Windows IT Pro Blog articles

Teams Remote App/ Cloud App optimization for Windows 365 and Azure Virtual Desktop now GA

PavithraT — Thu, 04 Jun 2026 18:45:09 GMT

Today, we are announcing the general availability of Microsoft Teams for Remote App scenarios, expanding support for optimized Microsoft Teams experiences when connecting to Azure Virtual Desktop. Additionally, Cloud Apps for Windows 365 will also be supported. This update introduces a new media engine that replaces the legacy WebRTC-based optimization.

Optimized Teams experience for Remote App

The new optimization improves audio and video performance, reliability, and security, and simplifies ongoing support by enabling media engine updates without frequent upgrades to the infrastructure or client.

This feature will be available to anyone using Microsoft Teams as a Remote App on Azure Virtual Desktop or Cloud Apps on Windows 365 from Windows endpoints.

Teams users running in Remote App will automatically transition to the new optimization:

Audio and video performance and reliability are improved compared to the legacy WebRTC optimization.
Media engine updates no longer require frequent upgrades to the VDI infrastructure or client.

Note: Give and Take control is not supported at this time.

Try the optimized Teams experience for Remote App and Cloud Apps today

If you are using Windows App on Windows, you can try it today by meeting the following requirements:

On the user device, use Windows App for Windows version 2.0.964.0 or later
On the remote VM, install Microsoft Teams version 26043.2016.4478.2773 or later

Learn more: New VDI solution for Teams | Microsoft Teams | Microsoft Learn

Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us on  LinkedIn or @MSWindowsITPro for updates. Looking for support? Visit Windows on Microsoft Q&A.

Adaptive data protection with context-based redirections in Windows 365, now in public preview

Derek_Su — Tue, 02 Jun 2026 19:15:00 GMT

Today, we are excited to announce the public preview of context-based redirections for Windows App. This new capability helps organizations apply more granular controls to device and resource redirection based on contextual signals such as device management state, compliance posture, user or group membership, and network conditions. The result is a more adaptive way to help users stay productive while reducing the risk of data leaving the protected Windows environment.

Context-based redirections are part of our broader secure bring-your-own-device (BYOD) strategy. Instead of relying only on a one-size-fits-all redirection policy, admins can use Microsoft Entra Conditional Access authentication context with Windows 365 and Azure Virtual Desktop redirection settings to make redirection decisions that better match the trust level of the session.

Why context matters for redirection

Redirections control important data paths between the local device and the remote session. In BYOD scenarios, an unmanaged or noncompliant device may not meet the same security standard as a corporate-managed endpoint. Context-based redirections help admins align these data paths with policy intent: enable what users need when the session is trusted and restrict higher-risk redirections when the session is not.

This builds on the existing Windows App and RDP security model where the more restrictive setting takes precedence. For example, if one policy allows a redirection but another security layer disables it, the redirection remains disabled. The most restrictive wins behavior, helping provide defense in depth and reducing the chance that a configuration gap becomes a data loss path.

What is in scope for public preview

In this public preview, the core scenarios are centered on:

Clipboard redirection: Control whether clipboard data can move between the local device and the remote Windows session.
Drive and storage redirection: Control access to local fixed, removable, and network storage from the remote session.
Printer redirection: Control whether users can print from the remote session to local printers.
USB redirection: Control whether supported USB devices can be redirected into the remote session.

Context-based redirection will be supported across Windows, web, Android, iOS, and macOS Windows App clients and through a dedicated VM session.

Note: We are currently developing the feature Resultant Set of Policy (RSOP) that will help users and IT admins determine which redirections settings were applied to this connection and which policy source produced this value.

Prerequisites

Note: If you’re testing with a recent gallery image or already have policies in your environment that disable redirections, update those settings before testing, as the most restrictive policy always applies. For context-based redirection to function properly, configure the redirections you want to test as “Not Configured” or “Enabled.”

To simplify testing and rollout, we recommend creating a dedicated device group for pilot Cloud PCs. This allows you to target only test devices with these settings and later reuse the same group when deploying your context-based redirection policy more broadly.

For more information, please visit Manage device RDP redirections for Cloud PCs. | Microsoft Learn.

Get started

To get started with context-based redirections, admins will first create an Entra authentication context, then create an Entra Conditional Access to issue the authentication context.

Once the authentication context and Conditional Access policy are in place, admins can configure the Windows 365 Remote Connection Experience setting policy to require the specified authentication context for the targeted redirections.

Validating the provisioned context-based redirection policy

To validate whether the provisioned context-based redirection policy is working as intended, test it from the user perspective by connecting to a Windows 365 Cloud PC/Azure Virtual Desktop VM that’s associated with the targeted device group:

Use any Windows App client. You can use the Windows web client by going to windows.cloud.microsoft.
Find the targeted, managed Windows 365 Cloud PC/Azure Virtual Desktop VM and click the "Connect" button.
Once the remote session loads, verify the behavior of the 4 redirections. Please visit each redirection’s respective Microsoft Learn documentations for detailed testing instructions:
1. Clipboard redirection: Verify whether copy and paste work between the local device and remote session.
2. Drive redirection enabled: Configure fixed, removable, and network drive redirection over the Remote Desktop Protocol | Microsoft Learn
3. Printer redirection: Configure printer redirection over the Remote Desktop Protocol | Microsoft Learn
4. USB redirection enabled: Configure USB redirection on Windows over the Remote Desktop Protocol | Microsoft Learn

Reducing NTLM Dependency: IAKerb and LocalKDC in Windows Insider Preview

mariam_gewida — Tue, 02 Jun 2026 16:32:15 GMT

Today, Windows expands where Kerberos works—reducing the need for NT LAN Manager (NTLM) fallback with IAKerb and LocalKDC, coming to client and server public preview later this month for Windows Insiders in the Canary Channel. These capabilities extend Kerberos authentication to scenarios that previously required NTLM, helping organizations reduce their dependency on legacy protocols. For developers, this means more authentication flows can rely on modern, Kerberos-based identity (even in environments that previously required legacy protocols), reducing the need for application workarounds and helping ensure consistent behavior across managed and unmanaged environments.

With this release:

IAKerb will be enabled by default
LocalKDC will be disabled by default
Both features will be configurable through registry keys

Note: For this public preview, configuration is exposed through registry settings so you can evaluate these capabilities in Insider environments. Management surfaces, such as Group Policies and MDM-based management, will be introduced as these capabilities mature.

Why this matters

For many organizations, moving away from NTLM is a security priority. But in practice, NTLM often remains in use because there are still real-world scenarios where traditional Kerberos cannot be used directly, such as:

Devices that do not have direct line-of-sight to a domain controller
Authentication flows involving local accounts
Standalone or workgroup environments
Network topologies where Kerberos reachability is limited

IAKerb and LocalKDC address many of these gaps (though not all) by extending Kerberos support, reducing reliance on NTLM fallback across customer environments.

What is IAKerb?

IAKerb (Initial and Pass-Through Authentication using Kerberos) enables Kerberos to work when the initiating device (Kerberos client) does not have direct connectivity to a domain controller. In a traditional Kerberos flow, the client must communicate directly with a domain controller to obtain the tickets needed for authentication. In some environments, that path is not available even though the client can still reach the target service. In those cases, IAKerb enables the target service to act as a proxy for the Kerberos exchange, allowing authentication to stay on a Kerberos-based path rather than falling back to NTLM.

This makes IAKerb especially useful in environments with:

Network segmentation
Restricted domain controller visibility
Remote or cloud-connected access patterns
Architectures where clients can reach services but not DCs directly

What is LocalKDC?

LocalKDC is a local Key Distribution Center implementation in Windows that enables Kerberos-based authentication for local account scenarios. Historically, local account authentication across machines has often depended on NTLM. LocalKDC helps close that gap by allowing Windows to use Kerberos semantics for local identity scenarios that would otherwise require legacy authentication. This is especially relevant for scenarios such as:

Workgroup environments
Standalone devices
Local account access to remote resources
Peer-to-peer or small-scale environments without domain infrastructure
Administrative or file access scenarios where local identities are used

How these features fit together

IAKerb and LocalKDC address different but complementary gaps in Windows authentication, reducing reliance on NTLM across both enterprise and local identity scenarios.

IAKerb is meant for enterprise and corporate environments, where domain credentials are used but Kerberos authentication cannot always complete because the client lacks direct line of sight to a domain controller. By allowing authentication to remain on a Kerberos-based path in these situations, IAKerb helps reduce NTLM usage for high-value corporate credentials . This is important because reducing the use of NTLM for enterprise credentials helps strengthen defenses against credential theft and relay-based attack paths, including forms of lateral movement that have historically relied on NTLM fallback.
LocalKDC addresses a different class of scenarios: local and non-domain identities, including workgroup, standalone, and local account access patterns. In these cases, LocalKDC helps bring Kerberos-based protections to scenarios that traditionally depended on NTLM for local credentials.

Together, these capabilities extend Kerberos in two directions: domain-based enterprise credentials, and local and consumer-style account scenarios, further reducing the exposure to credential theft and relay-based attacks. This matters because, as part of a broader shift toward modern and enforced authentication, simply disabling older protocols is not enough. Organizations also need secure, reliable authentication that works consistently, without falling back to legacy protocols. These features help deliver that by providing modern, compatible alternatives that reflect how customers operate today.

Registry Configuration:

For this public preview, IAKerb and LocalKDC can be configured using registry settings under:

The supported values for this preview are:

DisableIAKerb
DisableLocalKDC

Set the value to:

0 to enable the feature
1 to disable the feature

Note: If a registry value is not present, Windows uses the default behavior for that release. In this preview, the defaults are:

IAKerb: enabled by default (0)
LocalKDC: disabled by default (1)

This gives you flexibility to evaluate the features in Insider environments while controlling rollout and validation according to your needs.

What you can do now

With this public preview, customers participating in the Canary Channel can test these capabilities in preview environments and validate the scenarios where NTLM is still commonly used. These features are designed to address important NTLM fallback scenarios but will not eliminate every remaining NTLM dependency in Windows environments; some scenarios may still require NTLM based on application behavior, infrastructure assumptions, or legacy dependencies. Our goal with this preview is to close some of the key gaps by extending Kerberos to more scenarios, while continuing broader work to reduce NTLM dependency across the platform over time. Once available, you can use this preview to help:

Identify scenarios already covered by IAKerb or LocalKDC
Validate those scenarios in controlled environments, and use the documented configuration options to control enablement during testing
Understand where NTLM dependencies still remain using our enhanced NTLM Auditing
Check for dependencies such as name resolution, SPN configuration, or legacy assumptions
Prepare for future improvements that will address additional cases

We also recommend evaluating the following areas:

Access to SMB shares
Remote administration scenarios
Environments with limited or no direct Domain Controller (DC) connectivity
Workgroup or standalone device authentication
Local account access patterns
Scenarios being prepared for NTLM reduction or eventual NTLM blocking

This preview is an opportunity to validate application compatibility, infrastructure dependencies, and operational readiness before broader rollout decisions are made. Learn more about upcoming work in this space here: Advancing Windows security: Disabling NTLM by default - Windows IT Pro Blog.

Troubleshooting and Feedback

As you evaluate IAKerb and LocalKDC in preview environments, you may encounter scenarios where authentication behaves differently than expected. Windows provides built-in logging to help you understand what is happening and identify potential issues. These logs help you:

Verify whether Kerberos authentication is being used
Identify cases where IAKerb or LocalKDC is involved
Detect failures or fallback conditions

You can also leverage NTLM operational logs to:

Identify when NTLM is still being used
Understand why fallback to NTLM is occurring
Prioritize scenarios for further investigation

Reviewing these logs together can help you determine whether authentication is staying on a Kerberos path (via IAKerb or LocalKDC) or falling back to NTLM and why.

When to expect fallback behavior

Because this is a preview release, some scenarios may still fall back to NTLM due to:

Application-specific dependencies
Environmental configuration (e.g., name resolution or SPN issues)
Interactions between domain accounts and local accounts on the same machine

IAKerb and LocalKDC are designed to address a subset of common NTLM fallback scenarios, and continued improvements are planned to expand coverage over time.

Share feedback and scenarios

If you encounter a scenario that does not behave as expected, or if you have a unique authentication flow you would like us to evaluate, we encourage you to contact us at ntlm@microsoft.com.

Please include details such as:

The scenario you are testing
Expected vs. actual behavior
Relevant event log entries (if available)

Your feedback is critical to helping us improve coverage and ensure these capabilities work reliably across real-world environments.

Securing today. Preparing for what’s next.

Security in Windows is built into the platform—continuously maintained and designed to evolve as threats change.

Learn more in the Windows Security book and Windows Server Security book or explore Windows 11, Windows Server, and Copilot+ PCs. For broader solutions, visit the Microsoft Security site, follow the Security blog, or connect with Microsoft Security on LinkedIn and @MSFTSecurity.   

Made for developers and agents, Windows 365 at Build 2026

BhavyaChopra — Wed, 03 Jun 2026 00:38:24 GMT

Build 2026 is here, and Windows 365 is showing up in a BIG way. Over the past year, we’ve listened closely to developers and IT teams using Cloud PCs at scale. You told us that bringing a new developer onto a Cloud PC needs to be streamlined—that signing in should mean being ready to code, not spending hours on setup. We hear from you that compute choice matters, and that a one-size-fits-all approach doesn’t work for dev teams building everything from web apps to AI/ML workloads. In addition, you told us that agents are already in use—and they need a real place to run, backed by the same security, identity, and policy you trust. Today, we’re announcing our biggest release yet of developer and agent capabilities on Windows 365. It brings secure Cloud PCs preconfigured with common development tools, expanded compute options, a new platform for enterprise AI agents, and stronger security and connectivity—so you can build and scale from anywhere, on any device.

