Tag: windows 10

One Exploited Zero-Day and Record Numbers: The April 2026 Windows Patch Tuesday Breakdown

Posted on by Martin Brinkmann

If March 2026 was a marathon of infrastructure updates, April is a massive avalanche of patches.

Microsoft’s fourth Patch Tuesday of 2026 has arrived, addressing a massive 165 vulnerabilities in total. The sheer volume demands attention. It contains two 0-day vulnerabilities — one of which is actively exploited in the wild — and eight critical flaws affecting a wide range of products, including Office, SharePoint, Microsoft Defender, and Azure.

Here is the breakdown of what you need to know, what to patch first, and what might break.

The April 2026 Patch Day overview

Executive Summary

  • Release Date: April 14, 2026
  • Total Vulnerabilities: 165
  • Critical Vulnerabilities: 8
  • Zero-Days: 2 (SharePoint [Actively Exploited], Microsoft Defender [Publicly Disclosed])

Key Action Item: Administrators must prioritize patching internet-facing SharePoint servers due to the actively exploited spoofing zero-day. Simultaneously, network infrastructure and Active Directory components need immediate updates to mitigate several highly critical Remote Code Execution vulnerabilities.

Important Patches

  • CVE-2026-32201 — Microsoft Office SharePoint Spoofing Vulnerability
  • CVE-2026-33825 — Microsoft Defender Elevation of Privilege Vulnerability
  • CVE-2026-33824 — Windows Internet Key Exchange (IKE) Extension Remote Code Execution Vulnerability
  • CVE-2026-33827 — Windows TCP/IP Remote Code Execution Vulnerability
  • CVE-2026-33826 — Windows Active Directory Remote Code Execution Vulnerability
  • CVE-2026-23666 — .NET Denial of Service Vulnerability

Cumulative Updates

Product, VersionLinksNotes
Windows 11 & Windows 10KB5082200 (Windows 10)
KB5083768 (Windows 11, 26H1)
KB5083769 (Windows 11, version 25H2 and 24H2)

Security updates addressing OS-level RCEs in TCP/IP, IKE, and Active Directory components. Also resolves numerous Elevation of Privilege (EoP) flaws across Windows Kernel, Boot Loader, and BitLocker.
Microsoft SharePoint ServerPatches for SharePoint 2016, 2019, and Subscription Edition to address the actively exploited CVE-2026-32201 spoofing flaw.
Microsoft OfficeSecurity updates addressing multiple Critical Use-After-Free and Untrusted Pointer Dereference vulnerabilities resulting in local code execution

Deep Dive: The Critical Vulnerabilities

Microsoft confirmed that it patched two 0-day vulnerabilities this Patch Day and several critical remote code execution flaws.

Here is the critical overview:

CVE-2026-32201 (Microsoft Office SharePoint Spoofing Vulnerability)

This actively exploited zero-day allows an unauthorized attacker to perform spoofing over a network due to improper input validation in Microsoft Office SharePoint. An attacker who successfully exploits this can view sensitive information and make changes to disclosed information.

CVE-2026-33825 (Microsoft Defender Elevation of Privilege Vulnerability)

A publicly disclosed zero-day flaw in Microsoft Defender that allows privilege escalation to SYSTEM privileges. Microsoft has addressed the flaw in the Microsoft Defender Antimalware Platform update version 4.18.26050.3011, which should be downloaded to (most) systems automatically.

CVE-2026-33824 (Windows Internet Key Exchange (IKE) Extension RCE)

A critical double-free vulnerability in the Windows IKE extension. An unauthenticated attacker can send specially crafted packets to a Windows machine with IKE version 2 enabled to potentially achieve remote code execution. If IKE is not in use, blocking inbound traffic on UDP ports 500 and 4500 acts as a mitigation.

CVE-2026-33827 (Windows TCP/IP Remote Code Execution)

A critical race condition vulnerability in Windows TCP/IP that can result in remote code execution. An unauthenticated actor can send specially crafted IPv6 packets to a Windows node where IPSec is enabled to potentially achieve RCE.

