Windows 11 March 2026 Update KB5079473: Sysmon In-Box and Emoji 16

  • Thread Author
Microsoft has released the March 2026 cumulative update for Windows 11 (KB5079473), a combined security and quality rollup that advances OS builds for supported channels, brings several user-facing conveniences (Emoji 16, a taskbar network speed test, WebP wallpaper support), and—critically for defenders—introduces Sysmon as an optional, in‑box component for the first time. (support.microsoft.com)

Background / Overview​

Microsoft published KB5079473 on March 10, 2026 as the March Patch Tuesday cumulative update for Windows 11 versions 24H2 and 25H2. The update is distributed as a combined Servicing Stack Update (SSU) plus the Latest Cumulative Update (LCU) and is available through Windows Update, Windows Update for Business, WSUS configuration, and the Microsoft Update Catalog. The KB article includes both automatic delivery channels and explicit offline installation instructions for architects, OEM imaging teams, and administrators who prefer manual control. (support.microsoft.com)
This release is more than a security-only rollup: Microsoft folded last month’s optional preview improvements into the LCU, so feature refinements and endpoint telemetry changes arrive alongside dozens (and in some cases hundreds) of security fixes listed in Microsoft’s Security Update Guide. Enterprises and power users need to treat KB5079473 as a combined operational change: it affects servicing stack behavior, optional telemetry components, and on‑device feature availability. (support.microsoft.com)
Community and early reporting around the update emphasize three practical themes: (1) defenders gain a heavier default telemetry tool (Sysmon in‑box); (2) users gain small but visible UI and productivity niceties (Emoji 16, taskbar speed test, WebP wallpaper); (3) manual installers and offline imaging teams must respect a specific MSU installation order and servicing‑stack pairing to avoid “not applicable” or “operation not supported” failures that have tripped teams in past rollouts. Community activity captured in our internal forums reflects this mix of enthusiasm and caution.

What’s in KB5079473 — Notable features and fixes​

Sysmon becomes optional, in-box​

  • Microsoft now offers Sysmon (System Monitor) as an optional, in‑box Windows feature rather than an external Sysinternals download. This means defenders can enable a supported Sysmon directly from Optional Features or the “More Windows features” settings and manage it via standard Windows servicing workflows.
  • The change reduces friction for organizations that wish to standardize process and network event telemetry; however, it also shifts some management expectations because the component will now be bound to Windows servicing and lifecycle practices in addition to Sysinternals configuration.

UX and productivity improvements​

  • Emoji 16.0 glyphs are included in the emoji panel, expanding the expressive set for messaging and UI. This is one of the visible user-facing changes many non‑enterprise users will notice first.
  • A taskbar network speed test feature is surfaced for quick diagnostics of connectivity from the taskbar. This is primarily convenience-oriented but benefits frontline support.
  • WebP wallpaper support and other small File Explorer and Settings reliability improvements are included; these are quality‑of‑life wins for end users and device managers. (support.microsoft.com)

Servicing, security, and AI component notes​

  • The update includes the latest Servicing Stack Update (SSU) for the OS; SSUs are bundled into the combined package Microsoft distributes so that the servicing engine on clients is capable of reliably applying future updates. The KB confirms that the combined SSU + LCU package will be delivered via Windows Update and explains removal constraints for the SSU. (support.microsoft.com)
  • The March LCU includes updates to certain AI components (Image Search, Content Extraction, Semantic Analysis, Settings Model) that are only applicable to Windows Copilot+‑capable devices; those AI component packages will not install on non‑Copilot devices. Administrators should be aware of this targeted applicability when validating deployments. (support.microsoft.com)

Installation options — what administrators need to know​

Microsoft documents two supported installation approaches for the standalone packages (MSU files) from the Microsoft Update Catalog: Method 1 (place all MSU files in a single folder so DISM auto‑discovers prerequisites) and Method 2 (download and apply MSUs individually, in precise order). Both options are valid; each has tradeoffs.

