Windows IT Pro Blog articles

Hardening administrative actions: What IT pros need to know

DashmeetAjmani — Thu, 09 Apr 2026 16:24:23 GMT

Administrative actions are undergoing hardening changes that reduce the risk of privilege escalation and unauthorized access on Windows devices. These changes strengthen the trust boundary between identity, authentication, and User Account Control (UAC) enforcement. It’s now much harder for an attacker (or a misconfigured cloned device) to reuse or manipulate authentication artifacts after an OS restart to silently gain elevated privileges.

With these hardening changes, Windows now detects and blocks authentication attempts between machines that share duplicate SIDs.

This is by design and should be seen as a security signal, not a code defect.

Some environments deploy Windows devices using automation or virtual machine templates. Some of these methods rely on previously accepted authentication behavior between cloned systems. If you created these deployments without running Sysprep, that’s your case. Recent authentication hardening updates might now require you to rebuild affected devices using supported imaging methods.

A temporary workaround (detailed below) is available to provide time for remediation. However, it reduces the security protections introduced by the latest updates and cannot be used as a permanent solution due to its lifecycle end date.

Running Sysprep prepares a Windows image for deployment. Sysprep removes device-specific identity and security information, allowing each deployed machine to generate a unique system identity and authentication context when it starts.

Let’s take a closer look at why these hardening changes are important to the overall security of your environment and how you can update your cloning, imaging, and authentication practices.

Why administrative action hardening is necessary for security

The current administrative action hardening phase began with the August 2025 non-security update (KB5064081) and the September 2025 security update (KB5065426). These updates strengthen loopback authentication protections. They help ensure that Kerberos authentication is more tightly bound to the current machine state across OS restarts.

Previously, authentication artifacts could persist across restarts in ways that allowed elevated operations to proceed without explicit user approval. Current hardening helps reduce this risk. It improves how machine identity is validated during authentication.

While these changes improve security posture, they might require adjustments to how you deploy and manage devices in some environments.

Symptoms of administrative action hardening

With the installation of Windows updates released on or after August and September 2025, your devices were hardened against unauthorized attempts to bypass loopback detection. This applies to devices running Windows 11, version 24H2 and later as well as Windows Server 2025.

You might have observed authentication failures between machines when accessing SMB shares or connecting via Remote Desktop. Similar failures might also occur with authentication using New Technology LAN Manager (NTLM) or between machines that aren’t joined to a domain.

The target machine shows the following LsaSrv Event ID 6167 in the System event log:

There is a partial mismatch in the machine ID. This indicates that the ticket has either been manipulated or it belongs to a different boot session. Failing authentication.

This is an inconvenient but necessary symptom of administrative action hardening that might require operational change to support your organization’s security posture. Here’s why.

What changed internally

User Account Control (UAC) in Windows primarily acts as a privilege mediation mechanism. It helps ensure that administrative rights are exercised only with explicit user approval. While users may hold administrative credentials, applications they launch initially run with standard user privileges. Privileges must be explicitly elevated through a UAC consent prompt to perform administrative actions.

Recent security investments in Windows have tightened how you approve and enforce administrative actions. These UAC hardening changes reduce the risk of elevation without explicit user consent. Hardening happens through Windows updates and applies regardless of whether Administrator protection is enabled. Administrator protection (available in preview) also benefits from these changes. It helps reduce automatic elevation paths and reinforces explicit, user-approved elevation for administrative operations. The result is a stronger trust boundary between identity, authentication, and UAC enforcement.

Loopback detection and token filtering scenarios are also part of this effort. A machine ID is used to check if a machine is performing loopback authentication, i.e., authenticating to itself. Before the August 2025 non-security update, each boot randomly generated the machine ID. However, authentication artifacts could still persist across a restart in ways that allowed threat actors to bypass token filtering.

Windows updates released on and after August 2025 detect and block such behavior. Windows now persists part of the machine ID across boots.

Before, authentication handshakes between Windows hosts that were cloned from each other succeeded because only per-boot components were checked. Now, authentication handshakes are detected and blocked because the cross-boot component of the machine ID is the same between the two hosts, while the per-boot component is not, resulting in a partial mismatch of machine IDs.

Specifically, if you've cloned machines without running Sysprep, you might see Kerberos and NTLM authentication failures. You can identify them by the LsaSrv event 6167 log in the auth target machine, for both NTLM and Kerberos protocols.

This behavior is not a regression. It’s a direct and intentional consequence of binding loopback authentication more tightly to machine identity across OS boots.

In summary, prior to installing Windows Updates released on or after August 2025:

Machine ID regenerated on every boot.
Loopback detection relied entirely on per-boot state.
Persisted authentication artifacts could bypass token filtering.

After August 2025:

Machine ID combines per-boot and cross-boot components.
Loopback detection survives restarts.
Persisted authentication artifacts are reliably rejected.

Management recommendations for administrative action hardening symptoms

While administrative action hardening improves security, it requires an adjustment in your strategy to clone Windows images. As you embrace administrative action hardening for its security benefit, you should take the following actions:

Stop any automation that clones devices without Sysprep. If not addressed, devices end up with duplicate security IDs (SIDs).
Rebuild all devices with duplicate SIDs from scratch, then run Sysprep. It's not sufficient to unjoin devices and run Sysprep. If needed for transition only: temporarily roll back the hardening change.

Temporary workaround (not recommended)

Important!

Microsoft does not recommend using this temporary registry-based compatibility option. It reduces the security protections introduced by recent updates. If your organization uses enhanced administrator security configurations (including Administrator protection, where applicable), avoid relying on this setting except as a short-term bridge while remediation is underway. Environments that remain in this configuration might be exposed to elevated risk until remediation is complete. Please plan and execute migration to supported deployment practices as soon as possible. See KB5068222: Strengthening administrator protection and Kerberos authentication

We understand that while cloning without Sysprep may have been unsupported, you still may have taken a dependency on it. To help ease the transition to a supported configuration, a temporary compatibility option is now available. This option relaxes the updated authentication behavior to allow continued operation in affected environments. It’s provided solely to facilitate remediation and should not be considered a long-term configuration.

Please contact Microsoft Commercial Customer Service and Support (CSS) to get information about this registry value. Complete the intake form as follows:

Form field	Recommended option
Select the Product family	Windows Servers
What product or service do you need help with?	Windows Server 2025
Select the product version	Windows Server 2025
Which category best describes the issue?	Windows Security Technologies
Which problem best describes the issue	Kerberos authentication OR Legacy authentication (NTLM)

You must have an understanding of the risk of disabling administrative action hardening. You’ll also need to provide:

Reasoning for requiring this temporary workaround
A clear plan for the long-term resolution of reimaging cloned machines in your environment

Important! This workaround is the replacement for the known issue rollback (KIR)-based group policy setting. These settings were released by Windows Updates between August 2025 and March 2026 to disable loopback protections. Your organization can only obtain the new registry key by opening an assisted support case and certifying that you can rebuild cloned devices prior to the end of 2027.

This registry key will act as temporary rollback until it expires and allow authentication that would otherwise by blocked by loopback identity protections. Event Viewer helps you monitor this temporary workaround. If you set this temporary registry value and restart the system, the next authentication attempt will be allowed. An LsaSrv warning event 6168 will be logged in the target machine in the System event log:

UAC bypass via Kerberos vulnerability is explicitly allowed. A Kerberos loopback ticket can be manipulated to gain admin privileges. This is a security risk.

The only way to stop seeing this event is to migrate your environment to a supported state. Once done, please delete the registry key or set it to 0.

Timeline to remove the clones in your environment

The rollback is temporary and will remain available until the end of 2027. We hope this timeframe provides your organization with sufficient opportunity to migrate your environment to a supported state by following established deployment methods for cloning.

For additional information, check out the following resources:

Securing the present, innovating for the future

Security is a shared responsibility. Through collaboration across hardware and software ecosystems, we can build more resilient systems secure by design, by default and during runtime, from Windows to the cloud, enabling trust at every layer of the digital experience.

The updated Windows 11 Security Book and Windows Server Security Book are available to help you understand how to stay secure with Windows. Learn more about Windows 11, Windows Server, and Copilot+ PCs. To learn more about Microsoft security solutions, visit our website.

Bookmark the Security Blog to keep up with our expert coverage on security matters.

Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.

Introducing the new Windows 365 monitoring and reporting platform — now in Public Preview

Doug_Coombs — Wed, 08 Apr 2026 16:36:10 GMT

We are excited to announce the new Windows 365 monitoring and reporting platform is now available in Public Preview!

The new Windows 365 monitoring and reporting platform is a unified reporting experience built into the Microsoft Intune admin center, now available in public preview. It consolidates Cloud PC health, performance, and configuration data into integrated dashboards, consolidating information from many locations in Intune, to a central location to monitor end-to-end configuration, detect problem, and troubleshoot.

Additionally, monitoring and reporting is designed to improve discoverability and usability, making the experience more intuitive, comprehensive, and flexible. The platform provides native, user-friendly reports that simplify how administrators access, understand, and act on monitoring data.

By consolidating analytics into a unified experience that highlights potential outliers, the platform can help streamline troubleshooting workflows. In some customer environments, this may contribute to faster issue resolution and reduced reliance on specialized expertise or Microsoft support. The extent to which organizations realize operational efficiency improvements, cost benefits, or uptime gains will depend on individual deployment and usage.

What’s included in the new monitoring and reporting platform

Tenant-level Connection Health dashboards provide comprehensive reliability and experience data with trending and aggregate views covering connection performance, errors, and device health. Operations teams gain at-a-glance visibility into system-wide patterns, helping administrators see issues earlier and investigating sometimes before receiving helpdesk calls.

User and Device insights display connection performance, error trends, connection history, and duration of use for helpdesk troubleshooting. With all relevant data in one place, frontline support staff can more easily diagnose and resolve issues, reducing escalations.

Configuration visuals and trends offer prebuilt, end-to-end visuals that encompass the full environment from user endpoint through service configuration to the Cloud PC configuration. Configuration changes constantly, and understanding historical configuration in the context of any specific connection is critical, especially when Windows 365 is implemented with unmanaged components, such as BYOD user endpoints. This function facilitates correlating configuration changes with outcomes.

Outlier detection surfaces system-identified anomalous metrics to assist administrators in identifying potential emerging issues. Depending on how customers use these insights, some organizations may experience earlier issue identification and reduced escalation, though results will vary.

Actionable charts and data tables let administrators analyze trends and drill into root causes without manual data exports and additional tooling. The intuitive design helps lower the barrier to entry, supporting the confidence of administrators with varied skill levels in issue investigation and resolution.

The bottom line: Today, many organizations resort to exporting, processing and analyzing Cloud PC data, which can increase the complexity and total cost of ownership of Windows 365. The new platform helps reduce reliance on data exports and external tooling.

Try the new monitoring and reporting today

Windows 365 Enterprise customers can access the new dashboards now in the Microsoft Intune admin center. Navigate to Reporting in Intune, then select monitoring and explore the Connection Health, User & Devices, and Configuration pages. Learn more at https://aka.ms/Windows365Monitoring

Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us on LinkedIn or @MSWindowsITPro for updates. Looking for support? Visit Windows on Microsoft Q&A.

How hotpatch updates help keep Windows secure by design

Katharine_Holdsworth — Mon, 06 Apr 2026 20:53:13 GMT

Windows hotpatch updates allow you to adopt a secure-by-design and secure-by-default approach to keeping Windows 11 protected and productive. The security architecture advantage behind hotpatch updates helps you support continuous protection, accelerate patch compliance, and reduce operational disruption. And since hotpatch updates will be enabled by default across Windows Autopatch for eligible devices in May 2026, you might wonder how this makes your environment even more secure by default.

How hotpatch updates reflect Windows security by design

In Microsoft overarching security-by-design philosophy, security comes first when designing any product or service. Embodying this philosophy are hotpatch updates.

These are the same security fixes that are part of monthly security updates (also known as “B” releases). The distinction is that they get installed without requiring a restart. Hotpatch updates help you:

Reduce downtime for frontline devices, VDI sessions, IT-managed shared PCs, and high uptime systems.
Shrink your vulnerability window (i.e., the time between patch availability and full deployment).
Improve update compliance rates automatically.

Note: Hotpatch updates only apply to devices that meet the prerequisites and receive updates managed by Windows Autopatch. Otherwise, no action is needed. Ineligible devices continue to patch the same way they do today.

How hotpatch update prerequisites strengthen your security baseline

Hotpatch update readiness is built on Windows security capabilities that help ensure that devices are in a trusted state before updates are applied.

