Windows 11 March 2026 Patch Tuesday: Secure Boot transition and Sysmon in box feature

  • Thread Author
Microsoft’s March 2026 Patch Tuesday for Windows 11 is more than a routine security roll‑in — KB5079473 (Builds 26200.8037 and 26100.8037) bundles practical quality-of-life features, enterprise-facing telemetry and certificate work, and several reliability fixes that together signal Microsoft’s intent to tighten platform resilience while rolling out measured functional upgrades.

Background / Overview​

Microsoft released the March 10, 2026 cumulative update for Windows 11 (KB5079473), delivering OS builds 26200.8037 for 25H2 and 26100.8037 for 24H2. This release follows Microsoft’s two‑phase rollout model: security fixes and servicing updates are delivered broadly, while new user‑visible features are distributed via a Controlled Feature Rollout (CFR). The package includes a servicing stack update, AI component refreshes, and a curated set of new or expanded features that IT teams and power users will notice over the coming weeks.
Two agenda items dominate the enterprise conversation: (1) the Secure Boot certificate transition that begins impacting devices in June 2026, and (2) the continued front‑loading of enterprise-grade tools into the OS — notably, Sysmon as an optional, in‑box feature. Beyond those larger themes, the update surfaces several user-facing tweaks — Emoji 16 glyphs in the emoji panel, a taskbar internet speed test shortcut (which launches a Bing/Speedtest experience), WebP wallpaper support, RSAT availability on Arm64, and improved recovery behavior for problematic updates.

What’s new, at a glance​

  • Patch identifier: KB5079473 — Windows 11 builds 26200.8037 (25H2) and 26100.8037 (24H2).
  • Release date: March 10, 2026.
  • Servicing stack update included: KB5083532 (March cumulative pairing).
  • AI component refresh: Image Search, Content Extraction, Semantic Analysis, Settings Model — version 1.2602.1451.0.
  • Rollout model: Security fixes delivered broadly; feature delivery via Controlled Feature Rollout (CFR).
Major user and admin‑facing additions in this update include:
  • Built‑in (optional) Sysmon for deep endpoint monitoring.
  • Emoji 16.0 glyphs exposed in the emoji panel for the first time in stable channel builds.
  • Taskbar network speed test shortcut that launches Bing’s Speedtest experience.
  • Quick Machine Recovery (QMR) enabled automatically in more scenarios (notably on many Pro devices that are not enterprise‑managed).
  • Windows Backup first‑sign‑in restore expanded to Microsoft Entra scenarios and Cloud PCs.
  • WebP supported as a desktop background file type.
  • RSAT support for Windows 11 Arm64 devices.
  • Camera pan and tilt controls exposed in Settings for supported webcams.
  • Multiple reliability and UX improvements across File Explorer, Printing (spooler), Nearby Sharing, resume/wakeup behavior, and Settings responsiveness.

The important security and servicing context​

Secure Boot certificates: the 2026 transition you can’t ignore​

One of this update’s most consequential items is the infrastructure work that prepares devices for the upcoming Secure Boot certificate transition. Microsoft and ecosystem partners are replacing the set of Microsoft UEFI/Secure Boot certificates that were issued in 2011 with 2023‑era certificates. The transition matters because:
  • The 2011 Microsoft certificates begin expiring in June 2026, with additional expirations through October 2026.
  • Devices that do not receive the new 2023 certificates will continue to boot for now, but will lose the ability to receive new boot‑time protections or updates to the Secure Boot DB/DBX after the old certificates expire.
  • Microsoft’s March servicing work expands the targeting signals used for device eligibility and installs the certificate‑update infrastructure as a controlled rollout. This is intended to reduce risk of mass boot failures by ensuring devices have demonstrated successful update signals before the KEK/DB updates are applied.
What IT teams should do now:
  • Audit fleet Secure Boot status and firmware level. Use the Device Security pane in Windows Security or scripted checks to confirm Secure Boot is enabled where expected.
  • Identify devices that are offline, in storage, or otherwise unlikely to receive updates before June 2026 and plan remediation — firmware updates or manual certificate enrollment may be required.
  • Prepare BitLocker recovery keys and ensure recovery key escrow is current; certificate updates and firmware rollouts can surface recovery prompts in some scenarios.
  • Test the Secure Boot certificate deployment path in a lab — validate the scheduled task that applies the updates and review the relevant event logs (Microsoft documents several Secure Boot update events that help troubleshooting).
  • Keep OEM firmware update channels on your radar; some firmware versions or implementations require updates from the vendor to accept the new keys.
Bottom line: the Secure Boot certificate transition has a fixed window (beginning June 2026) and is a genuine operational risk if unaddressed. Treat it as a priority for patch planning, validation, and stakeholder coordination.