CVE-2026-33826 (Windows Active Directory Remote Code Execution)

A critical improper input validation flaw in Windows Active Directory. It allows an authenticated attacker to execute code over an adjacent network.

First Steps: Your Patch Tuesday Strategy

  • Prioritize the SharePoint zero-day
  • Address network and directory risks
  • Update Office installations

Microsoft is Radically Changing the Windows Insider Program

Posted on by Martin Brinkmann

If you’ve ever felt completely lost in the web of Windows testing tiers or frustrated by slow A/B feature rollouts, relief may finally have arrived.

Microsoft announced a big overhaul of the Windows Insider Program this week designed to simplify how users test development builds of the operating system.

The company is cutting down the channel list to just two primary ones — Beta and Experimental — and is finally changing how experimental features land on test systems.

Here is a breakdown of the major changes:

  • Two Streamlined Channels: The previously confusing multi-tier system is being condensed into just two primary tracks: Experimental (which replaces the Dev and Canary channels) and Beta (for features that are closer to being ready for the public).
  • The End of A/B Testing: Microsoft is officially dropping its Controlled Feature Rollout (CFR) system for Beta channel participants. This means no more waiting in the dark while other testers randomly receive new features before you do.
  • Manual Feature Flags: You are finally getting direct control over your testing experience. Moving forward, Insiders can manually toggle new features on or off directly within Windows Settings as soon as they are documented in the changelogs.
  • No More “Clean Install” Trap: Historically, leaving the Insider program or dropping down to a more stable channel often required a complete, data-wiping OS reinstall. Microsoft is fixing this by allowing in-place upgrades (IPU), meaning you can transition channels or exit the program while keeping your files and apps intact.
  • Clearer Communication: Release notes and documentation will be much more explicit about who features are for and which channel they belong to, giving IT admins, developers, and enthusiasts a much more transparent roadmap of what to expect.

From a testing perspective, Microsoft is launching several improvements. First, Beta users get access to features directly. No more waiting or using of third-party tools like ViVeTool to enable them.

Second, users in the experimental channel get options to turn certain features on, if they are not already enabled.

Third, switching between channels should get easier and less cumbersome.

Last but not least, more documentation is always welcome, as Microsoft’s attempts have been lackluster at best until now.

While the announcement may instill hope in Windows testers who have been disappointed by Microsoft so far, it is clear that Microsoft has to deliver. If the company does, it could improve its Windows Insider program significantly in the process.

VeraCrypt developer claims that Microsoft has terminated his account

Posted on by Martin Brinkmann

VeraCrypt is a popular cross-platform encryption software that is available for Windows, Linux and macOS. It is one of the successors of TrueCrypt and can be used to encrypt hard drives, including system drives, and to create data containers on drive that are encrypted.

The developer of the application, Mounir Idrassi, published a project update on Sourceforge a few days ago. There, he explained why the project had been silent for the past few months.

According to his description, Microsoft terminated the account that he used to sign Windows drivers and the bootloader. This affects the Windows version of the encryption software, as updates can’t be signed anymore because of this. The Linux and macOS versions of the software are not affected by this.

To make matters worse, a screenshot with a message by Microsoft suggests that an appeal is not available. It is unclear what that means for the project. While a solution may be found eventually, likely through enough outside pressure to get a Microsoft representative to look at the case, it is certainly problematic when a company that operates its own encryption software — Microsoft with BitLocker — is blocking a competitor from releasing updates for his.

Report: Windows has a new 0-day vulnerability called BlueHammer

Posted on by Martin Brinkmann

The next Windows Patch Day is just a week away and it is unclear whether it will include a fix for a recently disclosed 0-day vulnerability.

The new security vulnerability has been disclosed on GitHub, including proof of concept code to exploit the issue. However, there is no explanation how the issue works.

