Release Date: 1/23/2024

Version: OS Builds 22621.3085 and 22631.3085

UPDATED 2/27/24 IMPORTANT: New dates for the end of non-security updates for Windows 11, version 22H2

The new end date is June 24, 2025 for Windows 11, version 22H2 Enterprise, Education, IoT Enterprise, and Enterprise multi-session editions. Home, Pro, Pro Education, and Pro for Workstations editions of version 22H2 will receive non-security preview updates until June 26, 2024.

After these dates, only cumulative monthly security updates will continue for the supported editions of Windows 11, version 22H2. The initial date communicated for this change was February 27, 2024. Based on user feedback, this date has been changed so more customers can take advantage of our continuous innovations.

For information about Windows update terminology, see the article about the types of Windows updates and the monthly quality update types. For an overview of Windows 11, version 23H2, see its update history page.  

Note Follow @WindowsUpdate to find out when new content is published to the Windows release health dashboard.      

Highlights

  • This update addresses an issue that stops search from working on the Start menu for some users. The issue occurs because of a deadlock.

  • This update addresses an issue to make video calls more reliable.

  • This update addresses an issue that causes your device to stop responding. This is intermittent and occurs after you install a print support app.

  • This update addresses an issue that affects the File Explorer Gallery. It stops you from closing a tooltip.

  • This update addresses an issue that affects Bluetooth Low Energy (LE) Audio earbuds. They lose sound when you stream music.

  • This update addresses an issue that affects a Bluetooth phone call. It stops the audio from routing through the PC when you answer the call on your PC.

Improvements

Important: Use EKB KB5027397 to update to Windows 11, version 23H2.

This non-security update includes quality improvements. When you install this KB:

  • This update addresses an issue that affects certain types of 7-Zip files. They appear as empty in File Explorer.

  • This update addresses an issue that affects Wi-Fi Protected Access 3 (WPA3) in the Group Policy editor. HTML preview rendering fails.

  • This update addresses an issue that affects Windows Management Instrumentation (WMI). A caching issue occurs. The issue causes CurrentTimeZone to change to the wrong value.

  • This update makes Windows more reliable during power transitions. This reduces the risk of a stop error.

  • This update addresses an issue that affects the OpenType font driver. On a certain architecture, the issue might affect how text renders for third-party applications.

  • The update addresses a known issue that affects the color font format for COLRv1. It now renders properly. Windows uses this format to display emoji with a 3D-like appearance.

  • This update addresses an issue that stops WMI from working. This occurs in certain scenarios with mobile device management (MDM) providers, such as Microsoft Intune.

  • This update addresses a known issue that affects BitLocker data-only encryption. A mobile device management (MDM) service, such as Microsoft Intune, might not get the right data. This occurs when you use the FixedDrivesEncryptionType or SystemDrivesEncryptionType policy settings in the BitLocker configuration service provider (CSP) node.

  • This update addresses an issue that affects Access Point Name (APN) profiles. It stops you from automatically configuring APN profiles for cellular enabled devices. This occurs when you run the “netsh mbn show readyinfo *” command.

  • This update addresses an issue that affects Trusted Platform Modules (TPM). On certain devices, they did not initialize correctly. Because of this, TPM-based scenarios stopped working.

  • This update includes quarterly changes to the Windows Kernel Vulnerable Driver Blocklist file, DriverSiPolicy.p7b. It adds to the list of drivers that are at risk for Bring Your Own Vulnerable Driver (BYOVD) attacks.

  • This update affects Unified Extensible Firmware Interface (UEFI) Secure Boot systems. It adds a renewed signing certificate to the Secure Boot DB variable. You can now opt for this change. For more details, see KB5036210.

  • This update addresses an issue that affects RemoteApp windows. In certain cases, they persist on client devices after you close them.

  • This update addresses an issue that affects a remote desktop client. It might connect to a wrong instance of a user's session. This occurs if a user has multiple sessions on the host.

  • This update addresses an issue that occurs when you change the keyboard language. The change fails to apply to RemoteApps in some scenarios.

  • This update addresses an issue that affects Windows Local Administrator Password Solution (LAPS) Post Authentication Actions (PAA). The actions occur at restart instead of at the end of the grace period.

  • This update addresses an issue that affects Active Directory. Bind requests to IPv6 addresses fail. This occurs when the requestor is not joined to a domain.

  • This update addresses an issue that affects the LocalUsersAndGroups CSP. It stops processing group memberships if it cannot find a group.

  • This update addresses an issue that affects Group Policy Folder Redirection in a multi-forest deployment. The issue stops you from choosing a group account from the target domain. Because of this, you cannot apply advanced folder redirection settings to that domain. This issue occurs when the target domain has a one-way trust with the domain of the admin user. This issue affects all Enhanced Security Admin Environment (ESAE), Hardened Forests (HF) or Privileged Access Management (PAM) deployments.

  • This update changes a setting in Active Directory Users & Computers. By default, the snap-in now uses a strong certificate mapping of X509IssuerSerialNumber. It does not use the weak mapping of x509IssuerSubject.

  • This update addresses an issue that affects the display of a smart card icon. The icon does not appear when you sign in. This occurs when there are multiple certificates on the smart card.

  • This update addresses an issue that causes your device to shut down after 60 seconds. This occurs when you use a smart card to authenticate on a remote system.

  • This update affects the Windows Backup app. It will no longer show on the user interface of enterprise-managed devices. To learn more, see KB5032038.

If you installed earlier updates, only the new updates contained in this package will be downloaded and installed on your device.

Windows 11 servicing stack update - 22621.3073 and 22631.3073

This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. 

Applies to: All users

Symptom: Windows devices using more than one (1) monitor might experience issues with desktop icons moving unexpectedly between monitors or other icon alignment issues when attempting to use Copilot in Windows (in preview).

Workaround: This issue is addressed on the service-side for Windows 11, versions 22H2 and 23H2 on devices with updates released January 9, 2024, or later.

Note Managed devices in your environment that have been used or are currently being used in a multimonitor configuration will not yet have Copilot for Windows available.

How to get this update

Before installing this update

Microsoft combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.

Install this update

Release Channel: Windows Update or Microsoft Update
Available: Yes
Next Step: Go to Settings > Update & Security > Windows Update. In the Optional updates available area, you’ll find the link to download and install the update.

Release Channel: Windows Update for Business
Available: No
Next Step: None. These changes will be included in the next security update to this channel.

Release Channel: Microsoft Update Catalog
Available: Yes
Next Step: To get the standalone package for this update, go to the Microsoft Update Catalog website.

Release Channel: Windows Server Update Services (WSUS)
Available: No
Next Step: You can import this update into WSUS manually. See the Microsoft Update Catalog for instructions.

If you want to remove the LCU

To remove the LCU after installing the combined SSU and LCU package, use the DISM /Remove-Package command line option with the LCU package name as the argument. You can find the package name by using this command: DISM /online /get-packages.

Running Windows Update Standalone Installer (wusa.exe) with the /uninstall switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.
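
The package lookup described above, as an added PowerShell example that is not part of the original article: it picks the LCU out of the DISM package listing, skips the SSU, and prints the matching removal command without running it. The sample listing is constructed, and the Package_for_RollupFix / Package_for_ServicingStack naming and the Get-LcuPackageName helper are assumptions of this example.

```powershell
# Constructed sample of "DISM /online /get-packages" output (English locale assumed).
# The revision suffixes (.1.9, .1.0) and install times are made up for illustration.
$sample = @'
Package Identity : Package_for_RollupFix~31bf3856ad364e35~amd64~~22621.3085.1.9
State : Installed
Release Type : Update
Install Time : 1/24/2024 9:14 AM

Package Identity : Package_for_ServicingStack_3073~31bf3856ad364e35~amd64~~22621.3073.1.0
State : Installed
Release Type : Update
Install Time : 1/24/2024 9:10 AM
'@ -split "`r?`n"

function Get-LcuPackageName {
    param(
        [string[]]$DismOutput,  # lines of the DISM package listing
        [string]$Revision       # update revision, e.g. 3085 for builds 22621.3085 / 22631.3085
    )
    $identity = $null
    foreach ($line in $DismOutput) {
        if ($line -match '^Package Identity\s*:\s*(\S+)') {
            $identity = $Matches[1]          # remember until its State line arrives
        }
        elseif ($identity -and $line -match '^State\s*:\s*(.+?)\s*$') {
            # Assumption: LCU identities begin with Package_for_RollupFix and SSU
            # identities with Package_for_ServicingStack; only the LCU is removable.
            if ($Matches[1] -eq 'Installed' -and
                $identity -match "^Package_for_RollupFix~.*~~\d+\.$Revision\.") {
                $identity
            }
            $identity = $null
        }
    }
}

$lcu = Get-LcuPackageName -DismOutput $sample -Revision '3085'
# On a device, run elevated and pass the live listing instead of $sample:
#   $lcu = Get-LcuPackageName -DismOutput (DISM /online /get-packages) -Revision '3085'
if ($lcu) { "DISM /online /Remove-Package /PackageName:$lcu" } else { 'No installed LCU with that revision was found.' }
```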

File information

For a list of the files that are provided in this update, download the file information for cumulative update 5034204.  

For a list of the files that are provided in the servicing stack update, download the file information for the SSU - versions 22621.3073 and 22631.3073.