A development experience that starts ready

Every developer knows this story: a new machine, a fresh image—and hours lost to setup before a single line of code gets written. That friction repeats with every onboarding, project switch, and refresh. We’re solving it with ready-to-code Windows 365 Cloud PCs, enhanced image management, and flexible customization—so developers can get to coding faster.

With Microsoft Dev Box now in maintenance mode, Windows 365 is the forward-looking path at Microsoft for teams seeking to standardize developer environments on Cloud PCs, backed by an investment roadmap focused on developer productivity, AI workloads, and enterprise scale.

Windows 365 now supports Windows 11 developer configuration image, in public preview: It delivers a preconfigured, ready‑to‑code environment with tools developers already use, including Visual Studio Code, Git, GitHub CLI, Python, Node.js, and Windows Subsystem for Linux (WSL), available from first sign‑in. Developers can navigate across Windows and Linux (via WSL), local and cloud, and AI workloads, all from the same starting point.

Video caption: With GitHub remote capabilities enabled on your Cloud PC, you can monitor and manage a running CLI session from another endpoint, such as your local device, as demonstrated in this video.

Building on this, autopilot device preparation now available for Windows 365, automates the installation of apps and scripts on Cloud PCs through Microsoft Intune before a user ever signs in. This helps ensure a ready-to-use, compliant environment without manual setup. Coming soon in preview, we will introduce expanded customization capabilities that give teams greater flexibility to tailor Cloud PC environments to their project needs, including configuring required SDKs, CLIs, packages, build tools, repositories, and onboarding workflows, all while remaining within enterprise guardrails and enabling developers to get productive immediately. In addition, Azure Compute Gallery support is now generally available. This enables organizations to store and manage custom images in Azure Compute Gallery and import them into Windows 365 to create Cloud PCs.

For developers building AI‑powered apps, select language models (LM) now run directly on your Windows 365 Cloud PC, extending this ready-to-code experience to advanced workloads. and enabling developers to build and iterate on LM-driven applications using Cloud PC compute.

Flexible plans to choose from

As part of ongoing Windows 365 portfolio update, Windows 365 Flex, formerly known as Windows 365 Frontline, fits how employees work, whether through shared access or cost-efficient dedicated experiences.

And that flexibility shows up in compute choice. 32vCPU Windows 365 Cloud PCs are now available in Windows 365 Enterprise and Windows 365 Flex, supporting compute-intensive workloads like software development, data modeling, simulations, and AI/ML. Similarly, a new Windows 365 GPU Select plan is now available, expanding the Windows 365 GPU-enabled Cloud PC portfolio and giving developers a more accessible GPU option alongside the existing Standard, Super, and Max plans. The new capabilities are optimized for smooth, low-latency visual performance across applications, multimedia, and hardware accelerated graphic workflows, providing developers with more ways to accelerate build and test scenarios. All GPU-enabled Cloud PCs are available across both Windows 365 Enterprise and Windows 365 Flex (in shared or dedicated mode).

Enterprise-managed execution environment for AI agents

As AI agents move from reasoning to execution, a key challenge is enabling them to take action across enterprise applications and systems, not just APIs. Many enterprise workflows still depend on browsers, desktop applications, and legacy tools, which require agents to operate beyond traditional integration points.

Windows 365 for Agents is now generally available. Agent makers can use it as part of Agent 365 tools or through Microsoft Copilot Studio (preview). It enables enterprise AI automation by providing agents with secured, managed, and available Cloud PCs that run within real business environments. Agents can interact directly with applications and browsers, execute multi-step workflows, and operate across modern and legacy systems. Each Cloud PC is Entra-joined, Intune-managed, and policy-enforced, helping IT scale agents with consistent security, governance, and compliance. While Agent 365 secures and governs the agent, Windows 365 for Agents provides a dedicated workspace to support performance and security needs.

Designed to support agent creators, Windows 365 for Agents works with agents built using both no-code and pro-code approaches. It's already powering agentic experiences across Microsoft, from computer-use scenarios in Researcher to Project Opal within Microsoft Copilot Studio, demonstrating enterprise readiness. Beyond Microsoft’s own experiences, the platform also supports third-party agents, including partner-provided examples such as Sai from Simular. This always-on AI coworker can operate applications on a Windows Cloud PC by interacting with the user interface through mouse and keyboard inputs, similar to a human.

Watch Simular’s AI agent Sai in action in the demo below.

Video caption: Using Windows 365 for Agents, Sai runs an overnight claims-processing workflow in a Contoso claims app with no APIs. Sai reads scanned claim forms, extracts key fields, verifies coverage, and enters results directly through the UI. 

Secure access and reliable connectivity

Developers get consistent experience, agents run in a dedicated runtime, and IT maintains centralized control across both. Windows 365 brings these capabilities together, combining developer productivity with the provisioning, policy enforcement, and compliance controls organizations require. Building on this foundation, context-based redirection, in public preview starting in June, adds more adaptive data protection. Organizations can apply granular redirection policies based on contextual signals, such as device management status, user network and location status to control how content is accessed and redirected.

To improve connection reliability and user experience, Remote Desktop Protocol (RDP) multipath with redundant Transmission Control Protocol (TCP), now generally available (Windows 365/Azure Virtual Desktop), enhances connection resiliency by maintaining multiple transport paths (UDP and TCP) between the client and session host. This dynamically selects the most reliable path, particularly in TCP-only or UDP-restricted environments- improving session reliability and continuity while reducing disruptions to enhance the overall user experience. In addition, health checks in Windows App, now available on sovereign clouds (generally available) provides lightweight diagnostics that validate device readiness, network connectivity, and sovereign-specific endpoint reachability, enabling faster troubleshooting and more reliable connections in government cloud environments.

For shared and controlled usage scenarios, Snapshot-based reset for Windows 365 Flex (in shared mode), now in public preview, automatically reverts shared Windows 365 Flex Cloud PCs to a clean state after each user signs out. Every user starts with a clean Cloud PC, simplifying management and supporting the shared licensing model for Windows 365 Flex.

Beyond organizational boundaries, using Azure Files and FSLogix as a user profile management solution for external identities in Azure Virtual Desktop is now generally available, enabling secure access for external users such as partners and vendors. To see more, check out our latest blog.

Get started today

With these updates, Windows 365 moves into a new phase that further reduces setup friction, keeps developers in flow, and helps teams build, run, and scale across environments.

Windows 365 Enterprise and Windows 365 Flex now include new developer capabilities - buy or contact sales.
Contact sales to try Windows 365 32 vCPU and Windows 365 GPU-enabled Cloud PCs today.
Try 50 free hours of Windows 365 for Agents Cloud PC with Microsoft Copilot Studio.

Learn more at Microsoft Build 2026

Join the Windows 365 sessions at Microsoft Build 2026 to learn more and see these capabilities in action. Microsoft Build in 2026 offers two full days of content, from keynotes, breakouts, hands-on labs, to on-demand sessions that you can join live or watch anytime. The digital experience is free to attend. Register today to explore the full schedule, discover featured partners, and save your must-see sessions.

Tuesday, June 2, 2026:

Wednesday, June 3, 2026:

Build on-demand sessions available beginning June 2:

Windows news you can use: May 2026

Chris_Morrissey — Mon, 01 Jun 2026 21:00:00 GMT

First, as we head into June and the first set of Secure Boot certificates start to expire, there will be another Secure Boot Ask Microsoft Anything (AMA) on Thursday, June 4. Do save the date and post your questions early or at any time during the live stream if you need assistance. You can also watch the May edition on demand.

For more general questions around Windows deployment, updates, and management, you can join the chat-based Windows Office Hours every third Thursday. The next event will be June 18 at 8:00 AM PDT.

Now let's dive in to more Windows news you can use you might have missed this past month.

New in Windows update and device management

[AUTOPATCH] [GCC] – Windows Autopatch is now included automatically for Government Community Cloud (GCC) customers using Microsoft 365 G3 GCC, Microsoft 365 GCC G5, or Microsoft 365 GCC G5 without WDATP/CAS Unified. The $0 Windows Enterprise (OLS) activation SKU is no longer required. For guidance on how to get started, read Windows Autopatch for the US government.
[HOTPATCH] – Starting with the May 2026 Windows security update, hotpatch updates are now on by default for those using Windows Autopatch through Microsoft Intune or the Windows updates API in Microsoft Graph. The default tenant setting; however, is only applied to devices that aren't members of a quality update policy. Windows Autopatch respects your configuration of quality update policies.
[BACKUP] – Start managing Enterprise State Roaming (ESR) through Windows Backup for Organizations policies. By the end of June, you'll no longer be able to access ESR policies through the Microsoft Entra portal and will instead need to use Microsoft Intune.
[W365] – Admin Insights for Windows 365, now in public preview, brings together important signals from existing reporting, monitoring, and alerting from Intune. Quickly understand what's happening in your environment and where to focus.
[ARM] – Does your organization use, or plan to adopt, Arm-based Windows devices? Check out a snapshot of companies that have recently delivered or expanded print solutions supporting Windows on Arm.
[SKILLING] – Still have devices running Windows 10? Need advice on optimizing how you roll out new versions of Windows and Microsoft 365 apps in your organization? Use the updated Stay current with Windows learning path to plan, prepare for, and deploy for updates across your organization.

New in Windows security

[SECURE BOOT] – The updated Secure Boot status report in Windows Autopatch provides better device-level visibility into certificate status, trust configuration, and readiness for Secure Boot certificate updates. New interactive certificate-level details fit directly into your certificate rollout workflow.
[SECURE BOOT] – Microsoft Defender now provides centralized visibility into Secure Boot 2023 certificate readiness across your device fleet. A new assessment categorizes your devices automatically as exposed, compliant, and not applicable.
[FIREWALL] [NETWORKING] – Have devices that experience difficulties receiving updates? New guidance is available to help you identify potential causes and implement solutions to ensure updates roll out smoothly moving forward.
[PRINTING] – A new icon appears on the Printers & scanners settings page. It helps you easily understand which devices support a more secure printing experience with Windows protected print mode.
[PASSKEYS] – World Passkey Day was May 7. Learn how Microsoft is Advancing passwordless authentication.

To explore what's new in security across the Microsoft platform, see What's new in Microsoft Security: May 2026.

New in AI

[DEVELOPERS] – Microsoft Build runs June 2-3! It features sessions on building, modernizing, and optimizing Windows apps and developer experiences. Check out especially AI-powered capabilities, cloud integration, and next‑gen tooling like Copilot, WinUI, and GitHub Copilot.
[AGENTS] – Windows is adding a new way to monitor your agents from the taskbar. This experience supports agents across first- and third-party apps, with Researcher in the Microsoft 365 Copilot appas the first adopter.
[COPILOT] [M365] – The Copilot app has been redesigned to be faster and more responsive. What do you think about the way Copilot shows up across Microsoft 365 apps?
[COPILOT] [M365] – New Microsoft 365 Copilot resources are now available to help you get started with adopting Copilot capabilities across your organization.

To learn about latest capabilities for Copilot+ PCs, visit the Windows Roadmap and filter Platform by “Copilot+ PC Exclusives.”

New in Windows Server

For the latest features and improvements for Windows Server, see the Windows Server 2025 release notes and Windows Server, version 23H2 release notes.

[HOTPATCH] – Hotpatch updates enabled by Azure Arc are now available at no additional cost for Windows Server 2025. Read the announcement for details on eligibility and guidance on how to get started.
[SKILLING] – All 19 sessions from Windows Server Summit 2026 are now available on demand. Learn and improve your skills on your schedule.

New in productivity and collaboration

Install the May 2026 security update for Windows 11, versions 25H2 and 24H2 to get these and other capabilities, which will be rolling out gradually:

[FILE EXPLORER] – View and Sort preferences are now preserved in folders such as Downloads and Documents when apps launch File Explorer directly to those locations. File Explorer also now supports uu, cpio, xar, and NuGet Packages (nupkg) archive formats.
[INPUT] – Voice typing on the touch keyboard now looks simpler and more intuitive. The updated design removes the full‑screen overlay and shows voice typing animations directly on the dictation key.

New features and improvements are coming in the June 2026 security update. You can preview them by installing the May 2026 optional non-security update for Windows 11, versions 25H2 and 24H2. This update includes the gradual rollout of:

[AUDIO] – Shared audio enables two people to listen to the same audio from a single Windows 11 PC at the same time.
[CAMERA] – Windows 11's Multi-App Camera feature allows multiple applications to access your camera stream at the same time.
[MAGNIFIER] – Magnifier now provides clearer and more consistent announcements when working with a screen reader. You'll hear helpful announcements when you zoom in or out, switch views, turn color inversion on or off, or turn Magnifier on or off. In addition, Magnifier now supports magnification of permitted protected content.
[SEARCH] – Windows Search will now find and prioritize files with as few as two characters.
[PERFORMANCE] – Task Manager now provides enhanced visibility into NPU usage, including new metrics and AI activity insights.

Lifecycle reminders

Check out our lifecycle documentation for the latest updates on Deprecated features in the Windows client and Features removed or no longer developed starting with Windows Server 2025.