Well-known security researcher Will Dormann commented on the issue and confirmed that it is working. He admitted that it “may not be 100%” reliable though. It seems that frustration with MSRC, the Microsoft Security Research Center, and how it operates, was the reason for the public disclosure of the vulnerability. Whether that is true or not can’t be verified though.

So, what do we know about the vulnerability so far?

  • What it is: “BlueHammer” is an unpatched zero-day Local Privilege Escalation (LPE) vulnerability affecting Microsoft Windows.
  • Impact: It allows a local attacker with limited, low-level user access to escalate their permissions to SYSTEM or elevated administrator rights. This effectively grants the attacker full control over the compromised machine.
  • Current Status: Microsoft has not yet released an official patch or mitigation, making it a true zero-day.

Security experts (such as Will Dormann) describe it as a flaw that combines a TOCTOU (Time-of-Check to Time-of-Use) vulnerability with path confusion. At a high level, it appears to weaponize Windows Defender-related interfaces (the leaked source code contains files like windefend.idl and windefend_c.c). By bypassing the system’s original validation, a local attacker can gain access to the Security Account Manager (SAM) database, which stores local account password hashes, ultimately allowing them to spawn SYSTEM-level shells.

Good news is that the flaw is a local privilege escalation, which means that attackers can’t exploit it to hack into Windows PCs remotely. However, if they were to gain access to a Windows system, they could use it to expand access or even take over a system completely.

How to batch test archives on Windows

Posted on by Martin Brinkmann

File archives serve plenty of purposes. They compress one or multiple files and folders and make them available as a single file; ideal for distribution and storage.

Many backup tools, for instance, support compressing backups to save storage space.

But how do you ensure that the archives are not corrupt? There are several options, including generating hashes and running verifiers.

However, if you have not created hashes in first place or find this too time consuming or unmanageable, you could test the archives directly using archivers.

PeaZip is an open source archiver for several operating systems. Version 11.0 was released recently and it includes a batch testing option.

Throw any number of support archive formats at the app and it will check each archive. It does so automatically and the only exception to that is when it encounters a password protected archive, as it will prompt for the password in that case.

You get a full list of results in the end that you can go through to find any archives that are damaged.

PeaZip supports all major archive formats. To name a few: ZIP, 7z, BR, TAR, ZipX, RAR, APK, CAB, ISO, and ACE.

Here is how you run the test:

  1. Download and install the latest version of the archiver. You can download a portable version or use winget install -e peazip to install it from the command line.
  2. Open the application and use the file manager to navigate to the folder with the archives that you want to test.
  3. Select them all, for instance by holding down Ctrl and left-clicking on each archive, using Ctrl-A, or right-clicking and picking “select all” from the context menu.
  4. Right-click on the selection and select More > Test to start the verification process.

PeaZip tests one archive after another, displaying results in a separate window. You could move all archives into a single folder to make this operation easier, or switch folders to continue testing archives.

All in all, this is a straightforward option to batch test archives on Windows (or any other of the supported operating systems).

IT Crowd Turning it off and on again

Two Public Zero-Days: The March 2026 Windows Patch Tuesday Breakdown

Posted on by Martin Brinkmann

If February 2026 was the sprint, March is a marathon of essential infrastructure updates.

Microsoft’s third Patch Tuesday of 2026 has arrived, addressing 84 vulnerabilities in total. While the total count is typical, the release demands close attention: it contains two publicly disclosed zero-day vulnerabilities and eight critical flaws affecting a wide range of enterprise products, including SQL Server, Office, and Azure components.

Here is the breakdown of what you need to know, what to patch first, and what might break.

The March 2026 Patch Day overview

Executive Summary

  • Release Date: March 10, 2026
  • Total Vulnerabilities: 84
  • Critical Vulnerabilities: 8
  • Zero-Days (Publicly Disclosed): 2 (SQL Server, .NET)
  • Key Action Item: Administrators must prioritize database and application servers due to the SQL Server elevation of privilege flaw and the .NET denial of service vulnerability. Simultaneously, ensure Office updates are deployed to workstations to prevent potential zero-click remote code execution via the Preview Pane.

