The March 2026 Patch Tuesday release for Windows 11 brings significant feature additions alongside critical security maintenance. Rolling out under build numbers 26200.8037 (for version 25H2) and 26100.8037 (for version 24H2), this package transitions several tools previously restricted to optional previews or external downloads directly into the core operating system.
Because this is a mandatory security update, it downloads and installs automatically through Windows Update, pulling in all quality improvements and feature drops accumulated over the previous month.
Desktop and interface additions
Several everyday usability improvements are active immediately after installing the update. Desktop personalization now natively supports WebP images. You can right-click any .webp file in File Explorer and set it as the desktop background, or select it directly from the Personalization settings menu without converting the image to a JPEG or PNG.
The taskbar introduces a built-in network speed test accessible directly from the system tray. Clicking the network icon or opening the Wi-Fi and Cellular Quick Settings provides a shortcut to measure connection performance. Initiating the test opens the default web browser to execute the speed check.
Other interface refinements include:
- Emoji 16.0 support: The emoji panel now includes the latest Unicode release, adding one new symbol from each major emoji category.
- Taskbar search improvements: Hovering over a search result now displays a preview of the file or document without requiring it to be opened. Search results are also organized with group headers that display the total number of items available in each category.
- File Explorer reliability: Middle-clicking the File Explorer taskbar icon, or holding Shift while clicking it, reliably opens a new instance rather than focusing the existing window. The command bar also gains an Extract all option when browsing non-ZIP archive folders.
- Widget settings: The configuration menu for Widgets now utilizes a full-page interface instead of a small dialog box.
Advanced system and recovery tools
System Monitor (Sysmon) is now a native, optional Windows feature. Previously requiring manual installation via the Sysinternals suite, the built-in tool logs system activity to the Windows Event Log for deep threat detection and analysis. If you have the standalone Sysinternals version installed, you must uninstall it before activating the native module.
To enable the native Sysmon integration via command line:
Step 1: Open an elevated PowerShell or Command Prompt window with administrator privileges.
Step 2: Execute the deployment tool command to enable the feature on your system.
```
Dism /Online /Enable-Feature /FeatureName:Sysmon
```
Step 3: Initialize the Sysmon setup to begin capturing system events.
```
sysmon -i
```
For administrative deployment, Remote Server Administration Tools (RSAT) are now fully supported on Windows 11 Arm64 devices. IT professionals can install Active Directory tools, Server Manager, and DNS/DHCP control utilities directly through the Optional Features menu on Arm-based hardware.
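For the native Sysmon steps above, the following script is an added example (not from Microsoft or the original article) that wraps the two commands with a pre-flight check for a standalone install and a post-install check that events are arriving. The service names `Sysmon`/`Sysmon64` and the `Microsoft-Windows-Sysmon/Operational` log channel are those used by the standalone Sysinternals tool; that the native feature writes to the same channel is an assumption.

```powershell
#Requires -RunAsAdministrator
# Added example: pre-flight and verification around the native Sysmon steps.
$ErrorActionPreference = 'Stop'

# Is the native optional feature already on? (Feature name taken from the article.)
$feature = Get-WindowsOptionalFeature -Online -FeatureName 'Sysmon'

if ($feature.State -ne 'Enabled') {
    # Assumption: a standalone Sysinternals install registers a service under
    # its default name, Sysmon or Sysmon64. A renamed binary will not match.
    $standalone = Get-Service -Name 'Sysmon', 'Sysmon64' -ErrorAction SilentlyContinue
    if ($standalone) {
        throw "Standalone Sysmon service found ($($standalone.Name -join ', ')). Uninstall it before enabling the native feature."
    }

    Dism /Online /Enable-Feature /FeatureName:Sysmon
    # 3010 is the DISM exit code for "succeeded, restart required".
    if ($LASTEXITCODE -notin 0, 3010) {
        throw "DISM failed with exit code $LASTEXITCODE"
    }
    if ($LASTEXITCODE -eq 3010) {
        Write-Warning 'Restart required before Sysmon can be initialized.'
        return
    }
}

# Step 3 from the article: initialize Sysmon so it starts capturing events.
sysmon -i
if ($LASTEXITCODE -ne 0) {
    throw "sysmon -i failed with exit code $LASTEXITCODE"
}

# Verification. Assumption: the native feature logs to the same channel
# as the standalone tool.
$channel = 'Microsoft-Windows-Sysmon/Operational'
Start-Sleep -Seconds 5
try {
    Get-WinEvent -LogName $channel -MaxEvents 5 |
        Select-Object TimeCreated, Id, Message |
        Format-List
} catch {
    Write-Warning "No events readable from '$channel': $($_.Exception.Message)"
}
```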
Recovery capabilities have also been expanded. Quick Machine Recovery (QMR) is now enabled by default for unmanaged Windows Pro devices, bringing advanced boot repair options previously standard only on Windows Home editions. Domain-joined and enterprise-managed devices will keep QMR disabled by default unless explicitly permitted by an organization's policies.
For corporate environments, the Windows Backup restore experience now triggers on the first sign-in for Microsoft Entra hybrid-joined devices, Cloud PCs, and multi-user setups. This automatically reinstates user settings and Microsoft Store apps during device migrations or hardware refreshes.
Security fixes and zero-day patches
KB5079473 addresses 58 total security flaws across the operating system. Crucially, this includes mitigations for six actively exploited zero-day vulnerabilities. Applying this update immediately shields the system from privilege escalation and remote code execution exploits that are currently active in the wild.
| CVE Identifier | Vulnerability detail |
|---|---|
| CVE-2026-21510 | Windows Shell flaw allowing attackers to bypass SmartScreen warnings via malicious shortcut files. |
| CVE-2026-21513 | MSHTML Framework security bypass actively exploited over network connections. |
| CVE-2026-21514 | Microsoft Word flaw bypassing OLE protections when opening malicious Office documents. |
| CVE-2026-21519 | Desktop Window Manager elevation of privilege granting attackers SYSTEM-level access. |
| CVE-2026-21525 | Windows Remote Access Connection Manager denial-of-service vulnerability. |
| CVE-2026-21533 | Windows Remote Desktop Services privilege elevation allowing unauthorized additions to the Administrators group. |
Alongside these specific patches, the update modifies how Windows Defender Application Control (WDAC) processes COM object allowlisting, ensuring objects are no longer incorrectly blocked when endpoint security policies outrank the allowlist.
The update also widens the deployment of updated Secure Boot certificates. Devices that establish a stable update history will automatically receive the new certificates, phasing in the transition smoothly ahead of older certificate expirations.
Installation details
Because the release contains critical security fixes, Windows 11 will attempt to download and install KB5079473 during standard maintenance windows. The system will prompt for a restart once the files are staged.
For enterprise deployments or offline systems, standalone installers (.msu files) are available through the Microsoft Update Catalog. The package sizes are approximately 4.5 GB for x64-based systems and 4.3 GB for Arm64 devices. The installation includes the latest servicing stack update (SSU version 26100.8035) to ensure future update reliability.