Microsoft Windows 11 24H2 Update Version OS Builds 26200.8328 and 26100.8328

KB5083631 updates Windows 11 25H2 and 24H2 with production-quality improvements, new features, and reliability fixes for File Explorer, input, storage, Windows Hello, and more. It also includes Secure Boot rollout changes and a known BitLocker recovery-key issue in specific configurations. Reference IDs: KB5088467, KB5089549, CVE-2024-30098.

• Windows driver policy hardens kernel trust by removing default trust for cross-signed drivers while allowing WHCP and trusted legacy drivers.
• Enhanced batch file and CMD script processing adds a more secure mode to prevent batch files from changing during execution.
• Windows Security event logging for CVE-2024-30098 now includes the affected application name to aid remediation.
• Secure Boot certificate rollout is expanded with higher-confidence targeting to help devices receive new certificates safely.
• Kerberos authentication in Remote Desktop sessions using Remote Credential Guard is improved.

• Fixes Remote Desktop Connection security warning dialog rendering in multi-monitor setups with different scaling.
• Improves File Explorer reliability, including explorer.exe shutdown behavior, dark mode flashes, and folder view/sort persistence.
• Reduces Microsoft Store download and install errors such as 0x80070057, 0x80240008, and 0x80073d28.
• Improves Windows Hello Face reliability and fingerprint persistence across upgrades.
• Improves taskbar system tray loading reliability and general explorer.exe stability.
• Improves storage UI performance for large volumes and increases FAT32 formatting limit from 32 GB to 2 TB.
• Improves Delivery Optimization memory usage and startup app launch performance.
• Improves third-party audio driver compatibility with midisrv.exe.

• Xbox mode is available on Windows 11 PCs with a streamlined full-screen gaming interface.
• File Explorer now supports additional archive formats: uu, cpio, xar, and nupkg.
• Haptic feedback is supported on compatible input devices for certain actions such as snapping or resizing windows.
• Voice typing on the touch keyboard uses a simpler design without the full-screen overlay.
• The Arabic 101 Legacy keyboard layout is now available.
• Drag Tray has been renamed to Drop Tray and moved under System > Multitasking.
• Agents on Taskbar lets Windows show progress for supported agents from the taskbar.
• Enterprise State Roaming can now be managed through Windows Backup for Organizations policies.
• Policy-based removal of preinstalled Microsoft apps now supports a dynamic app removal list for Enterprise and Education.
• Printing settings now show a Windows Protected Print Mode icon for supported printers.

• Devices with an unrecommended BitLocker Group Policy configuration may prompt for the BitLocker recovery key on the first restart after installing the update.
• The BitLocker recovery-key issue affects devices with PCR7 explicitly included in the TPM platform validation profile and specific Secure Boot/Boot Manager conditions.

• Release phases include gradual rollout and normal rollout; feature availability may vary by device.
• The update includes servicing stack update KB5088467 for OS build 26100.8247.
• Microsoft recommends reviewing Secure Boot certificate expiration guidance before June 2026.
• For the BitLocker known issue, Microsoft recommends removing the PCR7 Group Policy configuration before installing the update.
• If the BitLocker policy cannot be removed, BitLocker can be temporarily suspended before installing the Secure Boot update.
• The dynamic app removal list is not currently available in Intune Settings Catalog and must be validated with Group Policy or custom OMA-URI.
• The new batch-file protection can be enabled with registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\LockBatchFilesWhenInUse.

Product Information

Vendor: Microsoft

Product: Windows 11

Version: OS Builds 26200.8328 and 26100.8328

Release date: Apr 30, 2026