Important Patches

  • CVE-2026-21262 — Microsoft SQL Server Elevation of Privilege Vulnerability
  • CVE-2026-26127 — .NET Denial of Service Vulnerability
  • CVE-2026-21536 — Microsoft Devices Pricing Program Remote Code Execution Vulnerability
  • CVE-2026-26110 — Microsoft Office Remote Code Execution Vulnerability
  • CVE-2026-25187 — Windows Winlogon Elevation of Privilege Vulnerability

Cumulative Updates

Product, VersionKB ArticleNotes
Windows 11, Version 24H2 / 25H2KB5079473Security updates and non-security changes. Adds built-in Sysmon, Emoji 16.0, and prepares infrastructure for upcoming Secure Boot certificate updates.
Windows 11, Version 26H1KB5079466Security updates. Improves how Windows Defender Application Control (WDAC) handles COM objects allowlisting policies.
Windows 10, Version 22H2KB5078885Security updates. Includes a GPU stability fix and Secure Boot updates.

Deep Dive: The Critical Vulnerabilities

Microsoft confirmed two publicly disclosed zero-day vulnerabilities are fixed this month. Furthermore, Microsoft fixed several critical remote code execution (RCE) and elevation of privilege (EoP) flaws.

Attackers may exploit the issues on systems that have not been patched to bypass protections, elevate privileges, or execute malicious payloads remotely.

Here is the critical overview:

CVE-2026-21262 (Microsoft SQL Server Elevation of Privilege)

This publicly disclosed zero-day allows an authorized attacker to elevate privileges over a network. Due to improper access control, a logged-in user can quietly elevate to become a full database administrator (sysadmin). With that level of control, they can read, modify, or delete data without user interaction.

CVE-2026-26127 (.NET Denial of Service)

The second publicly disclosed zero-day is an out-of-bounds read flaw in the .NET platform (versions 9.0 and 10.0). It allows an unauthenticated remote attacker to crash .NET applications over the network, resulting in a denial of service for any app running on the affected runtime libraries.

CVE-2026-21536 (Microsoft Devices Pricing Program Remote Code Execution)

Scoring a critical 9.8 out of 10 on the CVSS scale, this is the most severe flaw of the month. It allows remote attackers to execute arbitrary code over the network without privileges or user interaction. Notably, this flaw was discovered by an autonomous AI penetration testing agent. Microsoft notes that the vulnerability has been fully mitigated on their end, requiring no direct action from users.

CVE-2026-26110 & CVE-2026-26113 (Microsoft Office Remote Code Execution)

These type confusion and untrusted pointer dereference flaws in Microsoft Office enable remote code execution when malicious files are processed. They are particularly dangerous because they can potentially allow zero-click exploitation if a user simply views a booby-trapped document in the Outlook Preview Pane.

CVE-2026-25187 (Windows Winlogon Elevation of Privilege)

Discovered by Google Project Zero, this vulnerability leverages improper link resolution in the Winlogon process. A locally authenticated attacker with low privileges could exploit a link-following condition to effortlessly escalate to SYSTEM privileges.

Significant Changes in the March 2026 updates

  • Sysmon is now built-in: Previously a manual download from Sysinternals, Sysmon is now included as a native component in Windows 11 for better security auditing and monitoring of malicious activity.
  • Secure Boot certificate preparation: Windows systems are receiving infrastructure updates to prepare for the upcoming expiration of Secure Boot certificates, which will begin rotating in June 2026.
  • Quick Machine Recovery (QMR) expansion: QMR is now turned on automatically on more hardware. This feature allows administrators to revert endpoints to a working state if a disastrous third-party update takes down the system.
  • RSAT on Arm64: Remote Server Administration Tools are finally supported on Windows 11 Arm64 devices, allowing administrators to manage Windows Server environments directly from Arm-powered PCs.

