Microsoft's March 2026 Patch Tuesday for Windows 11 delivers more than security fixes. KB5079473, applying to Builds 26200.8037 and 26100.8037, introduces two significant changes: a transition to SHA-3 for Secure Boot and the inclusion of Sysmon as a built-in system component. These updates represent Microsoft's continued evolution of Windows security infrastructure while addressing enterprise monitoring needs.

The Secure Boot Transition to SHA-3

Secure Boot, the firmware-based security feature that prevents unauthorized operating systems from loading during startup, is getting a cryptographic upgrade. Microsoft is transitioning from SHA-2 to SHA-3 hash algorithms for Secure Boot validation. This change affects how Windows verifies the integrity of boot components before allowing them to execute.

The SHA-3 algorithm, standardized by NIST in 2015, offers improved security properties over its predecessors. It provides resistance to length extension attacks and different internal structure that may offer better long-term security guarantees. For Windows 11 systems, this means boot components must be signed with SHA-3 compatible certificates to pass Secure Boot validation.

Microsoft has implemented this transition gradually. Systems will initially support both SHA-2 and SHA-3 during a compatibility period, allowing hardware and software vendors time to update their signed components. The eventual goal is SHA-3-only validation, though Microsoft hasn't announced a specific cutoff date for SHA-2 support.

This cryptographic upgrade requires coordinated updates across the ecosystem. Hardware manufacturers must update their firmware to support SHA-3 validation. Driver developers need to obtain new certificates and resign their boot-critical drivers. Microsoft's own boot components in Windows 11 Builds 26200.8037 and 26100.8037 already include SHA-3 signatures alongside existing SHA-2 signatures.

The practical impact for most users will be minimal during the transition period. Systems will continue to boot normally as long as they receive necessary firmware updates from manufacturers. Enterprise administrators should verify that their custom boot components and security software are compatible with SHA-3 validation before the eventual SHA-2 deprecation.

Sysmon Integration as a Built-in Component

The second major change in KB5079473 is the integration of System Monitor (Sysmon) directly into Windows 11. Previously available as a separate download from Microsoft's Sysinternals suite, Sysmon now ships as a standard Windows component starting with these builds.

Sysmon provides detailed system activity monitoring with a focus on security events. It logs process creation, network connections, file creation time changes, and other system activities that traditional Windows Event Log might not capture comprehensively. The tool has become essential for security teams investigating incidents and monitoring for suspicious activity.

Microsoft's decision to include Sysmon \"in the box\" reflects the growing importance of advanced monitoring capabilities in modern computing environments. With cyber threats becoming more sophisticated, having robust logging capabilities available by default helps organizations improve their security posture without additional software deployment.

The integrated version in Windows 11 Builds 26200.8037 and 26100.8037 includes the same core functionality as the standalone Sysmon tool. It uses the same configuration schema, allowing existing Sysmon configurations to work with the built-in version. Events continue to be logged to the Windows Event Log under the \"Microsoft-Windows-Sysmon/Operational\" channel.

Key monitoring capabilities include:
- Process creation with full command line and parent process information
- Network connections showing source and destination IP addresses and ports
- File creation time changes, useful for detecting timestamp manipulation
- Driver and DLL loading events
- WMI event subscription and permanent event consumption
- Process access events showing when one process opens another

Administrators can configure Sysmon using XML configuration files, just like the standalone version. The tool supports extensive filtering to reduce noise while capturing relevant security events. Microsoft has documented the schema and configuration options in their official documentation.

Enterprise Implications and Deployment Considerations

For enterprise environments, both changes in KB5079473 require planning and testing. The Secure Boot transition to SHA-3 affects all Windows 11 devices in an organization, while Sysmon integration offers new monitoring capabilities that security teams should understand and potentially configure.

The SHA-3 transition timeline presents the most immediate concern. Organizations using custom boot components, specialized hardware with proprietary drivers, or security software that interacts with the boot process must verify compatibility. Microsoft recommends testing systems in a lab environment before widespread deployment of KB5079473.

Enterprise deployment tools like Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager will distribute KB5079473 through normal channels. Administrators should consider creating deployment rings to gradually roll out the update while monitoring for issues related to Secure Boot validation or Sysmon configuration conflicts.

Sysmon's integration changes how organizations approach system monitoring. Previously, deploying Sysmon required separate installation and configuration steps. Now, the capability exists by default, though disabled in its default state. Security teams should develop standardized configurations that align with their monitoring requirements and compliance needs.