Method 1 — Recommended for reliability and simplicity​

  • Download all MSU files related to KB5079473 for your architecture and put them into one folder, e.g., C:\Packages.
  • From an elevated Command Prompt run:
    DISM /Online /Add-Package /PackagePath:c:\packages\Windows11.0-KB5079473-arm64.msu
  • Or in PowerShell:
    Add-WindowsPackage -Online -PackagePath "c:\packages\Windows11.0-KB5079473-arm64.msu"
  • DISM inspects the PackagePath folder and will automatically discover and install any prerequisite MSU files present (this is the reason Method 1 is less error prone for offline/manual workflows). The KB explicitly recommends this approach to avoid missing dependencies. (support.microsoft.com)

Method 2 — Explicit ordered install (when needed)​

  • If you prefer to run MSUs one at a time, the KB lists the required order for ARM64 devices:
  • windows11.0-kb5043080-arm64 (prerequisite)
  • windows11.0-kb5079473-arm64
  • Execute each MSU with DISM or the Windows Update Standalone Installer (wusa.exe), and respect the ordering. Missing the prerequisite (KB5043080 in this example) may render later packages “not applicable” or cause installation errors. The KB includes symmetrical instructions for x64 architectures. (support.microsoft.com)

Updating installation media and offline images​

  • To service a mounted image (offline image), run:
    DISM /Image:mountdir /Add-Package /PackagePath:Windows11.0-KB5079473-arm64.msu
  • Or use:
    Add-WindowsPackage -Path "c:\offline" -PackagePath "Windows11.0-KB5079473-arm64.msu" -PreventPending
  • When updating installation media, the KB cautions you to match Dynamic Update packages by month; if the same‑month SafeOS or Setup Dynamic Update is not available, use the most recent published version. This avoids mismatches during setup and SafeOS phases. (support.microsoft.com)

Practical, step‑by‑step guide for manual offline installation (recommended checklist)​

  • Inventory and confirm your target devices (24H2 vs 25H2, and architecture: x64 or ARM64).
  • Create a restore point or verify backup/Imaging processes. For domain‑joined devices, ensure system state backups are recent.
  • Download the required MSU files from the Microsoft Update Catalog for your architecture and add them to a single folder (e.g., C:\Packages). If you maintain an offline catalog, store the MSUs there as well. (support.microsoft.com)
  • Open an elevated Command Prompt on the target machine and run:
    DISM /Online /Add-Package /PackagePath:c:\packages\Windows11.0-KB5079473-x64.msu
    (Substitute the correct filename for ARM64 or x64).
  • If DISM returns success, reboot and validate OS build numbers (use winver or System > About). The KB notes the March 2026 builds as 26200.8037 (25H2) and 26100.8037 (24H2). (support.microsoft.com)
  • If manual single‑MSU installation is required, ensure prerequisites are present in the same folder or install the prerequisite MSU (for example KB5043080) first—KB5079473’s instructions explicitly list KB5043080 as a needed prior package for Method 2. (support.microsoft.com)

Troubleshooting and known gotchas (what to watch for)​

  • “Operation is not supported” or other DISM/wusa errors: Historically, manual installation flows that miss checkpoint or servicing‑stack MSUs produced errors (notably around KB5043080 in prior rollups). Community reports and Microsoft Q&A threads show that reinstalling the checkpoint MSU (KB5043080 in related scenarios) or using the “put all MSUs in one folder and let DISM resolve prerequisites” method resolves many of these errors. If you see an “operation not supported” message, first confirm you downloaded the architecture‑correct MSUs and that any older checkpoint MSU is present in the folder.
  • Combined SSU + LCU uninstall limitations: Running wusa.exe /uninstall against the combined package will not remove the SSU; SSUs cannot be removed after installation. If you need to revert the LCU you must use DISM /Remove-Package with the LCU package name obtained via DISM /online /get-packages. The KB emphasizes that SSUs are permanent once installed. Plan your rollback strategy accordingly. (support.microsoft.com)
  • AI components and Copilot+: the KB includes AI component updates but those are targeted to Copilot+ hardware and will not be installed on devices that don’t qualify. Don’t be surprised when some images show AI component packages as not applicable — that is intentional. (support.microsoft.com)
  • Imaging and sysprep edge cases: If you add the update to offline images, validate sysprep/unattend behavior. Past rollouts have shown that unattended XML applications and feature‑on‑demand additions can surface unexpected failures when a checkpoint MSU is absent. Testing an updated image on representative hardware before broad deployment is essential. Community threads reflect multiple cases where missing checkpoint MSUs created unattend.xml errors.