The key prerequisite is virtualization-based security (VBS) - a foundational Windows 11 security feature and the core requirement for hotpatch updates at scale. VBS (also known as core isolation) uses hardware virtualization to run a secure kernel alongside the OS in a hypervisor-isolated environment. This separation means that, even if the main OS is compromised, the secure kernel remains protected. For hotpatch updates, VBS provides the trusted environment needed to safely update running kernel code.

Hotpatch updates also require modern Windows 11 hardware that supports VBS. Protections like silicon-rooted security and firmware integrity further strengthen the trusted foundation, in which VBS operates. This way, hotpatch updates apply to devices with an already robust security baseline. In other words, devices that receive hotpatch updates are already trusted and well-protected - reducing risk and strengthening your security posture.

Operational governance through existing update frameworks. Hotpatch updates are delivered using the same Windows Update and Windows Autopatch mechanisms you already manage today. Clean integration of hotpatch updates into existing update rings and policies helps ensure consistent rollout, predictable compliance, and centralized, cloud‑managed enforcement - without introducing a new update model to govern. This means you get the benefits of hotpatch updates with no disruption to your current update processes or compliance reporting.

How hotpatch updates fit into Windows chip-to-cloud security model

Security by design spans from chip to cloud. Hotpatch technology reflects this broader architectural framework in its prerequisites and functionality, designed to keep devices secure end-to-end. Let's take a look at the hardware (chip) layer, the operating system (OS) layer, and the cloud and identity layer of the same chip-to-cloud trust chain you already manage.

Hardware/chip layer. Hotpatch updates are supported only on modern, secure silicon configurations (including Arm64), helping ensure that updates apply on hardware with:

TPM 2.0
UEFI Secure Boot
Measured and trusted boot pathways

This way, the OS environment being patched is already hardware-rooted and trusted.

OS layer. Hotpatch update readiness guidance links directly to VBS, which is core to Windows 11 OS-level protections. These OS-level safeguards help you:

Protect sensitive processes from tampering.
Enforce strong code integrity.
Create a trusted foundation for in-memory patching.

Hotpatch updates use this secure architecture, updating protected code paths while keeping the OS running.

Cloud/identity layer. Hotpatch updates use the same trusted channels as Windows Update. They're managed through:

Windows Update client policies (formerly Windows Update for Business)
Windows Autopatch quality update rings
Microsoft Entra ID (formerly Azure AD)-based device identity

This helps ensure that your patches come from a secure, authenticated cloud source and adhere to your compliance and deployment policies.

Hotpatch updates use the full chip-to-cloud trust chain, so every update is delivered and applied with end-to-end security.

How hotpatch updates reflect Windows security by default

Microsoft Secure Future Initiative defines security as protections that are enforced by default and require no extra effort. Windows 11 security posture, rooted in stronger defaults and continuous innovation, reinforces the security-by-design principles.

Hotpatch updates have always been designed with security at the core, and until now have been an opt-in feature. With the May 2026 security update, Windows Autopatch will enable hotpatch updates by default at the tenant level to help organizations get secure quicker. This change in default behavior is designed to reduce patch friction while keeping your existing update governance intact. Importantly, it doesn't override the controls you already use and comes with new controls to opt out until you're ready.

The default tenant setting is only applied to devices that aren't members of a quality update policy.
Windows Autopatch continues to respect the preferences you've set for deferrals and update ring settings.
Starting April 1, 2026, you can also opt out of this new default behavior at the tenant or device group level. Learn more at Securing devices faster with hotpatch updates on by default.

With hotpatch updates enabled by default, you're secured with Windows security updates during each hotpatch release month, with no additional steps. In addition, critical security out-of-band (OOB) updates can also be delivered as hotpatch updates. This automatically secures you against the threats addressed by the OOB update, and your organization is protected faster, with less effort and fewer manual steps.

Alignment with security best practices

Enrolling in hotpatch updates automatically aligns your devices with Microsoft security best practices. Enroll devices in Windows Autopatch before May, if you haven't yet, and you'll start getting these updates enabled by default! These latest innovations in monthly servicing help keep your environment on a higher-trust, chip-to-cloud–aligned security baseline.

Embrace security by default with hotpatch updates that reduce user downtime and restart-driven tickets, improve update compliance, and shorten vulnerability exposure.

Securing the present, innovating for the future

Learn how to stay secure with Windows. Check out the updated Windows 11 Security Book and Windows Server Security Book, more about Windows 11, Windows Server, Windows hotpatch updates and Copilot+ PCs. To learn more about Microsoft Security Solutions, visit our website.

Bookmark the Microsoft Security Blog to keep up with our expert coverage on security matters. You can also follow Microsoft Security on LinkedIn and @MSFTSecurity on X for the latest news and updates on cybersecurity.

Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.

Windows news you can use: March 2026

Chris_Morrissey — Fri, 03 Apr 2026 21:00:00 GMT

This month, our Windows team shared a candid update on how we're thinking about Windows quality, what's changing behind the scenes, and how your real-world feedback is shaping the platform. It's all in a post entitled Our commitment to Windows quality. Windows + Devices EVP Pavan Davuluri walks through how we identify issues, prioritize fixes, and how the Windows Insider community helps make Windows more reliable before updates reach production environments. It's a helpful read if you're interested in learning more about how we build, measure, and strengthen Windows quality.

Now on to more highlights from March in this month's edition of Windows news you can use.

New in Windows update and device management

[AUTOPATCH] – Windows Autopatch update readiness is now generally available. It includes new capabilities to help you proactively detect and remediate device update issues. Reduce downtime, improve update success, and lower the security risk that comes from devices that aren't up to date.
[HOTPATCH] – Windows Autopatch is enabling hotpatch updates by default starting with the May 2026 security update. This change in default behavior will come to all eligible devices in Microsoft Intune and those accessing the service via Microsoft Graph API. New controls are available for those organizations that aren't ready to have hotpatch updates enabled by default.
[RSAT] – Remote Server Administration Tools (RSAT) are now officially supported on Arm-based Windows 11 PCs. You can now remotely manage Windows server roles and features using Windows devices built on Arm processors, just as you would with traditional x64-based PCs.
[SECURE BOOT] – The March 2026 security update introduces two new PowerShell features to help you manage the ongoing Secure Boot certificate rollout. The Get-SecureBootUEFI cmdlet now supports the -Decoded option, which displays Secure Boot certificates in a readable format. The Get-SecureBootSVN cmdlet lets you check the Secure Boot Security Version Number (SVN) of your device's UEFI firmware and bootloader. Use it to report whether the device follows the latest Secure Boot policy.
[PRINT] – Instead of requiring device-specific drivers, Windows is now released with a single, universal, inbox-class driver based on the industry standard IPP protocol and Mopria certification. If you're using a traditional x64 PC, including the latest Copilot+ PC running on Arm-based silicon, the print experience is the same: plug in (or connect over the network) and print.
[W365] – Windows 365 Frontline in shared mode is now available in Brazil South, Italy North, West Europe, New Zealand North, Mexico Central, Europe, Norway East, France Central, Spain Central, Germany West Central, and Switzerland North. Windows 365 is now available for Government Community Cloud (GCC & GCC-High) organizations in the US Gov Texas region. In addition, multi-region selection is now available for Windows 365 GCC & GCC-High.
[RDP] – Microsoft recently released a sample repository demonstrating how to build Remote Desktop Protocol (RDP) plugins using modern tools and development patterns.

New in Windows security

[DRIVERS] – Starting with the April 2026 security update, Microsoft is removing trust for all kernel drivers signed by the deprecated cross-signed root program. This update will help ensure that by default, you can only load kernel drivers the Windows Hardware Compatibility Program (WHCP) passes and signs. This new kernel trust policy applies to devices running Windows 11 and Windows Server 2025.
[SECURE BOOT] – Catch up on the latest FAQs by watching the March edition of Secure Boot: Ask Microsoft Anything (AMA) on demand. The next AMA will be April 23, 2026. Save the date and post your questions in advance or during the live event. New guidance and resources are now available, including:
- Video deep dive: Secure Boot certificate updates explained
- Guide: Secure Boot troubleshooting
- Reference: A closer look at the high confidence database
- Documentation and sample PowerShell scripts: Sample Secure Boot E2E automation
- Guide: Secure Boot certificate update status in the Windows Security app[SYSMON] – System Monitor (Sysmon) functionality is now natively available in Windows. Capture system events for threat detection and use custom configuration files to filter the events you want to monitor. Windows writes captured events to Windows Event Log, which allows security tools and other applications to use them.
[WDS] As announced in January 2026, the Unattend.xml file used in hands‑free deployment with Windows Deployment Services (WDS) poses a vulnerability when transmitted over an unauthenticated RPC channel. Beginning with the April 2026 security update, the second phase of hardening changes for CVE-2026-0386 begins. These changes will make hands‑free deployment disabled by default to enforce secure behavior. For detailed guidance, see Windows Deployment Services (WDS) Hands‑Free Deployment Hardening.

New in AI

[W365] [AGENTS] – Curious about the difference between Windows 365 for Agents and Microsoft Agent 365? Explore the distinct role of each product and learn how to use them together to run agentic workloads securely, at scale, and under enterprise governance.

To learn about latest capabilities for Copilot+ PCs, visit the Windows Roadmap and filter Platform by "Copilot+ PC Exclusives."

New in Windows Server

For the latest features and improvements for Windows Server, see the Windows Server 2025 release notes and Windows Server, version 23H2 release notes.

[EVENT] – Save the date for the Windows Server Summit, May 11-13. RSVP for three days of practical, engineering-led guidance on real-world operations, security, and hybrid scenarios supported by live Q&A.
[NVMe] – A basic NVMe-over-Fabrics (NVMe-oF) initiator is available in the latest Windows Server Insiders build. This release introduces an in-box Windows initiator for NVMe/TCP and NVMe/RDMA, enabling early evaluation of networked NVMe storage using native Windows Server components.

New in productivity and collaboration

Install the March 2026 security update for Windows 11, versions 25H2 and 24H2 to get these and other capabilities, which will be rolling out gradually:

[RECOVERY] – Quick Machine Recovery now turns on automatically for Windows Professional devices that are not domain‑joined and not enrolled in enterprise endpoint management. These devices receive the same recovery features available to Windows Home users. For domain‑joined or enterprise managed devices, Quick Machine Recovery stays off unless you enable it for your organization.
[NETWORK] – A built‑in network speed test is now available from the taskbar. The speed test opens in the default browser and measures Ethernet, Wi‑Fi, and cellular connections.
[CAMERA] – Control pan and tilt for supported cameras in the Settings app.
[SEARCH] – Using search on the taskbar? Preview search results by hovering and quickly seeing when more results are available with group headers.

New features and improvements are coming in the April 2026 security update. You can preview them by installing the March 2026 optional non-security update for Windows 11, versions 25H2 and 24H2. This update includes the gradual rollout of:

[SECURITY] –You can turn Smart App Control on or off without needing a clean install.
[SETTINGS] – The Settings > About page now provides a more structured and intuitive experience. Get clearer device specifications and easier navigation to related device components, including quick access to Storage settings.

Lifecycle reminders

Windows 10 Enterprise 2016 LTSB and Windows 10 IoT Enterprise 2016 LTSB will reach end of support on October 13, 2026. Windows Server 2016 will reach end of support on January 12, 2027. If your organization cannot migrate to newer, supported releases in time, explore the options available to help you keep your devices protected with monthly security updates. Extended Security Updates (ESU) are now available for purchase for Windows 10 Enterprise 2016 LTSB.

Check out our lifecycle documentation for the latest updates on Deprecated features in the Windows client and Features removed or no longer developed starting with Windows Server 2025.

Additional resources

Looking for the latest news and previews for Windows, Copilot, Copilot+ PCs, the Windows and Windows Server Insider Programs, and more? Check out these resources:

Windows Roadmap for new Copilot+ PCs and Windows features – filter by platform, version, status, and channel or search by feature name
Microsoft 365 Copilot release notes for latest features and improvements
Windows Insider Blog for what's available in the Canary, Dev, Beta, or Release Preview Channels
Windows Server Insider for feature preview opportunities
Understanding update history for Windows Insider preview features, fixes, and changes to learn about the types of updates for Windows Insiders

Join the conversation

If you're an IT admin with questions about managing and updating Windows, add our monthly Windows Office Hours to your calendar. We assemble a crew of Windows, Windows 365, security, and Intune experts to help answer your questions and provide tips on tools, best practices, and troubleshooting.

Finally, we're always looking to improve this monthly summary. Drop us a note in the Comments and let us know what we can do to make this more useful for you!

Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.

Announcing Windows 365 connector for Microsoft Power Platform and Azure Logic Apps (Public Preview)

ivaylo_ivanov — Thu, 02 Apr 2026 16:00:00 GMT

We are excited to announce the Public Preview of the Windows 365 connector for Power Platform and Azure Logic Apps!

With prebuilt actions and triggers for Windows 365 built on top of Graph, IT and operations teams can:

Use Power Automate and Azure Logic Apps to build Cloud PC workflows, such as sending emails to users when Cloud PCs are provisioned
Use Copilot Studio to build agents to provide guided responses to common questions based on configured knowledge sources

Build repeatable Cloud PC workflows with Power Automate or Azure Logic Apps

Power Automate and Azure Logic Apps are a great fit when you want to turn an event or request into a repeatable sequence of steps. With the Windows 365 connector, you can build flows for both users and admins.

Example: Send an email to a user once a Cloud PC has been provisioned

Permissions needed:

The user that wants to set up the flow must have one of the following roles:

Global Administrator
Intune Service Administrator
Windows 365 Administrator (for Cloud PC-specific operations)
Custom role with Windows 365 permissions (requires Webhook.Create and Webhook.Delete for trigger operations)

How to build this capability in Power Automate:

Log in to Power Automate and click “New” and choose “Automated cloud flow.” Name your flow.
Select the “When a Cloud PC is created or updated” trigger. The trigger will then be added to your new workflow.
Select “When a Cloud PC is created” in the dropdown menu of the trigger.
Select the “Get Cloud PC” action and add the dynamic Cloud PC ID returned from the trigger.
Click the “+” symbol and add the “Get user profile (V2)” action, then add the “User principal name” dynamic field from the “Get a Cloud PC” action above it.
Click the “+” symbol and add the “Send an email (V2)” action.
1. Add the “User principal name” from the “Get a Cloud PC” action to the To line.
2. Add the appropriate subject to the email. Here, you can also include the Display name from the “Get user profile (V2)” action.
3. Add the appropriate body content for your organization, including how your organization’s users can access their Cloud PCs and where to get support.
4. Click Save in the top right to save your flow.

Note: we recommend testing this capability by limiting who it applies to at first. For example, it is possible to set the “To” line in the email action to an IT admin to first test your flow before opening it to more users.

Ideas for how to extend this capability:

Send notifications via Teams instead with the Teams connector
- Use Adaptive Cards and the Adaptive Card Designer to design a notification that has the right information for your users.
Use device preparation policies to ensure that the Cloud PC has the right apps and scripts before user login.

Create a conversational self-service experience with Copilot Studio

Copilot Studio lets you build agents that can surface information from your configured knowledge resources in response to user requests.

Ideas for how to extend this capability:

Start with the IT Helpdesk agent and add your own knowledge base from a SharePoint site, PDF, or Microsoft’s own documentation on learn.microsoft.com
Enable support handoff from virtual to human agents with Dynamics 365 Customer Service

What is Microsoft Power Platform?

Microsoft Power Platform is a low-code platform that enables organizations to analyze data, build custom apps, automate processes, and create agents, while integrating deeply with Microsoft 365, Dynamics 365, Azure, Entra, and many third-party connectors.

Power Automate and Azure Logic Apps for workflow automation across apps and services
Copilot Studio to build and custom AI agents and conversational experiences
Power Apps to build business apps with rich forms and logic
Power Pages to build websites
Power BI to analyze data and share insights

With 1400+ connectors from Microsoft and other companies, plus the ability to create custom connectors, organizations can bring in their own data from systems with a REST API.

Learn more about Power Platform and the connector

Windows 365 - Connectors

Introduction to Microsoft Power Platform

Licensing overview for Microsoft Power Platform

Overview - Azure Logic Apps

We want your feedback!

This feature is in Public Preview, meaning it may have restricted or limited functionality and may go through changes before it becomes generally available. For more information, visit our Public Preview in Windows 365 doc.

As you try it out, please share what’s working, what’s missing, and which scenarios matter most to you and your organization, especially around the triggers and actions we have made available so far.

To provide general feedback, feature requests, and report issues, please visit this form.

Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us on LinkedIn or @MSWindowsITPro for updates. Looking for support? Visit Windows on Microsoft Q&A.

Windows 365 Frontline in shared mode now available in Brazil South, Italy North, and West Europe

Vidya_Iyer — Tue, 31 Mar 2026 22:10:14 GMT

We're pleased to announce that Windows 365 Frontline in shared mode continues its global expansion with availability in three new regions spanning Brazil and Europe.

Organizations can now deploy Windows 365 Frontline shared mode Cloud PCs in these regions:

South America geography:

Brazil South

Europe geography:

Italy North
West Europe

This expansion reflects our ongoing commitment to bringing Cloud PCs closer to where shift-based workers operate, enabling organizations to deliver responsive, compliant, and cost-effective desktop experiences. Benefits of the expansion of Windows 365 Frontline in shared mode for these regions include:

Geographic proximity: Reduces network latency by placing Cloud PCs in regions closest to your users. Organizations can significantly improve responsiveness with faster sign-ins, quicker app launches, and smoother interactions; all contribute to better experiences for time-sensitive workflows.
Regulatory compliance: Addresses data residency requirements for industry-specific regulations. Many organizations face regulatory requirements that dictate where data can be stored and processed. With these new regional options, organizations can configure Windows 365 Frontline deployments that keep Cloud PC data within required geographical boundaries.
Aligning with existing infrastructure: Organizations already operating Azure resources in these regions can now co-locate Windows 365 Frontline Cloud PCs, simplifying network architecture and potentially reducing data transfer costs. This alignment creates opportunities for more integrated cloud strategies.

Empowering task-based workers worldwide

Windows 365 Frontline in shared mode addresses a specific workforce need: employees who require intermittent access to Windows applications and tools without the overhead of dedicated, always-on Cloud PCs.

What makes shared mode different?

Unlike traditional Cloud PC deployments where each user receives a dedicated virtual machine, shared mode enables multiple users to access the same Cloud PC at different times. The benefits of shared mode include:

Non-concurrent access: Only one user connects at a time, ensuring optimal performance
Automatic cleanup: User profiles and data are deleted after sign-out
License efficiency: Organizations can provision Cloud PC access for more users with fewer licenses
Rapid availability: The next user can connect as soon as the previous session ends

This model works exceptionally well for roles where employees need periodic access to specific tools—such as checking inventory systems, accessing training materials, or completing administrative tasks—rather than continuous desktop use throughout their workday.

Cloud Apps: Focused access for streamlined workflows

Beyond full desktop experiences, Windows 365 Frontline supports Cloud Apps delivery in shared mode. This capability enables organizations to provide users with access to specific applications—like web browsers, line-of-business tools, or communication platforms—without provisioning an entire Windows desktop.

Cloud Apps are particularly valuable when users need quick access to one or two critical applications rather than navigating a full desktop environment.

Getting started with shared mode in the new regions

Using Microsoft Hosted Network (MHN)

We recommend using Microsoft Hosted Network (MHN), so you can start deploying to the new regions immediately. To do this:

Navigate to your provisioning policy in the Microsoft Intune admin center
Select the appropriate geography (South America or Europe)
Choose your desired region:
1. Brazil: Brazil South
2. Europe: Italy North or West Europe

Using Azure Network Connection (ANC)

For Azure Network Connection deployments, you'll need:

A virtual network (vNet) in your target region (Brazil South, Italy North or West Europe)
Proper service endpoints and connectivity configured for the chosen region
Updated provisioning policies targeting the new region

Remember: With ANC, the Azure virtual network's region determines where your Cloud PC is hosted.

Review the Azure Network Connection documentation and confirm your ANC setup supports your chosen region, including virtual networks and necessary service endpoints.

Recommended next steps

Ready to expand your Windows 365 Frontline deployment to these new regions? Here's how to get started:

Review your requirements: Determine which region best serves your users' location and compliance needs
Check your network setup: Verify your Microsoft Hosted Network or Azure Network Connection configuration
Update provisioning policies: Configure policies to target the new regions
Deploy and monitor: Roll out Cloud PCs and monitor performance and user satisfaction

To explore configuration options and learn more about what's possible next, head over to the Windows 365 documentation.

Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us on LinkedIn or @MSWindowsITPro for updates. Looking for support? Visit Windows on Microsoft Q&A.

Windows App Updates: Reliability, Productivity, and Security Improvements

Hilary_Braun — Mon, 30 Mar 2026 17:49:16 GMT

Over a year of continued growth

As more organizations continue to explore Windows 365 and Azure Virtual Desktop to support flexible work, expectations for reliability, performance, and cross‑platform consistency are rising. Over the past year, Windows App has evolved into a solution to support reliable, productive, and secure access to Windows in the cloud, no matter where or how users connected.

Improved reliability

Reliability improvements focused on two critical moments: getting connected, and staying connected.

First, we made targeted transport‑layer improvements when networks fluctuate or devices move between environments. RDP Multipath, uses redundant UDP paths to help improve failover during transient network issues and reduce dropped sessions that can lead to disruptive reconnects.

Secondly, we have made improvements with connection flows across platforms. Together, these changes help reduce common connection‑related friction for end users and IT teams.

Enhancing productivity

Windows App introduces updates intended to reduce workflow friction and help users access their remote resources more efficiently. Users can now launch remote resources from familiar entry points like Windows Start menu and Spotlight search on macOS and iOS, helping minimize the need to search or switch between tools.

On macOS, task switching is designed to feel more consistent with native macOS navigation patterns. The cleaned‑up Option+Tab switcher, along with the ability to switch between remote apps from the Window menu and Dock, lets users move between workloads with the same ease they expect from native macOS apps.

For users with large, high-definition and widescreen monitors who prefer browser-based access, Windows App on the web now supports split-screen layouts. Users accessing Windows App in a browser can work on two virtual monitors within a single browser window. This supports side‑by‑side work scenarios within a single browser window, without requiring an additional physical monitor setup.

Windows App on the web also makes file movement simple with enhanced clipboard‑based file transfer. Users can copy and paste files directly between their local device and their virtual desktop, making it easy to move content in and out of the session without extra setup or tools.

External monitor support is also improved on iOS with user experience optimizations like automatic resolution handling. To add to the desktop‑class experience on mobile, Windows App on iOS now supports Surface mouse. Users can pair a Surface Arc Mouse or Surface Mouse with their iPhone to get precise cursor control, improved navigation, and a more natural remote desktop experience - especially when working with external monitors or larger screens.

Users can resume their sessions through supported URI‑based links. With URI‑based ms‑avd links on Windows, users can launch their remote sessions directly from an email or internal site, jumping back into their workspace. And on iOS and iPadOS based devices, improved handling of lock and unlock events help streamline reconnection.

To enhance the user experience on shared devices, Windows App on Windows now includes auto logoff, helping sessions end cleanly and creating a fresh slate for the next user.

And when something does get in the way, built‑in health checks and diagnostics provide clearer visibility into network and connection conditions, helping users and IT teams identify potential issues.

A more consistent experience across platforms

Consistency across platforms is critical for IT teams supporting diverse devices and user workflows.

In 2025, Windows App expanded platform support and aligned core experiences across Windows, macOS, iOS, Android, and the web, helping organizations deliver a similar access model and collaboration experience.

Remote PC connections, a frequently requested capability, are now available in preview in Windows App on Windows, making it easier for users to connect to their physical or virtual PCs alongside their Cloud PCs and Azure Virtual Desktop resources, all from a single app. This is also available for users without a work or school account.

Windows App for Android became generally available in April of 2025, ensuring access to remote resources from Windows App across most major platforms. Additional updates across Windows 365 including support for external identities, making it easier to provide access to remote resources for external users. Windows 365 Switch support expanded to include Windows 11 Home edition and Windows 365 Boot updates now deliver a streamlined connection experience, a new Connection Center experience for users with multiple Cloud PCs and cross-region disaster recovery.

Collaboration in Windows 365 and Azure Virtual Desktop also expanded with Teams VDI 1.0 support on iOS and Android (GA) and Teams VDI 2.0 on macOS (preview), now providing an improved meeting experience across all native clients.

Strengthening security with Windows App

Security continued to be a key focus area for Windows App in 2025, with new client‑side protections designed to help customers access Cloud PCs and virtual desktops across devices more securely. One important capability is Microsoft Intune Mobile Application Management (MAM) support, which allows organizations to apply data loss prevention (DLP) controls when users access Windows resources through Windows App on iOS and Android. Using Intune App Protection Policies, IT admins can manage how corporate data is accessed and shared, such as helping to prevent copy/paste into personal devices, requiring AV installation, and this approach is well‑suited for BYOD scenarios without requiring full device enrollment.