First Steps: Your Patch Tuesday Strategy

  • Prioritize the zero-days: Map your exposure and prioritize the two zero-day vulnerabilities, focusing heavily on SQL Server environments and .NET application servers.
  • Update Office installations: Deploy Microsoft Office updates to all workstations immediately to mitigate the risk of zero-click remote code execution via the Preview Pane.
  • Prepare for Secure Boot changes: Ensure your enterprise environment allows the new Secure Boot allowed Key Exchange Key (KEK) updates to install properly to avoid boot issues in the coming months.

Here is what the Windows UserChoice Protection Driver UCPD does

Posted on by Martin Brinkmann

Have you ever heard of the Userchoice Protection Driver (UCPD.sys) that Microsoft added to its Windows 10 and Windows 11 operating systems in 2024? It is a protective driver designed to prevent third-party applications or scripts from making changes to Registry keys that fall into the UserChoice category. This includes system defaults, such as the web browser, PDF viewer, or widgets.

Before the introduction, apps or scripts could make changes to default settings on Windows by editing certain keys in the Registry directly. With UCPD active, Microsoft implemented a check that allows or disallows changes to these keys.

If the change comes from a legitimate Microsoft process, it is allowed. If the change comes from a non-Microsoft process,, it is not allowed.

So, using the Settings application works, while using a script to make the changes does not.

While Microsoft has not revealed much about the motivation behind the introduction of the driver, it was at least partially introduced to make hijacking of important user settings difficult.

Granted, this had the added effect that it would be harder for competitors to change the defaults, even when users wanted it to happen.

The Impact

Most users may never notice that Microsoft introduced the feature in the first place. Changing defaults via the Settings app is not prevented and so is not a direct edit to the Registry using the Registry Editor.

However, for system administrators and some advanced users, UCDP has been a major headache as it broke command line tools and scripts.

How to check if the driver is running

Here is one easy method to check if the driver is active on your Windows PC:

  1. Open the Start menu.
  2. Type cmd and press the Enter-key to load the Command Prompt.
  3. Type sc query ucpd.

If you see running next to state, then you have confirmation that the service is active.

Can you do something about it? (Should you?)

The short answer: yes, you can turn this off, but it is not as straightforward as you might want it to be.

Here are the required steps:

  • Run sc config UCPD start= disabled from an elevated command prompt window.
  • Open Task Scheduler, navigate to \Microsoft\Windows\AppxDeploymentClient, and disable the UCDP velocity task so that it does not turn the driver back on.
  • Reboot the system.

I suggest you check whether UCDP is running using the command prompt again to make sure.

Should you disable the feature? My advice: if you did not notice any issues so far, you might not need to disable it. If you have run into problems recently running scripts or apps, then you could consider it, especially if you run them regularly.

Keep in mind though that this is also blocking malicious scripts and apps from making those changes.

Windows updates

Six Zero-Days in the Wild: The February 2026 Windows Patch Tuesday Breakdown

Posted on by Martin Brinkmann

If January was the warm-up, February is the sprint.

Microsoft’s second Patch Tuesday of 2026 has arrived with significant urgency, addressing 59 vulnerabilities in total. While the total count is manageable, the severity is high, as it contains six zero-day vulnerabilities that are currently being exploited in the wild.

Here is the breakdown of what you need to know, what to patch first, and what might break.

The February 2026 Patch Day overview

Executive Summary

  • Release Date: February 10, 2026
  • Total Vulnerabilities: 59
  • Critical Vulnerabilities: 5
  • Zero-Days (Actively Exploited): 6 (Windows Shell, MSHTML, Word, DWM, RDP, Remote Access Connection Manager)
  • Key Action Item: Administrators must prioritize workstation patching immediately due to three “one-click” security bypasses (Shell, MSHTML, Word) that allow code execution without user confirmation. Simultaneously, restrict and patch RDP servers to prevent the active SYSTEM-level escalation exploit (CVE-2026-21533).

