Microsoft’s September Patch Tuesday delivers a targeted corrective for two of the most disruptive regressions reported by end users and IT teams over the last month: the unexpected UAC prompts and MSI repair failures that blocked non‑admin workflows, and severe stuttering in NDI-based streaming when Display Capture is used with OBS. The cumulative package shipped as KB5065426 for Windows 11 24H2 (with companion KBs for 23H2/22H2) bundles security hardening, a servicing‑stack update, and a set of compatibility and telemetry improvements — and it intentionally narrows the scope of a security hardening change introduced in August while restoring stability for Network Device Interface (NDI) workflows. (bleepingcomputer.com)
Source: Windows Report Windows 11's September Patch Tuesday Update KB5065426 Fixes UAC Prompts and NDI Audio Issues
Background
Windows servicing in 2025 has followed a pattern of mixing security hardening with staged feature enablement and combined SSU+LCU packages. That approach reduces certain classes of installation errors but complicates rollback and compatibility testing for administrators. The August 12, 2025 rollups (for example KB5063878 and its Windows 10 equivalents) closed high‑priority vulnerabilities but also triggered two high‑impact regressions: a Windows Installer / UAC change that caused MSI repair flows to require elevation for standard users, and an interaction that broke NDI’s default RUDP transport in some configurations. Microsoft published Release Health notices and guidance while engineering worked on a corrective servicing update. (tomsguide.com)
Why this matters now
- The two regressions affect both consumer scenarios (streamers and hobbyists using OBS/NDI) and enterprise workflows (line‑of‑business MSI installers, imaging, and ConfigMgr deployments).
- Microsoft’s fixes are delivered inside a combined servicing package that includes an SSU; administrators must therefore plan pilots and test recovery procedures because SSUs are effectively persistent and complicate uninstall procedures.
What’s in KB5065426 (high level)
KB5065426 is a cumulative update for Windows 11 24H2 that mixes security, reliability, and compatibility fixes. The notable components are:
- Security hardening across platform components (multiple CVEs).
- A servicing‑stack update (SSU) bundled with the LCU to improve update reliability.
- A narrowed and more configurable treatment for MSI/UAC repair flows so non‑admin users do not see unexpected prompts in common scenarios.
- A fix that removes the transport‑level regression impacting NDI RUDP flows, restoring smooth audio/video for many OBS + NDI setups.
- Additional reliability patches: improved input responsiveness, fixes for disappearing IIS Manager modules, and server‑side SMB auditing capabilities to assist compatibility assessments.
The UAC / MSI repair regression — technical details and remediation
What broke
In August Microsoft patched a Windows Installer authentication weakness (tracked as CVE‑2025‑50173) by tightening the conditions that allow Windows Installer processes (MSI) to run without triggering an elevated User Account Control prompt. The enforcement change was intended to close a local privilege escalation path, but it produced a side effect: many MSI repair and advertising flows that previously ran silently for standard (non‑admin) users began to prompt for administrator credentials or failed outright (Error 1730 in some Office / MSI scenarios). This hit widely used titles such as Office Professional Plus 2010 and several Autodesk installers, and also disrupted ConfigMgr advertising and some Active Setup scenarios.
Microsoft’s short‑term mitigations
- Run as administrator: For single endpoints, Microsoft’s immediate workaround is to run the affected app with elevation (Right‑click → Run as administrator). This is a stopgap and not manageable at scale. (bleepingcomputer.com)
- Known Issue Rollback (KIR): For managed environments Microsoft has provided a KIR / Group Policy artifact that IT can obtain via Microsoft Support for Business. KIR allows targeted relaxation of the new behavior on a scoped set of devices while preserving the security hardening elsewhere. KIR is meant as a temporary, supportable mitigation until a permanent compatibility policy is shipped. (windowsforum.com)
What KB5065426 changes
KB5065426 reduces the scope of the strict UAC enforcement introduced in August and exposes more granular controls that let administrators allowlist specific applications or flows so they can perform MSI repair/configuration without a full elevation prompt. This is not a rollback of the security fix; rather, it’s a compatibility narrowing plus administrative control designed to preserve the mitigation against CVE‑2025‑50173 while restoring common non‑admin workflows. Administrators should treat allowlisting/KIR as a temporary compatibility bridge and plan to adopt Microsoft’s long‑term policy model once released.
Operational risks and recommendations
- Security trade‑off: Using KIR or allowlists widens the attack surface compared with the stricter default — evaluate the risk and scope the relaxation narrowly (specific SIDs, devices, or application hashes).
- Application vendors: Coordinate with ISVs (Autodesk, Microsoft Office provisioning teams, other LOB vendors) to obtain updated installers or guidance; many vendors will repackage or ship explicit per‑user installation guidance once the fix is validated.
- Testing: Before broad deployment, test common MSI workflows under standard (non‑admin) accounts and confirm that repairs complete without prompting. Include image‑based testbeds, student labs, and VDI pools where MSI advertising is common.
- Rollbacks: If rollback is required, remember that combined SSU+LCU packages complicate uninstalls; administrators will often need to use DISM /Remove-Package for the LCU portion and cannot remove the SSU with wusa.exe once the SSU is applied. Record package names via DISM /online /get-packages before changing baseline images.
NDI + OBS audio/video stutter — root cause, workaround, and fix
Symptom set
After the August rollups, broadcasters and streamers reported severe stuttering, audio dropouts, and choppy video in multi‑PC NDI setups — the issue was especially visible when the source used Display Capture in OBS Studio. The regression reproduced even on low‑congestion LANs, indicating it was a protocol/processing interaction rather than network bandwidth exhaustion. Microsoft’s Release Health confirmed the behavior and linked the failure mode to NDI’s default RUDP transport. (bleepingcomputer.com, tomsguide.com)
Technical primer — RUDP vs UDP vs Single TCP
- RUDP (Reliable UDP): NDI’s hybrid transport that layers sequencing and retransmission on top of UDP semantics to improve visual quality while keeping latency low. RUDP is sensitive to timing and packet‑processing changes in the OS networking stack.
- UDP (Legacy): Unreliable datagrams, lowest latency on a clean LAN but susceptible to loss.
- Single TCP: Ordered, reliable byte stream with retransmission (higher reliability, potential head‑of‑line blocking; higher latency under loss).
Emergency workarounds used by broadcasters
- Change NDI Receive Mode to Single TCP or UDP (Legacy) via NDI Access Manager (Advanced → Receive Mode → Single TCP / UDP), then restart NDI‑receiving applications so they re‑read the configuration. This restores stability in most topologies without uninstalling security updates. (bleepingcomputer.com, windowsforum.com)
- Where reconfiguration is infeasible (remote contributors, locked guest machines), some teams considered rolling back the August LCU as a last resort, accepting the security exposure and applying compensating controls (tightened EDR policies, network segmentation). Rolling back SSU+LCU requires careful DISM procedures — wusa.exe uninstall will not remove the SSU component. (windowsforum.com)
What KB5065426 delivers
The September update contains engineering changes that address the transport interaction affecting RUDP, restoring the previously expected behavior in many configurations and removing the need for the NDI Receive Mode workaround for most users. Streamers should still validate their specific capture stacks (drivers, GPU capture settings, OBS versions) because environmental variables (third‑party filters, virtual audio routing, NIC offloads) can still influence performance. (bleepingcomputer.com)
Practical streamer checklist (short)
- Before applying, rehearse a full stream on a test ring: Display Capture → NDI → receive host.
- If currently affected, switch NDI Receive Mode to Single TCP/UDP in NDI Access Manager and restart all NDI apps.
- After installing KB5065426, validate RUDP flows in a staged pilot; keep the temporary Single TCP/UDP setting available as a fallback.
- Maintain driver/OBS/NDI Tools versions per vendor guidance; update NIC drivers and disable experimental offloads only if the vendor suggests it. (windowsforum.com, heise.de)
Enterprise impacts beyond the headline fixes
SSU bundling and rollback complexity
KB5065426 includes a Servicing Stack Update (SSU) packaged with the LCU. SSUs are intended to make update installation more reliable, but once installed they cannot be removed via the simple wusa uninstall switch — only the LCU can be targeted with DISM /Remove-Package. That reality raises the operational bar for rollback and recovery planning: export images, document package names, and pilot thoroughly.
SMB auditing and compatibility assessments
The update enables SMB server‑side auditing hooks to let administrators discover clients that will break under stricter SMB signing / Extended Protection for Authentication (EPA) policies. This audit‑first approach gives visibility before hard enforcement and should be used to map legacy NAS, embedded devices, and third‑party appliances that may be incompatible. The goal is to close relay/tampering vectors while reducing surprise outages during enforcement.
Kerberos certificate mapping deadline
Microsoft’s multi‑year Kerberos hardening campaign is reaching an enforcement milestone: compatibility workarounds for weak certificate mappings will be removed for updates released on or after a specific cutoff (documented around early September 2025). Administrators using certificate‑based auth should verify PKI, reissue certificates with the required mapping attributes, and update domain controllers before the hard deadline to avoid authentication failures. This is an operationally critical timeline and should be prioritized in IT roadmaps.
Secure Boot certificate advisory
The KB and accompanying release notes also reiterate Secure Boot certificate lifecycle considerations: devices relying on older certificate chains will need firmware/OEM updates before Microsoft’s certificates begin expiring in a future window. Enterprises should inventory device firmware and coordinate with OEMs for firmware/UEFI updates to avoid future boot‑time trust failures.
Deployment guidance — a pragmatic, prioritized checklist
- Inventory and identify:
  - Query which endpoints are on Windows 11 24H2 / 23H2 / 22H2 and their current build (winver or your patch management reporting).
- Pilot ring (representative):
  - Include virtualization hosts/guests (for PSDirect), any streaming hosts using NDI/OBS, line‑of‑business MSI installers (AutoCAD, Office legacy), and domain controllers for Kerberos/PKI rollouts.
- Validate mitigations before broad rollout:
  - Test MSI repair flows for standard user accounts; validate that UAC prompts are gone or that allowlist/KIR behaves as expected.
  - For broadcasters, verify NDI RUDP, Single TCP, and UDP behavior with realistic scenes and audio to confirm latency and lip‑sync.
- Update cadence and rollback plan:
  - Record DISM package names (DISM /online /get-packages) so you can target the LCU for removal if necessary. Remember the SSU is effectively persistent.
- Communication and runbooks:
  - Notify content creators about the NDI Receive Mode fallback, and document emergency steps for event days (switch NDI mode, restart apps, fallback to local capture).
- Post‑rollout monitoring:
  - Monitor SMB audit logs, Kerberos authentication failures, Event IDs related to MSI/Installer, and streaming telemetry for residual regressions.
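For the MSI part of post‑rollout monitoring, the following added example (not from the original article or from Microsoft) summarizes Windows Installer errors and warnings from the Application log and flags the Error 1730 failures described earlier. The 7‑day window and the assumption that the failure appears as the text "Error 1730" in the event message are illustrative choices; confirm both against events from an affected machine.

```powershell
# Added example: summarize MsiInstaller errors/warnings after the update rollout.
$since = (Get-Date).AddDays(-7)   # assumption: review window of 7 days

# MsiInstaller is the Windows Installer event source in the Application log.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'MsiInstaller'
    Level        = 2, 3            # 2 = Error, 3 = Warning
    StartTime    = $since
} -ErrorAction SilentlyContinue    # no matching events is not a failure

$report = foreach ($e in $events) {
    # Installer messages typically start with "Product: <name> -- <text>".
    $product = if ($e.Message -match '^Product:\s*(.+?)\s+--') { $Matches[1] } else { '(unknown)' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        EventId   = $e.Id
        Product   = $product
        # Assumption: the repair failure surfaces as "Error 1730" in the message.
        Error1730 = [bool]($e.Message -match 'Error 1730')
        UserSid   = $e.UserId      # account the installer ran under
    }
}

# Which products and event IDs are generating the most noise?
$report | Group-Object Product, EventId |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Individual Error 1730 hits, oldest first, for follow-up with the app owner.
$report | Where-Object Error1730 |
    Sort-Object Time |
    Format-Table Time, Product, UserSid -AutoSize
```

Run it on pilot machines before and after the update so that residual prompts or failures show up as a change in the counts.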
Strengths of Microsoft’s response — and remaining risks
Strengths
- The September update is narrowly scoped: it preserves an important security hardening (CVE mitigation) while restoring real‑world compatibility in a measured way, rather than rolling the entire hardening back.
- Microsoft provided operational mitigations (KIR) for enterprise customers and vendor guidance (NDI docs) for streamers, enabling organizations to keep the security posture while restoring service continuity.
- The inclusion of SMB auditing and telemetry helps IT teams proactively find compatibility problems before stricter enforcement is applied.
Remaining risks and open questions
- SSU permanence: bundling the SSU complicates recovery options and increases the cost of rapid rollback in emergency scenarios. Documenting package names and image recovery steps is essential.
- Partial fixes and environmental variance: NDI/RUDP fixes reduce the regression for most users, but differences in NIC drivers, offload settings, virtual NICs, and third‑party capture filters may still produce edge failures that require per‑site troubleshooting. Treat the fix as necessary but not necessarily sufficient in all environments. (heise.de)
- Administrative temptation to over‑scope KIR: Allowlisting is a powerful but dangerous lever. Overly broad KIRs defeat the security hardening purpose; keep KIR scopes narrow, time‑boxed, and tracked in change control. (windowsforum.com)
- Unverified or evolving details: some reportage about precise build numbers and LCU/SSU package versions varied between early community posts and final Microsoft notes. Administrators must confirm exact package names and build numbers in their environment before taking action. If a discrepancy appears between vendor guidance and what you see on your machines, treat the device’s local reporting as authoritative and open a support case.
Quick reference — commands and links to use in testing (concise)
- Check OS build:
  - winver (GUI) or systeminfo /FO LIST | findstr /B /C:"OS Name" /C:"OS Version" (PowerShell alternatives exist)
- List installed packages (to capture LCU package name):
  - DISM /online /get-packages
- Remove LCU (only if necessary; SSU cannot be removed with wusa):
  - DISM /Online /Remove-Package /PackageName:<LCU package name>
- NDI Receive Mode change:
  - Install NDI Tools → NDI Access Manager → Advanced → Receive Mode → Single TCP / UDP → restart apps. (bleepingcomputer.com, windowsforum.com)
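The build check and package listing above can be captured in one pass before a baseline image is changed. This added example (not from the original article or from Microsoft) records the OS build, whether KB5065426 is reported as installed, and the full package list, then prints the removal command for the newest rollup without running it. The output folder is a hypothetical path, and the Package_for_RollupFix name pattern should be verified against your own DISM output.

```powershell
# Added example: record a rollback baseline. Run from an elevated session,
# because Get-WindowsPackage -Online requires administrator rights.
$kb     = 'KB5065426'                 # KB named in this article
$outDir = 'C:\PatchBaseline'          # hypothetical output folder
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# OS build including the update revision (UBR), read from the local registry.
$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = '{0}.{1}' -f $cv.CurrentBuild, $cv.UBR

# Is the KB reported as installed on this device?
$hotfix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue

# Same data as "DISM /online /get-packages", returned as objects.
$packages = Get-WindowsPackage -Online |
    Select-Object PackageName, PackageState, ReleaseType, InstallTime
$packages | Export-Csv -Path (Join-Path $outDir "packages-$stamp.csv") -NoTypeInformation

# Cumulative updates are normally serviced as Package_for_RollupFix~...
# (check this pattern against the exported list before relying on it).
$latestRollup = $packages |
    Where-Object { $_.PackageName -like 'Package_for_RollupFix*' } |
    Sort-Object InstallTime -Descending |
    Select-Object -First 1

$summary = [pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    DisplayVersion = $cv.DisplayVersion
    Build          = $build
    KbInstalled    = [bool]$hotfix
    LatestRollup   = $latestRollup.PackageName
}
$summary | ConvertTo-Json | Set-Content -Path (Join-Path $outDir "summary-$stamp.json")
$summary | Format-List

# Print, but do not execute, the removal command for the newest rollup.
if ($summary.LatestRollup) {
    "DISM /Online /Remove-Package /PackageName:$($summary.LatestRollup)"
}
```

Keep the exported CSV with the image's change record so the exact package name is on hand if the LCU has to be removed later.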
Conclusion
KB5065426 represents a practical, measured course correction: it keeps the security gains realized in August while reducing the immediate operational pain for streamers and enterprise environments. The update restores NDI audio/video stability for most OBS setups, and it narrows the new MSI/UAC enforcement to allow administrators to restore critical non‑admin workflows without throwing the security blanket back over their fleets. However, the delivery method (combined SSU+LCU), the availability of KIR allowlists, and environment-specific factors mean careful piloting, tight scope for any temporary mitigations, and thorough post‑deployment telemetry checks remain essential. Organizations should prioritize representative pilots, validate MSI and NDI flows under production‑like conditions, and prepare recovery images and DISM procedures before broad rollout. For streamers and small teams, the NDI Access Manager workaround remains a low‑friction escape hatch while KB5065426 reaches all devices; for IT teams, KIR is a limited, temporary lifeline that must be used conservatively and tracked with the same rigor as any security exception.