KB5078938 – Windows Server 2016

KB5078938 is the cumulative update for Windows Server 2016 and Windows Server 2016 Server Core installation. It was released on 10 March 2026 under the ‘Patch Tuesday’ release cycle.

Salient points

• KB5078938 supersedes February 2026 cumulative update KB5075999.
• KB5078938 corresponds to build 14393.8957.
• 35 Security vulnerabilities were disclosed by Microsoft for Windows Server 2016 in March 2026 security bulletin.
• No zero-day vulnerabilites have been reported for Windows Server 2016 in March 2026.
• No CRITICAL vulnerability has been reported for Windows Server 2016 in March 2026.
• The Servicing Stack Update corresponding to KB5078938 is KB5075902. For automated deployments of security updates (Windows Update and Windows Update for Business), the installation is included in the main cumulative update installation process. For manual patching, you will need to download and install the SSU KB5075902 before installing KB5078938. If you installed February security update, KB5075902 would be already deployed.

Important Reminders

• Support for cumulative updates for Windows Server 2016 will end on 12 January 2027.
• Secure booth certificates for Windows Server 2016 will expire in June 2026, Both UEFI Secure Boot DB and KEK need to be updated with the corresponding new 2023 certificate versions.

Servicing Stack Update KB5075902

KB5075902 is the Servicing Stack Update (SSU) for Windows Server 2016. For automated deployments of KB5078938, KB5075902 is automatically offered for installation as part of the installation of the main cumulative update.

For manual installations of KB5078938, you would need to download and install KB5075902 before installing KB5078938. But, if you installed KB5075999, then this SSU would have already been installed as part of February patch cycle for Windows Server 2016.

You can download the SSU KB5075902 from the Microsoft Update Catalog page:

• Download KB5075902 from the Microsoft Update Catalog site (12 MB)

Installing the Servicing Stack Update would not cause the server to reboot or restart. So, you could directly proceed with the installation of the main cumulative update for Windows Server 2016.

Zero-day Security vulnerabilities

No zero-day vulnerabilities have been reported for Windows Server 2016 or Windows Server 2016 Server Core installation in Febuary 2026.

Critical vulnerabilities

The March security bulletin for Windows Server 2016 reports 35 security vulnerabilities. None of these vulnerabilities has a CRITICAL security severity.

Download KB5078938

You may download the offline installer file for KB5078938 from the catalog site link shared below:

• Download KB5078938 from the Microsoft Update Catalog (1759.9 MB)

Upon installation of KB5078938, the server would restart.

Changelog – KB5078938

The following changes or improvements are part of KB5078938 for Windows Server 2016:

• [Internal Windows OS] This update contains miscellaneous security improvements to internal Windows OS functionality. No specific issues are documented for this release.
• [Windows System Image Manager] This update adds a warning dialog to help users confirm that the selected catalog file comes from a trusted source.
• [Secure Boot] With this update, Windows quality updates include additional high confidence device targeting data, increasing coverage of devices eligible to automatically receive new Secure Boot certificates. This targeting is based primarily on client device diagnostic data; due to limited data, servers are unlikely to qualify, though not explicitly excluded. Devices receive new certificates only after demonstrating sufficient successful update signals, maintaining a controlled and phased rollout.