Important Patches

  • CVE-2026-21510 — Windows Shell Security Feature Bypass Vulnerability
  • CVE-2026-21513 — MSHTML Platform Security Feature Bypass Vulnerability
  • CVE-2026-21514 — Microsoft Office Word Security Feature Bypass Vulnerability
  • CVE-2026-21519 — Desktop Window Manager Elevation of Privilege Vulnerability
  • CVE-2026-21533 — Windows Remote Desktop Services Elevation of Privilege Vulnerability

Cumulative Updates

Product, VersionKB ArticleNotes
Windows 10, Version 22H2KB5075912ESU Only. Security updates. Fixes the VSM shutdown/restart bug introduced in January.
Windows 11, Version 23H2KB5075941Security updates.
Windows 11, Version 24H2 / 25H2KB5077181Security updates and non-security changes. Adds “Cross-Device resume” and MIDI 2.0 support.

Deep Dive: The Critical Vulnerabilities

Microsoft confirmed that six already exploited zero-day vulnerabilities are fixed after installing the cumulative updates. Attackers may exploit the issues on unpatched systems to bypass protections and gain system-level access.

Here is the critical overview:

CVE-2026-21510 (Windows Shell Security Feature Bypass)

Allows attackers to craft malicious links or shortcut files to bypass Mark of the Web (MotW) and Windows SmartScreen prompts. As a result, malicious payloads may execute on unpatched systems without the usual “Are you sure” security warnings of SmartScreen.

CVE-2026-21513 (MSHTML Platform Security Feature Bypass):

Allows attackers to bypass security prompts using malicious HTML files, if the Internet Explorer engine (MSHTML) is used for rendering. The threat is similar to the Windows Shell issue described above, as it may be used to skip security screens to run malicious code on target systems.

CVE-2026-21514 (Microsoft Word Security Feature Bypass)

The third of the feature bypasses, this exploits an issue in Object Linking & Embedding (OLE) in Microsoft Office. Attackers may use it to run malicious Word documents and sidestep certain protections designed to block the execution of risky external content.

CVE-2026-21519 (Desktop Window Manager Elevation of Privilege)

The vulnerability is a type confusion flaw in the Desktop Windows Manager (DWM). Attackers need basic access for exploitation, but if they have, they may use the flaw to elevate their privileges to SYSTEM level, which allows them to take control of the system.

CVE-2026-21533 (Windows Remote Desktop Services Elevation of Privilege)

Describes an improper privilege management flaw in Remote Desktop Protocol. Exploitation opens another route to SYSTEM privileges on unpatched system. Especially problematic in Enterprise environments, which usually use RDP a lot.

CVE-2026-21525 (Windows Remote Access Connection Manager Denial of Service)

A null pointer dereference issue in the VPN / Dial-up manager. A local attacker, even with low privileges, may use the issue to crash the service repeatedly.

Significant Changes in the February 2026 updates

  • The Virtual Secure Mode (VSM) restart loop bug is fixed.
  • Cross-Device resume arrives in Windows 11. When a phone is paired with the Windows system, its recent activities are now displayed in Start. You can continue those. Requires the latest Link to Windows app.
  • Native MIDI 2.0 support. The new protocol is now supported, which creators and audio engineers may take advantage of.
  • The Secure Boot change is entering the targeting phase. In this phase, Windows can determine whether the device’s UEFI is compatible with the upcoming certificate rotation. If it is, it will be queued to receive the actual update in the coming months. No user action required.

First Steps: Your Patch Tuesday Strategy

  1. Patch the six zero-day vulnerabilities immediately. Start with user workstations.
  2. If you paused updates in January because of the VSM restart loop bug, deploy this month’s cumulative update to get it fixed.

The Road to Recovery: How Microsoft Plans to Make You Love Windows Again

Posted on by Martin Brinkmann

For years, Windows has felt less like a trusted tool and more like a construction site that never quite cleared the rubble. Whether it’s the lingering inconsistency of the UI, the intrusion of unwanted ads, the performance hiccups, or that many users now expect to experience issues when Microsoft releases an update for the operating system.