Windows App also introduced keyboard input protection, which is designed to help reduce exposure to certain keylogging and keystroke injection techniques during supported remote sessions. This client‑side security feature is particularly important in sensitive environments where users access high‑value workloads and data through virtualized Windows experiences. Together, these capabilities support Windows App as an access experience with built‑in security features for Windows in the cloud.

Preparing for the transition ahead

Starting March 27, 2026, the Remote Desktop client for Windows (MSI) and the web-based Remote Desktop client will no longer be supported in commercial clouds. Support for the Windows (MSI) client in Azure Government and Azure 21Vianet clouds ends on September 28, 2026. To maintain supported access to Azure Virtual Desktop and Windows 365 resources after these dates, customers are encouraged to begin planning migration to Windows App. Windows App on Windows now provides updated capabilities and IT management controls, and key feature gaps noted in the end-of-support blog have been addressed.

Your Feedback Matters

We welcome feedback through the Microsoft Store and Feedback Hub to help guide future improvements.

Get Started

Learn more in the Windows App documentation and find out about new features on the What’s new page. Find out more about what each platform supports here and join the conversation in the Windows Tech Community.

Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us on LinkedIn or @MSWindowsITPro for updates. Looking for support? Visit Windows on Microsoft Q&A.

Windows 365 Frontline in shared mode expands to New Zealand North, Mexico Central, and Europe

Vidya_Iyer — Thu, 26 Mar 2026 20:53:04 GMT

Editor’s note, March 26, 2026: An earlier version of this post listed West Europe as a newly supported region for Windows 365 Frontline in shared mode. This has been corrected. Windows 365 Frontline shared mode is now available in New Zealand North, Mexico Central, Poland Central, and Sweden Central. The availability and deployment guidance below reflect this update.

We're excited to announce that Windows 365 Frontline in shared mode is now available in five new regions, expanding our global footprint and bringing Cloud PCs closer to organizations across Australasia, Central America and Europe.

Starting today, customers can deploy Windows 365 Frontline shared mode Cloud PCs in:

Australasia geography

New Zealand North

Central America geography

Mexico Central

Europe geography:

Poland Central
Sweden Central

This expansion enables organizations to place Cloud PCs closer to their users, reducing latency and supporting local data residency requirements—critical for meeting regulatory compliance and delivering optimal user experiences.

Windows 365 Frontline in shared mode is designed for employees who need quick, intermittent access to task-based tools—like retail staff checking inventory, contractors requiring temporary access, or new hires completing onboarding training.

How Frontline in shared mode works

Shared mode Cloud PCs provide a secure, non-persistent desktop experience where:

Only one user can connect at a time
User profile data is deleted when they sign out
The Cloud PC is released for the next user
Organizations optimize costs by providing access to multiple users with a single license

In addition to full desktop access, organizations can also deliver Cloud Apps using the same shared mode foundation. This is ideal for users who only need a focused set of business-critical applications—like browsers, email, inventory systems, and so on—without the overhead of a full desktop environment.

This makes shared mode ideal for scenarios where users don't need data persistence but require quick access to specialized tools and applications.

Key benefits of regional expansion

Improved user experience

Bringing Cloud PCs closer to users in Mexico, Poland, and Sweden improves responsiveness and reduces latency—essential for frontline workers who need to complete time-sensitive tasks quickly and efficiently.

Compliance and data sovereignty

Keeping data within geographical boundaries helps organizations meet local regulatory requirements. Whether organizations are navigating data sovereignty regulations in Latin America or GDPR compliance in Europe, regional deployment options provide the flexibility organizations need.

Simplified IT management

IT admins can set up Cloud PCs with just a few clicks, while users benefit from faster sign-in and immediate productivity. Windows 365 Frontline shared mode removes the complexity of traditional VDI or shared physical device deployments.

Getting started with the new regions

Using Microsoft Hosted Network (MHN)

We recommend using Microsoft Hosted Network (MHN), so you can start deploying to the new regions immediately. To do this:

Navigate to your provisioning policy in the Microsoft Intune admin center
Select the appropriate geography (Central America or Europe)
Choose your desired region:
- Australasia: New Zealand North
- Central America: Mexico Central
- Europe: Poland Central or Sweden Central

Microsoft automatically optimizes Cloud PC placement for performance and resilience within your selected geography.

Learn more about how Microsoft Hosted Network improves resiliency and regional coverage.

Using Azure Network Connection (ANC)

For Azure Network Connection (ANC) deployments, you'll need:

A virtual network (vNet) in your target region (Mexico Central, Poland Central, or Sweden Central)
Proper service endpoints and connectivity configured for the chosen region
Updated provisioning policies targeting the new region

Remember: With ANC, the Azure virtual network's region determines where your Cloud PC is hosted.

Review the Azure Network Connection documentation and confirm your ANC setup supports your chosen region, including virtual networks and necessary service endpoints.

Recommended next steps

Ready to expand your Windows 365 Frontline deployment to these new regions? Here's how to get started:

Review your requirements: Determine which region best serves your users' location and compliance needs
Check your network setup: Verify your Microsoft Hosted Network or Azure Network Connection configuration
Update provisioning policies: Configure policies to target the new regions
Deploy and monitor: Roll out Cloud PCs and monitor performance and user satisfaction

To explore configuration options and learn more about what's possible next, head over to the Windows 365 documentation.

Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us on LinkedIn or @MSWindowsITPro for updates. Looking for support? Visit Windows on Microsoft Q&A.

Advancing Windows driver security: Removing trust for the cross-signed driver program

Peter_Waxman — Thu, 26 Mar 2026 16:00:00 GMT

How our new approach strengthens customer protection while preserving app compatibility

Today, we’re excited to announce a significant step forward in our ongoing commitment to Windows security and system reliability: the removal of trust for all kernel drivers signed by the deprecated cross-signed root program. This update will help protect our customers by ensuring that only kernel drivers that the Windows Hardware Compatibility Program (WHCP) have passed and been signed can be loaded by default. To raise the bar for platform security, Microsoft will maintain an explicit allow list of reputable drivers signed by the cross-signed program. The allow list ensures a secure and compatible experience for a limited number of widely used, and reputable cross-signed drivers. This new kernel trust policy applies to systems running Windows 11 24H2, Windows 11 25H2, Windows 11 26H1, and Windows Server 2025 in the April 2026 Windows update. All future versions of Windows 11 and Windows Server will enforce the new kernel trust policy. This update continues a long sequence of changes Microsoft has taken over the years to reduce the attack surface on Windows and reinforces our commitment to safeguarding customers. Drivers are a critical part of the Windows ecosystem, and ensuring their integrity is essential to providing a secure and trustworthy environment.

The Microsoft WHCP certification program is a rigorous driver signing process that helps us ensure  our driver vendor partners are continuously vetted and comply with the latest security and compliance requirements. The WHCP program scans all driver submissions for malware and requires Hardware Lab Kit (HLK) test results to verify drivers are compatible with the Windows OS and Windows hardware. Driver submissions that pass partner identity vetting and security and compatibility scanning are signed by Microsoft-owned and protected code signing certificates that authorize trust for the drivers across the Windows ecosystem.

Despite the high security and compliance bar imposed by the WHCP program, third-party drivers signed by the cross-signed root program are until now still broadly trusted in the Windows kernel. The cross-signed root program was introduced in the early 2000s to support and enable code integrity for third-party drivers on the Windows platform. This program provided driver publishers with Windows-trusted code signing certificates with varying degrees of partner vetting and zero assurances around the security and compatibility of kernel code. The signing program, administered by third-party certificate authorities, required driver authors to store and protect the private keys of the certificate, which led to abuse and credential theft that put our customers and their platforms at risk. The program was deprecated in 2021, and all certificates have since expired. However, trust for these certificates has persisted in specific use cases and scenarios. That changes starting now.

Balancing security with compatibility

We know our customers depend on a diverse set of applications and hardware, many of which today rely on third-party cross-signed drivers. We know driver and application security are required by our customers but cannot come at the expense of compatibility and productivity. As a result, our new kernel trust policy responsibly raises the security bar while ensuring essential and reputable cross-signed drivers are still trusted in Windows. This helps minimize disruption and preserve the rich compatibility for which Windows is known. The new trust policy is carefully curated based on billions of driver load signals and real-world usage data across Windows 11 and Windows Server 2025 from the past two years. The driver load signals and input from our vibrant developer community have helped shape this policy and feature to help ensure a smooth transition for our customers.

How the secure enablement works

To make this transition as seamless as possible, the new kernel trust policy will roll out in evaluation mode starting with the April 2026 Windows update servicing release to Windows 11 24H2, 25H2, 26H1, and Windows Server 2025. During evaluation mode, the Windows kernel will monitor and audit all driver loads to determine if the new trust policy can be safely activated without causing compatibility issues caused by blocking critical cross-signed drivers. A system will remain in evaluation mode until all evaluation criteria are met: 

Evaluation Criteria	Evaluation Metric
Number of system hours	Windows 11 – 100 hours Windows Server 2025 – 100 hours
Number of boot sessions	Windows 11 – 3 restarts Windows Server 2025 – 2 restarts

By requiring two distinct evaluation criteria, we ensure that a diverse set of drivers across boot-start and runtime scenarios is evaluated before activating the feature. Once all evaluation criteria are met, the feature determines whether the system should activate the policy by assessing the drivers loaded during evaluation mode:

If all drivers loaded during the evaluation period are trusted by the kernel policy, the system activates and enforces the new kernel trust policy. Enforced systems are now protected against untrusted drivers from the cross-signed program, not on the kernel trust policy. These drivers will be blocked from running on enforced systems and the following notification is displayed:

If any cross-signed drivers are audited during the evaluation period and determined they would not pass the new kernel trust policy, the policy is not activated and remains in evaluation, and the evaluation period is reset. The system stays in evaluation mode until the drivers blocking enablement are no longer audited.

The evaluation mode ensures that systems using untrusted cross-signed drivers for legitimate, less frequent scenarios won’t be impacted by an ecosystem-wide enforced policy. At the same time, systems where driver compatibility is not impacted by the policy will safely enforce to reduce the kernel attack surface and improve security.  Application Control for Business always provides the ability to configure a more restrictive security policy, if desired, enabling you to further restrict the drivers and applications running on your systems.

For more information on the driver policy, please visit https://go.microsoft.com/fwlink/?linkid=2352532

Allowing custom kernel drivers via App Control policy

To run certain drivers not supported by the new kernel policy in your environment, Windows now supports a method to securely override the default kernel policy using an Application Control for Business (formerly WDAC) policy. Confidential drivers that cannot be signed through the Microsoft Windows Hardware Compatibility Program (WHCP) via Hardware Dev Center (HDC) and drivers developed for internal only scenarios are well positioned for this policy. Otherwise, drivers targeted for the Windows ecosystem must be WHCP certified and signed through the Microsoft HDC portal.

Customers with confidential or internal-only driver scenarios, who have control over the UEFI Secure Boot authorities , can use this new feature to allow custom signers not trusted in the Windows kernel by default. The App Control policy enables customers to run privately signed drivers on enrolled systems without degrading security. The policy must be signed by an authority in the device’s Secure Boot Platform Key (PK) or Key Exchange Key (KEK) variables to ensure the policy is applicable to only their environment. By default, Application Control policies are designed to restrict the default kernel policy. When these policies are PK or KEK signed, kernel trust can be expanded to trust components and certificates otherwise not trusted in Windows.

The April 2026 Windows update servicing release will support this new policy type in Application Control for Business on systems running Windows 11 24H2, 25H2, 26H1 and Windows Server 2025. For more information on allowing custom kernel drivers and building a custom policy, visit https://go.microsoft.com/fwlink/?linkid=2348122.

We are committed to delivering the best possible Windows experience - one that is secure, reliable, and fully compatible with your workflows. As we roll out the kernel trust policy, we’ll continue to listen to customer feedback, work closely with hardware and software partners, and refine our processes to ensure both security and compatibility remain top priorities. Thank you for joining us on this journey toward a safer, more resilient Windows ecosystem.

Securing the present, innovating for the future

Security is a shared responsibility. Through collaboration across hardware and software ecosystems, we can build more resilient systems secure by design and by default, from Windows to the cloud, enabling trust at every layer of the digital experience.

The updated Windows Security book and Windows Server Security book are available to help you understand how to stay secure with Windows. Learn more about Windows 11, Windows Server, and Copilot+ PCs. To learn more about Microsoft Security Solutions, visit our website.

