KB5078766: March 2026 Cumulative Security Update for Windows Server 2022 (OS Build 20348.4893)
March 10, 2026 cumulative security update for Windows Server 2022, bringing OS to build 20348.4893 with security fixes and quality improvements.
Summary
This is the March 10, 2026 cumulative security update for Windows Server 2022, identified as KB5078766. It brings the OS to build 20348.4893 and was released on March 10, 2026. It incorporates all security fixes from the current month plus non-security quality improvements carried forward from the previous month's optional preview release. Source: Microsoft Support.
Improvements and fixes
This update includes fixes and quality improvements from KB5075906 (released February 10, 2026) and KB5082314 (released March 2, 2026). The following changes are documented:
- Secure Boot certificate targeting: Windows quality updates now include additional high-confidence device targeting data, which broadens the pool of devices eligible to receive new Secure Boot certificates automatically. This targeting relies primarily on client device diagnostic data. Because servers tend to have limited diagnostic data available, they are unlikely to qualify for automatic certificate delivery, though they are not explicitly excluded. Devices only receive new certificates after demonstrating sufficient successful update signals, keeping the rollout controlled and phased.
- Windows System Image Manager reliability: The update improves how the tool handles trusted catalog file selection. A new warning dialog prompts you to confirm that any file you choose comes from a trusted source before proceeding.
Known issues
WSUS does not display synchronization error details
Symptom: After installing KB5070884 or any later update, Windows Server Update Services (WSUS) no longer displays synchronization error details within its error reporting interface.
Workaround: Microsoft states this functionality was temporarily removed to address the Remote Code Execution Vulnerability CVE-2025-59287. No additional workaround is documented on the page at this time.
How to get this update
Before installing, note that Microsoft now combines the latest servicing stack update (SSU) with the latest cumulative update (LCU) into a single package. For offline OS image servicing, your image must include KB5030216 (released September 12, 2023) or a later LCU before you apply this update. That LCU sets the minimum required SSU version to 20348.1960, which prevents error 0x800f0823 (CBS_E_NEW_SERVICING_STACK_REQUIRED).
This update is available through the following channels:
- Windows Update and Microsoft Update: Downloads and installs automatically.
- Windows Update for Business: Downloads and installs automatically in accordance with configured policies.
- Microsoft Update Catalog: A standalone package is available for manual download.
- Windows Server Update Services (WSUS): Syncs automatically when Products and Classifications are configured as follows - Product: Microsoft Server operating system-21H2; Classification: Security Updates.
This update also includes the Windows Server 2022 servicing stack update KB5078763, which brings the servicing stack to version 20348.4880.
If you need to remove the LCU after installing the combined SSU and LCU package, use the DISM /Remove-Package command with the LCU package name as the argument. Running wusa.exe with the /uninstall switch will not work on the combined package because it contains the SSU, and the SSU cannot be removed after installation.
Frequently asked questions
Will my Windows Server 2022 instance automatically receive new Secure Boot certificates after this update?
Not necessarily. The new targeting mechanism prioritizes client devices with sufficient diagnostic data. Servers are unlikely to qualify automatically due to limited available data, though they are not explicitly excluded. Administrators should consult the Secure Boot Playbook for Windows Server for manual guidance and check device status in the Windows Security app.
Is the combined SSU and LCU package handled differently than previous separate packages?
Yes. Microsoft now ships the servicing stack update and cumulative update together in a single package. Because of this, you cannot use wusa.exe /uninstall to remove the LCU. Instead, use the DISM /Remove-Package command. The SSU component cannot be removed from the system once installed.
What prerequisite is required before applying this update to an offline OS image?
Your offline image must already include KB5030216 (released September 12, 2023) or a later LCU. Skipping this step can result in error 0x800f0823, which indicates that the minimum required servicing stack version (20348.1960) is not present on the image being serviced.
Why is WSUS not showing synchronization error details after recent updates?
Microsoft temporarily removed that reporting functionality starting with KB5070884 to mitigate the Remote Code Execution Vulnerability tracked as CVE-2025-59287. The page does not provide a timeline for when the feature will be restored or offer an alternative workaround beyond acknowledging the deliberate removal.
