Microsoft has released the March 2026 cumulative update for Windows 11, designated KB5079473. This combined security and quality rollup advances OS builds across supported channels while introducing several significant user-facing components. The update brings Sysmon into the Windows box, adds Emoji 16 support, and enhances offline installation capabilities.

Update Details and Build Numbers

KB5079473 is available for all supported Windows 11 versions. The update advances build numbers as follows: Windows 11 version 24H2 moves to build 26100.3000, version 23H2 advances to build 22631.3000, and version 22H2 reaches build 22621.3000. These builds represent the latest cumulative updates for their respective feature releases.

The update follows Microsoft's standard monthly release cadence, combining security fixes with quality improvements. Users can install it through Windows Update, Microsoft Update Catalog, or WSUS servers. Enterprise administrators should note this is a mandatory security update that addresses vulnerabilities disclosed in Microsoft's March 2026 security bulletin.

Sysmon Comes In-Box

The most significant technical change in KB5079473 is the inclusion of System Monitor (Sysmon) as a built-in Windows component. Previously available only as a separate download from Microsoft's Sysinternals suite, Sysmon now ships with Windows 11.

Sysmon is a system service and device driver that monitors and logs system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. Security teams use these logs to identify malicious activity and understand attack patterns.

With Sysmon now in-box, Windows 11 includes native advanced monitoring capabilities without requiring separate installation. The service runs with minimal performance impact while providing enterprise-grade security telemetry. Microsoft has integrated Sysmon configuration through Group Policy and Microsoft Intune, allowing administrators to deploy standardized monitoring policies across their organizations.

Initial configuration includes basic process creation and network connection logging, but administrators can customize XML configuration files for more detailed monitoring. The integration represents Microsoft's continued emphasis on built-in security features rather than relying on third-party tools.

Emoji 16 Support Arrives

KB5079473 adds native support for Unicode 15.1's Emoji 16.0 character set. This brings 118 new emojis to Windows 11, including horizontal and vertical headshakes, phoenix, lime, brown mushroom, and broken chain. Microsoft has implemented these with its Fluent Design aesthetic, maintaining visual consistency with existing emoji.

The update enables these emojis across all Windows applications that use the system's text rendering stack. This includes Microsoft Office, Edge, Notepad, and third-party applications that utilize Windows' native text services. Users can access the new emojis through the Windows key + period (.) emoji panel or via touch keyboard on compatible devices.

Microsoft has also updated color font technology to improve emoji rendering at small sizes. The implementation includes better fallback handling for applications that haven't been updated to support the latest emoji standards. This ensures backward compatibility while providing modern emoji support for updated applications.

Enhanced Offline Installation

The update improves Windows 11's offline installation capabilities, particularly for enterprise deployment scenarios. KB5079473 includes optimizations to the Windows Setup process that reduce installation time on systems without internet connectivity.

Key improvements include better driver matching during offline installs, reduced disk space requirements for temporary files, and more efficient component staging. Microsoft has also enhanced error reporting for offline installations, providing clearer guidance when installation fails due to missing dependencies.

These changes benefit organizations deploying Windows 11 in secure environments without internet access, such as government facilities, industrial control systems, and classified networks. The improvements also help users in areas with unreliable internet connectivity who need to install or repair Windows without downloading additional components.

Security Improvements

As a cumulative update, KB5079473 includes all previously released security fixes along with new vulnerabilities addressed in March 2026. Microsoft's security bulletin details specific Common Vulnerabilities and Exposures (CVEs) fixed in this release.

The update addresses vulnerabilities in Windows Kernel, Windows Graphics Component, Windows Remote Procedure Call, and other core components. Several fixes relate to elevation of privilege vulnerabilities that could allow attackers to gain higher access levels on compromised systems.

Microsoft recommends installing this update promptly due to the security fixes it contains. The company rates some vulnerabilities as "Critical" or "Important" in its severity classification system. Organizations should prioritize deployment based on their vulnerability management policies and risk assessments.

Quality and Reliability Fixes

Beyond security, KB5079473 includes numerous quality improvements based on user feedback and telemetry data. Microsoft has fixed issues reported through the Windows Insider Program and customer support channels.

Notable fixes address problems with Windows Search indexing, Task Manager performance monitoring, and File Explorer stability. The update also resolves several printing-related issues, including problems with certain network printers and print spooler crashes.

Microsoft has improved power management for systems with hybrid CPU architectures, particularly Intel's latest processor generations. These optimizations help balance performance and battery life on laptops and tablets. The update also includes driver compatibility improvements for recently released hardware.

Deployment Considerations

Organizations should test KB5079473 in their environments before widespread deployment. While Microsoft conducts extensive testing, specific configurations or applications may experience compatibility issues.

Administrators should verify that monitoring solutions work correctly with the in-box Sysmon implementation. Some security information and event management (SIEM) systems may require configuration updates to properly parse Sysmon events from the new version.

Application compatibility testing should focus on software that uses emoji rendering or text layout features. While Microsoft maintains backward compatibility, some applications with custom text rendering may need updates to display Emoji 16 characters correctly.

For offline installations, administrators should update their deployment images to include KB5079473. This ensures new installations have the latest security fixes and features without requiring post-installation updates.

Looking Ahead

KB5079473 represents Microsoft's continued evolution of Windows 11 with enterprise features becoming standard components. The inclusion of Sysmon signals a shift toward more comprehensive built-in security monitoring, reducing reliance on third-party tools for basic security visibility.

The Emoji 16 implementation keeps Windows current with Unicode standards, important for global communication and accessibility. As emoji become increasingly integral to digital communication, maintaining current support is essential for a modern operating system.

Offline installation improvements address real-world deployment challenges, particularly for organizations with strict security requirements or limited connectivity. These enhancements make Windows 11 more deployable in diverse environments beyond typical office settings.

Future Windows 11 updates will likely build on these foundations, with Microsoft continuing to integrate security tools directly into the operating system while maintaining compatibility with existing enterprise deployments. The company's monthly update cadence ensures regular security improvements while gradually introducing new features and capabilities.