Sysmon becomes an in‑box optional feature — why it matters​

For years Sysmon (System Monitor) was distributed via the Sysinternals toolkit; administrators and security teams downloaded, installed, and configured it manually. With this March update Microsoft has folded Sysmon into Windows as an optional, disabled‑by‑default in‑box feature. That change is significant for a few reasons:
  • It eliminates distribution friction: Sysmon can now be provisioned via Settings > System > Optional features > More Windows features, or via DISM/PowerShell automation.
  • It formalizes support: Microsoft documentation details the enable/configure workflow and explicitly notes that the in‑box Sysmon does not co‑exist with a previously installed standalone Sysmon; admins are advised to uninstall prior standalone copies before enabling the built‑in feature.
  • It keeps the existing Sysmon model: the tool is still disabled by default and requires configuration via the usual sysmon -i and XML configuration file workflow — nothing magical changes in how you tune event capture.
Quick enable checklist (for administrators):
  • Remove any previously installed Sysmon (if present).
  • Run (admin) PowerShell to enable the feature:
  • Enable-WindowsOptionalFeature -Online -FeatureName Sysmon
  • Install with a configuration (recommended):
  • sysmon -i C:\Sysmon\sysmonconfig.xml
Why this is a pragmatic win: centralized provisioning through Group Policy, Intune, or scripted DISM simplifies fleet onboarding for endpoint detection and response (EDR) telemetry and forensic capture, especially where organizations already standardize on Windows Update and Microsoft management tooling.

Emoji 16 arrives in the emoji panel — the small UX wins​

After months of staged Insider testing, a carefully curated subset of Emoji 16.0 glyphs is now available from the Windows emoji panel on updated systems. The rollout is conservative — Microsoft has picked one or a few representative glyphs from major categories to reduce visual or compatibility churn, and the Controlled Feature Rollout means not all devices will see them immediately.
What to expect:
  • New glyphs such as Fingerprint, Shovel, Leafless Tree, Root Vegetable, and Face with Bags Under Eyes appear in the panel on qualifying machines.
  • Geographic flag emoji support remains limited (Microsoft historically limits certain flag glyphs), so don’t assume full Unicode flag coverage.
This is a low‑risk, high‑pleasantness change for regular users; the important operational note is simply to remember that CFR → not everyone sees the same panel at once.

Taskbar speed test: convenience or promotional shortcut?​

Windows 11’s network flyout now exposes a “Perform speed test” shortcut. It’s convenient — right‑click the network icon or open the quick settings and you’ll find the action — but it behaves differently than many users expect:
  • The speed test opens your default browser and launches the Bing‑hosted speed test, which embeds a widely used backend (Speedtest by Ookla) rather than running a native measurement inside the OS.
  • In other words, the taskbar feature is a launcher to a web‑based tool, not a standalone, kernel‑level network diagnostic.
Why this distinction matters:
  • The web experience works fine for one‑off throughput checks, but it’s not a replacement for native, persistent monitoring tools (which provide continuous telemetry, historical baselines, or integration with enterprise monitoring).
  • Network troubleshooting in managed environments often needs WAN/edge diagnostics that are better served by dedicated tools or CLI utilities.
If you prefer a native app, the Microsoft Store hosts Speedtest by Ookla and other monitoring clients; the taskbar shortcut is handy but not a substitute for a measurement strategy in an enterprise environment.

Quick Machine Recovery (QMR): broader enablement and what to know​

Quick Machine Recovery — Microsoft’s cloud‑assisted remediation mechanism that can apply fixes when a PC fails to boot — has been part of the platform since the 24H2 feature set, with home systems benefiting from default enablement. The March update expands QMR’s automatic activation to additional scenarios:
  • QMR is now being turned on automatically for many Windows 11 Pro devices that are not domain‑joined and are not managed by enterprise endpoint protection tools. Domain‑joined and enterprise‑managed devices remain opt‑in per organizational policy, preserving admin control.
  • QMR is a best‑effort feature: it may upload diagnostic traces, request remediation content from Microsoft Update, and apply targeted fixes when those fixes are available.
How to check and configure QMR:
  • Settings > System > Recovery > Quick machine recovery — check the toggle and review the Automatically check for solutions and Auto‑remediation options.
  • From an elevated prompt, reagentc.exe can export current recovery settings for scriptable verification.
  • For managed fleets, Intune provides policy controls to enable/disable cloud remediation and to tune auto‑remediation behavior.
Operational caution: QMR communicates diagnostic data to Microsoft when active; privacy and data governance teams should be aware and document consent/telemetry policies for devices under their control.