Additional resources

Looking for the latest news and previews for Windows, Copilot, Copilot+ PCs, the Windows and Windows Server Insider Programs, and more? Check out these resources:

Windows Roadmap for new Copilot+ PCs and Windows features – filter by platform, version, status, and channel or search by feature name
Microsoft 365 Copilot release notes for latest features and improvements
Windows Insider Blog for what's available in the Beta and Experimental channels
Windows Server Insider for feature preview opportunities
Understanding update history for Windows Insider preview features, fixes, and changes to learn about the types of updates for Windows Insiders

Join the conversation

We are always looking to improve this monthly summary. Drop us a note in the Comments and let us know what we can do to make this more useful for you!

Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.

Updated Secure Boot status report in Windows Autopatch

Harman_Thind — Tue, 19 May 2026 19:50:26 GMT

Do more with the improved Secure boot status report in Windows Autopatch. Now, you can gain better device-level visibility into certificate status, trust configuration, and readiness for Secure Boot certificate updates. New interactive certificate-level details fit directly into your certificate rollout workflow:

Identify devices that aren't up to date.
Use trust configuration and certificate details to understand applicability.
Check confidence level to determine your rollout strategy.
Use alerts and timestamps to validate reporting freshness and prioritize action.
Plan targeted remediation instead of broad deployments.

From policy deployment to actual Secure Boot readiness

Secure Boot is a core Windows security feature that helps ensure devices start up using only trusted, digitally signed components. It helps protect against boot-level malware and enforces a root of trust during startup. As Secure Boot certificates evolve and older certificates approach expiration, visibility into device readiness becomes critical.

To deploy Secure Boot certificate updates, the recommended option is to enable the EnableSecurebootCertificateUpdates policy. When active, the policy automatically sends certificate updates to supported and eligible devices but requires a device restart to complete the process.

However, before enabling a Secure Boot policy, it's important to understand:

Which devices have updated their certificates and are protected
Whether firmware configuration blocks updates
Whether devices are ready for rollout
When to take action

The Secure Boot status report addresses this gap by giving you a data-informed view of device readiness, not just policy assignment status. The report provides a device-level view of Secure Boot across your Windows Autopatch-managed devices. Let's walk through how to quickly understand your fleet's readiness.

Note: Certificate readiness presupposes devices with Secure Boot enabled. Devices with Secure Boot disabled are included for visibility only. They don't require any action.

How to use the Secure Boot status report

The report includes several key signals designed to help you make informed decisions.

Ready to see it in action? Start here:

Go to the Intune admin center.
Open Reports > Windows Autopatch > Windows quality updates.
Select Reports.
Open Secure Boot status.

Identify devices that aren't up to date by certificate status

Find the new column called Certificate status. See which certificates require action based on an aggregate view. Here's what each status means:

Up to date: No action is required.
Not up to date: Devices require certificate updates.
Not applicable: Secure Boot isn't enabled.

Drill into this field to see per-certificate details. No need for custom scripts or manual validation. Select the status cell for any device to see whether Secure Boot is enabled, its trust setting, and status for each of the four required certificates.

Use trust configuration and certificate details to understand applicability

Not all devices require the same set of Secure Boot certificates. The Secure Boot trust setting column shows whether a device trusts:

Microsoft-only components
Both Microsoft and non-Microsoft components

This is important because certificate applicability depends on how the device is configured, not just what exists on disk. For example, a device may be fully compliant even if certain certificates aren't present. This happens if certificates aren't required for that configuration.

Check confidence level to determine your rollout strategy

This is one of the most important additions in the new version of the report. The Confidence level column helps guide deployment decisions based on Microsoft-observed data across similar devices and firmware configurations. Select any cell to see a flyout summary for that device. Review the description of the status and the recommended action. It also states whether the high-confidence deployment policy is allowed.

Use this data to:

Confidently auto-deploy updates to high-confidence devices.
Manually validate devices with limited or no data.
Pause rollout where known issues exist.

Here are recommendations based on confidence level labels:

High confidence: Deploy the certificates depending on the policy setting:
- If the high-confidence policy is allowed: No action is required. Devices will automatically receive Secure Boot certificate updates through Windows Update.
- If the high-confidence policy isn't allowed: Deploy certificate updates manually when ready.
Under observation: Test certificate updates in controlled rollout.
No data observed: Carefully validate certificate updates before broad deployment. Microsoft hasn't observed this type of device in Secure Boot update data.
Temporarily paused: Don't deploy. Devices in this group are affected by a known issue. Consult with your OEM for possible firmware updates.
Not supported: Exclude these devices from automation.

Use the confidence level data to take out guesswork from your Secure Boot certificate rollout strategy and turn it into data-informed deployment.

Use alerts and timestamps to prioritize action

A new Alerts column helps you validate reporting freshness and prioritize action. The report surfaces the following operational signals:

Devices missing diagnostic data
Devices requiring action
Timestamp of last reported diagnostic data

Important! To avoid false assumptions when validating rollout progress, note these important limitations:

Status updates can take up to 12 hours after restart to be reflected.

Devices must send required diagnostic data to appear correctly in the report.

Inactive devices might show up as Unknown.

Plan targeted remediation of Secure Boot certificates

Secure Boot certificate updates are not uniform across devices. They depend on firmware, configuration, and trust models. Due to this variation, applying Secure Boot updates sometimes sees unexpected results.

Without clear visibility, organizations risk:

Missing required updates
Deploying updates too broadly
Misinterpreting device readiness

The Secure Boot status report gives you a more precise, device-level understanding of readiness, so you can act confidently and help reduce risk across your estate. Together, these improvements focus on one thing: making the data actionable. If needed, make data-informed decisions on targeted remediations instead of broad deployments.

Note on Secure Boot updates and hotpatch updates

If you're using hotpatch updates, plan for a one-time change in strategy. More devices become eligible for Secure Boot certificate updates over time based on high-confidence diagnostic data. High-confidence deployment relies on data included in monthly non-security preview updates, which are typically released the fourth week of the month. By definition, devices receiving hotpatch updates don't receive these preview updates. As such, these devices might not progress at the same rate as other devices. Here's the implication:

Devices might not receive updated high-confidence data in May or June.
Some devices might not become eligible for automatic deployment during that time.

In addition, applying Secure Boot updates requires device restarts to complete changes to:

Secure Boot certificates
The Windows Boot Manager

As a result of this design, devices receiving hotpatch updates will only receive updates automatically during the next baseline month (for example, April or July).

To move forward sooner, your organization can:

Install the latest monthly non-security preview update (instead of a hotpatch update) to pick up updated high-confidence data.
Restart the devices to complete the update process.
Optional: Temporarily pause hotpatch updates and plan maintenance windows during Secure Boot rollout. Then resume hotpatch updates.

Learn more or bookmark these resources:

Continue the conversation. Find best practices. Bookmark the Windows Tech Community. Looking for support? Visit Windows on Microsoft Q&A.

Admin Insights for Windows 365: Stay on top of what needs attention — now in public preview

madelinecarr — Tue, 19 May 2026 16:00:00 GMT

When IT administrators are looking for the most critical actions to take, being able to quickly understand what is happening in their environment can make a big difference.

With this in mind, we’re excited to announce Admin Insights for Windows 365, now in public preview, designed to help IT administrators quickly understand what’s happening in their environment and where to focus.

To learn more and access technical guidance, visit the Admin Insights for Windows 365 documentation.

Understanding your environment, faster

IT administrators managing Windows 365 Cloud PCs rely on a range of signals—including reports, alerts, and device views—across the Microsoft Intune admin center to understand the health of their environment.

These signals provide valuable visibility across the Windows 365 environment. As environments scale, quickly surfacing what needs attention—and acting on it—becomes more important.

Bringing key signals together in one place

Insight cards surface signals for review when thresholds are met.

Admin Insights builds on existing reporting, monitoring, and alerting by bringing important signals together directly into the Windows 365 experience.

With Admin Insights, IT administrators can:

Identify what needs attention across their Cloud PC environment
Understand environment health at a glance, without digging through multiple reports
Spot unexpected changes and outliers, such as spikes in failures or degraded performance
Focus on what to do next, using signals surfaced in one place

What powers Admin Insights

Admin Insights surfaces dynamic insight cards in the Windows 365 management portal in Intune, based on changes and patterns across your Cloud PC environment:

Insight cards are generated automatically, based on activity across your environment
Up to 15 insight cards may be displayed, covering general health and outlier conditions
Cards appear contextually, highlighting what needs attention as changes are detected
Each card maps to a specific scenario, such as unhealthy Cloud PCs or connectivity failures

Get started with Admin Insights

Admin Insights are available on the Cloud PC Overview page. Insight cards appear when defined thresholds are met, surfacing key signals.

To learn more, visit the Admin Insights for Windows 365 documentation. The feature will continue to extend to new scenarios and Windows 365 surfaces in the Intune portal, providing IT administrators with the information they need, where they need it.

Easily identify Windows protected print mode compatible devices

elliesekine — Thu, 14 May 2026 16:00:00 GMT

As organizations work to modernize their print environments and reduce reliance on legacy drivers, Windows protected print (WPP) mode helps improve system security by enforcing the use of the Windows modern print stack and introducing additional security features.

To help IT admins and users easily understand which devices are compatible with this more secure printing experience, Windows is introducing a new icon that can be found in Settings > Bluetooth & devices > Printers & scanners:

Printer with compatibility icon indicating support for Windows protected print mode.

This icon appears next to each installed printer that supports Windows protected print mode, which requires IPP-capable printers.

This update helps IT administrators quickly evaluate printer readiness for Windows protected print mode before enabling it across managed devices. If your environment’s printers support WPP, we highly recommend enabling it to create a more secure print ecosystem.

Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us on LinkedIn or @MSWindowsITPro for updates. Looking for support? Visit Windows on Microsoft Q&A.

Configuring firewall and proxies for smooth Windows updates

Dave_Roth — Mon, 11 May 2026 16:00:00 GMT

Having trouble connecting to Windows Update? If your devices experience difficulties getting updates, you're likely just one step away from the solution. The key is in the configuration of your network endpoints for firewalls and proxies. This post provides actionable guidance on how to identify the cause of the issue and remedy the situation.

How the Windows Update service and networking interact

The Windows Update service makes use of Internet hosted services to widely distribute updates to Windows devices. Windows devices connect to Windows Update services to check for various updates, including monthly security and non-security updates, driver and .NET Framework updates, machine learning (ML) model updates, and more.

Typically, a Windows Update scan occurs automatically or when triggered manually by the user. Once started, the process scans for updates, downloads, and installs them. However, some network configurations obscure this process, leading to errors or the inability to update a device. Luckily, there are measures you can take to avoid this.

Security is embedded in the Windows Update experience

Security is paramount for Windows Update. Its whole purpose is to help keep your devices protected and productive. Therefore, there are multiple protections to ensure that your device connects to authentic Windows Update services. However, there's one specific networking security consideration we'll focus on: Transport Layer Security (TLS).

You probably know TLS (sometimes referred to by an older protocol known as SSL) as the https:// element you type into your browser. This moniker instructs your browser to connect to a web server using HTTP over a TLS connection. Doing so helps ensure the following between your device and a web server:

The connection is protected from eavesdropping. It encrypts the data between your device and the server.
The connection can detect changes made to your data over the network. It provides integrity checks that your device can validate.
The connection is trusted. Your device inspects a TLS “certificate of authenticity” that the server provides to prove who it is.

When Windows interacts with the Windows Update service, it performs all of these checks. Additionally, it double-checks that the server isn't only trusted, but it's what it claims to be. This is done by verifying that the server's TLS certificate is chained up to a specific certificate authority (CA). Windows refers to this as a Windows Update trust anchor.

If the TLS certificate isn't issued by an actual Windows Update trust anchor, Windows won't trust that the server is a genuine Windows Update server and immediately disconnects. That's good news until you accidentally lock yourself out of accessing trustworthy Windows Update services.

Proxy server and firewall configurations to watch

Some networking environments implement special firewalls or proxies that intercept TLS connections. They typically perform TLS inspection, validating that the request to a server is legitimate and adheres to an organization's security and other policies. This is how some firewalls and proxies might block access to forbidden content.

When TLS inspection occurs in this way, the firewall or proxy server generates its very own certificate. Even though it is generated by the firewall or proxy, it appears to be legitimate (containing SAN entries for the URL's fully qualified domain name) and is trusted by the client's browser. Typically, this involves generating a TLS certificate to match the requested URL and signing it by the organization deploying these firewall/proxy services. Since the client device is a member of the organization, it inherently trusts these certificates signed by the same organization.

When this occurs, the Windows Update client detects that the TLS certificate issuer isn't a genuine Windows Update issuer. By design, the client only trusts certificates issued by the Windows Update service. This feature of “pinning” solely to TLS certificates issued by the Windows Update service protects the distribution and delivery channels from man-in-the-middle (MITM) attacks. Again, this is good news for your security posture, except when exceptions are needed.

The role of VPNs

Some virtual private network (VPN) providers block access or DNS lookups to prevent overloading the VPN network with high-volume traffic downloads. That's another potential cause of blocked access for Windows devices. If you're experiencing Windows Update issues over a VPN connection, contact your VPN provider.

Care with scripting

If you're an avid PowerShell administrator, you might be forcing Windows Update to scan using scripts that call into the Windows Update public API. In this case, these calls might return one of the error codes listed below and add an entry for the error to the Windows Update log. If this happens, remediation steps are the same as if you found them in the Windows Update log.

