Microsoft released a September 9, 2025 hotpatch—KB5065474—for Windows 11 Enterprise LTSC 2024 that advances hotpatch coverage to a new OS build (26100.6508), addresses a notable UAC/MSI compatibility issue, and includes a known‑issue advisory that affects PowerShell Direct (PSDirect) connectivity between mixed‑patched hosts and guests. (support.microsoft.com) (techcommunity.microsoft.com)

Background / Overview

Hotpatching is Microsoft’s “reboot‑less” servicing model for eligible Windows 11 Enterprise (24H2 / LTSC 2024) devices that allows many security fixes to be applied immediately without a system restart. The model pairs quarterly baseline (restart‑required) updates with intervening hotpatch months that deliver security‑only changes in a way that patches running code in memory. That reduces downtime for mission‑critical endpoints while still delivering security parity with the standard cumulative updates. (techcommunity.microsoft.com) (techcommunity.microsoft.com)
KB5065474 is the September 9, 2025 hotpatch for Windows 11 Enterprise LTSC 2024 and registers as OS Build 26100.6508 after installation. The Microsoft KB page lists the release date, targeted platform, build number, a short description of the fixes, the file/SSU packaging details, and a prominent note about an impending Secure Boot certificate expiration program that organizations must prepare for. (support.microsoft.com)
This article summarizes what KB5065474 delivers, how it should be deployed in enterprise environments, the practical prerequisites for hotpatch eligibility (including Arm64 caveats), the known issue affecting PSDirect and its workaround, and a critical analysis of operational risks and mitigations IT teams should adopt before broad rollout.

What KB5065474 actually changes

Improvements and fixes (high level)

  • The public KB describes the hotpatch as delivering quality and security improvements to internal OS functionality and calls out a specific app‑compatibility issue: unexpected User Account Control (UAC) prompts for non‑admin users when MSI installers run certain custom actions (such as repair operations). This fix reduces unnecessary UAC prompts for MSI repair scenarios and allows administrators to add affected installers to an allowlist to suppress prompts where appropriate. (support.microsoft.com)
  • The package is shipped by Microsoft as a hotpatch bundle that includes the latest Servicing Stack Update (SSU) for the platform; Microsoft combines the SSU with the hotpatch to reduce installation failures and simplify administration. The KB references a specific SSU package in its file information. (support.microsoft.com)
  • The KB explicitly warns about a Secure Boot certificate expiration program that begins in June 2026 and recommends administrators review and prepare certificate updates in advance since they could affect pre‑boot trust and updateability. (support.microsoft.com) (techcommunity.microsoft.com)
These are intentionally concise public notes; Microsoft typically omits granular CVE detail in “hotpatch” KB bullets and points administrators to the Security Update Guide or other CVE mapping resources if specific CVE linkage is required for compliance reporting. Treat the KB’s “miscellaneous security improvements” wording as functionally accurate but opaque—administrators who need CVE IDs for audit or prioritization should consult the Security Update Guide or open a support case. (support.microsoft.com)

Known issue: PSDirect connectivity (important)

KB5065474 documents a real operational edge case: when a patched VM (guest) and an unpatched host (or vice versa) attempt to use PowerShell Direct (PSDirect), the fallback handshake sometimes fails to clean up the socket. The symptom may appear as intermittent PSDirect connection failures and Security Event log entries such as Event ID 4625. Microsoft points to KB5066360 as the update that remedies the PSDirect fallback problem and recommends updating both host and guest to resolve the issue. This matters for environments that manage VMs through PSDirect (for example, nested administration or automation scripts that rely on it). (support.microsoft.com)
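One way to check host/guest patch parity over the channel the known issue affects, as an added example that is not part of the KB or this post: the script reads the OS build on a Hyper-V host and inside a guest via PowerShell Direct and flags a mismatch. It runs elevated on the Hyper-V host; the VM name, the credential prompt and the function-free layout are assumptions of this example.

```powershell
# Added example (not from Microsoft's KB): compare the OS build of a Hyper-V
# host with the build inside a guest over PowerShell Direct and report whether
# the pair is at the same patch level. Run elevated on the Hyper-V host.
param(
    [string]$VMName = 'LTSC2024-Pilot01',        # assumed guest name
    [pscredential]$GuestCred = (Get-Credential)  # guest local administrator
)

# Build-reading logic executed identically on the host and inside the guest.
# CurrentBuild and UBR together form the "OS Build" that winver displays.
$readBuild = {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    "$($cv.CurrentBuild).$($cv.UBR)"
}

$hostBuild = & $readBuild
try {
    # Invoke-Command -VMName is PowerShell Direct (no network path to the guest).
    $guestBuild = Invoke-Command -VMName $VMName -Credential $GuestCred `
                                 -ScriptBlock $readBuild -ErrorAction Stop
} catch {
    # A failed PSDirect session between a patched and an unpatched side is the
    # documented symptom; the KB's remedy is KB5066360 on both host and guest.
    Write-Warning "PSDirect to '$VMName' failed: $($_.Exception.Message)"
    Write-Warning "Check Security event 4625 on host and guest, then patch both sides."
    return
}

[pscustomobject]@{
    VMName     = $VMName
    HostBuild  = $hostBuild
    GuestBuild = $guestBuild
    Parity     = ($hostBuild -eq $guestBuild)   # $false = mixed-patch state
}
```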

Hotpatch prerequisites and Arm64 specifics

Before relying on KB5065474 as a non‑disruptive, no‑restart fix, confirm these prerequisites for devices to be eligible for hotpatch delivery:
  • Device edition and baseline: Windows 11 Enterprise LTSC 2024 (version 24H2 lineage), with the current quarterly baseline installed; historically that has meant Build 26100.4929 or later. Check the KB’s exact baseline requirement for your deployment. (support.microsoft.com)
  • Management and licensing: Devices must be managed via Microsoft Intune (or Windows Autopatch for orchestration) with a Windows quality update policy that enables Hotpatch delivery. Eligible SKUs include Windows 11 Enterprise E3/E5, Microsoft 365 F3, Windows 11 Education A3/A5, Microsoft 365 Business Premium, Windows 365 Enterprise, etc. Confirm license entitlement before enabling hotpatching. (support.microsoft.com)
  • Virtualization‑based Security (VBS): VBS must be enabled on endpoints to be eligible in many scenarios. VBS and some virtualization settings can affect eligibility in virtualized environments—validate configuration for managed VMs. (support.microsoft.com)
  • Arm64 requirement — CHPE must be disabled: For Arm64 devices (64‑bit ARM such as some Surface/Cloud PC devices), Microsoft requires disabling the Compiled Hybrid PE (CHPE) compatibility layer to be eligible for hotpatches. That is a one‑time change that requires a restart when applied and can affect x86 emulation performance. Admins can set the DisableCHPE CSP via Intune or use the HotPatchRestrictions registry key to opt‑in; follow Microsoft guidance and test thoroughly before wide deployment. (support.microsoft.com) (techcommunity.microsoft.com)
These prerequisites and administrative controls are repeated across Microsoft’s hotpatch release notes and IT guidance; they are necessary gating items that must be validated in your inventory and enrollment tooling prior to expecting KB5065474 to flow to endpoints as a hotpatch. (support.microsoft.com)

How KB5065474 is distributed and installed

  • Distribution channels: For eligible, managed devices KB5065474 is available through Windows Update (automatic) and Microsoft Update. The KB page notes that the SSU is included when installing via Windows Update, while catalog/WSUS listings may show different packaging. This means the simplest path for many organizations is to allow Windows Update (or Microsoft Update) to deliver the combined hotpatch + SSU to Intune‑managed devices, provided enrollment, policies, and prerequisites are in place. (support.microsoft.com)
  • SSU bundling: Because servicing stack issues cause many update failures, bundling the SSU with the hotpatch reduces the chance of install timeouts or partial installs. The KB lists the SSU package name/version used with the hotpatch for traceability. (support.microsoft.com)
  • Visibility: Hotpatches appear in system reporting with their own KB identifiers and may report a different OS build than devices that receive the standard restart‑required cumulative update. Update and asset management tools (SCCM, Intune reporting, CMDB, SIEM integrations) must be configured to recognize the hotpatched build numbers (for example, OS Build 26100.6508) so compliance scanners do not mistakenly flag patched endpoints as unpatched.

Recommended deployment plan (practical checklist)

  • Inventory and eligibility verification: Confirm each target device is Windows 11 Enterprise LTSC 2024 and record current OS builds across your estate. Ensure they are on the baseline required for hotpatch eligibility. (support.microsoft.com)
  • Licensing and management validation: Confirm your tenant and devices have eligible licenses and that Intune/Autopatch is set up for the targeted device groups. (support.microsoft.com)
  • Prepare Arm64 devices (if any): Evaluate the CHPE disablement impact for x86 emulation workloads; test with critical apps, then apply the DisableCHPE CSP or set the HotPatchRestrictions registry key and schedule a one‑time restart. Document the change. (support.microsoft.com)
  • Pilot: Create a small, representative pilot ring (including devices with EDR, specialty drivers, and virtualization hosts/guests) and enable a hotpatch‑enabled Windows quality update policy in Intune for that ring. Monitor update health for 7–14 days.
  • Verify PSDirect host/guest parity: If you rely on PowerShell Direct for VM management, update both host and guest pilot VMs to avoid PSDirect fallbacks; KB5065474 calls this out explicitly with a workaround reference to KB5066360. (support.microsoft.com)
  • Staged rollout: Expand rollout in rings (pilot → early adopters → broad deployment), monitor telemetry and event logs, and remain ready to pause or exclude device groups if unexpected regressions appear.
  • Update runbooks and compliance dashboards: Ensure your patch‑management reports, SIEM rules, and CMDB ingest the hotpatch KB and the updated OS build numbers; otherwise audits may show false negatives.

Monitoring and verification after install

  • Confirm OS Build: On a test device, run winver or check System > About and confirm the OS Build shows 26100.6508 for devices that received KB5065474. The KB explicitly cites that build identifier in its header and file information. (support.microsoft.com)
  • Check event logs and telemetry: Watch for security event 4625 (PSDirect symptom), and examine update failure codes in WindowsUpdateClient and the servicing stack logs. If PSDirect errors appear, update both host/guest and apply KB5066360 as directed. (support.microsoft.com)
  • Validate third‑party vendor compatibility: Confirm EDR, backup agents, and kernel driver vendors have declared compatibility with hotpatching—or include those vendors in your pilot test matrix. Hotpatches can interact with kernel‑hooking products in subtle ways, so build those vendors into your validation plan.

Strengths and operational benefits

  • Immediate protection with reduced downtime: Hotpatches like KB5065474 take effect on install without requiring an immediate restart, shrinking the vulnerable window and increasing endpoint availability—valuable for healthcare, industrial control, and other high‑availability environments. (techcommunity.microsoft.com)
  • Smaller payloads, faster installs: Hotpatch packages tend to be narrower than full cumulative LCUs, which lowers network and deployment overhead for large fleets. (techcommunity.microsoft.com)
  • Better servicing reliability via SSU bundling: Including the SSU with the hotpatch reduces a common class of update failures and simplifies day‑to‑day patch operations. (support.microsoft.com)
These benefits make hotpatch a pragmatic option for enterprises that demand high uptime while still requiring current security posture.

Risks, limitations and what to watch for

  • Opaque fix descriptions: Microsoft’s wording in many hotpatch KBs is intentionally terse (“miscellaneous security improvements”). If compliance or audit regimes need CVE identifiers or precise exploitability data, administrators should cross‑check the Security Update Guide and escalate to Microsoft if necessary. Lack of CVE mapping in the KB is not unusual but it is a real operational gap for regulated organizations. (support.microsoft.com)
  • PSDirect interoperability: The documented PSDirect fallback failure between patched and unpatched hosts/guests creates a real operational seam for virtualized environments—ensure you coordinate host/guest patch parity during your rollout windows. KB5066360 fixes the symptom referenced by Microsoft; plan to update both sides. (support.microsoft.com)
  • CHPE disablement impact on Arm64: Disabling CHPE can affect x86 emulation performance or compatibility for certain apps. While Microsoft treats the disablement as a one‑time change, organizations with significant Arm64 fleets must test thoroughly before making it standard across devices. (support.microsoft.com)
  • Third‑party drivers and EDR agents: Because hotpatches modify in‑memory code paths, interactions with kernel drivers and security hooks can be subtle and may lead to functional regressions. Include EDR and driver vendors in pilot testing and maintain rollback/runbook procedures. Community reports and vendor advisories repeatedly emphasize that pilot testing remains essential.
  • Inventory and audit visibility: Hotpatches change how patch state is represented (different KB identifiers and build numbers). Failing to update compliance tooling can create false negatives in vulnerability scans and audits. Ensure SCCM/Intune/CMDB ingestion pipelines understand hotpatch builds.
  • Secure Boot certificate timeline: Microsoft announced that some Secure Boot certificates begin to expire in June 2026. Organizations must coordinate OS updates, OEM firmware, and Secure Boot certificate rollout plans now—delaying this multi‑stakeholder task risks pre‑boot updateability and trust issues in 2026. KB5065474 explicitly calls attention to this timeline. (support.microsoft.com) (techcommunity.microsoft.com)

Tactical mitigations IT teams should implement now

  • Start a Secure Boot readiness project: Inventory devices by firmware/OEM, verify Secure Boot state, opt‑in diagnostic telemetry as appropriate to allow Microsoft to manage certificate rollout for eligible devices, and coordinate with OEMs on firmware availability. Microsoft’s Secure Boot certificate guidance is explicit—treat it as a cross‑functional program. (support.microsoft.com)
  • Build hotpatch visibility into compliance dashboards: Map KB IDs and updated OS builds into your compliance rules and automatic dashboards so hotpatched endpoints report as compliant. Update SIEM and vulnerability scanners to recognize hotpatch build numbers.
  • Vendor coordination and pilot matrix: Add EDR vendors, backup vendors, virtualization vendors, and critical application vendors to your pilot and validation checklist. Track vendor statements and reproduce test cases that mirror production usage, including PSDirect scenarios where applicable.
  • Document rollback and recovery: Test uninstall behavior for hotpatches in a lab. Note that uninstalling a hotpatch often requires a restart and may require reapplying a baseline LCU to return the system to a standard servicing state—practice and document the steps before production rollout.

Quick reference: commands and checks (auditable steps)

  • Verify build after install: Use winver or Settings > System > About to confirm OS Build is 26100.6508 on machines that received KB5065474. (support.microsoft.com)
  • Confirm hotpatch eligibility policy: In Intune, verify the Windows quality update policy is set to allow hotpatching (“When available, apply without restarting the device” = Allow) and confirm device assignment to the policy. (support.microsoft.com)
  • For Arm64 one‑time CHPE disable: Apply the DisableCHPE CSP via Intune or set registry HotPatchRestrictions = 1 under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management, then restart once to apply the change (test first). (support.microsoft.com)
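The checks in this quick reference and in the monitoring section above, collected into one script as an added example (not code from Microsoft’s KB): it reads the OS build from the registry and compares it with 26100.6508, reports whether VBS is running, checks the HotPatchRestrictions opt‑in on Arm64, and counts recent Security event 4625 entries. The function names, the 24‑hour event window and the use of `-ge` (so later hotpatch builds also pass) are this example’s assumptions; run it in an elevated session.

```powershell
# Added example (not from Microsoft's KB): post-install checks for KB5065474
# on a Windows 11 Enterprise LTSC 2024 device. Build numbers and registry paths
# are the ones the KB cites; function names and the 24-hour window are assumed.
$ExpectedBuild = 26100   # Windows 11 24H2 / LTSC 2024 major build
$ExpectedUbr   = 6508    # UBR reported once KB5065474 is installed

function Get-OsBuild {
    # CurrentBuild and UBR together form the "OS Build" shown by winver.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{ Build = [int]$cv.CurrentBuild; Ubr = [int]$cv.UBR }
}

function Test-AtOrAboveKbBuild {
    # True for 26100.6508 or a later 26100.x UBR; an unpatched LTSC 2024 device
    # reports the same major build with a lower UBR.
    $b = Get-OsBuild
    ($b.Build -eq $ExpectedBuild) -and ($b.Ubr -ge $ExpectedUbr)
}

function Test-VbsRunning {
    # Win32_DeviceGuard: VirtualizationBasedSecurityStatus 2 = running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    $dg.VirtualizationBasedSecurityStatus -eq 2
}

function Test-Arm64ChpeOptIn {
    # Only relevant on Arm64; the KB's opt-in is HotPatchRestrictions = 1.
    if ($env:PROCESSOR_ARCHITECTURE -ne 'ARM64') { return $true }
    $mm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management' `
                           -ErrorAction SilentlyContinue
    [int]$mm.HotPatchRestrictions -eq 1
}

function Get-RecentLogonFailures {
    # Event 4625 is the symptom the KB lists for the PSDirect fallback issue;
    # a rising count on a Hyper-V host or guest is a cue to check patch parity.
    $since = (Get-Date).AddHours(-24)
    @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                   -ErrorAction SilentlyContinue).Count
}

$build = Get-OsBuild
[pscustomobject]@{
    OsBuild          = "$($build.Build).$($build.Ubr)"
    KB5065474OrLater = Test-AtOrAboveKbBuild
    VbsRunning       = Test-VbsRunning
    Arm64ChpeOptIn   = Test-Arm64ChpeOptIn
    LogonFailures24h = Get-RecentLogonFailures
} | Format-List
```

Feed the resulting object into your compliance pipeline rather than the winver screenshot, so hotpatched endpoints report the 26100.6508 build the KB cites instead of being flagged as unpatched.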

Final analysis: balancing uptime with assurance

KB5065474 is emblematic of Microsoft’s approach to hotpatching: it delivers security improvements with minimal end‑user disruption while preserving the quarterly baseline rhythm for larger, restart‑required maintenance. For environments that must maximize uptime—medical devices, industrial controllers, customer‑facing kiosks, and similar LTSC‑style deployments—hotpatching provides real operational value. (techcommunity.microsoft.com)
That said, the value depends on process maturity. Organizations must invest in three things to safely benefit from hotpatches:
  • Accurate inventory and compliance tooling that understands hotpatched build semantics.
  • Thorough pilot testing that includes virtualization host/guest parity, EDR/driver vendors, and Arm64 performance validation if applicable.
  • A program plan for the Secure Boot certificate lifetime replacement program (June 2026) that coordinates firmware, OEMs, and OS updates. (techcommunity.microsoft.com)
Finally, recognize that Microsoft’s public KB notes are intentionally concise; they are accurate operational guidance but sometimes lack CVE‑level granularity. If you have compliance requirements that depend on CVE identifiers or exploitability assessments, use the Security Update Guide and work with Microsoft Support or your vendor partners to obtain the additional evidence you need before broad deployment. (support.microsoft.com)

KB5065474 (OS Build 26100.6508) is a practical, low‑disruption security hotpatch for Windows 11 Enterprise LTSC 2024 that corrects real‑world app‑compatibility behavior while drawing attention to larger operational imperatives—most notably Secure Boot certificate lifecycle management and the need for host/guest patch parity in virtualized environments. Apply it with a disciplined pilot, validate vendor compatibility, and treat the Secure Boot timetable as an immediate planning requirement. (support.microsoft.com) (techcommunity.microsoft.com) (windowslatest.com)

Source: Microsoft Support September 9, 2025—KB5065474: Hotpatch for Windows 11 Enterprise LTSC 2024 (OS Build 26100.6508) - Microsoft Support