However, the presence of driver‑related regressions is an enduring reality whenever OS updates touch driver stacks, network components, or firmware interactions.
Recommended precautions

• For enterprise: Stage the rollout through test groups and Update Rings. Validate vendors’ driver compatibility, especially NIC and storage drivers.
• For consumer/prosumer: Back up critical data before applying the update; create a system image if you rely on custom drivers that vendors no longer maintain.
• If you experience post‑update network loss: check hardware vendor driver updates first; if necessary, boot to safe mode/WinRE and roll back the update or reinstall a working driver.

---

Critical analysis — strengths, tradeoffs, and what to watch​

Strengths​

• Meaningful security and operational improvements together. Microsoft patched dozens of CVEs while delivering tangible QoL features that users will notice right away: WebP wallpapers, reliable File Explorer behaviors, camera pan/tilt settings, and a quick network check from the taskbar.
• Enterprise telemetry and tooling gains. Sysmon in‑box and RSAT on Arm64 are important for defenders and administrators. Native Sysmon support simplifies event collection pipelines and reduces reliance on ad‑hoc artifact deployment.
• Recovery improvements aimed at end users. Extending QMR to Pro devices outside enterprise control will reduce helpdesk calls for boot‑related failures and speed up device recovery for small businesses and individual professionals.

Tradeoffs and risks​

• Feature creep in monthly updates increases testing burden. Including non‑security features in cumulative monthly updates means IT teams must adjust their validation windows. The old “security update only” assumption no longer holds, which raises the operational risk for environments that require tight change control.
• Potential for driver/firmware regressions is real. Reports of Wi‑Fi and other driver issues — though not widespread — underscore that even well‑tested updates can interact unpredictably with legacy or out‑of‑date drivers. Organizations should ensure third‑party vendor drivers are validated for the new build.
• Controlled Feature Rollouts (CFR) complicate visibility. Some items in the update are subject to CFR, meaning you might install KB5079473 and not immediately see features like the Widgets redesign or certain Search improvements. That’s sensible for a staged rollout, but it can confuse users and admins who expect immediate parity after installing a cumulative update.
• Assumptions about “in‑box” tools. While bringing Sysmon in‑box is a win for defenders, organizations must formally evaluate its policy, storage, and log retention impacts. Out‑of‑the‑box logging increases event volume; without proper filtering and SIEM configuration, it can inflate storage costs and signal noise.

Strategic takeaways for IT leaders​

• Update policies must incorporate functional testing, not just security scanning. Add a short functional pass that exercises Network, File Explorer, boot flows, and any vendor software reliant on kernel‑mode drivers.
• Incorporate Sysmon in‑box into baseline hardening documentation where helpful, but configure filters before broad rollout. Unfiltered Sysmon can overwhelm log collection pipelines.
• Treat QMR like a configurable service: ensure it’s either enabled or explicitly controlled depending on your organization’s recovery and imaging strategy.

---

Practical checklist: how to prepare and what to do​

• Inventory at‑risk systems
• Identify devices with legacy NICs, non‑vendor‑maintained drivers, or custom boot configurations.
• Create a prioritized list for testing: domain controllers, file servers, security appliances (EDR), and high‑availability endpoints first.
• Test plan (minimum viable)
• Apply KB5079473 to a small test ring that mimics production hardware and software.
• Validate: boot, network connectivity, file shares, BitLocker unlock, VPN, and EDR functionality.
• Confirm no regressions for automated provisioning scripts and imaging tools.
• Backups and rollback readiness
• Ensure offline images or system restore points are available before mass deployment.
• Document rollback steps using MSU uninstall or system restore procedures. Note: removing an SSU is not trivial — always follow vendor guidance.
• Driver and firmware coordination
• Check with hardware vendors for NIC and storage driver compatibility.
• Where possible, update vendor drivers prior to applying the OS cumulative update.
• Deployment
• Use staged rings via Windows Update for Business, WSUS, or your patch management tool.
• Monitor telemetry and helpdesk tickets closely in the first 72 hours after deployment.
• Post‑deployment tuning
• If you enable Sysmon, roll out a configuration that filters noisy event types initially.
• Document QMR behavior and how it interacts with your recovery SOPs.

---

The bigger picture: why Microsoft is bundling these capabilities now​

There are a few broader trends this update highlights:

• Microsoft continues to push security and operations tooling into the platform itself (Sysmon, QMR), shrinking the deployment gap and making baseline defense more accessible.
• Arm64 support progression indicates a steady commitment to Arm devices as first‑class Windows endpoints, which is important for organizations planning hardware refreshes.
• The blending of features into cumulative updates reflects a “continuous improvement” posture but forces a cultural change for IT teams who must adopt more agile testing and deployment practices.

These moves make Windows 11 more resilient and featureful for a broad set of users, but they also recalibrate expectations around patching windows and validation cycles.

---

Final verdict and recommendations​

KB5079473 is a high‑value cumulative update: it patches a large set of security issues while delivering several immediately useful features for both consumers and enterprise admins. The inclusion of Sysmon in‑box and RSAT on Arm64 are particularly notable for security and systems teams, and the quality‑of‑life improvements will be appreciated by everyday users.
My recommendations:

• For large organizations: test thoroughly in a controlled ring, validate drivers and EDR integrations, and stage the rollout over weeks rather than days.
• For small businesses and home users: apply the update after a short delay (24–72 hours) to allow early driver‑specific regressions to surface; maintain a recent backup or system image before updating.
• For security teams: plan to evaluate and, where appropriate, adopt the in‑box Sysmon capability with tuned configuration files. Use the opportunity to refine your logging and retention policies to avoid log overload.
• For anyone using older Wi‑Fi chipsets or vendor drivers that are no longer actively updated: validate connectivity pre‑ and post‑update and keep a vendor driver handy for rollback if needed.

KB5079473 is emblematic of how Windows updates now carry dual responsibilities — to harden the platform and to evolve it functionally. That’s a net positive for the ecosystem, provided IT organizations and end users respect the updated risk and testing calculus that comes with a monthly cumulative model.

---

Source: PCWorld Windows 11 just got a bunch of new features with March's update