Enterprise‑oriented items: Windows Backup, RSAT on Arm64, Camera controls​

  • Windows Backup restore expands to organizations: The first‑sign‑in restore experience can now be leveraged for Microsoft Entra hybrid‑joined devices, Cloud PCs, and multi‑user environments when the capability is enabled. This streamlines device refresh and onboarding for managed accounts (settings and Microsoft Store app restore where applicable).
  • RSAT on Arm64: Remote Server Administration Tools (RSAT) are now supported on Windows 11 Arm64 devices. Admins working with Arm‑powered laptops or Field devices can now install Active Directory, DNS, DHCP, Group Policy, and other tools directly on Arm64 clients without falling back to x86 emulation or jumpboxes.
  • Camera pan and tilt: Windows Settings exposes basic pan/tilt controls for compatible webcams under Settings > Bluetooth & devices > Cameras, reducing reliance on third‑party vendor utilities for simple adjustments.
These items continue Microsoft’s long arc of converging enterprise tooling into the OS footprint and widening Arm compatibility for administrative tasks.

File Explorer, printing, storage, and other quality work​

This cumulative delivers multiple smaller but practical fixes that improve day‑to‑day reliability:
  • File Explorer: improved reliability when opening new windows (Shift‑click or middle‑click behaviors fixed), a new Extract all option for non‑ZIP archive folders in the command bar, and better device detection in the Network tab.
  • Printing: spooler (spoolsv.exe) performance improvements aimed at reducing slowdowns during heavy printing workloads.
  • Storage settings: redesigned dialogs, faster temporary file scanning, and UI consistency refinements across Settings, Taskbar auto‑hide, and credential fields in Windows Security dialogs.
  • Resume from sleep: fixes that reduce time to full resume on heavy‑load scenarios.
For admins and power users, these quality improvements matter because they reduce friction in remote support sessions, imaging, and end‑user productivity.

AI component refresh​

Microsoft updated several internal AI components used by Windows features (Image Search, Content Extraction, Semantic Analysis, Settings Model) — all to version 1.2602.1451.0 in the March bundle. These components power features such as contextual search, recommendations, and other assistant‑style experiences. Microsoft does not publish granular changelogs for these internal models; treat them as maintenance and quality updates rather than new capability promises.

Servicing stack and deployment notes​

The March rollup includes a servicing stack update (SSU) as part of the combined package so that Windows Update machinery itself is up to date. The March KB lists KB5083532 as the servicing stack included with the cumulative rollout. Note: preview packages in February referenced other SSU KBs during testing, so administrators should verify the precise SSU and LCU pairing before doing offline integration with imaging workflows or WSUS distribution.
For enterprise deployment:
  • Test the combined SSU + LCU in a staging ring before broad rollout.
  • When using offline installation (MSU files and DISM), follow Microsoft’s prescribed ordering of MSUs to avoid update ordering problems.
  • Validate that dynamic update components are the expected month’s release if you update installation media.

Known issues and risk surface​

As of the March 10, 2026 release notes, Microsoft reports no known issues with KB5079473. That is encouraging but not a guarantee; staged CFR and enterprise telemetry can reveal regressions later. Practical risk areas to keep an eye on:
  • Secure Boot certificate updates — corner cases on some hypervisors, older firmware, or devices with unusual UEFI implementations may block KEK or DB updates. Event IDs in the System log (e.g., 1795, 1796, 1801, 1808) and scheduled task status provide the primary troubleshooting signals.
  • BitLocker recovery interaction — when firmware or Secure Boot keys are updated, some machines may prompt for recovery keys. Ensure recovery keys are escrowed to avoid productivity loss.
  • Built‑in Sysmon vs. pre‑existing Sysmon installations — the built‑in feature will not co‑exist with an existing standalone Sysmon; admins must remove the previous installation first to avoid conflicts.
  • Taskbar speed test expectations — users might assume the feature is a native diagnostic rather than a browser‑based shortcut; this can cause support questions when toolbox behavior differs from a fully native tool.
Flagging unverifiable or variable items: independent outlets reported varying counts of CVEs addressed in the March rollup (different vendor tallies appear in the press). Microsoft’s Security Update Guide is the authoritative listing for CVEs and exact counts; use that resource for compliance reporting.

