Microsoft released a hotpatch—KB5065474—on September 9, 2025, for Windows 11 Enterprise LTSC 2024 that updates eligible devices to OS Build 26100.6508 and delivers targeted security and quality fixes while calling attention to an important Secure Boot certificate expiration window and a specific PowerShell Direct interoperability issue.

Background

Hotpatching is Microsoft’s low-disruption servicing mechanism designed to deliver security-only fixes that can take effect immediately without forcing the normal restart cycle required by full cumulative updates. The model pairs quarterly baseline months (restart-required LCUs + SSU) with intervening hotpatch months that reduce forced reboots for compliant, managed endpoints. The hotpatch approach is now part of Windows 11 Enterprise LTSC 2024 servicing and is intended for environments that must minimize downtime while remaining secure. Hotpatches are intentionally narrow in scope—focused on security and internal OS hardening—and are not substitutes for baseline cumulative updates, feature rollups, firmware fixes, or driver replacements that inherently require on-disk binary replacement and a restart. Administrators must therefore maintain regular baseline maintenance while leveraging hotpatches for interim, urgent mitigations.

What KB5065474 Is (Quick Summary)

  • Applies to: Windows 11 Enterprise LTSC 2024.
  • Release date: September 9, 2025.
  • Version after install: OS Build 26100.6508.
  • Delivery model: Hotpatch (no restart required on eligible devices for the remainder of the servicing quarter). (support.microsoft.com, techcommunity.microsoft.com)
  • Management: Devices must be enrolled in Microsoft Intune (or Windows Autopatch) with a Windows quality update policy that enables hotpatching. Intune is used to toggle the hotpatch behavior (e.g., setting “When available, apply without restarting the device” to Allow). (techcommunity.microsoft.com)
  • Virtualization‑based Security (VBS): VBS must be enabled where required; VBS is a foundational security prerequisite for hotpatching and affects firmware/hardware requirements (TPM, virtualization support).
  • Arm64-specific: Compiled Hybrid PE (CHPE) must be disabled for Arm64 devices to accept hotpatches. This can be done via:
      • Setting the registry value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\HotPatchRestrictions = 1, or
      • Applying the DisableCHPE CSP via Intune (Device/Vendor/MSFT/Policy/Config/Hotpatch/DisableCHPE = 1),
    and restarting once. After the one-time restart, devices remain eligible for hotpatches. Administrators must test CHPE disablement for application compatibility and potential performance impact (x86 emulation workloads can be affected).
Note: Arm64 hotpatch support has graduated from preview to general availability in recent cycles, but CHPE disablement remains a one-time, required configuration for consistent hotpatch acceptance. Treat Arm64 rollouts conservatively and validate all critical workloads. (support.microsoft.com, support.microsoft.com, learn.microsoft.com)
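As an added readiness check that is not part of the KB article or of Microsoft's own tooling, the following PowerShell script reads the three prerequisites the summary above lists: the OS build, the VBS state, and (on Arm64) the HotPatchRestrictions value. It assumes the standard Win32_DeviceGuard CIM class for VBS status and the "EnterpriseS" edition ID for LTSC; Intune enrollment and licensing are not checked.

```powershell
# Added example, not from the KB article: pre-flight checks for KB5065474 hotpatch
# eligibility on Windows 11 Enterprise LTSC 2024. Run in an elevated PowerShell session.
# Assumptions: target build 26100.6508 as stated in the article; VBS state read from the
# Win32_DeviceGuard CIM class; "EnterpriseS" as the LTSC edition ID; Arm64 CHPE state read
# from the HotPatchRestrictions value named in the article.

function Test-HotpatchReadiness {
    $results = [ordered]@{}

    # 1. Edition and build. CurrentBuildNumber is the major build (26100 for LTSC 2024);
    #    UBR is the revision, i.e. the "6508" in 26100.6508.
    $nt    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$nt.CurrentBuildNumber
    $ubr   = [int]$nt.UBR
    $results['EditionId']          = $nt.EditionID
    $results['IsLtscEdition']      = ($nt.EditionID -eq 'EnterpriseS')   # assumption
    $results['OnBuild26100']       = ($build -eq 26100)
    $results['AtOrAbove26100.6508'] = ($build -eq 26100 -and $ubr -ge 6508)

    # 2. VBS must be running: VirtualizationBasedSecurityStatus 2 = enabled and running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $results['VbsRunning'] = ($null -ne $dg -and $dg.VirtualizationBasedSecurityStatus -eq 2)

    # 3. Arm64 only: CHPE must be disabled (HotPatchRestrictions = 1) before hotpatches apply.
    $isArm64 = ($env:PROCESSOR_ARCHITECTURE -eq 'ARM64')
    $results['IsArm64'] = $isArm64
    if ($isArm64) {
        $mm  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
        $val = (Get-ItemProperty -Path $mm -Name HotPatchRestrictions `
                    -ErrorAction SilentlyContinue).HotPatchRestrictions
        $results['ChpeDisabled'] = ($val -eq 1)
    } else {
        $results['ChpeDisabled'] = 'n/a (not Arm64)'
    }

    # Overall verdict: every required gate must be true; Arm64 adds the CHPE gate.
    $gates = @($results['IsLtscEdition'], $results['OnBuild26100'], $results['VbsRunning'])
    if ($isArm64) { $gates += $results['ChpeDisabled'] }
    $results['ReadyForHotpatch'] = -not ($gates -contains $false)

    [pscustomobject]$results
}

Test-HotpatchReadiness | Format-List
```

A device that reports ReadyForHotpatch = True but AtOrAbove26100.6508 = False still needs the KB5065474 hotpatch itself delivered through the Intune quality update policy described above.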

Bottom line — what every Windows IT team should do this quarter

  • Verify eligibility now. Confirm licensing, Intune enrollment, and baseline builds across your fleet. Hotpatches only apply to properly prepared devices.
  • Plan an Arm64 strategy. If you operate Arm64 devices, test CHPE disablement carefully and use the DisableCHPE CSP where possible to automate the one-time configuration. Expect potential emulation/performance trade-offs for x86 workloads.
  • Pilot widely, not thinly. Include EDR, drivers, virtualization hosts/guests, and business-critical apps in pilot rings. The PSDirect issue demonstrates the operational friction of uneven patching—coordinate host/guest patch windows.
  • Address Secure Boot certificate work now. The June 2026 certificate schedule is a cross-domain project—engage OEMs, firmware teams, and update managers early.
  • Maintain baseline discipline. Hotpatches reduce restarts but do not eliminate the need for baseline maintenance. Schedule and complete baseline restarts when required.

KB5065474 is a pragmatic hotpatch release: it closes targeted security gaps and improves app compatibility for non-admin MSI repair flows while highlighting two operational imperatives—PSDirect host/guest parity for virtualized management and the broader Secure Boot certificate timeline. For organizations that carefully validate prerequisites, stage pilots, and coordinate firmware/OEM work, hotpatching continues to deliver tangible uptime improvements without sacrificing security, but it requires disciplined change control and clear telemetry to spot the rare but consequential regressions that can arise when in-memory fixes interact with complex third‑party stacks. (support.microsoft.com, "September 9, 2025—KB5065474: Hotpatch for Windows 11 Enterprise LTSC 2024 (OS Build 26100.6508) - Microsoft Support")