Windows 11 and Server 2026 Updates Get Bigger With New CLFS Security Changes



Microsoft continues to roll out security hardening measures in Windows through its monthly Patch Tuesday releases, and the November 2025 update introduces a significant change for the Common Log File System (CLFS).

In Windows 11 25H2 and Windows Server 2025, Microsoft added hash-based message authentication codes (HMAC) to CLFS log files. As reported by Neowin, the change aims to prevent log file tampering and reduce the risk of privilege escalation attacks that have frequently targeted CLFS in the past.

How the new CLFS protection works

The update secures CLFS logs by attaching authentication codes that verify both integrity and authenticity whenever the system accesses a log file. Windows generates these codes using the file’s data and a system-unique cryptographic key stored in the registry.

CLFS serves as a high-performance logging subsystem used by both user-mode and kernel-mode applications. It supports reliable transactions, event logging, system tracking, and crash recovery. Because attackers have repeatedly exploited CLFS vulnerabilities to gain elevated privileges, Microsoft positions this HMAC-based validation as a long-term security hardening step.

Learning mode, enforcement, and performance impact

To ease deployment, Microsoft enables a 90-day learning mode after the update installs. During this period, Windows automatically adds authentication codes to existing CLFS log files when applications open them. After the learning window ends, the system switches to enforcement mode and requires all CLFS log files to include valid authentication codes.

Administrators must ensure systems access all required CLFS logs during the learning phase. Any log file that remains unopened must be authenticated manually using the fsutil clfs authenticate command.
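The behaviour described above can be modelled in a few lines. This is an added illustration, not Microsoft's code: the ToyLogStore class, the choice of HMAC-SHA256, the in-memory storage and the .blf sample names are all assumptions made for the example. It shows a pre-update log gaining a code when opened in learning mode, a log never opened during learning being rejected under enforcement, and a modified log failing verification.

```python
import hashlib
import hmac
import os

class ToyLogStore:
    """Conceptual model only; real CLFS file layout and key handling differ."""
    def __init__(self, key, learning=True):
        self.key = key            # stands in for the system-unique key
        self.learning = learning  # True = learning mode, False = enforcement
        self.files = {}           # name -> (data, authentication code or None)

    def _tag(self, data):
        # Assumed algorithm: HMAC-SHA256 over the file data
        return hmac.new(self.key, data, hashlib.sha256).digest()

    def write(self, name, data):
        # Logs created after the update carry a code from the start
        self.files[name] = (data, self._tag(data))

    def import_legacy(self, name, data):
        # Log created before the update: no code attached yet
        self.files[name] = (data, None)

    def open(self, name):
        data, tag = self.files[name]
        if tag is None:
            if not self.learning:
                raise PermissionError("no authentication code")
            self.files[name] = (data, self._tag(data))  # learning mode adds it
            return data
        if not hmac.compare_digest(tag, self._tag(data)):
            raise PermissionError("authentication code mismatch")
        return data

def demo():
    store = ToyLogStore(key=os.urandom(32), learning=True)
    # Constructed sample logs
    store.import_legacy("app.blf", b"records written before the update")
    store.import_legacy("rare.blf", b"log nobody opens during learning")
    store.write("new.blf", b"records written after the update")
    store.open("app.blf")                        # opened during learning
    store.learning = False                       # learning window has ended
    data, tag = store.files["new.blf"]
    store.files["new.blf"] = (data + b"!", tag)  # data changed, code not updated
    out = {}
    for name in ("app.blf", "rare.blf", "new.blf"):
        try:
            store.open(name)
            out[name] = "ok"
        except PermissionError as err:
            out[name] = "rejected: " + str(err)
    return out
```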

The new protection increases disk usage because authentication data scales with container file size, which also contributes to a larger update package. Microsoft also confirms higher I/O activity for CLFS operations, with log creation and access taking longer. On average, writing a record to a CLFS log file now takes roughly twice as long as before.

Broader security changes across Microsoft’s ecosystem

Beyond CLFS, Microsoft has stepped up security efforts across other products and services. The company has ended support for the Legacy Deployment Toolkit and issued a warning against Local Exchange Online mailbox moves, pointing to potential reliability concerns.

At the same time, a recent update for Microsoft Edge fixes a major security vulnerability, underscoring Microsoft’s broader push to reduce attack surfaces across Windows, cloud services, and core applications.