Practical checklists: what to run right now​

For system administrators and power users, here are immediate, actionable checks and steps.

Verify applied OS build and update presence​

  • Settings > Windows Update > Check for updates — allow KB5079473 to install if offered.
  • Confirm build in Settings > System > About or run (admin) in PowerShell:
  • systeminfo | findstr /B /C:"OS Version" /C:"OS Name"
  • Or: (Get-ComputerInfo).WindowsVersion and (Get-ComputerInfo).OsBuild.

Enable built‑in Sysmon (test / lab first)​

  • Remove existing standalone Sysmon:
  • Uninstall via Programs & Features if previously installed, or use the vendor uninstaller steps.
  • Enable the optional feature (admin PowerShell):
  • Enable-WindowsOptionalFeature -Online -FeatureName Sysmon
  • Install with a vetted configuration:
  • sysmon -i C:\Sysmon\sysmonconfig.xml
  • Verify events: Event Viewer > Applications and Services Logs > Microsoft > Windows > Sysmon > Operational.

Check Quick Machine Recovery state​

  • Settings > System > Recovery > Quick machine recovery — verify toggles and auto‑remediation settings.
  • For scripted verification, use reagentc.exe to export recovery settings and confirm WinRE/CloudRemediation state.

Confirm Secure Boot certificate readiness​

  • Confirm Secure Boot is enabled: Settings > Privacy & security > Windows Security > Device Security > Secure Boot on.
  • Use PowerShell (admin) to inspect UEFI variables for the presence of 2023 certs (example approach — run vetted scripts from Microsoft or your trusted toolkit; the Secure Boot guidance includes sample checks).
  • Monitor the scheduled task used for certificate application (Microsoft‑documented task) and look for update event IDs in the System event log to ensure the update flow is progressing.

Migration and policy guidance for IT teams​

  • Treat the Secure Boot certificate rollout as a coordinated program: identify devices that may be out of band, check firmware versions, validate BitLocker key escrow, and schedule any necessary firmware updates with OEMs.
  • Test Sysmon configuration changes before fleet enablement — Sysmon can generate high event volumes when configured aggressively, leading to storage and ingestion pressure on SIEMs.
  • Update documentation and runbook entries that reference wallpaper automation, RSAT dependencies, or taskbar expectations — small UX changes (WebP wallpaper support, taskbar shortcuts) can break legacy scripts or user instructions.
  • For WSUS and offline deployments, double‑check MSU ordering and the Servicing Stack pairing before importing cumulative packages.

Final assessment and verdict​

The March 2026 Windows 11 cumulative update (KB5079473) is a practical release: Microsoft has balanced security and platform hardening (including critical Secure Boot groundwork) with convenience and manageability improvements that benefit both consumers and enterprises. The addition of Sysmon as an in‑box optional feature is the most meaningful change for IT and security ops because it reduces deployment friction and signals Microsoft’s desire to embed enterprise telemetry capabilities into the core OS.
That said, the Secure Boot certificate transition is the highest operational risk in the near term. The steps Microsoft is taking — controlled rollout, targeted device eligibility, scheduling logic — are prudent, but administrators must still proactively verify, test, and remediate devices that could otherwise miss the update window.
Small UX moves (taskbar speed test as a web shortcut, Emoji 16 rollouts, WebP wallpaper support) improve day‑to‑day user experience but are best viewed as incremental polish rather than transformational change. For organizations, the headline action is simple: test KB5079473 in your pilot rings, verify Secure Boot certificate readiness, ensure BitLocker recovery keys are accessible, and update your deployment automation to handle the new SSU + LCU pairing.
Windows continues to evolve in a measured way — this update demonstrates Microsoft’s preference for incremental, risk‑aware improvements that privilege platform security and manageability while delivering incremental user value. If you manage Windows devices, prioritize Secure Boot readiness and the servicing stack test pass; if you’re a power user, look forward to Sysmon in‑box and the small usability wins that reduce friction day to day.
Conclusion
KB5079473 is not a blockbuster feature drop, but it is one of the more practically useful Patch Tuesday releases in recent memory: it brings enterprise capabilities into the OS, prepares the platform for a critical Secure Boot certificate transition, and smooths several rough edges across File Explorer, recovery, and personalization. Roll it into your test ring, validate Secure Boot and BitLocker readiness, and plan to move to broader deployment once you've confirmed compatibility with firmware and management stacks.
Source: Windows Latest I tested Windows 11 March 2026 Updates: Everything new, improved, and fixed
 
Click to expand...
You must log in or register to reply here.