Bookmark the Security blog to keep up with our expert coverage on security matters.

Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us on LinkedIn or @MSWindowsITPro for updates. Looking for support? Visit Windows on Microsoft Q&A.

Windows 365 available in US Gov Texas for Government Community Cloud customers

Ron_Coleman — Mon, 23 Mar 2026 18:00:00 GMT

Today, we’re pleased to announce that Windows 365 is now available in the US Gov Texas region for customers in the United States (US) Government Community Cloud (GCC & GCC-High).

This new regional availability helps US government organizations deploy Cloud PCs closer to users while meeting data residency, compliance, and performance requirements in an Azure Government environment.

Provision Cloud PCs in US Gov Texas

Admins can select US Gov Texas directly in the Microsoft Intune admin center when creating or updating a Windows 365 provisioning policy.

Built for government needs

With support for US Gov Texas, GCC customers can:

Keep Cloud PC data and compute within a US sovereign Azure Government region
Reduce latency for users in Texas and surrounding areas
Deploy Cloud PCs using Windows 365’s simple, SaaS-based model

Get started

GCC customers can begin provisioning Windows 365 Cloud PCs in US Gov Texas today by selecting the region when creating or updating provisioning policies in Microsoft Intune.

Learn more about the supported regions for Windows 365 Cloud PC provisioning in our Government Community Cloud.

Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us on LinkedIn or @MSWindowsITPro for updates. Looking for support? Visit Windows on Microsoft Q&A.

Announcing Multi‑Region Selection for Windows 365 in Government Community Cloud

Ron_Coleman — Mon, 23 Mar 2026 18:00:00 GMT

Government organizations rely on Windows 365 to deliver secure, reliable Cloud PCs for mission critical work. Following our recent announcement of resiliency improvements with Microsoft Hosted Network (MHN), we’re pleased to share that Multi-Region Selection is now available for Windows 365 in our Government Community Cloud (GCC & GCC-High). 

This capability extends Microsoft’s service managed resiliency investments to US government customers, helping improve Cloud PC availability while maintaining the simplicity and security expected from a SaaS solution.

What is Multi‑Region Selection?

Multi‑Region Selection allows Windows 365 to automatically distribute Cloud PCs across multiple Azure regions within the US Government region group, rather than provisioning all Cloud PCs in a single region.

In GCC environments, Cloud PCs are deployed within the US Government region group, which includes multiple Azure Government regions. When Multi‑Region Selection is enabled, Windows 365 can intelligently place Cloud PCs across the available regions in this group to improve resiliency and reduce dependency on any single region.

Customers can choose to allow automatic placement across the US Government region group or configure one or more specific regions that best meet their organizational needs.

When Microsoft Hosted Network is configured, Microsoft manages both the networking and regional placement of Cloud PCs. Customers select the region group or regions they want to use, and Windows 365 takes care of the underlying networking, placement, and optimization.

Why does this matter for GCC customers?

With Multi-Region Selection enabled, Windows 365 customers in GCC can benefit from:

Improved resiliency: Cloud PCs are distributed across multiple regions, helping reduce the blast radius of regional issues.
Simplified operations: No manual region selection or Azure networking configuration required, Microsoft manages placement automatically after a geography or region group is selected.
Consistent user experience: End users continue to connect to their Cloud PCs the same way, with resiliency built in by design.

How to configure Multi‑Region Selection

Multi‑Region Selection is configured in the Microsoft Intune admin center as part of creation of a Windows 365 provisioning policy.

When Microsoft Hosted Network is used, admins have the option to select the US Government region group which includes all regions available or select specific regions, and Windows 365 automatically manages Cloud PC placement across those regions.

Once enabled, Cloud PCs are provisioned with built-in multi-region resiliency, without requiring architectural changes or additional configuration.

Get started

Multi-Region Selection is available now for Windows 365 customers in GCC using Microsoft Hosted Network. Customers can begin using this capability by enabling it in new or existing provisioning policies.

Learn more about how Windows 365 is enhancing Microsoft Hosted Network Cloud PC resiliency with Multi-Region Selection.

For a full list of Azure regions currently supported for Windows 365 Government, visit our Requirements for Windows 365 documentation.

Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us on LinkedIn or @MSWindowsITPro for updates. Looking for support? Visit Windows on Microsoft Q&A.

Introducing Teams optimizations for Windows App on iOS & Android — Now Generally Available

PavithraT — Wed, 18 Mar 2026 17:46:54 GMT

Today, we’re announcing the general availability of Teams optimizations (WebRTC Redirector Service) for Windows App on iOS and Windows App on Android, expanding support for optimized Microsoft Teams experiences when connecting to Windows 365 and Azure Virtual Desktop from mobile devices.

Optimized Teams experiences for mobile devices

Teams optimizations for Windows App on iOS and Android are designed to improve how audio and video are handled during Teams calls and meetings in virtualized environments. By leveraging media redirection techniques, audio and video processing can occur on the local device rather than entirely within the virtual session, which is intended to support more responsive interactions during meetings.

Teams optimizations are designed to support:

Improved audio and video handling during Teams calls and meetings
More consistent media experiences across a range of network conditions
A familiar Teams experience when joining meetings from mobile devices using Windows App

During public preview, customers evaluated these optimizations in real‑world scenarios.

With this release, organizations can begin deploying Windows App on iOS and Android with support for Teams media optimizations as a generally available capability when accessing Azure Virtual Desktop and Windows 365, subject to supported configurations.

Try it today

If you’re using Windows App on iOS or Android, you can start using Teams optimizations today. Windows App is available on the Apple App Store and Google Play Store.

We want your feedback

Customer feedback continues to play an important role in how Windows 365 and Azure Virtual Desktop experiences evolve. We encourage you to share what’s working well and where there are opportunities for improvement.

Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us on LinkedIn or @MSWindowsITPro for updates. Looking for support? Visit Windows on Microsoft Q&A.

Windows 365 Frontline in shared mode expands to Norway East, France Central and Spain Central

Vidya_Iyer — Wed, 18 Mar 2026 16:00:00 GMT

We're excited to announce that Windows 365 Frontline in shared mode is now available in three new regions, expanding our global footprint and bringing Cloud PCs closer to organizations across Europe.

Starting today, customers can deploy Windows 365 Frontline shared mode Cloud PCs in:

Europe geography:

Norway East
France Central
Spain Central

This expansion enables organizations to place Cloud PCs closer to their users, reducing latency and supporting local data residency requirements, critical for meeting regulatory compliance, and delivering optimal user experiences.

Windows 365 Frontline in shared mode is designed for employees who need quick, intermittent access to task-based tools—like retail staff checking inventory, contractors requiring temporary access, or new hires completing onboarding training.

How Frontline in shared mode works

Shared mode Cloud PCs provide a secure, non-persistent desktop experience where:

Only one user can connect at a time
User profile data is deleted when they sign out
The Cloud PC is released for the next user
Organizations optimize costs by providing access to multiple users with a single license

In addition to full desktop access, organizations can also deliver Cloud Apps using the same shared mode foundation. This is ideal for users who only need a focused set of business-critical applications like browsers, email, inventory systems, and so on, without the overhead of a full desktop environment.

This makes shared mode ideal for scenarios where users don't need data persistence but require quick access to specialized tools and applications.

Key benefits of regional expansion

Expanding Windows 365 Frontline shared mode to the new regions provides benefits including:

Improved user experience - Bringing Cloud PCs closer to users improves responsiveness and reduces latency.
Compliance and data sovereignty - Keeping data within geographical boundaries can help organizations meet local regulatory requirements. Whether they're navigating GDPR in Europe or data sovereignty regulations in the Middle East, regional deployment options provide the flexibility they need.
Simplified IT management - IT admins can set up Cloud PCs with just a few clicks, while users benefit from faster sign-ins and immediate productivity.

Getting started with the new regions

Using Microsoft Hosted Network (MHN)

We recommend using Microsoft Hosted Network (MHN), so you can start deploying to the new regions immediately. To do this:

Navigate to your provisioning policy in the Microsoft Intune admin center
Select the appropriate geography (Europe)
Choose your desired region:
1. Europe: Norway East, France Central or Spain Central

Microsoft automatically optimizes Cloud PC placement for performance and resilience within your selected geography.

Learn more about how Microsoft Hosted Network improves resiliency and regional coverage.

Using Azure Network Connection (ANC)

For Azure Network Connection deployments, you'll need:

A virtual network (vNet) in your target region (Norway East, France Central or Spain Central)
Proper service endpoints and connectivity configured for the chosen region
Updated provisioning policies targeting the new region

Remember: With ANC, the Azure virtual network region determines where your Cloud PC is hosted.

Review the Azure Network Connection documentation.

Recommended next steps

Ready to expand your Windows 365 Frontline deployment to these new regions? Here's how to get started:

Review your requirements: Determine which region best serves your users' location and compliance needs
Check your network setup: Verify your Microsoft Hosted Network or Azure Network Connection configuration
Update provisioning policies: Configure policies to target the new regions
Deploy and monitor: Roll out Cloud PCs and monitor performance and user satisfaction

Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us on LinkedIn or @MSWindowsITPro for updates. Looking for support? Visit Windows on Microsoft Q&A.

Unlocking Secure Agentic Productivity with Windows 365 for Agents

Joydeep_Mukherjee — Wed, 18 Mar 2026 20:27:52 GMT

The future of enterprise automation isn’t just about building smarter agents, it’s about enabling you to do more with agents, across more of the organization, directly within environments companies already rely on. This means AI agents need access to enterprise applications, not just APIs.

With our latest innovations announced at Ignite 2025 and our vision for AI agents, Windows 365 is becoming a foundational execution layer where people run agents to work through software UI, unlocking productivity while preserving enterprise trust boundaries. Windows 365 for Agents is the next evolution of Cloud PCs—extending the trusted Windows 365 platform from human users to AI agents so organizations can run agentic workloads securely, at scale, and under enterprise governance.

Scaling AI agent productivity securely

While Model Context Protocol (MCP) servers enable automation in modern apps that have an API-based interaction layer, many mission-critical workflows still live in UI-driven legacy apps and bespoke internal sites where APIs are incomplete or unavailable. Equally important, business logic and decision context often live in the UI, not the API: warnings, approvals, conditional flows, and exception handling are communicated visually, and API-only agents miss this operational nuance. As a result, there are limits to how even highly capable agents can operate where real work happens. Windows 365 for Agents closes this gap by giving AI agent workloads a secured Cloud PC to reliably work through the same Windows and browser UIs employees use.

With Agent 365, (generally available May 1) enterprise governance extends natively into the agent execution environment. Agent 365 gives organizations a single, trusted way to observe, govern, and secure agentic workloads—whether built by Microsoft, partners, or organizations—using the same identity, security, and management systems they already use for employees.

That governance also applies to agents working in Windows 365 for Agents Cloud PCs—bringing managed, policy-controlled desktop execution to agentic workloads. Together, Windows 365 for Agents and Agent 365 create a consistent and secure environment to run and govern agents, with each platform serving a distinct role:

Agent 365 determines what work an agent should be able to perform and how it fits into the broader business workflows, using shared organizational policies and identity to govern behavior and access.
Windows 365 for Agents defines where that work executes, providing Cloud PCs to enable agents to operate inside their own desktops and applications, including UI‑driven and non‑API systems, within a fully managed and auditable environment.

These Cloud PCs can run Windows or Linux (coming soon) and are:

Entra ID-joined
Microsoft Intune-managed
Policy-enforced
Auditable by design

This means identity, access controls, compliance policies, and audit logs are inherited from the enterprise environment from day one.

To see what this looks like in practice, the video below shows how an expense report agent managed in Agent 365 can complete a routine expense report task using an assigned Cloud PC.

Managing agents consistently – no matter who builds them

We know that enterprises are increasingly drawing upon internal knowledge to build and deploy AI agents that operate directly within their core Windows applications. At the same time, a growing ecosystem of agent-builder platforms is giving organizations new, external paths to create and deploy agents tailored to their unique business needs. Agent 365 serves as the control plane that brings these internally and externally created agents together under a single governance model.

To support this, Microsoft has partnered with innovators like GenSpark to ensure we’re providing the tools required to bring externally created agents into production securely, compliantly, and at scale—without sacrificing enterprise governance.