Note: The Windows Update protocol is complex and consists of multiple different connections and endpoints. Simply connecting to one of the Windows Update servers doesn't tell the bigger picture of end-to-end protocol success. Rely on API result codes and/or the Windows Update log to determine success.

How to tell if you're blocked

If your Windows device is not receiving Windows updates as you expect, check if your connections are being blocked. Whether the source of the issue is a proxy server, firewall, or VPN, you can use the following steps to troubleshoot and move forward.

The first thing to check is the Windows Update audit log. Generate it from PowerShell, running the Get-WindowsUpdateLogs command:

$output = "$env:TEMP\WindowsUpdate.log"
Get-WindowsUpdateLog -LogPath $output
Write-Host "Windows Update log written to $output"

Once you have the log file, look for any of the following error codes:

0x8024402c (decimal: -2145107924)
This is the WU_E_PT_WINHTTP_NAME_NOT_RESOLVED error. It means that the Windows device was unable to resolve the Windows Update server DNS name to an IP address. Your organization might be blocking Fully Qualified Domain Name (FQDN) to IP address resolution.
0x80240438 (decimal: -2145123272)
This is the WU_E_PT_ENDPOINT_UNREACHABLE error. You receive this if the FQDN has been properly resolved to an IP address, but the Windows device is unable to connect to the server. This is probably due to a firewall or proxy blocking access.
0x80245006 (decimal: -2145103866)
This is the WU_E_REDIRECTOR_INVALID_RESPONSE error. This can show up for several reasons. For the sake of this discussion, it typically means one of the following:
- Your connection with the Windows Update service was unable to procure data it needs. For example, your connection might have dropped during the client-server interaction. In this case, check that your connection to the Internet is stable and not dropping.
- Your device was unable to validate the server's TLS certificate via trust anchor certificate pinning. This is most likely the case if your firewall or proxy is performing TLS inspection.
0x80240437 (decimal: -2145123273)
This is the WU_E_PT_SECURITY_VERIFICATION_FAILURE error. Your device was unable to prove that the connected server is legitimate and genuine Windows Update. Similar to the WU_E_REDIRECTOR_INVALID_RESPONSE error, your device couldn't validate the server's TLS certificate via trust anchor certificate pinning. Again, check if your firewall or proxy is performing TLS inspection.

If your log shows any of these error codes, work with your IT team to help ensure that firewalls and proxies are properly allowing Windows Update connections. In some cases, VPNs may be blocking FQDN resolutions or connections to the Windows Update service. If you're using a VPN, check with the VPN provider.

Recommended configurations and exceptions

A trusted connection requires trusted subdomains

To ensure that Windows devices can properly access genuine Windows Update services, firewalls and proxies need to allow those connections to pass through uninterrupted. That is to say, without generating and using its own TLS certificate.

To do this, proxies and firewalls need to create “pass through” exceptions for these Windows Update connections. This is typically done by allow-listing specific Windows-Update-related DNS host names. There are several of these qualified DNS names (FQDN) that you need to accommodate. You can learn more about the FQDNs requiring these exceptions in the Windows Update sections of the following:

Note that for the FQDNs related to Windows Update, the * wildcard is recursive. For security and scalability purposes, host and DNS subdomain names might need to periodically change.

For example, here's a recommended DNS host name:

*.update.microsoft.com

It represents all of the following hosts and subdomains:

update.microsoft.com
sls.update.microsoft.com
tas02.sls.update.microsoft.com

This means that you should trust all the DNS hosts and subdomains related to wildcard FQDN for the connection to work properly. Check if these subdomains are missing. In many cases, it should only take you a few minutes to update your proxy and firewall configurations to include them.

A special case of WSUS servers

Do you use Windows Server Update Services (WSUS) in your networks? In this environment, instead of connecting to the Windows Update service directly, Windows devices connect to an IT-managed WSUS server. If you're a server administrator, you orchestrate which updates are available on the WSUS server for your devices to update. And since these devices don't need to traverse a proxy or firewall for a genuine Windows Update server, the FQDN exceptions aren't necessary.

You can require TLS connections between your devices and the WSUS server. Additionally, you have the option to certificate-pin the WSUS server to your TLS certificates, much like you do with Windows Update. To use this option, you might need to make proper proxy or firewall exceptions for any device connecting to your TLS, certificate-pinned WSUS server. To learn more about WSUS certificate pinning, see:

An easy fix is good news

Difficulties keeping Windows devices up to date with the latest updates might have to do with the embedded network security design. Windows Update doesn't trust servers that don't have TLS certificates issued by an actual Windows Update trust anchor. Your firewalls and proxies might block access to the trustworthy and necessary Windows Update service if your configuration is either intercepting TLS connections or isn't passing TLS requests through for the necessary DNS subdomains. The good news is that there's normally an easy fix for Windows Update connection issues. Essentially, make sure to trust FQDN subdomains of the recommended DNS subdomains.

Here are some resources to help you learn even more:

Continue the conversation. Find best practices. Bookmark the Windows Tech Community. Looking for support? Visit Windows on Microsoft Q&A.

Advancing print readiness across the Windows on Arm ecosystem

Phani_Krishna_Maringanti — Wed, 06 May 2026 16:00:00 GMT

Momentum across the Windows on Arm ecosystem continues to build as more commercial and retail customers adopt Arm-based Windows devices for everyday work. Customers are realizing tangible benefits such as improved performance per watt, longer battery life, quieter devices, and more consistent responsiveness across native Arm64 application workflows. As adoption grows, however, success depends not only on application availability, but on the readiness of foundational systems that customers rely on regardless of device or architecture. Printing, deeply embedded in business operations, remains one of the critical workflows that must keep pace.

Microsoft’s Modern Print Strategy provides an important foundation for this transition, modernizing printing on Windows through standardized protocols, inbox class drivers, and extensible Print Support Apps. This approach aligns closely with the needs of Windows on Arm by reducing complexity and enabling consistent, secure printing across architectures. At the same time, Microsoft recognizes that many commercial customers depend on established print workflows, and that hardware partners continue to support these needs through universal and native print drivers. Together, these models enable both software developers and hardware partners to extend reliable print solutions to Windows on Arm, consistently and reliably.

Below is a snapshot of print companies that have recently delivered or expanded solutions supporting Windows on Arm, demonstrating how the modern print ecosystem is evolving to meet customer expectations as Windows devices and the workloads they power continue to modernize.

	HP Universal Print Solutions HP provides universal print driver solutions that streamline support across diverse HP device fleets. The HP Universal Print Driver (UPD) and HP Smart Universal Print Driver (SUPD) enable consistent printing without requiring model-specific drivers. HP offers Windows 11 Arm64 support enabling Windows on Arm devices to print reliably to supported HP printers using a unified driver platform.
	HP Print Support Application The HP Print Support Application, previously known as the HP Universal Print Application, enhances the printing experience for HP devices configured with the Microsoft IPP Class Driver. Developed on the Windows Print Support App (PSA) framework, it works seamlessly with Microsoft’s modern IPP-based print architecture to deliver features and functionality beyond the standard class driver. The application is compatible with Windows 11, including Arm64 systems, and supports a broad range of HP printers, with additional models being added regularly.
	uniFLOW Online uniFLOW Online is a cloud native print and scan management solution built on Microsoft Azure that eliminates on-premises print servers while providing centralized control, security, and cost visibility across distributed environments. With support for Windows 11 devices on both AMD64 and Arm64 (including Copilot+ PCs), uniFLOW Online enables secure, consistent printing and scanning across modern Windows hardware using Microsoft Modern Print and Zero Trust cloud workflows.
	uniFLOW uniFLOW is an enterprise print, scan, and device management platform supporting server‑based and hybrid deployments, enabling secure workflows across complex, mixed‑fleet environments. With the uniFLOW 2025 LTS release, the platform adds support for Windows Protected Print and Windows 11 Arm64 PCs, so organizations can integrate modern Windows on Arm devices into existing on‑premises and hybrid print infrastructures.
	PaperCut MF PaperCut MF is an enterprise print management solution providing centralized control and security across printing, copying, and scanning. It bridges the gap when manufacturers lack native Arm drivers by supporting Windows on Arm devices with compatible clients. This enables organizations to manage mixed-architecture fleets while ensuring secure, policy-driven printing across modern Windows hardware.
	PaperCut Hive PaperCut Hive is a cloud-native print management solution that provides centralized control and secure printing without the need for on-prem infrastructure. Where manufacturers do not have Arm drivers, it helps ensure seamless printing across Arm64 and x64 systems. This enables organizations to confidently deploy modern Windows hardware while maintaining consistent policy enforcement across distributed fleets.
	Pharos Cloud Pharos Cloud is a secure, cloud-based print management platform that helps organizations reduce costs, eliminate print servers, and simplify IT operations. It enables direct IP and secure release printing from any location and streamlines management of enterprise printing across multi-vendor fleets. Pharos Cloud supports Copilot+ PCs, Windows on Arm, and Windows Protected Print using the Microsoft IPP Class Driver rather than legacy manufacturer drivers. This approach to cloud-based printing provides a supported path for enterprises introducing Arm-based Windows devices and Windows Protected Print while maintaining centralized control.
	RICOH Print Support Application Ricoh Print Support Application enables advanced, printer‑specific functionality for Ricoh devices on modern Windows systems by restoring vendor features on top of Microsoft’s driverless IPP printing model. The application runs on both 64‑bit Windows and Windows on Arm, supporting Windows 11 Arm64 PCs while aligning with Windows Protected Print and Microsoft’s move away from third‑party printer drivers. Organizations can use secure and authenticated printing with Ricoh printers without installing traditional device drivers.
	Printix Client for Windows Tungsten Printix is a cloud-based, serverless print management solution designed to streamline printing across distributed and hybrid environments. With support for Windows on Arm devices through the Printix client, organizations can seamlessly manage print queues, drivers, and policies across both Arm64 and x64 Windows systems. This eliminates the need for on-premises print servers or VPN dependencies, providing robust security in a cloud-managed infrastructure with authenticated access ensuring, a reliable and efficient printing experience.
	Vasion Print Vasion Print delivers Intelligent Print Automation for commercial and enterprise organizations: modernizing print infrastructure, consolidating print environments, and automating print and document workflows across distributed Windows environments. Built on a cloud-native, serverless architecture, Vasion Print eliminates traditional print servers through centralized, direct-IP printing and automated driver deployment. Native support for Windows on Arm means organizations can manage Arm64 and x64 devices seamlessly from a single SaaS console.
	Xerox Global Print Driver Universal PCL and PostScript print driver that enables consistent printing across mixed device fleets without model‑specific drivers. Xerox provides Windows 11 Arm64 versions of the Global Print Driver, allowing Windows on Arm devices to print to supported Xerox and compatible printers using a single universal driver.
	Xerox Print and Scan Experience App This desktop application delivers advanced print and scan features for Xerox and Lexmark devices using Microsoft’s modern IPP‑based printing model. The app includes Xerox Print Support Application (PSA), restoring device‑specific functionality when using Microsoft IPP Class Driver or Universal Print Class Driver queues, and supports Windows 11 systems including Arm64 devices. This enables secure, driverless printing and scanning aligned with Windows Protected Print without relying on traditional third‑party drivers.
	Xerox Workplace Cloud Xerox® Workplace Cloud is a cloud‑based print management solution that centralizes printer discovery, secure release, and usage tracking across distributed environments. It provides native client support for Windows on Arm devices, with Arm‑compatible Workplace Cloud clients available for managed deployment, enabling organizations to manage printing consistently across Arm64 and x64 Windows fleets without on‑premises print servers.
	Zebra ZDesigner Printer Driver Zebra ZDesigner Printer Driver v10 is a modern, Windows‑based ZPL printer driver meant for Link‑OS Zebra label printers. It enables full-featured printing, configuration, and management on supported Zebra devices using Windows operating systems running on machines with x86 / x64 or Arm processors.

As more organizations adopt Windows on Arm, the opportunity for print and device software vendors continues to grow. At the same time, enabling support across architectures can introduce real engineering challenges, from validating compatibility to modernizing legacy components. Microsoft App Assure, through its Arm Advisory Service, is available to help navigate these transitions.

Listen to what some partners have to say about working with us:

Matthew Coad, Head of Self Hosted Software / Sales and Channel APAC, PaperCut

“Working with Microsoft’s App Assure team enabled us to support customers moving to ARM64 devices while maintaining print continuity and resolving driver compatibility challenges. This collaboration allowed us to deliver PaperCut Hive and PaperCut MF as reliable solutions for mixed x64 and ARM64 environments, ensuring consistent, high‑quality printing as organizations modernize their Windows fleets.”

Julian Sharpe, Worldwide VP Engineering, Pharos Systems International

“Working with Microsoft’s App Assure team helped us to support customers adopting Windows on Arm and Windows Protected Print by validating cloud printing across mixed fleet environments. Through our close collaboration, shared customers can now standardize on Pharos Cloud to enhance security and centralize print insights, all built on a modern, IPP-based foundation.”

The App Assure team works directly with developers to reduce friction, resolve compatibility issues, and accelerate readiness for Arm-based Windows devices, through direct engineering support. Whether you’re modernizing an existing print solution or building something new, we’re here to help you deliver fast, reliable, and high-quality experiences on Windows.

If you’re a company looking to support Windows on Arm or extend your solution using modern print capabilities, reach out via our intake form to get started.

Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us on LinkedIn or @MSWindowsITPro for updates. Looking for support? Visit Windows on Microsoft Q&A.

