November 11, 2025—KB5068861 (OS Build 26100.7171)

Announcements and messages

This section provides key notifications related to this release, including announcements, change logs, and end-of-support notices.

Improvements

This security update contains fixes and quality improvements from KB5066835 (released October 14, 2025), KB5070773 (released October 20, 2025), and KB5070881 (released October 23, 2025). The following summary outlines key issues addressed by this update. Also, included are available new features. The bold text within the brackets indicates the item or area of the change. ​​​​

If you've already installed previous updates, your device will download and install only the new updates included in this package.

• [Start menu] New! We are adding a Boolean option to the Configure Start Pins policy to allow admins to apply Start menu pins once. This means that a user will receive admin pins on day 0 but can then make any changes to their Start pinned layout and have those changes safeguarded. 

• [Post-Quantum Cryptography] New! Building on post-quantum cryptography (PQC) algorithms in SymCrypt, this update adds API support for NIST post-quantum cryptography algorithms ML-KEM and ML-DSA in accordance with FIPS 203 and FIPS 204 standards. These algorithms can be used for key exchange, signing, and decryption via Cryptography: Next Generation (CNG) and .NET. 

• [Active Directory (known issues)] 

  • Fixed: This update addresses an issue in Active Directory where duplicate entries could be added to a multi-valued attribute that requires unique values. Schema modifications to these attributes could result in replication failures due to a schema mismatch.

  • Fixed: This update addresses an issue that could cause incomplete synchronization of large Active Directory groups (over 10,000 members) when using the directory synchronization (DirSync) control for on-premises Active Directory Domain Services (AD DS). This problem occurred after installing KB5065426 and affected apps that use DirSync, such as Microsoft Entra Connect Sync.

• [Authentication] Fixed: This update addresses an issue that affects the Local Security Authority Subsystem Service (LSASS). LSASS might stop responding during machine password changes with specific audit settings.

• [Desktop icons] Fixed: If you have an app pinned to your desktop and it updates, the app icon might not display correctly and instead show a white page.

• [File Explorer]

  • Fixed: If you open More options  in File Explorer to view the full list of folders for the current path, the dropdown menu might not display completely, making the bottom part inaccessible.

  • Fixed: File operation progress dialogs might stop appearing when displayed from apps.

  • Fixed: Syncing more SharePoint sites to File Explorer might slow performance when navigating folders or opening the context menu. This can also affect how quickly files launch.

  • Fixed: File Explorer Home might unexpectedly only display a single folder (for example, Desktop), rather than the expected content with recent files and more.

• [Graphics] An issue where external graphics cards connected through Thunderbolt weren’t always recognized in some cases.

• [Notifications] Fixed: When you select a Windows notification, it might not bring the related app to the foreground as expected—for example, this can happen with Outlook notifications.

• [Settings] Fixed: Settings might stop responding when you try to save Wi-Fi network credentials.

• [Stability issue] This update addresses an issue observed in rare cases after installing the May 2025 security update and subsequent updates causing devices to experience stability issues. Some devices became unresponsive and stopped responding in specific scenarios.

• [Windows Firewall (known issue)] Fixed: This update addresses an issue found in Event Viewer as Event 2042 for Windows Firewall with Advanced Security. The event appears as "Config Read Failed" with the message "More data is available." For more information about this issue, see "Error events are logged for Windows Firewall" in the Windows Health Dashboard.​​​​​​​

• [Networking]

  • Fixed (known issue): An issue occurred where web servers using HTTP.sys (such as Internet Information Services [IIS]) rejected incoming HTTP requests with a “NOT_SUPPORTED” error. This issue can occur after installing KB5066835.

  • Fixed: This update fixes an issue in the HTTP.sys request parser, a Windows component that reads and processes HTTP requests. The parser allowed a single line break within HTTP/1.1 chunk extensions, where the RFC 9112 standard requires a carriage return and line feed (CRLF) sequence to terminate each chunk. This can cause a parsing discrepancy when front end proxies are a part of the setup.
    
    To turn off strict parsing, use the following registry key:

    Registry Key: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Http\Parameters]

    Registry value: "HttpAllowLenientChunkExtParsing"=dword:00000001

    Data to be set: 1 

For more information about security vulnerabilities, please refer to the Security Update Guide and the November 2025 Security Updates.

Known issues in this update

How to get this update

Before you install this update

​​​​​​​Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.

Install this update

To install this update, use one of the following Windows and Microsoft release channels.

Windows UpdateBusinessCatalogServer Update Services

Available	Next Step
	This update downloads and installs automatically from Windows Update and Microsoft Update.

File Information

For a list of the files provided in this update, download the file information for cumulative update 5068861. 

For a list of the files provided in the servicing stack update, download the file information for the SSU (KB5067035) - version 26100.7010.