“What stood out to us about Agent 365 is that Microsoft focused on trust, not just technology. Security, governance, and compliance are built in from the start, enabling IT leaders to deploy AI with confidence. Through this partnership, we’re able to bring GenSpark’s AI directly into Teams, Microsoft Word, Microsoft 365 apps, Copilot, and computer‑using workflows powered by Windows 365 for Agents—all under enterprise IT control. At the same time, employees get a seamless experience right where they work. That’s the future we’re excited to help build.”
— Eric Jing, CEO, GenSpark

Expanding what agents can do without expanding risk

Combining Agent 365 management with Windows 365 for Agents execution lets enterprises extend automation into the long tail of UI-based work that lives outside the API world—without sacrificing governance or control.

Key outcomes include:

Agents operate across applications and browsers,
Complete multi-step operational tasks, and
Operate under the same policies and controls as human users.

This is what work-aware AI can look like in practice.

Ready to get started?

If you’re an agent maker, IT leader, or developer interested in being among the first to try Windows 365 for Agents, sign up here to express your interest in our preview.
If you are an enterprise looking for a no-code agent building experience powered by Windows 365 for Agents, get started with Microsoft Copilot Studio today: Automate web and desktop apps with computer use (preview)
If you are an agent developer looking to solve agentic work for enterprises – get started with your Agent 365 integration today: Microsoft Agent 365 SDK and CLI | Microsoft Learn

Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.

Announcing the RDP dynamic virtual channel plugin samples

DenisGundarev — Mon, 16 Mar 2026 16:00:00 GMT

Extending Remote Desktop Protocol (RDP) is one of those areas where the documentation technically explains everything, but the real-world picture can still be difficult to piece together.

At its core, the concept is straightforward: an RDP plugin consists of two cooperating components:

A client-side component running alongside the RDP client (mstsc.exe or Windows App)
A server-side component running inside the remote session

When a user connects through RDP, the client component is loaded by the RDP client and advertises one or more virtual channels. Applications inside the remote session can open those channels and exchange data with the client over the same RDP connection.

RDP defines two types of virtual channels:

Static virtual channels (SVC) — the original model with several limitations
Dynamic virtual channels (DVC) — the modern model used by most current RDP features

Static channels are still supported on Windows. However, they are not supported in Windows 365 or Azure Virtual Desktop and have several architectural constraints that make them unsuitable for new development.

Modern extensions rely on dynamic virtual channels, which allow channels to be created and closed dynamically during an active session. This mechanism powers many core RDP capabilities, including graphics, clipboard synchronization, audio redirection, device forwarding, and diagnostics.

Dynamic virtual channels in practice

Dynamic virtual channels have existed since Windows Vista and have been available to third-party developers for nearly two decades. During that time, hundreds of third-party plugins have been built using DVCs — from media optimization stacks for communication platforms, to advanced device redirection, monitoring agents, and internal enterprise integrations.

Despite this widespread use, practical end-to-end examples have remained surprisingly rare. The only official reference sample, TS Teleport, was published in 2007. While it demonstrates the concept, it uses old development patterns, tooling, and deployment approaches that make it difficult to apply directly to modern projects.

A modern sample repository

To address this gap, we are releasing a sample repository demonstrating how to build RDP plugins using modern tools and development patterns.

https://github.com/microsoft/rdp-dvc-plugin-samples

What you get

Working client plugins and in-session server implementations across multiple languages
Examples of plugin activation models (LocalServer32, InprocServer32, directentrypoint)
Lifecycle guidance (connect, disconnect, reconnect) and a shared baseline protocol for validation

The goal is to provide practical, end-to-end examples that developers and IT professionals can use as a starting point when building real-world RDP integrations.

Core concepts used in this article

RDP Client: Any RDP client that implements loading third-party plugins – It could be built-in Remote Desktop Client (mstsc.exe) on Windows 11 or Windows Server, Windows App or any other application that is using Remote Desktop ActiveX.

RDP Server: A Windows 11 or Windows Server endpoint you connect to via RDP (including Azure Virtual Desktop/Windows 365 scenarios), where the server-side app runs inside the remote session and opens the DVC via the WTS APIs.

What is a dynamic virtual channel?

A dynamic virtual channel (DVC) is a virtual channel created and managed dynamically during a live RDP session. Both sides agree on a channel name, which is the only address required.

The client side is implemented as a COM object (IWTSPlugin) loaded by the RDP client.

The server side is a normal Windows application running inside the RDP session that uses the Windows Terminal Services (WTS) API to open the channel and exchange data.

Under the hood, DVCs are multiplexed over the RDP transport.

Overview of a RDP plugin architecture

A diagram displaying simplified interaction between RDP plugin components

What is the Repository?

Simple samples

Start with the Simple samples. Each one implements the same ping/echo protocol: the server sends a message with a sequence number, timestamp, and 5 KB payload; the client plugin echoes it back; the server logs round-trip time. That is the baseline.

Seven languages — C++, .NET 8, .NET Framework 4.8, Go, Rust, Python, and Electron — all using LocalServer32 activation, all sharing the same channel name and wire format. Any client plugin can talk to any server binary. Each client side executable accepts /register and /unregister flags to manage its own registry entries under HKCU (HKEY_CURRENT_USER) — no elevation required.

The Simple samples deliberately leave out session reconnection, render hints, and alternative activation models.

Advanced samples

The Advanced samples are the ones to read once the Simple sample works. They implement: reconnects, different activation models, and rarely used render interfaces. They cover all three activation models in both C++ and .NET 8, sharing a single rdp-plugin-common library across the three client projects, so you can see exactly what differs between activation models without duplicating everything else.

Activation models

RDP Client loads DVC plugins at startup via a well-known registry key under HKCU|HKLM\SOFTWARE\Microsoft\Terminal Server Client\Default\AddIns\. The Name value under that key determines how the plugin is activated:

Model	How RDP Client activates	Stability
LocalServer32 (out-of-process EXE)	CoCreateInstance → COM Service Control Manager (SCM) launches the EXE	Crash in the plugin does not take down mstsc
InprocServer32 (in-process Dynamic-Link Library (DLL))	CoCreateInstance → COM loads the DLL into mstsc	Crash or heap corruption affects the RDP client
Direct exported entrypoint	LoadLibraryEx + resolves VirtualChannelGetInstance	Same in-proc risk; no COM registration needed

If you are building a plugin, start with LocalServer32 unless you have a specific reason not to. It isolates the plugin process, makes debugging straightforward, and means a crash in your code does not take down the user's RDP client.

How registration works

Plugins are registered under:

HKCU\SOFTWARE\Microsoft\Terminal Server Client\Default\AddIns\SampleRdpPlugin

Example:

Name = "{D9B80669-C06A-4BD1-9CB1-3B7168C9E3A3}"

This CLSID maps to the COM registration:

HKCU\Software\Classes\CLSID\{D9B80669-C06A-4BD1-9CB1-3B7168C9E3A3}\LocalServer32
(Default) = "C:\path\to\rdp-plugin.exe"

Process Lifetime (LocalServer32)

Each RDP connection causes mstsc.exe to call CoCreateInstance.

Depending on how the server is implemented, this may:

Reuse an existing process via CoRegisterClassObject
Launch a new process instance

Getting started

Requirements

Client and server must run supported versions of Windows 11 or Windows Server 2019 or later. You can use either built-in mstsc.exe, or Windows 365/Azure Virtual Desktop

Install required tools

Open a PowerShell window.

Install Git and Visual Studio Code:

winget install Git.Git
winget install vscode

Restart the PowerShell window if necessary.

Clone the repository

mkdir C:\sources
cd C:\sources
git clone https://github.com/microsoft/rdp-dvc-plugin-samples.git
cd rdp-dvc-plugin-samples

Build a sample

Navigate to a language under the simple folder.

Example:

cd simple\dotnet

Each language directory contains a build.ps1 script that can be used to required build tools:

.\build.ps1 -Install

This step only needs to be performed once.

Restart PowerShell if required.

Build the sample:

.\build.ps1

Run the sample

On the client machine:

rdp-plugin.exe /register

This registers the plugin. Start the plugin or let the RDP client launch it automatically when a connection is established.

Connect to the RDP server, note the plugin output window logs

On the server machine:

Copy the server binary and run it inside the RDP session.

You should see ping/echo output in both consoles, confirming that the DVC channel is functioning.

If the plugin does not load, the most common causes are:

Missing registry registration
Running the plugin elevated while the RDP client is not

See TROUBLESHOOTING.md for the full checklist.

Conclusion

Dynamic virtual channels are one of the most powerful extensibility points in the Remote Desktop Protocol stack. Whether the goal is device redirection, custom signaling, telemetry, or entirely new client capabilities, DVCs provide a flexible and well-integrated mechanism to extend the RDP experience.

If you are new to DVC development, start with the official documentation to understand the protocol model and API surface:

https://learn.microsoft.com/en-us/windows/win32/termserv/dynamic-virtual-channels

Then explore the sample repository to see complete, working implementations across multiple languages and activation models:

https://github.com/microsoft/rdp-dvc-plugin-samples

Clone the repository, run the simple samples to validate your environment, and then use the advanced samples as a foundation for building production-ready RDP plugins.

Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us on LinkedIn or @MSWindowsITPro for updates. Looking for support? Visit Windows on Microsoft Q&A.

RSAT capabilities arrive on Arm-based Windows 11 PCs

Zane_Szafraniec — Tue, 10 Mar 2026 17:00:00 GMT

Remote Server Administration Tools (RSAT) are now officially supported on Arm-based Windows 11 PCs. You can now remotely manage Windows server roles and features using Windows devices built on Arm processors, just as you would with traditional x64-based PCs. Supporting RSAT on Windows 11 on Arm marks a significant milestone and addresses one of your top requests for enterprise management.

RSAT tools now available for Windows on Arm

With the February 2026 Windows non-security preview update, five of the most widely used RSAT components are available on Arm-based devices:

Active Directory Domain Services & AD LDS Tools – Remotely manage Active Directory domains, users, and Lightweight Directory Services (AD LDS) instances.
Active Directory Certificate Services Tools – Administer and manage certificate services and Public Key Infrastructure (PKI) on Windows Servers.
Group Policy Management Console (GPMC) – Create, edit, and manage Group Policy Objects to control settings in Active Directory environments.
DNS Server Tools – Configure and monitor DNS servers via the DNS Manager snap-in and command-line DNS utilities.
DHCP Server Tools – Manage DHCP servers and scopes to administer IP address allocation in your networks.

These familiar utilities have long been available on x64 Windows clients. They're now compiled natively for the 64-bit Arm architecture and supported on Windows 11 Pro and Enterprise editions. With these tools, you can accomplish everyday system administrator tasks directly from an Arm-based Windows 11 PC. Add users to Active Directory, edit GPOs, configure DNS and DHCP servers, and more.

Why RSAT on Arm64 matters

For the past several years, if you've used Windows on Arm, you had to rely on alternative management methods (such as Windows Admin Center) or switch to an x64 device for certain tasks. Similarly, testing newer Arm-powered laptops for your enterprise highlighted the pressing need for RSAT support on Arm64 devices.

With RSAT support, Windows 11 on Arm becomes a more viable platform for enterprise IT management. It boosts confidence in the Windows on Arm ecosystem for business use. Put simply, you can now manage Windows servers from an Arm-based client, using the same robust GUI and PowerShell tools you know.

RSAT on different Windows 11 versions

Depending on your Windows 11 version, RSAT are either available as optional components or Features on Demand (FODs).

Windows 11, versions 25H2 and 24H2^[1] on Arm: For today's broadly released and supported Windows 11 versions, RSAT support for Arm64 is available starting with the February 2026 Windows non-security preview update. The tools are enabled as optional components.
Windows 11, version 26H1: New Arm-based devices with the targeted Windows 11, version 26H1 release have these RSAT capabilities integrated directly as FODs. This release brings the Arm64 edition closer to parity with x64 in terms of RSAT functionality.

How to enable RSAT on Arm-based Windows 11 PCs

Optional components for Windows 11, versions 25H2 and 24H2

Your devices with an Arm64 processor must be running Windows 11, version 25H2 or 24H2 and be updated with the February 2026 Windows non-security preview update or later.

To add RSAT as optional components via the Control Panel^[2]:

Open the Control Panel.
Select Programs > Turn Windows features on or off.
Check the boxes for the RSAT components you need.

The RSAT components will then be installed and available for use on your Arm-based Windows 11 PC.

When you install optional components through the Control Panel user interface, you'll see the DisplayName showing RSAT.

However, when using command‑line tools, you'll only see the FeatureName. Please use the FeatureName to install a specific optional component.