Windows news you can use: April 2026

Chris_Morrissey — Fri, 08 May 2026 04:24:59 GMT

This month, the Windows Accessibility team delivered its first interactive deep dive on the Tech Community featuring demos of the latest improvements in Narrator and live Q&A. Watch it on demand to help ensure your organization is taking advantage of the latest Windows 11 accessibility features. Create a digital environment where everyone is empowered to achieve more.

We also continue to host Ask Microsoft Anything (AMA) here on the Tech Community to help you plan for older Secure Boot certificates starting to expire in June. Watch this month's AMA on demand—and save the date for the next Secure Boot AMA on May 18 if you have any outstanding questions.

Now on to more highlights from April with this month's edition of Windows news you can use.

New in Windows update and device management

[APPS] [STORE] – You can now use policy to remove select pre-installed Microsoft Store apps on devices running Windows 11, version 25H2 or version 24H2. In addition, a new dynamic app removal list lets you remove any preinstalled MSIX/APPX app by referencing its Package Family Name (PFN).
[APPS] [INTUNE] – App inventory in Microsoft Intune now updates Windows apps on a more frequent schedule. It only uploads changes since the last sync, which can help limit additional network usage. To take advantage of this capability, you'll need to set a new device configuration policy and assign that policy to desired corporate-owned Windows 11 devices enrolled in Microsoft Entra ID.
[W365] – A new Windows 365 monitoring and reporting platform, now in public preview, consolidates Cloud PC health, performance, and configuration data into integrated dashboards in Intune.
[W365] – User-initiated provisioning for Windows 365 Reserve is now in public preview. This IT-enabled setting allows users to initiate provisioning themselves, within existing policy and security controls, from Windows App.

New in Windows security

[AUTOPATCH] – A new Windows Autopatch report reflects updated recommendations on patch compliance. It also highlights risk exposure based on configured policies and update rollout status across your estate.
[HARDENING] [ADMIN] – Administrative actions are undergoing hardening changes that reduce the risk of privilege escalation and unauthorized access on Windows devices. Specifically, Windows now detects and blocks authentication attempts between machines that share duplicate SIDs.
[HOTPATCH] – Need to explain the security architecture advantage behind hotpatch updates? Explore a concise explanation of how they support continuous protection, accelerate patch compliance, and reduce operational disruption.

New in AI

The following AI-powered capabilities are gradually rolling out beginning with the April 2026 security update:

[NARRATOR] – Narrator now works with Copilot on all Windows 11 devices. Get instant, on‑device descriptions and the ability to select Ask Copilot for more detail.
[INPUT] – With updates to the Pen settings page, users can now enable the pen tail button to open the same app as the Copilot key.
[COPILOT] - A new RemoveMicrosoftCopilotApp policy setting allows you to uninstall Copilot from devices in your organization in a non-disruptive way.

To learn about latest capabilities for Copilot+ PCs, visit the Windows Roadmap and filter Platform by “Copilot+ PC Exclusives.”

New in Windows Server

For the latest features and improvements for Windows Server, see the Windows Server 2025 release notes and Windows Server, version 23H2 release notes.

[FEATURE UPDATES] – Running Windows Server 2022 or Windows Server 2019? You can now opt in to the Windows Server 2025 feature update from the Settings dialog.
[EVENT] – The Windows Server Summit starts next Monday and runs May 11-13, 2026 from 7:00 a.m. to 12:00 p.m. PDT. If you haven't already, make sure to add sessions of interest to your calendar and register for the VIP experience. As a VIP, you'll receive access to the presentation decks and a chance to participate in a private virtual roundtable with the Windows Server product team.

New in productivity and collaboration

Install the April 2026 security update for Windows 11, versions 25H2 and 24H2 to get these and other capabilities, which will be rolling out gradually:

[FILE EXPLORER] – You can use Voice Typing (Windows logo key + H) when renaming a file in File Explorer.
[SETTINGS] – The device information card on the Settings Home page simplifies key device specifications. Experience the improved consistency across the end-to-end flow from the Home Card to the Settings > System > About page. It should now be easier to scan and understand information.
[DISPLAY] – When you use a native USB4 monitor connection, the USB controller can now enter its lowest power level while the PC is sleeping, which helps save battery life.

New features and improvements are coming in the May 2026 security update. You can preview them by installing the April 2026 optional non-security update for Windows 11, versions 25H2 and 24H2. This update includes the gradual rollout of:

[FILE EXPLORER] – View and Sort preferences are preserved in folders such as Downloads and Documents when apps launch File Explorer directly to those locations. Archive formats now include uu, cpio, xar, and NuGet Packages (nupkg).
[INPUT] – Voice typing animations on the touch keyboard now appear directly on the dictation key, helping you stay focused without extra visual distractions.

Also, take note that the Windows Insider Program team is simplifying the Insider experience by moving to two primary channels: Experimental and Beta. Other changes to the program include making changes behind-the-scenes to enable Insiders to use an in-place upgrade to hop between versions.

Lifecycle reminders

Check out our lifecycle documentation for the latest updates on Deprecated features in the Windows client and Features removed or no longer developed starting with Windows Server 2025.

Additional resources

Looking for the latest news and previews for Windows, Copilot, Copilot+ PCs, the Windows and Windows Server Insider Programs, and more? Check out these resources:

Windows Roadmap for new Copilot+ PCs and Windows features – filter by platform, version, status, and channel or search by feature name
Microsoft 365 Copilot release notes for latest features and improvements
Windows Insider Blog for what's available in the Canary, Dev, Beta, or Release Preview Channels
Windows Server Insider for feature preview opportunities
Understanding update history for Windows Insider preview features, fixes, and changes to learn about the types of updates for Windows Insiders

Join the conversation

If you're an IT admin with questions about managing and updating Windows, add our monthly Windows Office Hours to your calendar. We assemble a crew of Windows, Windows 365, security, and Intune experts to help answer your questions and provide tips on tools, best practices, and troubleshooting.

Finally, we're always looking to improve this monthly summary. Drop us a note in the Comments and let us know what we can do to make this more useful for you!

Continue the conversation. Find best practices. Bookmark the Windows Tech Community. Looking for support? Visit Windows on Microsoft Q&A.

Windows 365 and Azure Virtual Desktop: Expanding access

Tristan Scott — Mon, 04 May 2026 16:59:00 GMT

The way people work continues to evolve—and so do the ways organizations use Windows delivered from the cloud. From small businesses without dedicated IT teams, to enterprises modernizing existing virtualization deployments, to shift workers who need flexibility without a dedicated device, the range of scenarios continues to grow. Today’s updates build on that momentum—expanding how Windows 365 and Azure Virtual Desktop support more environments, more customers, and more ways of working.

Windows 365 and Azure Virtual Desktop have always been built to meet customers where they are and support their future ambitions.

Today, we’re announcing updates that extend that flexibility even further—helping more customers adopt cloud-powered Windows experiences in ways that fit their reality.

Making Cloud PCs more accessible for small and medium businesses

Small-to-medium-sized businesses don’t buy or use technology the way large enterprises do. Windows 365 Business is designed for smaller organizations (up to 300 seats) that want ready-to-use Cloud PCs with simple management—without needing other Microsoft licenses to get started. To make Windows 365 Business even more accessible, we're reducing the list price of Windows 365 Business by 20% across all Cloud PC configurations as of May 1, 2026.

In addition to our permanent price drop, eligible new customers can save an additional 20% off the new lower price through June 30¹.

This price change helps reduce the barriers to getting started with Windows 365. Cloud PCs are now even more accessible to smaller organizations, helping them give their people a full, secured Windows experience from the cloud.

A new name for Windows 365 Frontline—and a broader mission

Shift workers, part-time employees, and others who only need a computing device for periodic use have historically shared physical PCs at a desk on-site. In a workplace that's increasingly distributed, that model breaks down: workers can't easily share a device they no longer sit next to. And for many organizations, equipping workers with a dedicated PC isn't economically feasible—especially when many only need access for a few hours a day.

That's the gap Windows 365 Flex (formerly Windows 365 Frontline) is built to close.

Designed for organizations of any size, Windows 365 Flex is a secured, flexible solution that enables organizations to deliver Cloud PCs in ways that fit how employees work, whether through shared access or cost-efficient dedicated experiences.

It gives organizations the flexibility to extend cost-effective, personalized technology access to any employee who doesn't require a dedicated PC of their own. Once employees sign in, they have immediate access to all their personalized resources—apps, data, desktops, and settings—so they can hit the ground running. Windows 365 Flex can also be deployed in shared mode, where the Cloud PC can be reset to a fresh state between each use, or optionally persists a user’s settings and application data across sessions. Windows 365 Flex in shared mode also serves as the foundation for Windows 365 Cloud Apps—an app-only experience that provides users with access to individual applications without requiring a dedicated Cloud PC. Windows 365 Flex can also be provisioned in configurations that support the requirements of developers.

Since Windows 365 Frontline was first launched, we have seen it adopted more broadly across organizations with part-time employees, seasonal staff, contractors, and roles that require occasional or task-based PC access. The new name, Windows 365 Flex, better represents this flexibility. It reflects a broader shift—from solving a niche scenario to enabling workers of all types to participate in the modern organization in the way that works best for them.

The name change does not affect how the service works or how it is purchased.

Azure Virtual Desktop Hybrid now in public preview

For many organizations, the journey to the cloud isn’t a single step—it’s a path shaped by regulatory needs, existing investments, and operational realities. For customers who can't move every workload to the public cloud overnight, Azure Virtual Desktop Hybrid opens a new door. Now in public preview, it extends the Microsoft cloud-managed Virtual Desktop Infrastructure (VDI) service to on-premises environments—without requiring customers to replace existing infrastructure.

With Azure Virtual Desktop Hybrid, customers can run Azure Virtual Desktop session hosts on-premises using their existing hardware and preferred hypervisor connected through Microsoft Azure Arc. The Azure Virtual Desktop service remains in Azure, while session hosts can be deployed anywhere on-premises Azure Arc-enabled servers are supported. Users can access their desktops through the familiar Windows App.

This matters because it gives customers a phased, lower-risk path to cloud adoption:

Modernize legacy VDI environments at their own pace, preserving investments in datacenters, hardware, and operational tools.
Adopt cloud-managed desktops incrementally, with a clear path to migrate session hosts to Azure when the time is right.
Keep existing partner integrations for virtual machine management and provisioning.

In other words, customers now have a way to bring the simplicity of cloud-managed desktops to workloads that still need to live on-premises. Azure Virtual Desktop Hybrid is available to customers with an Azure subscription as part of the public preview. For instructions on how to get started with the Azure Virtual Desktop Hybrid public preview, please visit this link. You can also learn more about Azure Virtual Desktop Hybrid by contacting our launch partners LoginVSI, Nerdio, and Nutanix.

A complete Windows cloud portfolio for every scenario

Windows 365 was built on a simple idea: the familiar Windows experience, securely streamed from the Microsoft Cloud to any device, anywhere. Azure Virtual Desktop was built to give organizations the power and customizability of cloud VDI on their own terms. Together, these Windows cloud solutions are how Microsoft supports the full breadth of how people work.

A 20% list price reduction makes Windows 365 Business a better fit for the SMBs it's designed for. And renaming Windows 365 Frontline to Windows 365 Flex reflects an expanded mission: closing the digital divide for the periodic-use workers who have been left out too often. Public preview of Azure Virtual Desktop Hybrid brings cloud-managed VDI to environments that need to stay on premises.

Different audiences. Different segments. Different starting points. One portfolio that expands to meet their needs.

To learn more:

Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us on LinkedIn or @MSWindowsITPro for updates. Looking for support? Visit Windows on Microsoft Q&A.

Windows 365 for Agents now in public preview: Run AI agents securely, at scale

SwarnimSrivastava — Fri, 01 May 2026 15:00:00 GMT

AI agents are rapidly evolving from tools that answer questions to performing human-level work inside an enterprise ecosystem, powering essential business workflows that have traditionally been completed manually. But while governance and policy models are emerging, one critical question remains unresolved for IT: where should agents actually run?

Many applications that enterprises rely on, from legacy line-of-business systems to complex multistep workflows, were not built with APIs. As a result, critical work still happens through user interfaces, where context, data, and intent are conveyed visually. To unlock their full potential, AI agents need to interact with applications the same way people do, using a computer to interact directly through clicks, typing, and navigation. Today, many agents execute on ad hoc infrastructure—local machines, shared virtual machines, or unmanaged cloud environment—creating gaps in identity, policy enforcement, auditability, and control. That makes it difficult for IT teams to confidently scale agentic workloads beyond API- or MCP-based pilots.

Today, we’re bringing Windows 365 for Agents to public preview (US only), providing a secured, purpose-built, IT-managed Cloud PC environment designed specifically for running AI agents at enterprise scale. Windows 365 for Agents provides agents with a dedicated, Microsoft Intune-managed Cloud PC—bringing the same identity, security, and compliance model IT already uses for employees to agent execution.

Windows 365 for Agents works alongside Microsoft Agent 365 (now generally available), which serves as the control plane for AI agents. It's where organizations define agent behavior, set up organizational policies, manage permissions, and maintain visibility into what agents are doing across the enterprise, whether those agents are built by Microsoft or third-party agent makers. Together, these two offerings give IT teams a clear model for governing what agents can do and securely managing where that work runs, enabling organizations to move from early agent experiments to IT-managed, production-ready deployments.