Risk assessment — what this update changes for different audiences​

Home users and power users​

  • Benefits: immediate security hardening, Emoji 16, taskbar speed test, and general reliability improvements.
  • Risks: minimal if you install through Windows Update. Manual installation is fine but follow KB guidance carefully for MSU order if you go offline.

Small businesses and SMB IT​

  • Benefits: easier deployment of Sysmon for host telemetry and faster reactive triage.
  • Risks: if imaging pipelines or manual update processes skip a checkpoint SSU or prerequisite MSU, devices may fail to apply updates cleanly. SMBs that rely on an ad‑hoc manual MSU install should adopt the “place all MSUs in one folder and use DISM” workflow to reduce errors. (support.microsoft.com)

Enterprise and managed service providers​

  • Benefits: Sysmon in‑box reduces third‑party distribution complexity, enabling more consistent telemetry and a managed lifecycle for the component. Taskbar speed test and other quality improvements reduce lightweight help‑desk tickets.
  • Risks and operational impact:
  • The move of Sysmon into the Windows servicing model changes patch‑management assumptions: vendor‑managed Sysmon updates via Sysinternals may now collide or require uninstall before enabling the in‑box feature. Microsoft warns that if you have the Sysinternals Sysmon installed, you should uninstall that version before enabling the in‑box Sysmon. Plan sequencing in your patch cycles and group policies.
  • Imaging and offline servicing scripts must be updated to include the monthly SSU/LCU combination and ensure dynamic update matching when building setup media. Failing to match Dynamic Update month packages can introduce setup failures. (support.microsoft.com)

Security implications — defenders’ perspective​

  • Sysmon in‑box is the headline for security teams: having a supported, native Sysmon reduces configuration drift and simplifies baseline enforcement. But it also centralizes a historically optional telemetry producer inside the servicing lifecycle, which means defenders must coordinate with patch cycles for updates to the Sysmon binary and event schemas.
  • The KB includes the regular set of security fixes for Windows components; Microsoft points administrators to the Security Update Guide and the March 2026 security update listing for the CVE breakdown. For high‑impact CVEs that require immediate remediation, refer to the Security Update Guide entries corresponding to this LCU. (support.microsoft.com)
  • Operational note: any change that increases endpoint telemetry should be reviewed for data‑classification and privacy policy alignment. Security teams should document Sysmon’s enabled configuration (hashing, logging levels, retention) and integrate the new telemetry into event‑forwarding and SIEM parsers so that noise does not drown out signal.

Testing and rollout recommendations​

  • Lab first: validate the update on a small set of representative devices (consumer, corporate‑managed, ARM64, x64) and confirm:
  • Boot and WinRE functionality
  • Domain join and authentication workflows (including smart card, if used)
  • Application compatibility for critical line‑of‑business apps
  • Telemetry ingestion for Sysmon (if enabling)
  • Staged rollout: use rings (pilot → broad) and monitor key telemetry (failed boot counts, update compliance, Event ID spikes) for at least one week before broad deployment.
  • Imaging: rebuild golden images with the March 2026 combined package applied, then run sysprep and test device provisioning flows. Confirm Dynamic Update packaging if you publish installation media for devices that will be used outside networked environments. (support.microsoft.com)