Microsoft’s flagship OS has faced a widening trust gap with its most loyal users. Now, in a strategic pivot aimed at 2026, the tech giant is launching an internal “swarming” initiative to prioritize stability and refinement over flashy new AI features.

Swarming, in this context, refers to engineering teams working on core reliability issues, including performance lags, to address major pain points of Windows users.

This year you will see us focus on addressing pain points we hear consistently from customers: improving system performance, reliability, and the overall experience of Windows.

The quote comes from the president of Windows and devices at Microsoft, and it was published by Tom Warren at The Verge on January 29, 2026.

A bad start of the year for Windows users

If anyone needed a refresher of the challenges that Microsoft is facing, they do not need to look far. When Microsoft released the first update for Windows in 2026, it probably did not expect it to cause a considerable number of issues on user computers: from broken Remote Desktop Connections over a shutdown bug to a severe bug affecting Outlook that needed an out-of-band update for fixing.

While it is bad enough that users and organizations feel issues hitting them left and right at times, it is the image of Windows that seems to be starting to worry Microsoft. Up until now, Microsoft pushed what it thought served it best onto Windows. Ads, AI, limited user control, features that barely anyone asked for. Yes, there was the occasional feature that users liked, but most changes were met with a good portion of skepticism at best.

While Microsoft received criticism, most users did not seem to mind as long as the operating system worked. Most features could be turned off or disabled. Yes, some had the nasty habit of being turned on again at times, which was annoying.

Now it appears that Windows is at a critical junction, one that even Microsoft can’t ignore going forward.

The foundation needs to be stabilized before Microsoft can continue to use Windows as a vehicle for selling subscriptions and other products.

It remains to be seen how dedicated Microsoft will be and whether it manages to make a U-turn regarding stability of its operating system. With Linux gaining essential support for PC games, there is not really much that Windows has to offer that is not also possible on Linux.

1 Billion and Counting: Windows 11 Reaches Massive User Milestone Faster Than Windows 10

Posted on by Martin Brinkmann

Microsoft launched its newest operating system Windows 11 back in October 2021 to mixed reviews. Its predecessor, Windows 10, held the top spot firmly at the time while Windows 7 and Windows 8 were reaching the official end of life dates. While companies could extend support of Windows 7 by three years, Microsoft did not give home users such an option.

Microsoft CEO Satya Nadella announced during the company’s FY26 second-quarter earnings call that Windows 11 has officially surpassed one billion monthly active users.

Windows reached a big milestone: One billion Windows 11 users, up over 45% year-over-year.

In about four years, Windows 11 managed to reached the coveted one billion users mark. Windows 10, which was equally criticized when it launched in 2015, took longer to reach the important milestone.

How much longer? Not that much, it turns out. Let us take a look at the official dates that Microsoft provided for Windows 10 and Windows 11 first.

Windows 10Windows 11
Launch DateJuly 29, 2015October 5, 2021
1 Billion Users DateMarch 16, 2020January 2026

Windows 10 reached 1 billion monthly active users 1,706 days after it was released by Microsoft. Windows 11 managed to cross the one billion monthly active users mark in 1,576 days.

That is 130 days faster. While not impressively faster, it is important to note that Windows 11 had a handicap all along: new system requirements prevented a sizeable chunk of Windows 10’s userbase from upgrading directly to Windows 11.

While Microsoft never released numbers, estimates suggest that several hundred million devices can’t be upgraded directly. While a high percentage of these devices can be upgraded by skipping the requirements checks, the technical nature of the process likely prevents this on the vast majority of devices running Windows 10.

For users, it does not really matter how fast or slow an operating system growth, provided that it manages to reach a number of users that is sizeable enough to warrant continued support.

Windows 10 Home and Pro editions will reach end of servicing later this year. It will be interesting to see what the millions of home users will do when that time comes.