Think of it this way: every employee in an organization has an identity and works on a managed device, such as a Windows 365 Enterprise Cloud PC. Now, each AI agent also has its own identity, governed through Agent 365 and running on a managed Cloud PC provided by Windows 365 for Agents. It’s the same trust model and same IT controls—now extended to AI. By extending this proven model to agent workloads, organizations gain:

Enterprise-grade identity and access controls for every agent
Unified device and policy management through the tools IT already use
Global scalability and geo-level data residency options to meet compliance requirements

How Windows 365 for Agents fits into the Microsoft AI ecosystem

Microsoft 365 Copilot brings AI into the flow of work inside the apps employees already use. Behind it is Microsoft IQ, the intelligence layer that provides shared context across people, work, and the business—helping AI understand what matters in the moment and make informed decisions.

That intelligence enables agents to reason, but completing real work—especially for AI agents that interact with UI-based or legacy applications and browsers through computer-use workflows—requires a secured place to execute. Windows 365 for Agents provides that execution layer, delivering a fully managed Windows environment purpose-built for agentic workloads. Unlike ad-hoc infrastructure, Windows 365 for Agents is a complete, IT-managed Cloud PC service, with identity, security, policy, and lifecycle management handled for you.

Microsoft IQ gives agents the smarts; Windows 365 for Agents gives them the trusted runtime to get work done. All of this runs on Microsoft Azure, the global cloud foundation for secure, scalable AI. Agent 365 complements this model by providing the control plane to govern agent behavior end to end. These capabilities combine to form a single platform that lets organizations scale AI with confidence—without compromising trust.

Windows 365for Agents is the foundational layer for running agents securely across first-party and third-party agent makers.

Evaluating Windows 365 for Agents

Windows 365 for Agents is built for enterprise IT teams and the organizations they support, specifically those that:

Rely on applications that require UI interaction, including legacy tools, browser-based workflows, and systems where APIs alone aren't enough
Need enterprise-grade security and compliance for AI agents, with identity governance, policy controls, and audit trails
Want IT-managed environments for agent workloads without building and maintaining custom infrastructure
Are exploring human-in-the-loop models where agents work alongside people, requesting approval for sensitive actions

This includes IT administrators, security teams, digital workplace leaders, and platform teams responsible for enabling AI safely across the organization.

To bring this to life, this Windows 365 for Agents demo shows how agents move from setup to execution in a secured, managed environment.

Join the Windows 365 for Agents public preview (US only)

Ready to try Windows 365 for Agents? You will need:

Agent 365 license
Intune license
An active Azure subscription to support Window 365 for Agents billing

Setup and onboarding

Explore Agent 365 to understand how agents are defined, governed, and managed [Microsoft Agent 365 overview | Microsoft Learn]
Create an agent blueprint for scenarios that require Windows 365 for Agents [Discover, create, and onboard an agent | Microsoft Learn]
Set up billing for Windows 365 for Agents using your existing Azure subscription [Windows 365 for Agents Billing | Microsoft Learn]
Create a Cloud PC pool for agent workloads [Cloud PC Agent Pools | Microsoft Learn]
Explore and validate scenarios by running agents in a secure environment [Use and collaborate with agents in Agent 365 | Microsoft Learn]

Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us on LinkedIn or @MSWindowsITPro for updates. Looking for support? Visit Windows on Microsoft Q&A.

Dynamically remove apps from managed Windows 11 devices

Ingrid_Allen — Thu, 30 Apr 2026 18:00:00 GMT

You can now use policy to remove select pre-installed Microsoft Store apps on devices running Windows 11, version 25H2 or version 24H2. We've also made a significant update to this policy: a dynamic app removal list. This feature lets you remove any preinstalled MSIX/APPX app by referencing its Package Family Name (PFN).

What's the benefit? Fewer unwanted apps, simpler provisioning, and a more tailored desktop for your users. Just use a standard, policy-based approach that integrates with Microsoft Intune and Group Policy. This policy, called "Remove default Microsoft Store packages from the system," is available only on Enterprise and Education devices. The improvements are available starting with the April 2026 Windows non-security update. Additional Intune capabilities are coming.

Dynamic app removal list

Microsoft offers a set of robust policy controls to help you customize app availability for your users. With the latest updates to the RemoveDefaultMicrosoftStorePackages policy, you can now remove any MSIX/APPX packaged app. Just add its Package Family Name (PFN) to the new dynamic app removal list. Today, you can use Group Policy Object (GPO) or custom OMA-URI for mobile device management (MDM).

Group Policy

Here's how you can make it work using Group Policy:

Find the app's PFN using PowerShell. Use the following example, replacing "Notepad" with your desired app:
```
Get-AppxPackage *Notepad* | Select-Object PackageFamilyName
```
Open Group Policy Editor (gpedit.msc). Navigate to Computer Configuration > Administrative Templates > Windows Components > App Package Deployment and select Remove default Microsoft Store packages from the system.
Add the PFN to the multi-text list under Specify additional package family names to remove. Enter one package family name per line.

Custom OMA-URI

Alternatively, you can configure devices with the RemoveDefaultMicrosoftStorePackages Policy CSP. This ADMX-backed policy uses an XML payload to specify which apps to remove. For example, to remove Bing News and the Windows Alarms apps, see the last entry.

OMA-URI: ./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/RemoveDefaultMicrosoftStorePackages
Data type: string

Value:

<enabled/>
<data id="WindowsFeedbackHub" value="false"/>
<data id="MicrosoftOfficeHub" value="false"/>
<data id="Clipchamp" value="false"/>
<data id="Copilot" value="false"/>
<data id="BingNews" value="true"/>
<data id="Photos" value="false"/>
<data id="MicrosoftSolitaireCollection" value="true"/>
<data id="MicrosoftStickyNotes" value="true"/>
<data id="MSTeams" value="false"/>
<data id="Todo" value="false"/>
<data id="BingWeather" value="true"/>
<data id="OutlookForWindows" value="false"/>
<data id="Paint" value="false"/>
<data id="QuickAssist" value="false"/>
<data id="ScreenSketch" value="false"/>
<data id="WindowsCalculator" value="false"/>
<data id="WindowsCamera" value="false"/>
<data id="MediaPlayer" value="false"/>
<data id="WindowsNotepad" value="false"/>
<data id="WindowsSoundRecorder" value="false"/>
<data id="WindowsTerminal" value="false"/>
<data id="GamingApp" value="true"/>
<data id="XboxGamingOverlay" value="true"/>
<data id="XboxIdentityProvider" value="true"/>
<data id="XboxSpeechToTextOverlay" value="true"/>
<data id="XboxTCUI" value="true"/>
<data id="DynamicRemovalList" value="Microsoft.BingNews_8wekyb3d8bbwe&#x0D;&#x0A;Microsoft.WindowsAlarms_8wekyb3d8bbwe"/>

The XML payload includes a static list of app names (preceded by "data id") and corresponding values. Apps with the value of "true" will be removed. Apps with the value of "false" won't be removed.

You can remove additional apps by adding them to the value field of the "DynamicRemoval List" at the end of the payload. Separate multiple apps by the HTML-encoded carriage return + line feed characters ( 
), indicating a new line between each app name.

IMPORTANT: If you create a custom OMA-URI, you must open the dynamic list entry in the registry once on each device to which the policy is targeted. This helps ensure the correct format for the items in the dynamic list. Here is the entry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx\RemoveDefaultMicrosoftStorePackages

Once configured, change happens at provisioning or on next user sign-in. The device uninstalls the apps you specify in the following two areas:

The default checkbox selections
The dynamic PFN list

Removed apps remain blocked from reinstallation while the policy is active.

IMPORTANT:

Removing an app also removes any associated on-disk app data. Therefore, notify users in advance if they need to save local data.

You can't use the dynamic list to remove system components. These components aren't supposed to be removed.

Prepare for Microsoft Intune capabilities

The Intune settings catalog entry for this policy doesn't yet contain the dynamic list option. It will be available in the following months.

When this feature becomes generally available in Intune, search for "Remove Default Microsoft Store packages" in the settings picker to locate it.

During rollout of the updated RemoveDefaultMicrosoftStorePackages policy, devices in your environment might support different CSP versions. If a device receives a policy that doesn't match its supported schema, the policy might fail to parse and won't be applied.

To prevent this, maintain your existing policy for older devices. Create a separate policy that includes the new dynamic app removal list for newer devices. Use Intune assignment filters or targeting rules (such as OS version or update rings) to help ensure that each device receives a compatible policy.

Once all devices are updated, and Intune fully supports the new CSP, you can safely consolidate policies.

Extended support: Windows 11, version 24H2 and later

The updated app removal policy is now extended to Windows 11, version 24H2 Enterprise and Education editions. Originally, you could only use this feature on devices running Windows 11, version 25H2 or newer. If your organization has standardized on the 2024 release, you can benefit from policy-driven app management without a full OS version upgrade. The same Group Policy path and enforcement behavior apply to all supported versions.

Supported Windows versions: Windows 11, version 24H2 and later
Supported Windows editions: Enterprise and Education (Home and Pro remain unsupported)

IMPORTANT: Ensure that your devices have the latest cumulative updates installed to receive these improvements. You need at least the April 2026 Windows non-security update. If you're a Windows Insider, you'd have this feature with the March 13, 2026 builds in the Dev and Beta channels.

Control your preinstalled apps like a pro

With dynamic app removal, you can remove any preinstalled app with a simple policy change. Benefit from a cleaner, more controlled Windows experience across your organization, now on even more devices. Start planning this policy rollout across your enterprise today.

Have feedback? Share your thoughts in the Feedback Hub (accessible using the shortcut WIN + F) under Developer Platform > App Deployment.

Learn more with additional resources:

Public Preview: User-initiated provisioning for Windows 365 Reserve

Logan_Silliman — Tue, 28 Apr 2026 16:00:00 GMT

When an employee loses access to their primary work device, every minute offline can impact productivity, slow progress on work, and add strain for IT teams.

Launched in December 2025, Windows 365 Reserve is a business continuity solution that helps restore employee access when their primary device becomes unavailable by providing a Cloud PC when it’s needed most.

Today, we’re announcing the public preview of user‑initiated provisioning for Windows 365 Reserve. This new, IT enabled setting allows eligible users to initiate provisioning themselves within existing policy and security controls from Windows App, helping reduce the need for manual IT provisioning.

Enabling this setting helps provide eligible users with more direct access to Reserve Cloud PCs when their primary devices are unavailable, especially during large-scale device disruptions, for time-critical roles, or when support teams are already under load.

This capability was teased at Microsoft Ignite and is now available in public preview!

User-initiated provisioning for Windows 365 Reserve is disabled by default

User-initiated provisioning is a new Windows App setting IT can apply to user groups in Intune.

By default, with user-initiated provisioning disabled, Windows 365 Reserve relies on IT to provision Cloud PCs on demand from Intune.
With user-initiated provisioning enabled, specific user groups can also initiate provisioning themselves directly from the Windows App.

This setting is off by default, fully governed by IT, and scoped to specific Microsoft Entra ID user groups.

What's new

With the setting enabled, eligible users can:

Sign in to the Windows App from any device
Provision their own Windows 365 Reserve Cloud PC
Get back to work without waiting for manual IT provisioning

What does not change

Licensing requirements remain the same
Reserve provisioning policies still govern the Cloud PC configuration
IT retains ownership of Cloud PC lifecycle and management
IT can still provision Cloud PCs from Intune as before
This does not automatically provision Cloud PCs for all users

IT admin configuration for user-initiated provisioning

User-initiated provisioning is configured through Windows App settings for Windows 365 in Microsoft Intune.

Admin setup

In Intune, go to Devices > Windows 365 > Settings
Select Create > Windows App settings (Preview)
Under Configuration settings, enable: Enable users to provision new Cloud PC instances
Assign the policy to Microsoft Entra ID user groups
1. Note: Users must be licensed for Windows 365 Reserve and assigned to Reserve provisioning policies
Review and create the policy

End user experience

User steps

Sign in to the Windows App (or web) from any device
Locate the Reserve Cloud PC card
Click anywhere on the card
Review and confirm to proceed with provisioning
When provisioning completes, click to connect to the Reserve Cloud PC

Try public preview and share feedback!

We’re looking forward to hearing your feedback as you test public preview of user-initiated provisioning for Windows 365 Reserve!

What scenarios does this unlock for your organization?
Which user groups benefit most?
What additional controls or signals would you want to see?

Let us know in the comments below.

To learn more about user-initiated provisioning for Windows 365 Reserve, see Manage Windows 365 Reserve.

Preview note

This capability is currently in public preview and may change before general availability. See preview limitations in documentation: Windows 365 public preview overview.

Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us on LinkedIn or @MSWindowsITPro for updates. Looking for support? Visit Windows on Microsoft Q&A.

Protect your estate: Reassess your Windows update policies

AriaUpdated — Thu, 30 Apr 2026 22:46:23 GMT

Editor's note 4.30.2026: The new Windows Autopatch overview report is now available for all tenants.

A new Windows Autopatch report reflects updated recommendations on patch compliance and highlights risk exposure based on patch status and configured policies.

Keeping devices up to date has never been more critical for security. As noted in a recent post AI-powered defense for an AI-accelerated threat landscape, by Ales Holecek, Chief Architect and Corporate Vice President of Microsoft Security, organizations need to rethink exposure, response, and risk. This is especially true when it comes to keeping Windows devices patched with the latest security updates.

On April 22, 2026, Microsoft Intune released a new security update status dashboard offering centralized visibility into update compliance across Windows client, Windows Server, and Microsoft 365 apps. The dashboard provides a clear, current view for IT and security teams, backed by current data, and without the need to switch between multiple reports or tools.