Examples:

dism /online /get-features /format:table | findstr /i "Enabled"

Get-WindowsOptionalFeature -Online | Where-Object State -eq "Enabled"

Output sample:

FeatureName State
----------- -----

CertificateServices-Tools Enabled
ServerManager-Tools Enabled
ActiveDirectory-DS-LDS-Tools Enabled

Commands to install:

# Enable ADLDS
Enable-WindowsOptionalFeature -Online -FeatureName ActiveDirectory-DS-LDS-Tools -All -NoRestart
# Enable ADCS
Enable-WindowsOptionalFeature -Online -FeatureName CertificateServices-Tools -All -NoRestart

Additionally, for an individual feature:

Get-WindowsOptionalFeature -Online -FeatureName <FeatureName>

The output will include the DisplayName, which shows the corresponding RSAT label.

Features on Demand for Windows 11, version 26H1

The RSAT components are available to you as Windows features on devices with Windows 11, version 26H1.

To add RSAT tools as FODs via Windows Settings:

Navigate to Settings > System > Optional Features > Add an optional feature.
Find and select the desired "RSAT" components to install, such as RSAT: Active Directory Domain Services and LDS Tools, RSAT: DNS Server Tools, etc.

This is what RSAT as FODs look like on Windows 11, version 26H1:

Manage Windows infrastructure more efficiently

We hope you will take advantage of these newly available RSAT components on your Arm64 devices and let us know how this investment helps your team manage Windows infrastructure more efficiently.

By introducing RSAT for Windows 11 on Arm, the platform takes another step toward giving you a consistent management experience across more of your Windows devices. This removes a key barrier for your organization to adopt Arm-powered PCs for benefits like battery life and connectivity. Just use your preferred server management workflows on any Windows 11 PC.

This update underscores our commitment to support Windows on Arm for enterprise use cases. We'll continue welcoming feedback as we enhance Windows 11 for all platforms.

Happy server managing, now on Arm!

Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.

^[1] Non-Arm, x64 devices on Windows 11, versions 25H2 and 24H2 are Features on Demand.
^[2] As a shortcut for installing optional components via the Control Panel, press Win + R, type optionalfeatures.exe, and press Enter.

Securing devices faster with hotpatch updates on by default

Chris_Tulip — Mon, 09 Mar 2026 21:00:00 GMT

Windows Autopatch is enabling hotpatch security updates by default to help secure devices even faster. This change in default behavior comes to all eligible[i] devices in Microsoft Intune and those accessing the service via Microsoft Graph API starting with the May 2026 Windows security update. Applying security fixes without waiting for a restart can get organizations to 90% compliance in half the time, while you remain in control.

One month before this shift, starting on April 1, 2026, new controls become available if you're not ready for this change. Here's why and how you can decide on your next move.

The advantage of hotpatch updates

Every month, Windows publishes security updates to address common vulnerabilities and exposures (CVEs) to help keep users at your organization secure. When you roll out these updates as an IT admin, you may wait for days for devices to restart before they become compliant. Typically, you'd allow 3-5 days after installing those fixes before forcing a restart to apply them. When hotpatch updates launched about a year ago, we changed the game. Security updates take effect as soon as they are installed – no restart required.

This change in approach patches devices significantly faster since they aren't waiting for that restart. To see how this is working in the real world, we asked four different companies with 30-70K devices about their gains in the number of days to security compliance. They all reported achieving 90% patch compliance in half the previous time, without making any policy changes (see chart below).

Today, there are over 10 million production devices enrolled in hotpatch updates, showing the level of adoption and trust companies like yours have in this capability. Learn more about the efficiency of smaller hotpatch update sizes and how we implement hotpatch updates internally at Microsoft.

Hotpatch by default: How it works

Starting with the May 2026 Windows security update, Windows Autopatch is enabling hotpatch updates by default to help your organization get more secure, quicker. This change applies whether you use Windows Autopatch through Microsoft Intune or the Windows updates API in Microsoft Graph.

What does it mean in practice? All update policies in Microsoft Intune depend on Windows Autopatch. The default tenant setting is only applied to devices that aren't members of a quality update policy. Windows Autopatch respects your configuration of quality update policies. If a device is assigned to one of those policies, the hotpatch setting from that policy is the one applied. Your preferences for update deferrals and update ring settings are also respected.

Note: Hotpatch updates only apply to devices that meet the hotpatch prerequisites. Devices that don't meet these prerequisites will continue to patch in the same way they do today.

When will my devices start receiving hotpatch updates?

If a device meets the prerequisites and has taken the April 2026 security update (a baseline update), it will start receiving hotpatch updates with the May 2026 security update. Double-check whether a device is enrolled in hotpatch updates with new Windows Autopatch update readiness tools.

Note: Hotpatch updates are applied from the latest baseline release. If a device is enrolled in hotpatch updates but isn't yet on the latest baseline, Windows Autopatch first installs the latest baseline update, which requires a restart. Once the device is on the latest baseline, it continues receiving hotpatch updates without requiring restarts going forward. For more information on the latest schedule for these releases, see Release notes for hotpatch.

How do I know if a device will receive a hotpatch update?

Before the May 2026 hotpatch update, review the Hotpatch quality updates report in Intune. It shows devices that have hotpatch updates enabled and meet the prerequisites. You can easily see which devices will receive a hotpatch update in the Hotpatch ready column. Devices successfully patched are in the Hotpatched column.

You can also look at the Quality update status report in Intune to check which devices are ready to receive a hotpatch update. In this report, the column labeled Hotpatch Readiness indicates if the device meets the prerequisites for hotpatch updates. A new column called Hotpatch enabled will be added showing the status of each device.

Embracing the change at your own pace

Windows Autopatch is enabling hotpatching by default because hotpatch updates are the quickest way to get secure. As such, we recommend keeping hotpatch updates enabled for your devices. If you're not ready for this change, you can opt out groups of devices or the whole tenant.

The tenant setting to opt out of hotpatch updates is scheduled to go live on April 1, 2026. And because April is a hotpatch baseline month, you have until May 11, 2026 before any hotpatch updates are deployed.

How to opt out of hotpatch updates across your tenant

Once the changes are live in April, configure the default hotpatch update behavior for your tenant as follows:

Open Microsoft Intune.
Navigate to Tenant administration > Windows Autopatch > Tenant management.
Select the Tenant settings tab.
Toggle the "When available, apply updates without restarting the device ("hotpatch") setting to either Allow or Block.

How to opt out of hotpatch updates for groups of devices

Want to specify the desired behavior for a group of devices? Simply assign them to a quality update policy. Windows Autopatch respects your intention set at the policy level over the tenant-level default. To create a quality update policy, take the following steps:

Open Microsoft Intune.
Navigate to Devices > Manage updates > Windows updates.
Select the Quality updates tab.
Select Create.
Select Windows quality update policy from the drop-down menu.
Fill out the title and details on the Basics tab and select Next.
In the Settings step, toggle the "When available, apply without restarting the device ("hotpatch") setting to either Allow or Block, then select Next.
Apply any scope tags, then select Next.
Assign your desired Microsoft Entra groups, then select Next.
Select Create.

You can disable hotpatch updates at the tenant level and enable them for specific devices and vice versa. When you're ready for hotpatch updates by default, just toggle "When available, apply without restarting the device ("hotpatch") back to Allow.

To start taking advantage of hotpatch updates enabled by default, check that your devices meet the prerequisites. To learn more and get started, see Hotpatch updates and the Windows Autopatch frequently asked questions (FAQ).

Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.

^[i] See prerequisites for hotpatch updates in Hotpatch updates.

Frontline shared mode expands to Germany West Central & Switzerland North

Vidya_Iyer — Tue, 10 Mar 2026 18:07:58 GMT

Today, I’m pleased to announce that Windows 365 Frontline in shared mode is now available in Germany West Central and Switzerland North within the Europe geography, bringing Cloud PCs even closer to customers across Europe.

With Germany West Central and Switzerland North now supported, customers can place Cloud PCs closer to users to realize lower latency and local data residency through the Microsoft Cloud.

This expansion strengthens global coverage and helps customers who need to keep data within national borders, meet industry or government compliance expectations, or provide users with faster, more consistent Cloud PC experiences.

What Windows 365 Frontline shared mode enables

Windows 365 Frontline in shared mode is built for workers who need short, task-based access to a Cloud PC and don’t require data persistence. Only one user can connect at a time, and when a user signs out, user data is deleted. Then, the Cloud PC is released for the next user, helping standardize access for shared, rotating workforces.

Windows 365 Frontline also supports delivering Cloud Apps (instead of the full desktop) using the same shared mode foundation—helpful when frontline users primarily need a small set of business apps.

Benefits

Better user experience (low latency and consistency). Bringing Cloud PCs closer can improve responsiveness for users in and around Germany and Switzerland, aligning with the broader goal of a faster, more consistent Cloud PC experience.
Data residency and compliance readiness. These regions help organizations that need data within national borders and/or must meet local regulatory expectations.

Recommended Next Steps 

Below are a few actions to help you take advantage of Windows 365 Frontline in shared mode availability in Germany West Central and Switzerland North, depending on how your provisioning policies are configured.

Using Microsoft Hosted Network (MHN)? 

MHN customers can start benefiting from the newly available Germany West Central and Switzerland North regions right away. Because Microsoft manages the networking for you, choosing the Europe geography where both these regions have been added to let the service optimize Cloud PC placement automatically for performance and resilience.

To enable the Germany West Central region:

Learn more about how Microsoft Hosted Network improves resiliency and regional coverage.

Configure provisioning policy to use the Europe geography > Germany (EU) region group > Germany West Central region.

To enable the Switzerland North region:

Configure provisioning policy to use the Europe geography > Switzerland region group > Switzerland North region.

Using Azure Network Connection (ANC)?

If you're using ANC, you stay in control of your network topology and Cloud PCs are provisioned into the virtual network (vNet) + subnet you specify.

Important: With ANC, the Azure virtual network’s region determines where the Cloud PC is created and hosted, so deploying into Germany West Central or Switzerland North requires a vNet in those regions.

To use new regions, your environment may require a quick validation/update to ensure your configuration supports provisioning in those regions. 

To enable the newly available regions of Germany West Central or Switzerland North:

Review the Azure Network Connection documentation.
Confirm your ANC setup supports your chosen region (Germany West Central or Switzerland North), including virtual networks and necessary service endpoints.
Once ready, adjust your provisioning policies to target your chosen region (Germany West Central or Switzerland North).

Get started 

With Germany West Central and Switzerland North now available for Windows 365 Frontline in shared mode, this is a great time to bring Cloud PCs closer to your users, while keeping the service straightforward for admins to deploy and manage.

To explore configuration options and learn more about what’s possible next, head over to Windows 365 documentation. 

Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us on LinkedIn or @MSWindowsITPro for updates. Looking for support? Visit Windows on Microsoft Q&A. 

Building a modern, secure, and seamless print experience for Windows

Mike_Bell — Thu, 05 Mar 2026 17:00:00 GMT

For more than three decades, printing has been an essential, but often fragmented, part of how people work. In every industry, across every type of business, printing is woven into daily workflows: reports sent to office printers, shipping labels generated on shop floors, contracts finalized for signature, and countless documents for routine tasks in between. Yet the underlying print experience has historically been complicated by one persistent challenge: every device required its own driver.

That model, built for a very different era of computing, has created friction for businesses and consumers alike. Device-specific drivers increase IT overhead, introduce reliability gaps, and create security risks, particularly as Windows has evolved and diversified across architectures and devices. For commercial environments relying on print management software, the complexity compounded: hardware vendors built drivers tuned to specific chips, while software vendors built their own layers on top.

Today, Microsoft is replacing that long-standing complexity with a fundamentally modern approach.

A universal print foundation for every Windows device

The modern print platform represents a major shift in how printing works on Windows. Instead of requiring device-specific drivers, Windows now ships with a single, universal, inbox-class driver based on the industry standard IPP protocol and Mopria certification. This model, sometimes described as “driverless” (although a universal driver still exists under the hood), enables Windows to connect seamlessly to a broad range of printers without requiring customers to download anything.

More importantly, this architecture is processor agnostic. Whether a customer is using a traditional x64 PC or the latest Copilot+ PC running on Arm-based silicon, the print experience is the same: plug in (or connect over the network) and print.

Enabling differentiated experiences through print support apps

While the universal driver standardizes core functionality, manufacturers still need ways to differentiate their products. To enable that, we created the Print Support App (PSA) Framework, an API that our print partners can use to develop lightweight, Microsoft Store-delivered applications (PSAs) that unlock brand-specific features, advanced print settings, and richer UI experiences. Many companies, including HP, Brother, Canon, Xerox, Ricoh, and others, have already shipped PSAs, and more continue to onboard them. For users, nothing extra is required: Windows automatically acquires the PSA when a supported printer is connected. PSAs also work across architectures, giving manufacturers one way to support all Windows customers without maintaining parallel driver stacks.