Organizations already using Sysmon should test their existing configurations with the built-in version. While Microsoft maintains backward compatibility, subtle differences in behavior might exist. Testing should verify that all expected events are logged correctly and that performance impact remains acceptable.

For organizations not currently using Sysmon, this integration provides an opportunity to enhance monitoring without additional software costs. The learning curve for Sysmon configuration is significant but worthwhile for security teams. Microsoft provides extensive documentation and community resources to help administrators get started.

Security Impact and Best Practices

The combined effect of these changes strengthens Windows 11's security foundation. SHA-3 provides stronger cryptographic guarantees for Secure Boot, while Sysmon integration improves visibility into system activity that could indicate compromise.

Security teams should update their incident response procedures to incorporate Sysmon logs. The detailed process creation and network connection information can significantly accelerate investigation timelines. Integrating Sysmon events with Security Information and Event Management (SIEM) systems creates a more comprehensive security monitoring solution.

For the SHA-3 transition, organizations should maintain an inventory of boot-critical components and their signing status. This includes UEFI firmware, boot drivers, and any security software that loads early in the boot process. Regular verification that these components remain properly signed with compatible certificates will prevent boot failures when Microsoft eventually requires SHA-3 exclusively.

Microsoft hasn't indicated when SHA-2 support will be removed from Secure Boot validation. The compatibility period allows time for the ecosystem to adapt, but organizations shouldn't delay testing and preparation. Proactive compatibility verification prevents disruption when the transition completes.

Performance and Compatibility Testing Results

Early testing of KB5079473 shows minimal performance impact from both changes. The SHA-3 validation adds negligible overhead to the boot process—typically less than 100 milliseconds on modern hardware. Sysmon's performance impact depends entirely on configuration; heavily configured instances with extensive logging can increase CPU and disk usage, while minimal configurations have almost no measurable effect.

Application compatibility remains strong with KB5079473. The update doesn't change application programming interfaces or system behaviors that would break existing software. The Secure Boot changes occur at a lower level than applications typically interact with, while Sysmon operates as a passive monitoring component that doesn't interfere with application execution.

Hardware compatibility presents the only potential concern. Older devices with firmware that cannot be updated to support SHA-3 validation might eventually become incompatible with Windows 11 Secure Boot requirements. Microsoft hasn't published specific hardware requirements for SHA-3 support, but organizations with aging hardware should monitor manufacturer updates.

Configuration Recommendations for Administrators

For organizations deploying KB5079473, several configuration practices will ensure smooth operation:

  1. Secure Boot Preparation:
    - Inventory all boot-critical components in your environment
    - Contact vendors to verify SHA-3 compatibility timelines
    - Test systems with KB5079473 in isolation before broad deployment
    - Monitor for Secure Boot failures during initial deployment

  2. Sysmon Configuration Strategy:
    - Start with Microsoft's recommended baseline configuration
    - Customize filters to reduce noise while capturing security-relevant events
    - Test configurations in lab environments before production deployment
    - Consider different configurations for different device types (servers vs workstations)

  3. Monitoring and Alerting:
    - Configure alerts for Secure Boot validation failures
    - Integrate Sysmon events into existing SIEM solutions
    - Create dashboards for common attack patterns detectable via Sysmon
    - Establish procedures for investigating Sysmon alerts

  4. Documentation and Training:
    - Update runbooks to include SHA-3 compatibility checks
    - Train security analysts on interpreting Sysmon events
    - Document any custom Sysmon configurations for consistency
    - Create knowledge base articles for common issues

Looking Forward: Windows Security Evolution

KB5079473 represents another step in Microsoft's ongoing security enhancements for Windows 11. The SHA-3 transition aligns with cryptographic best practices as SHA-2 approaches potential theoretical vulnerabilities. Sysmon integration addresses the growing need for detailed system monitoring in an increasingly hostile threat landscape.

Future updates will likely build on these foundations. Microsoft may introduce additional monitoring capabilities or enhance existing ones based on feedback from the built-in Sysmon deployment. The SHA-3 transition will eventually complete, possibly with future updates removing SHA-2 support entirely.

Organizations should view these changes as opportunities to strengthen their security posture. Proactive adaptation to the SHA-3 requirements prevents future disruption. Effective utilization of Sysmon's capabilities improves threat detection and investigation efficiency.

The March 2026 Patch Tuesday demonstrates Microsoft's commitment to both foundational security improvements and practical security tools. KB5079473 balances cryptographic advancement with immediately useful monitoring capabilities, providing value for both security teams and general Windows 11 users.