Today, we're announcing that Windows Autopatch offers an extension to that dashboard offering more detailed information on client patching status and policy risk exposure. This new Windows Autopatch report:

Breaks down specific patch versions within your estate.
Informs you of policies putting your estate at risk.
Provides actionable workflows to help reduce exposure.

Updated recommendations for servicing Windows

Strategies for reducing risk and staying current are changing. Across the industry, organizations often had a 14- or 28-day SLA to patch devices across their estate. In today's threat landscape, this can leave users in an exposed or critical vulnerability state.

Aligned with the recommendations provided in the recent post from Microsoft Security we are adjusting our recommendations and encourage organizations to install the latest security updates:

Within 3 days to be considered current (and reported as current)
Within 7 days to help ensure devices aren’t subject to vulnerabilities (and reported as critical)
Between 3 and 7 days, devices are considered exposed (and reported as exposed)

To view which policies in your tenant are not configured per recommendations, navigate to the Windows Autopatch overview pane and select View policies leading to increased risk exposure, a poor experience. From here, you can see which policies are configured in a way that falls short of these recommendations.

We recognize that more aggressive timelines can introduce disruption. However, given the pace of today's threat landscape, these updated recommendations are intended to balance stronger security while maintaining user productivity and stability.

To help ensure devices stay secure, while having an optimal experience, we recommend using Windows Autopatch and configuring the following policies:

Quality update deferral of < 3 days
Quality update deadline of 0 or 1 day
Grace period of 1 or 2 days
Enable hotpatch updates (Note: Hotpatch updates will be enabled by default for all eligible devices that haven't been opted out starting in May 2026.)

We also recommend using Extended Security Updates (ESU) for all eligible devices still running Windows 10 so those devices continue to receive critical security updates.

Reassess and stay protected

Now is the time to reassess your risk profile and patching deployments. We continue to improve Windows Autopatch reports to give you the information you need to help reduce threats to your estate. By using the new report, you can identify where to take action to stay even more protected in this ever-evolving threat landscape.

Additional resources:

Hardening administrative actions: What IT pros need to know

DashmeetAjmani — Thu, 09 Apr 2026 16:24:23 GMT

Administrative actions are undergoing hardening changes that reduce the risk of privilege escalation and unauthorized access on Windows devices. These changes strengthen the trust boundary between identity, authentication, and User Account Control (UAC) enforcement. It’s now much harder for an attacker (or a misconfigured cloned device) to reuse or manipulate authentication artifacts after an OS restart to silently gain elevated privileges.

With these hardening changes, Windows now detects and blocks authentication attempts between machines that share duplicate SIDs.

This is by design and should be seen as a security signal, not a code defect.

Some environments deploy Windows devices using automation or virtual machine templates. Some of these methods rely on previously accepted authentication behavior between cloned systems. If you created these deployments without running Sysprep, that’s your case. Recent authentication hardening updates might now require you to rebuild affected devices using supported imaging methods.

A temporary workaround (detailed below) is available to provide time for remediation. However, it reduces the security protections introduced by the latest updates and cannot be used as a permanent solution due to its lifecycle end date.

Running Sysprep prepares a Windows image for deployment. Sysprep removes device-specific identity and security information, allowing each deployed machine to generate a unique system identity and authentication context when it starts.

Let’s take a closer look at why these hardening changes are important to the overall security of your environment and how you can update your cloning, imaging, and authentication practices.

Why administrative action hardening is necessary for security

The current administrative action hardening phase began with the August 2025 non-security update (KB5064081) and the September 2025 security update (KB5065426). These updates strengthen loopback authentication protections. They help ensure that Kerberos authentication is more tightly bound to the current machine state across OS restarts.

Previously, authentication artifacts could persist across restarts in ways that allowed elevated operations to proceed without explicit user approval. Current hardening helps reduce this risk. It improves how machine identity is validated during authentication.

While these changes improve security posture, they might require adjustments to how you deploy and manage devices in some environments.

Symptoms of administrative action hardening

With the installation of Windows updates released on or after August and September 2025, your devices were hardened against unauthorized attempts to bypass loopback detection. This applies to devices running Windows 11, version 24H2 and later as well as Windows Server 2025.

You might have observed authentication failures between machines when accessing SMB shares or connecting via Remote Desktop. Similar failures might also occur with authentication using New Technology LAN Manager (NTLM) or between machines that aren’t joined to a domain.

The target machine shows the following LsaSrv Event ID 6167 in the System event log:

There is a partial mismatch in the machine ID. This indicates that the ticket has either been manipulated or it belongs to a different boot session. Failing authentication.

This is an inconvenient but necessary symptom of administrative action hardening that might require operational change to support your organization’s security posture. Here’s why.

What changed internally

User Account Control (UAC) in Windows primarily acts as a privilege mediation mechanism. It helps ensure that administrative rights are exercised only with explicit user approval. While users may hold administrative credentials, applications they launch initially run with standard user privileges. Privileges must be explicitly elevated through a UAC consent prompt to perform administrative actions.

Recent security investments in Windows have tightened how you approve and enforce administrative actions. These UAC hardening changes reduce the risk of elevation without explicit user consent. Hardening happens through Windows updates and applies regardless of whether Administrator protection is enabled. Administrator protection (available in preview) also benefits from these changes. It helps reduce automatic elevation paths and reinforces explicit, user-approved elevation for administrative operations. The result is a stronger trust boundary between identity, authentication, and UAC enforcement.

Loopback detection and token filtering scenarios are also part of this effort. A machine ID is used to check if a machine is performing loopback authentication, i.e., authenticating to itself. Before the August 2025 non-security update, each boot randomly generated the machine ID. However, authentication artifacts could still persist across a restart in ways that allowed threat actors to bypass token filtering.

Windows updates released on and after August 2025 detect and block such behavior. Windows now persists part of the machine ID across boots.

Before, authentication handshakes between Windows hosts that were cloned from each other succeeded because only per-boot components were checked. Now, authentication handshakes are detected and blocked because the cross-boot component of the machine ID is the same between the two hosts, while the per-boot component is not, resulting in a partial mismatch of machine IDs.

Specifically, if you've cloned machines without running Sysprep, you might see Kerberos and NTLM authentication failures. You can identify them by the LsaSrv event 6167 log in the auth target machine, for both NTLM and Kerberos protocols.

This behavior is not a regression. It’s a direct and intentional consequence of binding loopback authentication more tightly to machine identity across OS boots.

In summary, prior to installing Windows Updates released on or after August 2025:

Machine ID regenerated on every boot.
Loopback detection relied entirely on per-boot state.
Persisted authentication artifacts could bypass token filtering.

After August 2025:

Machine ID combines per-boot and cross-boot components.
Loopback detection survives restarts.
Persisted authentication artifacts are reliably rejected.

Management recommendations for administrative action hardening symptoms

While administrative action hardening improves security, it requires an adjustment in your strategy to clone Windows images. As you embrace administrative action hardening for its security benefit, you should take the following actions:

Stop any automation that clones devices without Sysprep. If not addressed, devices end up with duplicate security IDs (SIDs).
Rebuild all devices with duplicate SIDs from scratch, then run Sysprep. It's not sufficient to unjoin devices and run Sysprep. If needed for transition only: temporarily roll back the hardening change.

Temporary workaround (not recommended)

Important!

Microsoft does not recommend using this temporary registry-based compatibility option. It reduces the security protections introduced by recent updates. If your organization uses enhanced administrator security configurations (including Administrator protection, where applicable), avoid relying on this setting except as a short-term bridge while remediation is underway. Environments that remain in this configuration might be exposed to elevated risk until remediation is complete. Please plan and execute migration to supported deployment practices as soon as possible. See KB5068222: Strengthening administrator protection and Kerberos authentication

We understand that while cloning without Sysprep may have been unsupported, you still may have taken a dependency on it. To help ease the transition to a supported configuration, a temporary compatibility option is now available. This option relaxes the updated authentication behavior to allow continued operation in affected environments. It’s provided solely to facilitate remediation and should not be considered a long-term configuration.

Please contact Microsoft Commercial Customer Service and Support (CSS) to get information about this registry value. Complete the intake form as follows:

Form field	Recommended option
Select the Product family	Windows Servers
What product or service do you need help with?	Windows Server 2025
Select the product version	Windows Server 2025
Which category best describes the issue?	Windows Security Technologies
Which problem best describes the issue	Kerberos authentication OR Legacy authentication (NTLM)

You must have an understanding of the risk of disabling administrative action hardening. You’ll also need to provide:

Reasoning for requiring this temporary workaround
A clear plan for the long-term resolution of reimaging cloned machines in your environment

Important! This workaround is the replacement for the known issue rollback (KIR)-based group policy setting. These settings were released by Windows Updates between August 2025 and March 2026 to disable loopback protections. Your organization can only obtain the new registry key by opening an assisted support case and certifying that you can rebuild cloned devices prior to the end of 2027.

This registry key will act as temporary rollback until it expires and allow authentication that would otherwise by blocked by loopback identity protections. Event Viewer helps you monitor this temporary workaround. If you set this temporary registry value and restart the system, the next authentication attempt will be allowed. An LsaSrv warning event 6168 will be logged in the target machine in the System event log:

UAC bypass via Kerberos vulnerability is explicitly allowed. A Kerberos loopback ticket can be manipulated to gain admin privileges. This is a security risk.

The only way to stop seeing this event is to migrate your environment to a supported state. Once done, please delete the registry key or set it to 0.

Timeline to remove the clones in your environment

The rollback is temporary and will remain available until the end of 2027. We hope this timeframe provides your organization with sufficient opportunity to migrate your environment to a supported state by following established deployment methods for cloning.

For additional information, check out the following resources:

Securing the present, innovating for the future

Security is a shared responsibility. Through collaboration across hardware and software ecosystems, we can build more resilient systems secure by design, by default and during runtime, from Windows to the cloud, enabling trust at every layer of the digital experience.

The updated Windows 11 Security Book and Windows Server Security Book are available to help you understand how to stay secure with Windows. Learn more about Windows 11, Windows Server, and Copilot+ PCs. To learn more about Microsoft security solutions, visit our website.

Bookmark the Security Blog to keep up with our expert coverage on security matters.

Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.

Introducing the new Windows 365 monitoring and reporting platform — now in Public Preview

Doug_Coombs — Wed, 08 Apr 2026 16:36:10 GMT

We are excited to announce the new Windows 365 monitoring and reporting platform is now available in Public Preview!

The new Windows 365 monitoring and reporting platform is a unified reporting experience built into the Microsoft Intune admin center, now available in public preview. It consolidates Cloud PC health, performance, and configuration data into integrated dashboards, consolidating information from many locations in Intune, to a central location to monitor end-to-end configuration, detect problem, and troubleshoot.

Additionally, monitoring and reporting is designed to improve discoverability and usability, making the experience more intuitive, comprehensive, and flexible. The platform provides native, user-friendly reports that simplify how administrators access, understand, and act on monitoring data.

By consolidating analytics into a unified experience that highlights potential outliers, the platform can help streamline troubleshooting workflows. In some customer environments, this may contribute to faster issue resolution and reduced reliance on specialized expertise or Microsoft support. The extent to which organizations realize operational efficiency improvements, cost benefits, or uptime gains will depend on individual deployment and usage.

What’s included in the new monitoring and reporting platform

Tenant-level Connection Health dashboards provide comprehensive reliability and experience data with trending and aggregate views covering connection performance, errors, and device health. Operations teams gain at-a-glance visibility into system-wide patterns, helping administrators see issues earlier and investigating sometimes before receiving helpdesk calls.

User and Device insights display connection performance, error trends, connection history, and duration of use for helpdesk troubleshooting. With all relevant data in one place, frontline support staff can more easily diagnose and resolve issues, reducing escalations.

Configuration visuals and trends offer prebuilt, end-to-end visuals that encompass the full environment from user endpoint through service configuration to the Cloud PC configuration. Configuration changes constantly, and understanding historical configuration in the context of any specific connection is critical, especially when Windows 365 is implemented with unmanaged components, such as BYOD user endpoints. This function facilitates correlating configuration changes with outcomes.

Outlier detection surfaces system-identified anomalous metrics to assist administrators in identifying potential emerging issues. Depending on how customers use these insights, some organizations may experience earlier issue identification and reduced escalation, though results will vary.

Actionable charts and data tables let administrators analyze trends and drill into root causes without manual data exports and additional tooling. The intuitive design helps lower the barrier to entry, supporting the confidence of administrators with varied skill levels in issue investigation and resolution.

The bottom line: Today, many organizations resort to exporting, processing and analyzing Cloud PC data, which can increase the complexity and total cost of ownership of Windows 365. The new platform helps reduce reliance on data exports and external tooling.

Try the new monitoring and reporting today

Windows 365 Enterprise customers can access the new dashboards now in the Microsoft Intune admin center. Navigate to Reporting in Intune, then select monitoring and explore the Connection Health, User & Devices, and Configuration pages. Learn more at https://aka.ms/Windows365Monitoring

Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us on LinkedIn or @MSWindowsITPro for updates. Looking for support? Visit Windows on Microsoft Q&A.

How hotpatch updates help keep Windows secure by design

Katharine_Holdsworth — Mon, 06 Apr 2026 20:53:13 GMT

Windows hotpatch updates allow you to adopt a secure-by-design and secure-by-default approach to keeping Windows 11 protected and productive. The security architecture advantage behind hotpatch updates helps you support continuous protection, accelerate patch compliance, and reduce operational disruption. And since hotpatch updates will be enabled by default across Windows Autopatch for eligible devices in May 2026, you might wonder how this makes your environment even more secure by default.