Stronger security by design

Moving away from legacy third-party driver models also improves Windows’ security posture. Traditional drivers operated with broad system privileges and represented a persistent vector for vulnerabilities. By consolidating print functionality into a standardized, hardened platform and reducing reliance on custom drivers, we shrink the surface area available to attackers. As previously announced, we’re taking additional steps to deprecate and restrict new third-party driver submissions, accelerating the ecosystem’s move toward safer, modern alternatives.

A better experience for IT professionals and organizations

The modern print platform simplifies deployment, reduces troubleshooting overhead, and ensures consistent experiences across hardware refresh cycles. For print management developers and silicon partners, it eliminates the need to rebuild their software to support new Windows platforms or editions. And for organizations adopting new Windows devices, especially Arm-powered ones, it removes longstanding compatibility blockers.

This ecosystem shift is already well underway. Modernizing an industry as broad and diverse as Windows print is a large undertaking, but the progress is real and the momentum is accelerating. At Microsoft, our goal is simple: make printing on Windows effortless, secure, and reliable for everyone. With the modern print platform, we’re building a future where the print experience just works, no matter the device, no matter the architecture, and no matter how complex the environment behind it.

To learn more about new, modern, and secure print experiences from Windows, refer to our documentation.

Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.

Windows news you can use: February 2026

Chris_Morrissey — Mon, 02 Mar 2026 22:00:00 GMT

Welcome to the February 2026 edition of Windows news you can use. Today marks the start of Microsoft Technical Takeoff—four Mondays of demos, deep dives, and live Q&A for the IT pro community. If you're not tuning in live, all sessions will be recorded, so definitely bookmark any topics of interest and catch up on demand.

Speaking of events, we're hosting another Secure Boot AMA on March 12. Post your questions in advance or during the live event. New and updated resources and tools help you monitor the status of Secure Boot certificate updates across your estate. Look for more details on those below.

New in Windows update and device management

[BACKUP] [RESTORE] – The first sign-in restore experience is now part of Windows Backup for Organizations. Empower people to restore their settings and Microsoft Store app list automatically at first sign-in, including those using Microsoft Entra hybrid joined devices, Cloud PCs, and multi‑user devices. For the first time, users who sign in with a Microsoft Entra ID on eligible devices will be able to restore their environment if they missed the option during first sign-in.
[START MENU] – The new Start menu will be available to organizations in the second quarter of this calendar year. Two policies allow IT admins to further customize the Start menu: HideCategoryView and ConfigureStartPins. For more details, see the Start Policy CSP and Start policy settings.
[WINDOWS 365] – By pairing Windows 365 Reserve with Windows 365 Boot, you can keep Windows 11 devices preconfigured with Windows 365 Boot. When users need access, simply assign a Windows 365 Reserve license in Microsoft Intune and hand the device to a user. No additional setup required.
[WINDOWS 365] – Windows 365 is now supported in New Zealand North. This supports organizations who need to keep data within national borders, meet industry or government compliance expectations, or simply provide your workforce with a faster, more consistent Cloud PC experience.
[26H1] – Windows 11, version 26H1 is a targeted release designed to support the next generation of silicon. Find out what you need to know about version 26H1 and why Windows 11, versions 25H2 and 24H2 remain the recommended releases for enterprise deployment.
[ADMIN] – Learn how to filter and focus Message center in the Microsoft 365 admin center to prioritize Windows information with a new step-by-step guide.
[WINDOWS] [5G] – Windows enterprise managed cellular connectivity is in private preview. This native Windows capability provides organizations with centralized management and customization of 5G cellular connectivity on Windows 11 PCs. This solution is integrated with Intune and validated on Surface 5G-enabled devices (available now).

New in Windows security

[SECURE BOOT] – New tools and guidance are available to help you actively monitor and manage the update of Secure Boot certificates across your device fleet.

Explore the latest OEM pages for Secure Boot.
Find out what happens when Secure Boot certificates expire on Windows devices.
Quickly get a device-level view of Secure Boot across your Windows Autopatch-managed devices with the Secure Boot status report.
For devices not enrolled in Windows Autopatch, learn how to monitor Secure Boot certificate status with Microsoft Intune remediations.
Access tailored guidance for managing Secure Boot certificate updates for Windows Server, Windows 365, and Azure Virtual Desktop.
Review updated FAQs about the Secure Boot update process.
Stay updated as new resources become available by bookmarking the new Updates and announcements section of https://aka.ms/GetSecureBoot.
Tune in live—and post your questions in advance—for the March 12 Secure Boot Ask Microsoft Anything session on the Microsoft Tech Community. Want a primer before the AMA? Tune in March 9 to Secure Boot certificates explained at Tech Takeoff.

New in AI

[MECHANICS] – For those seeking to better understand Microsoft 365 Copilot and AI experiences on Windows 11 PCs, check out the new episode of Microsoft Mechanics. See how to access Copilot and agents from the taskbar. Find answers across files, email, and meetings, and turn ideas into polished content using voice or text.

To learn about latest capabilities for Copilot+ PCs, visit the Windows Roadmap and filter Platform by “Copilot+ PC Exclusives.”

New in productivity and collaboration

Install the February 2026 security update for Windows 11, versions 25H2 and 24H2 to get these and other capabilities.

[SECURITY] – You can now set how often Data Protection Application Programming Interface (DPAPI) domain backup keys rotate automatically. This strengthens cryptographic security and reduces reliance on older encryption algorithms.
[MOBILE] – Cross‑Device Resume now includes the ability to continue activities from your Android phone on your PC based on the apps and services you use. Resume Spotify playback, work in Word, Excel, or PowerPoint, or continue a browsing session.
[ACCESSIBILITY] – Narrator now gives you more control over how it announces on‑screen controls. You can choose which details are spoken and adjust their order to match how you navigate apps.

New features and improvements are coming in the March 2026 security update. You can preview them by installing the February 2026 optional non-security update for Windows 11, versions 25H2 and 24H2. This update includes the gradual rollout of:

[RECOVERY] – Quick Machine Recovery now turns on automatically for Windows Professional devices that are not domain‑joined and not enrolled in enterprise endpoint management. These devices receive the same recovery features available to Windows Home users. For domain‑joined or enterprise managed devices, Quick Machine Recovery stays off unless you enable it for your organization.
[NETWORK] – A built‑in network speed test is now available from the taskbar. The speed test opens in the default browser and measures Ethernet, Wi‑Fi, and cellular connections.
[CAMERA] – Control pan and tilt for supported cameras in the Settings app.
[SYSMON] – System Monitor (Sysmon) functionality is now natively available in Windows. Capture system events for threat detection and use custom configuration files to filter the events you want to monitor. Windows writes captured events to Windows Event Log, which allows security tools and other applications to use them.
[SEARCH] – When using search on the taskbar, preview search results by hovering and quickly seeing when more results are available with group headers.
[RSAT] – This update adds support for Remote Server Administration Tools (RSAT) on Windows 11 Arm64 devices.

New for developers

[STORE] – Explore new features and updates for those developing for the Microsoft Store on Windows. Check out developer analytics, a web installer, and new developer tools.

New in Windows Server

For the latest features and improvements for Windows Server, see the Windows Server 2025 release notes and Windows Server, version 23H2 release notes.

[SECURE BOOT] – The original Secure Boot certificates introduced in 2011 are approaching the end of their planned lifecycle, with expirations beginning in late June 2026. While many recent platforms include the supported 2023 certificates in firmware, you'll need to manage the process manually for any that require updating. Get started today with the Windows Server Secure Boot playbook for certificates expiring in 2026.
[ReFS] – Resilient File System (ReFS) boot support is now available for Windows Server Insiders in Insider Preview builds.
[DNS] – A public preview of DNS over HTTPS (DoH) for Windows DNS Server is now available. DoH support in Windows DNS Server complements broader Zero Trust DNS efforts already introduced on Windows clients to enable organizations to adopt encrypted, authenticated DNS across endpoints and on-premises infrastructure.
[WS2025] – Looking for help with capacity planning of Remote Desktop Session Host servers running Windows Server 2025? Check out the new guide.

Lifecycle milestones

Windows 10 Enterprise 2016 LTSB and Windows 10 IoT Enterprise 2016 LTSB will reach end of support on October 13, 2026. Windows Server 2016 will reach end of support on January 12, 2027. If your organization cannot migrate to newer, supported releases in time, explore the options available to help you keep your devices protected with monthly security updates.

Check out our lifecycle documentation for the latest updates on Deprecated features in the Windows client and Features removed or no longer developed starting with Windows Server 2025.

Additional resources

Looking for the latest news and previews for Windows, Copilot, Copilot+ PCs, the Windows and Windows Server Insider Programs, and more? Check out these resources:

Windows Roadmap for new Copilot+ PCs and Windows features – filter by platform, version, status, and channel or search by feature name
Microsoft 365 Copilot release notes for latest features and improvements
Windows Insider Blog for what's available in the Canary, Dev, Beta, or Release Preview Channels
Windows Server Insider for feature preview opportunities
Understanding update history for Windows Insider preview features, fixes, and changes to learn about the types of updates for Windows Insiders

Join the conversation

Finally, we're always looking to improve this monthly summary. Drop us a note in the Comments and let us know what we can do to make this more useful for you!

Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.

Windows IT Pro Blog articles

Hardening administrative actions: What IT pros need to know

Why administrative action hardening is necessary for security

Symptoms of administrative action hardening

What changed internally

Management recommendations for administrative action hardening symptoms

Recommended solution

Temporary workaround (not recommended)

Timeline to remove the clones in your environment

Introducing the new Windows 365 monitoring and reporting platform — now in Public Preview

What’s included in the new monitoring and reporting platform

Try the new monitoring and reporting today

How hotpatch updates help keep Windows secure by design

How hotpatch updates reflect Windows security by design

How hotpatch update prerequisites strengthen your security baseline

How hotpatch updates fit into Windows chip-to-cloud security model

How hotpatch updates reflect Windows security by default

Alignment with security best practices

Windows news you can use: March 2026

New in Windows update and device management

New in Windows security

New in AI

New in Windows Server

New in productivity and collaboration

Lifecycle reminders

Additional resources

Join the conversation

Announcing Windows 365 connector for Microsoft Power Platform and Azure Logic Apps (Public Preview)

Build repeatable Cloud PC workflows with Power Automate or Azure Logic Apps

Example: Send an email to a user once a Cloud PC has been provisioned

Create a conversational self-service experience with Copilot Studio

What is Microsoft Power Platform?

Learn more about Power Platform and the connector

We want your feedback!

Windows 365 Frontline in shared mode now available in Brazil South, Italy North, and West Europe

Empowering task-based workers worldwide

What makes shared mode different?

Cloud Apps: Focused access for streamlined workflows

Getting started with shared mode in the new regions

Using Microsoft Hosted Network (MHN)

Using Azure Network Connection (ANC)

Recommended next steps

Windows App Updates: Reliability, Productivity, and Security Improvements

Over a year of continued growth

Improved reliability

Enhancing productivity

A more consistent experience across platforms

Strengthening security with Windows App

Preparing for the transition ahead

Your Feedback Matters

Get Started

Windows 365 Frontline in shared mode expands to New Zealand North, Mexico Central, and Europe

How Frontline in shared mode works

Key benefits of regional expansion

Improved user experience

Compliance and data sovereignty

Simplified IT management

Getting started with the new regions

Using Microsoft Hosted Network (MHN)

Using Azure Network Connection (ANC)

Recommended next steps

Advancing Windows driver security: Removing trust for the cross-signed driver program

How our new approach strengthens customer protection while preserving app compatibility

Balancing security with compatibility

How the secure enablement works

Allowing custom kernel drivers via App Control policy

Securing the present, innovating for the future

Windows 365 available in US Gov Texas for Government Community Cloud customers

Provision Cloud PCs in US Gov Texas

Built for government needs

Get started

Announcing Multi‑Region Selection for Windows 365 in Government Community Cloud

What is Multi‑Region Selection?

Why does this matter for GCC customers?

How to configure Multi‑Region Selection

Get started

Introducing Teams optimizations for Windows App on iOS & Android — Now Generally Available

Optimized Teams experiences for mobile devices

Try it today

We want your feedback

Advancing Windows driver security: Removing trust for the cross-signed driver program

How our new approach strengthens customer protection while preserving app compatibility

How the secure enablement works

Allowing custom kernel drivers via App Control policy

Recommended Next Steps 

Using Microsoft Hosted Network (MHN)? 

Get started 