Microsoft ships March 2026 cumulative updates for Windows 11 25H2, 24H2, and 23H2
5 min. read 
Published on
Microsoft has released its March 2026 Patch Tuesday cumulative updates for Windows 11 versions 25H2, 24H2, and 23H2. The updates are KB5079473 for 25H2 and 24H2, which raise systems to builds 26200.8037 and 26100.8037, and KB5078883 for 23H2, which raises systems to build 22631.6783.
For most users, these are mandatory security updates that arrive through Windows Update. Microsoft says KB5079473 includes the latest security fixes and also brings in non-security changes from February’s optional preview release, while KB5078883 ships with security fixes, quality improvements, and a combined servicing stack update.
The headline change in this cycle is Secure Boot. Microsoft says Windows quality updates now include extra high-confidence targeting data to expand the phased rollout of new Secure Boot certificates on eligible 25H2 and 24H2 devices. Microsoft also warns that Secure Boot certificates used by most Windows devices start expiring in June 2026, so this rollout matters for both consumers and businesses.
Version 23H2 gets several practical fixes as well. Microsoft says the update adds new PowerShell options for Secure Boot management, improves File History reliability for certain filenames, boosts graphics stability for some GPU setups, adds the new Saudi Riyal currency symbol to Windows fonts, and improves the Windows System Image Manager warning flow when admins choose catalog files.
What Microsoft released
| Windows 11 version | Update | New build |
|---|---|---|
| 25H2 | KB5079473 | 26200.8037 |
| 24H2 | KB5079473 | 26100.8037 |
| 23H2 | KB5078883 | 22631.6783 |
What is new in KB5079473 for 25H2 and 24H2
Microsoft highlights two main changes in the 25H2 and 24H2 release notes. First, File Explorer search should work more reliably when users search across multiple drives or from the This PC view. Second, Windows now pushes the new Secure Boot certificates to a broader set of devices, but only after those systems show enough successful update signals.
That second point matters more than it may seem. Microsoft has spent months preparing systems for the upcoming Secure Boot certificate expiration window, and this update continues that staged rollout. If you manage a fleet of Windows 11 PCs, this patch is part of that larger readiness effort, not just a routine monthly update.
What is new in KB5078883 for 23H2
Microsoft packed more visible fixes into the 23H2 release notes. The company says admins can now use Get-SecureBootUEFI -Decoded to view Secure Boot keys and certificates in a readable format, while the new Get-SecureBootSVN cmdlet checks the Secure Boot Security Version Number in UEFI firmware and the bootloader against the latest policy.
Microsoft also says File History now backs up files with Chinese characters and Private Use Area characters more reliably. On the graphics side, the company says the update improves shutdown reliability on certain GPU configurations and makes games and 3D apps more stable during heavy graphics use. Windows fonts now support the new Saudi Riyal symbol, and Windows System Image Manager shows a warning dialog that asks users to confirm a chosen catalog file comes from a trusted source.
Key fixes at a glance
- Secure Boot certificate rollout expands on 25H2 and 24H2.
- File Explorer search reliability improves on 25H2 and 24H2.
- New Secure Boot PowerShell commands arrive on 23H2.
- File History fixes improve backup reliability for certain filenames on 23H2.
- Graphics stability improves for some GPU setups on 23H2.
- Windows fonts gain the Saudi Riyal symbol on 23H2.
- Windows System Image Manager gets a new trust warning dialog on 23H2.
How users and admins get these updates
Microsoft says both updates download and install automatically through Windows Update and Windows Update for Business, depending on policy settings. They are also available through the Microsoft Update Catalog and through WSUS when admins enable the right product and classification settings.
For 23H2, Microsoft also notes that the latest servicing stack update is combined with the cumulative update. That means standard uninstall methods do not work for the SSU portion after installation, and admins who need to remove the LCU must use DISM with the package name instead of relying on wusa.exe /uninstall.
Why this release matters
This month’s Windows 11 updates are less about flashy new features and more about platform maintenance. Microsoft continues to harden Secure Boot ahead of the 2026 certificate deadline, while also cleaning up practical issues in File Explorer, File History, graphics reliability, and admin tooling. That is the kind of release many enterprises want in March, especially when the changes land through standard Patch Tuesday channels.
The 23H2 update looks especially useful for IT teams that still manage mixed Windows 11 fleets. The Secure Boot PowerShell additions give admins clearer visibility, and the combined SSU plus LCU packaging keeps future update servicing more reliable, even if it makes rollback less flexible.
FAQ
It is KB5079473, and it raises devices to builds 26100.8037 and 26200.8037.
It is KB5078883, and it raises systems to build 22631.6783.
Yes. Microsoft says 25H2 and 24H2 continue the phased rollout of new Secure Boot certificates, while 23H2 adds new PowerShell tools for Secure Boot visibility and policy checks.
No. Microsoft says the combined SSU cannot be removed once installed. Admins must use DISM to remove the LCU if needed.
Microsoft says it is not currently aware of any issues with that update.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
Improve this guide
User forum
0 messages