LIVE · cybersecurity feed
windows 11

Microsoft testing new Cloud Rebuild Windows 11 recovery feature

zeroday.news·1d ago
ShareXLinkedInWhatsAppFacebook

Microsoft is currently testing a new recovery feature for Windows 11 called Cloud Rebuild. This functionality is available in the latest Insider Preview builds for users in the Experimental channel. Cloud Rebuild is designed to remotely initiate a complete reinstallation of the operating system from the cloud, targeting devices that are experiencing persistent issues or have become inoperable.

The feature was initially introduced at the Ignite developer conference in November 2025. According to Stephen Lines, Windows Insider Communications Lead, Cloud Rebuild offers a recovery option that restores a Windows 11 PC to a clean, known-good state by performing a full operating system reinstall, even if Windows itself cannot boot.

Unlike the existing "Reset this PC" option, Cloud Rebuild retrieves both the target Windows image and necessary device drivers directly from Windows Update. This process aims to ensure the device is fully functional upon recovery without requiring external media like USB drives, custom images, or relying on the health of the currently installed operating system.

To test Cloud Rebuild, Windows Insiders need to install Windows 11 Insider Experimental Preview Build 26300.8772. The recovery process is initiated by navigating to the Windows Recovery Environment (WinRE), selecting "Troubleshoot Recovery," and then choosing "Cloud rebuild." Users will then be prompted to review the target Windows build, edition, and language, and confirm a data-loss warning before the rebuild process commences.

Cloud Rebuild is part of Microsoft's broader Windows Resiliency Initiative, which aims to provide tools for quickly restoring devices when they fail to start or operate correctly. This initiative also includes other recovery features. For instance, Point-in-Time Restore (PITR), announced at the same Ignite conference, allows administrators and users to roll back a Windows 11 system to an earlier, stable snapshot. PITR began its rollout in June with the release of the KB5095093 preview cumulative update for Windows 11 versions 24H2 and 25H2.

Additionally, Microsoft has been testing an updated version of Quick Machine Recovery (QMR), a tool intended to assist administrators in resolving Windows boot failures remotely, without needing physical access to the device. When Windows 11 fails to start due to a recent driver or configuration change, QMR automatically launches within the Windows Recovery Environment. It sends crash data to Microsoft, enabling the company to remotely remove problematic drivers or updates and adjust settings to fix boot issues.

In parallel, Microsoft has also been testing a feature that suggests running a memory scan after a Blue Screen of Death (BSOD) event to enhance system reliability. These ongoing developments underscore Microsoft's focus on improving the robustness and recoverability of the Windows 11 operating system.

windows 11microsoftrecoveryinsider preview
ShareXLinkedInWhatsAppFacebook
← Back to latest

More News

view all →
zeroday.news · 4h ago·high

Accenture Confirms Security Incident After Hacker Claims 35GB Source-Code Theft

Accenture has acknowledged a security incident after a threat actor advertised what they claim is stolen internal data. The attacker, using the alias "888", says they took more than 35GB of source code and cloud credentials from the consulting giant and are offering it for sale. Accenture says it has addressed the source of the issue and that its operations were not disrupted.

zeroday.news · 7h ago·high

China-Linked APT Expands Arsenal With New ‘Leash’ Backdoors

A China-linked advanced persistent threat (APT) group, identified as LapDogs, has reportedly enhanced its malicious toolkit. Security researchers have observed the deployment of three new backdoors: LongLeash, DogLeash, and JarLeash, which are designed to compromise small office/home office (SOHO) routers.

zeroday.news · 7h ago·high

RedWing Android Spyware Sold as a Service on Telegram

A new Android spyware called RedWing is being offered as a service on Telegram, allowing less sophisticated attackers to compromise phones and steal banking information. Researchers have identified it as a polished malware-as-a-service operation with extensive documentation and a subscription model, potentially linked to Russian threat actors. RedWing employs fake login overlays, SMS interception, call forwarding, and even screen control to harvest credentials and conduct further malicious activities.

zeroday.news · 8h ago·high

Operationalizing Day Minus Seven: The Cloud-Native ROC

The article introduces the concept of a Risk Operations Center (ROC) as a necessary evolution for cybersecurity teams facing AI-driven threats. It argues that traditional risk management models are insufficient due to the speed at which AI can discover and exploit vulnerabilities, especially in cloud environments. A ROC, powered by platforms like Qualys Enterprise TruRisk Management (ETM), aims to unify disparate security findings, hyper-prioritize risks based on exploitability and business impact, and enable autonomous remediation to keep pace with attackers.

zeroday.news · 8h ago·critical

Ubiquiti Patches Critical UniFi Flaws Across Connect, Talk, Access, Protect, and OS

Ubiquiti has released security updates to address several critical vulnerabilities affecting its UniFi product line, including UniFi Connect, Talk, Access, Protect, and OS. These flaws could allow attackers to escalate privileges or execute arbitrary commands on affected devices. While no active exploitation has been reported for these specific vulnerabilities, the company has previously seen its UniFi OS and Edge OS products targeted by threat actors.

zeroday.news · 8h ago·high

Armored Likho Hits Government, Energy Sectors With BusySnake Stealer

Cybersecurity researchers have identified a new threat actor, dubbed Armored Likho, targeting government and energy sectors in Russia, Kazakhstan, and Brazil with a sophisticated phishing campaign. The operation utilizes a custom-built Python infostealer named BusySnake, designed to steal credentials, sensitive documents, and other high-value data. The attackers employ AI-generated payloads to obscure their activities and maintain persistence through various methods, including reverse SSH tunneling.