Troubleshooting quick‑reference​

  • If an MSU install fails with “Operation is not supported”:
  • Ensure the folder contains the required checkpoint MSU (e.g., KB5043080) or switch to the “all MSUs in one folder” DISM method.
  • Confirm architecture‑correct MSU (ARM64 vs x64).
  • Run DISM /Online /Cleanup-Image /RestoreHealth if servicing stack corruption is suspected.
  • If rollout causes unexpected app breaks:
  • Check third‑party UI/customization utilities for Explorer.exe crashes; previously, some third‑party UI mods clashed with cumulative updates.
  • Reproduce in safe mode or a non‑customized image to isolate the fault.
  • Need to remove the LCU?
  • Use DISM /online /get-packages to find the package name, then DISM /Online /Remove-Package /PackageName:<name>. Remember: you cannot remove the SSU from a combined package via wusa.exe; SSUs are persistent. (support.microsoft.com)

How the community is reacting​

Early community threads and news reports reflect a pragmatic mix of interest and caution: defenders welcome Sysmon being more accessible, while image maintainers and manual installers call attention to the need for careful ordering of MSU files to avoid common DISM errors experienced in prior rollouts. Our internal forum snapshots show active discussion about the new features and the install methods, echoing the same practical guidance Microsoft published in the KB.

Final analysis — strengths, tradeoffs, and recommendations​

Strengths
  • Defender advantage: Sysmon in‑box is the most consequential security and operations change in this package. It simplifies deployment and ensures a supported telemetry path for process and connection observability.
  • Practical UX wins: Emoji 16, the taskbar speed test, and WebP wallpaper support are small but tangible improvements that reduce help‑desk noise.
  • Servicing improvements: The included SSU aims to improve update reliability over time.
Tradeoffs and risks
  • Operational friction for manual/offline installers: Past experiences with checkpoint MSUs (e.g., KB5043080) demonstrate that manual installs can fail unless prerequisites are present or DISM is used with all packages in one folder. This KB repeats that same install‑order pattern, so teams must adjust offline workflows.
  • Lifecycle coupling: Moving Sysmon into the servicing model changes how it will be updated; admin teams must align patch windows and test Sysmon configuration compatibility before mass enabling.
  • Rollback constraints: SSU permanence means rollbacks are asymmetric; consider this when deciding how aggressive your rollout schedule will be. (support.microsoft.com)
Concrete recommendations
  • Test KB5079473 in a lab and pilot ring before broad deployment.
  • Use Method 1 (all MSUs in a single folder + DISM auto‑resolve) for manual deployments to minimize missing‑prerequisite errors. (support.microsoft.com)
  • If you plan to enable Sysmon centrally, publish a controlled Sysmon configuration, update SIEM parsers, and coordinate with your change windows to avoid telemetry surprises.
  • Maintain an emergency rollback and recovery playbook (image restores, off‑network recovery media), because servicing stack changes complicate simple “uninstall” paths. (support.microsoft.com)
KB5079473 is a substantial March 2026 cumulative update: it pairs meaningful operational gains (Sysmon in‑box) with the careful servicing hygiene required of modern Windows management. For most users and organizations, installing via Windows Update is the safest path. For administrators using offline, manual, or imaging workflows, follow Microsoft’s documented DISM methods, honor the MSU ordering, and validate updated images in a representative environment before broad deployment. The update is available now from the Microsoft Update Catalog and will roll through Windows Update channels; consult the KB for architecture‑specific MSU filenames, and plan your rollout with testing and rollback considerations in place. (support.microsoft.com)
Conclusion
This March 2026 update is notable because it threads together defensive capability (Sysmon), incremental user improvements, and a reminder that servicing mechanics still matter to deployment teams. Treat KB5079473 as both a security and an operations release: test, stage, and deploy with attention to the servicing prerequisites the KB documents to avoid the same pitfalls other teams have encountered when installing MSU packages manually. (support.microsoft.com)
Source: Microsoft - Message Center March 10, 2026—KB5079473 (OS Builds 26200.8037 and 26100.8037) - Microsoft Support
 
Click to expand...
You must log in or register to reply here.