Microsoft Windows 11 25H2 Update Version OS Builds 26200.8328 and 26100.8328

KB5083631 updates Windows 11 25H2 and 24H2 with production-quality improvements, new features, and fixes. It also includes Secure Boot rollout changes, Remote Desktop and Kerberos fixes, and a known BitLocker recovery-key issue in specific configurations. Reference IDs: KB5088467, KB5089549, CVE-2024-30098.

• Windows driver policy now removes default trust for cross-signed drivers, allowing only WHCP drivers and trusted legacy drivers during phased enforcement.
• Enhanced batch file and CMD script processing adds a more secure mode that prevents batch files from changing during execution.
• Windows Security logging for CVE-2024-30098 now includes the affected application name to help identify impacted smart card certificate users.
• Secure Boot certificate rollout is expanded with additional device targeting data to increase coverage for eligible devices.

• Fixed Remote Desktop Connection security warning dialog rendering in multi-monitor setups with mixed scaling.
• Improved Kerberos authentication in Remote Desktop sessions using Remote Credential Guard, addressing error 0xc000009a.
• Improved File Explorer reliability, including explorer.exe shutdown behavior, dark mode flashes, and folder view persistence.
• Reduced Microsoft Store download and install errors such as 0x80070057, 0x80240008, and 0x80073d28.
• Improved Windows Hello Face reliability and fingerprint persistence across upgrades.
• Improved taskbar system tray loading reliability and general explorer.exe stability.
• Improved storage UI performance for large volumes and increased FAT32 formatting limit from 32 GB to 2 TB.
• Improved Delivery Optimization memory usage and startup app launch performance.
• Improved third-party driver compatibility with midisrv.exe.

• Xbox mode is now available on Windows 11 PCs with a streamlined full-screen gaming interface.
• File Explorer now supports additional archive formats: uu, cpio, xar, and NuGet packages (nupkg).
• Haptic feedback is now supported on compatible input devices for certain actions.
• Voice typing on the touch keyboard has a simplified design without the full-screen overlay.
• The Arabic 101 Legacy keyboard layout is now available.
• Drag Tray has been renamed to Drop Tray and moved under System > Multitasking.
• Agents on Taskbar lets Windows show taskbar progress for supported agents across apps.
• Enterprise State Roaming can now be managed through Windows Backup for Organizations policies.
• Policy-based removal of preinstalled Microsoft apps now supports a dynamic app removal list for Enterprise and Education.
• A new printer icon indicates support for Windows Protected Print Mode.

• Devices with an unrecommended BitLocker Group Policy configuration might prompt for the BitLocker recovery key on the first restart after installing the update.

• Release phases include gradual rollout and normal rollout; feature availability may vary by device.
• Windows Secure Boot certificates used by most devices are set to expire starting in June 2026; Microsoft recommends reviewing the certificate update guidance.
• The dynamic app removal list is not currently available in Intune Settings Catalog and must be validated with Group Policy or custom OMA-URI.
• To avoid the BitLocker recovery-key issue, Microsoft recommends removing the PCR7-related Group Policy configuration before installing the update.
• If needed, BitLocker can be temporarily suspended while installing the Secure Boot update and then re-enabled afterward.
• This update includes servicing stack update KB5088467 (26100.8247).

Product Information

Vendor: Microsoft

Product: Windows 11

Version: OS Builds 26200.8328 and 26100.8328

Release date: Apr 30, 2026