How hotpatch updates reflect Windows security by design

In Microsoft overarching security-by-design philosophy, security comes first when designing any product or service. Embodying this philosophy are hotpatch updates.

These are the same security fixes that are part of monthly security updates (also known as “B” releases). The distinction is that they get installed without requiring a restart. Hotpatch updates help you:

Reduce downtime for frontline devices, VDI sessions, IT-managed shared PCs, and high uptime systems.
Shrink your vulnerability window (i.e., the time between patch availability and full deployment).
Improve update compliance rates automatically.

Note: Hotpatch updates only apply to devices that meet the prerequisites and receive updates managed by Windows Autopatch. Otherwise, no action is needed. Ineligible devices continue to patch the same way they do today.

How hotpatch update prerequisites strengthen your security baseline

Hotpatch update readiness is built on Windows security capabilities that help ensure that devices are in a trusted state before updates are applied.

The key prerequisite is virtualization-based security (VBS) - a foundational Windows 11 security feature and the core requirement for hotpatch updates at scale. VBS (also known as core isolation) uses hardware virtualization to run a secure kernel alongside the OS in a hypervisor-isolated environment. This separation means that, even if the main OS is compromised, the secure kernel remains protected. For hotpatch updates, VBS provides the trusted environment needed to safely update running kernel code.

Hotpatch updates also require modern Windows 11 hardware that supports VBS. Protections like silicon-rooted security and firmware integrity further strengthen the trusted foundation, in which VBS operates. This way, hotpatch updates apply to devices with an already robust security baseline. In other words, devices that receive hotpatch updates are already trusted and well-protected - reducing risk and strengthening your security posture.

Operational governance through existing update frameworks. Hotpatch updates are delivered using the same Windows Update and Windows Autopatch mechanisms you already manage today. Clean integration of hotpatch updates into existing update rings and policies helps ensure consistent rollout, predictable compliance, and centralized, cloud‑managed enforcement - without introducing a new update model to govern. This means you get the benefits of hotpatch updates with no disruption to your current update processes or compliance reporting.

How hotpatch updates fit into Windows chip-to-cloud security model

Security by design spans from chip to cloud. Hotpatch technology reflects this broader architectural framework in its prerequisites and functionality, designed to keep devices secure end-to-end. Let's take a look at the hardware (chip) layer, the operating system (OS) layer, and the cloud and identity layer of the same chip-to-cloud trust chain you already manage.

Hardware/chip layer. Hotpatch updates are supported only on modern, secure silicon configurations (including Arm64), helping ensure that updates apply on hardware with:

TPM 2.0
UEFI Secure Boot
Measured and trusted boot pathways

This way, the OS environment being patched is already hardware-rooted and trusted.

OS layer. Hotpatch update readiness guidance links directly to VBS, which is core to Windows 11 OS-level protections. These OS-level safeguards help you:

Protect sensitive processes from tampering.
Enforce strong code integrity.
Create a trusted foundation for in-memory patching.

Hotpatch updates use this secure architecture, updating protected code paths while keeping the OS running.

Cloud/identity layer. Hotpatch updates use the same trusted channels as Windows Update. They're managed through:

Windows Update client policies (formerly Windows Update for Business)
Windows Autopatch quality update rings
Microsoft Entra ID (formerly Azure AD)-based device identity

This helps ensure that your patches come from a secure, authenticated cloud source and adhere to your compliance and deployment policies.

Hotpatch updates use the full chip-to-cloud trust chain, so every update is delivered and applied with end-to-end security.

How hotpatch updates reflect Windows security by default

Microsoft Secure Future Initiative defines security as protections that are enforced by default and require no extra effort. Windows 11 security posture, rooted in stronger defaults and continuous innovation, reinforces the security-by-design principles.

Hotpatch updates have always been designed with security at the core, and until now have been an opt-in feature. With the May 2026 security update, Windows Autopatch will enable hotpatch updates by default at the tenant level to help organizations get secure quicker. This change in default behavior is designed to reduce patch friction while keeping your existing update governance intact. Importantly, it doesn't override the controls you already use and comes with new controls to opt out until you're ready.

The default tenant setting is only applied to devices that aren't members of a quality update policy.
Windows Autopatch continues to respect the preferences you've set for deferrals and update ring settings.
Starting April 1, 2026, you can also opt out of this new default behavior at the tenant or device group level. Learn more at Securing devices faster with hotpatch updates on by default.

With hotpatch updates enabled by default, you're secured with Windows security updates during each hotpatch release month, with no additional steps. In addition, critical security out-of-band (OOB) updates can also be delivered as hotpatch updates. This automatically secures you against the threats addressed by the OOB update, and your organization is protected faster, with less effort and fewer manual steps.

Alignment with security best practices

Enrolling in hotpatch updates automatically aligns your devices with Microsoft security best practices. Enroll devices in Windows Autopatch before May, if you haven't yet, and you'll start getting these updates enabled by default! These latest innovations in monthly servicing help keep your environment on a higher-trust, chip-to-cloud–aligned security baseline.

Embrace security by default with hotpatch updates that reduce user downtime and restart-driven tickets, improve update compliance, and shorten vulnerability exposure.

Securing the present, innovating for the future

Learn how to stay secure with Windows. Check out the updated Windows 11 Security Book and Windows Server Security Book, more about Windows 11, Windows Server, Windows hotpatch updates and Copilot+ PCs. To learn more about Microsoft Security Solutions, visit our website.

Bookmark the Microsoft Security Blog to keep up with our expert coverage on security matters. You can also follow Microsoft Security on LinkedIn and @MSFTSecurity on X for the latest news and updates on cybersecurity.

Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.

Windows news you can use: March 2026

Chris_Morrissey — Fri, 03 Apr 2026 21:00:00 GMT

This month, our Windows team shared a candid update on how we're thinking about Windows quality, what's changing behind the scenes, and how your real-world feedback is shaping the platform. It's all in a post entitled Our commitment to Windows quality. Windows + Devices EVP Pavan Davuluri walks through how we identify issues, prioritize fixes, and how the Windows Insider community helps make Windows more reliable before updates reach production environments. It's a helpful read if you're interested in learning more about how we build, measure, and strengthen Windows quality.

Now on to more highlights from March in this month's edition of Windows news you can use.

New in Windows update and device management

[AUTOPATCH] – Windows Autopatch update readiness is now generally available. It includes new capabilities to help you proactively detect and remediate device update issues. Reduce downtime, improve update success, and lower the security risk that comes from devices that aren't up to date.
[HOTPATCH] – Windows Autopatch is enabling hotpatch updates by default starting with the May 2026 security update. This change in default behavior will come to all eligible devices in Microsoft Intune and those accessing the service via Microsoft Graph API. New controls are available for those organizations that aren't ready to have hotpatch updates enabled by default.
[RSAT] – Remote Server Administration Tools (RSAT) are now officially supported on Arm-based Windows 11 PCs. You can now remotely manage Windows server roles and features using Windows devices built on Arm processors, just as you would with traditional x64-based PCs.
[SECURE BOOT] – The March 2026 security update introduces two new PowerShell features to help you manage the ongoing Secure Boot certificate rollout. The Get-SecureBootUEFI cmdlet now supports the -Decoded option, which displays Secure Boot certificates in a readable format. The Get-SecureBootSVN cmdlet lets you check the Secure Boot Security Version Number (SVN) of your device's UEFI firmware and bootloader. Use it to report whether the device follows the latest Secure Boot policy.
[PRINT] – Instead of requiring device-specific drivers, Windows is now released with a single, universal, inbox-class driver based on the industry standard IPP protocol and Mopria certification. If you're using a traditional x64 PC, including the latest Copilot+ PC running on Arm-based silicon, the print experience is the same: plug in (or connect over the network) and print.
[W365] – Windows 365 Frontline in shared mode is now available in Brazil South, Italy North, West Europe, New Zealand North, Mexico Central, Europe, Norway East, France Central, Spain Central, Germany West Central, and Switzerland North. Windows 365 is now available for Government Community Cloud (GCC & GCC-High) organizations in the US Gov Texas region. In addition, multi-region selection is now available for Windows 365 GCC & GCC-High.
[RDP] – Microsoft recently released a sample repository demonstrating how to build Remote Desktop Protocol (RDP) plugins using modern tools and development patterns.

New in Windows security

[DRIVERS] – Starting with the April 2026 security update, Microsoft is removing trust for all kernel drivers signed by the deprecated cross-signed root program. This update will help ensure that by default, you can only load kernel drivers the Windows Hardware Compatibility Program (WHCP) passes and signs. This new kernel trust policy applies to devices running Windows 11 and Windows Server 2025.
[SECURE BOOT] – Catch up on the latest FAQs by watching the March edition of Secure Boot: Ask Microsoft Anything (AMA) on demand. The next AMA will be April 23, 2026. Save the date and post your questions in advance or during the live event. New guidance and resources are now available, including:
- Video deep dive: Secure Boot certificate updates explained
- Guide: Secure Boot troubleshooting
- Reference: A closer look at the high confidence database
- Documentation and sample PowerShell scripts: Sample Secure Boot E2E automation
- Guide: Secure Boot certificate update status in the Windows Security app[SYSMON] – System Monitor (Sysmon) functionality is now natively available in Windows. Capture system events for threat detection and use custom configuration files to filter the events you want to monitor. Windows writes captured events to Windows Event Log, which allows security tools and other applications to use them.
[WDS] As announced in January 2026, the Unattend.xml file used in hands‑free deployment with Windows Deployment Services (WDS) poses a vulnerability when transmitted over an unauthenticated RPC channel. Beginning with the April 2026 security update, the second phase of hardening changes for CVE-2026-0386 begins. These changes will make hands‑free deployment disabled by default to enforce secure behavior. For detailed guidance, see Windows Deployment Services (WDS) Hands‑Free Deployment Hardening.

New in AI

[W365] [AGENTS] – Curious about the difference between Windows 365 for Agents and Microsoft Agent 365? Explore the distinct role of each product and learn how to use them together to run agentic workloads securely, at scale, and under enterprise governance.

To learn about latest capabilities for Copilot+ PCs, visit the Windows Roadmap and filter Platform by "Copilot+ PC Exclusives."

New in Windows Server

For the latest features and improvements for Windows Server, see the Windows Server 2025 release notes and Windows Server, version 23H2 release notes.

[EVENT] – Save the date for the Windows Server Summit, May 11-13. RSVP for three days of practical, engineering-led guidance on real-world operations, security, and hybrid scenarios supported by live Q&A.
[NVMe] – A basic NVMe-over-Fabrics (NVMe-oF) initiator is available in the latest Windows Server Insiders build. This release introduces an in-box Windows initiator for NVMe/TCP and NVMe/RDMA, enabling early evaluation of networked NVMe storage using native Windows Server components.

New in productivity and collaboration

Install the March 2026 security update for Windows 11, versions 25H2 and 24H2 to get these and other capabilities, which will be rolling out gradually:

[RECOVERY] – Quick Machine Recovery now turns on automatically for Windows Professional devices that are not domain‑joined and not enrolled in enterprise endpoint management. These devices receive the same recovery features available to Windows Home users. For domain‑joined or enterprise managed devices, Quick Machine Recovery stays off unless you enable it for your organization.
[NETWORK] – A built‑in network speed test is now available from the taskbar. The speed test opens in the default browser and measures Ethernet, Wi‑Fi, and cellular connections.
[CAMERA] – Control pan and tilt for supported cameras in the Settings app.
[SEARCH] – Using search on the taskbar? Preview search results by hovering and quickly seeing when more results are available with group headers.

New features and improvements are coming in the April 2026 security update. You can preview them by installing the March 2026 optional non-security update for Windows 11, versions 25H2 and 24H2. This update includes the gradual rollout of:

[SECURITY] –You can turn Smart App Control on or off without needing a clean install.
[SETTINGS] – The Settings > About page now provides a more structured and intuitive experience. Get clearer device specifications and easier navigation to related device components, including quick access to Storage settings.

Lifecycle reminders

Windows 10 Enterprise 2016 LTSB and Windows 10 IoT Enterprise 2016 LTSB will reach end of support on October 13, 2026. Windows Server 2016 will reach end of support on January 12, 2027. If your organization cannot migrate to newer, supported releases in time, explore the options available to help you keep your devices protected with monthly security updates. Extended Security Updates (ESU) are now available for purchase for Windows 10 Enterprise 2016 LTSB.

Check out our lifecycle documentation for the latest updates on Deprecated features in the Windows client and Features removed or no longer developed starting with Windows Server 2025.

Additional resources

Looking for the latest news and previews for Windows, Copilot, Copilot+ PCs, the Windows and Windows Server Insider Programs, and more? Check out these resources:

Windows Roadmap for new Copilot+ PCs and Windows features – filter by platform, version, status, and channel or search by feature name
Microsoft 365 Copilot release notes for latest features and improvements
Windows Insider Blog for what's available in the Canary, Dev, Beta, or Release Preview Channels
Windows Server Insider for feature preview opportunities
Understanding update history for Windows Insider preview features, fixes, and changes to learn about the types of updates for Windows Insiders

Join the conversation

Finally, we're always looking to improve this monthly summary. Drop us a note in the Comments and let us know what we can do to make this more useful for you!

Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.