Microsoft released a hotpatch—KB5065474—on September 9, 2025, for Windows 11 Enterprise LTSC 2024 that updates eligible devices to OS Build 26100.6508 and delivers targeted security and quality fixes while calling attention to an important Secure Boot certificate expiration window and a specific PowerShell Direct interoperability issue. (support.microsoft.com)
Hotpatching is Microsoft’s low-disruption servicing mechanism designed to deliver security-only fixes that can take effect immediately without forcing the normal restart cycle required by full cumulative updates. The model pairs quarterly baseline months (restart-required LCUs + SSU) with intervening hotpatch months that reduce forced reboots for compliant, managed endpoints. The hotpatch approach is now part of Windows 11 Enterprise LTSC 2024 servicing and is intended for environments that must minimize downtime while remaining secure. (techcommunity.microsoft.com)
Hotpatches are intentionally narrow in scope—focused on security and internal OS hardening—and are not substitutes for baseline cumulative updates, feature rollups, firmware fixes, or driver replacements that inherently require on-disk binary replacement and a restart. Administrators must therefore maintain regular baseline maintenance while leveraging hotpatches for interim, urgent mitigations. (techcommunity.microsoft.com)
Microsoft’s public wording remains intentionally concise—hotpatch KBs typically present high-level descriptions rather than enumerated CVE mappings—so administrators requiring precise vulnerability identifiers should cross-check the Security Update Guide or contact Microsoft for CVE mappings where audit or compliance requirements demand explicit CVE tracking. (support.microsoft.com)
This is an important operational detail for environments that use PSDirect for host-to-guest management in virtualized deployments—particularly on Hyper-V hosts or in lab environments where patches are applied out-of-band or unevenly.
Key prerequisites (Arm64 notes are especially important):
KB5065474 is a pragmatic hotpatch release: it closes targeted security gaps and improves app compatibility for non-admin MSI repair flows while highlighting two operational imperatives—PSDirect host/guest parity for virtualized management and the broader Secure Boot certificate timeline. For organizations that carefully validate prerequisites, stage pilots, and coordinate firmware/OEM work, hotpatching continues to deliver tangible uptime improvements without sacrificing security, but it requires disciplined change control and clear telemetry to spot the rare but consequential regressions that can arise when in-memory fixes interact with complex third‑party stacks. (support.microsoft.com, techcommunity.microsoft.com)
Source: Microsoft Support September 9, 2025—KB5065474: Hotpatch for Windows 11 Enterprise LTSC 2024 (OS Build 26100.6508) - Microsoft Support
Hotpatching is Microsoft’s low-disruption servicing mechanism designed to deliver security-only fixes that can take effect immediately without forcing the normal restart cycle required by full cumulative updates. The model pairs quarterly baseline months (restart-required LCUs + SSU) with intervening hotpatch months that reduce forced reboots for compliant, managed endpoints. The hotpatch approach is now part of Windows 11 Enterprise LTSC 2024 servicing and is intended for environments that must minimize downtime while remaining secure. (techcommunity.microsoft.com)Hotpatches are intentionally narrow in scope—focused on security and internal OS hardening—and are not substitutes for baseline cumulative updates, feature rollups, firmware fixes, or driver replacements that inherently require on-disk binary replacement and a restart. Administrators must therefore maintain regular baseline maintenance while leveraging hotpatches for interim, urgent mitigations. (techcommunity.microsoft.com)
What KB5065474 Is (Quick Summary)
- Applies to: Windows 11 Enterprise LTSC 2024.
- Release date: September 9, 2025. (support.microsoft.com)
- Version after install: OS Build 26100.6508. (support.microsoft.com)
- Delivery model: Hotpatch (no restart required on eligible devices for the remainder of the servicing quarter). (support.microsoft.com, techcommunity.microsoft.com)
- Packaging: Microsoft bundles the latest Servicing Stack Update (SSU) with the hotpatch to improve installation reliability. (support.microsoft.com)
- Public notes: The KB describes quality/security improvements, including a concrete app-compatibility/UAC fix and a documented known issue affecting PowerShell Direct (PSDirect) when host and guest are unevenly patched. (support.microsoft.com)
Release highlights and technical details
Improvements and fixes included
The KB text summarizes the package as delivering quality improvements and calls out a specific app-compatibility correction: an issue that could cause unexpected User Account Control (UAC) prompts for non-admin users during certain MSI repair or custom actions has been addressed. This fix targets scenarios where MSI installers trigger elevated operations (for example, some Office or Autodesk installer repai r flows) and reduces unnecessary UAC prompts that can block non-admin workflows. (support.microsoft.com)Microsoft’s public wording remains intentionally concise—hotpatch KBs typically present high-level descriptions rather than enumerated CVE mappings—so administrators requiring precise vulnerability identifiers should cross-check the Security Update Guide or contact Microsoft for CVE mappings where audit or compliance requirements demand explicit CVE tracking. (support.microsoft.com)
Known issue: PowerShell Direct (PSDirect) interoperability
KB5065474 documents an edge-case interoperability problem: PSDirect connections may fail when a hotpatched guest VM and an unpatched host (or vice versa) attempt to communicate. The expected fallback handshake is sometimes failing intermittently, producing socket cleanup/rejection issues and potentially logging Event ID 4625 in the Security log. Microsoft points administrators to KB5066360 for the corrective host/guest updates and recommends applying those updates to both host and guest to remediate PSDirect failures. (support.microsoft.com)This is an important operational detail for environments that use PSDirect for host-to-guest management in virtualized deployments—particularly on Hyper-V hosts or in lab environments where patches are applied out-of-band or unevenly.
Servicing Stack Update (SSU) inclusion
Microsoft bundles the SSU with the hotpatch when delivered via Windows Update to reduce installation flakiness and servicing stack-related failures. The KB lists the SSU file information and recommends using Windows Update for automatic installation; the Microsoft Update Catalog and WSUS remain options for managed deployments. Administrators should verify SSU versions when reporting update failures or troubleshooting install health. (support.microsoft.com)Secure Boot certificate expiration: operational imperative
KB5065474 re-emphasizes a cross-cutting platform risk: Secure Boot certificates used by many Windows devices are scheduled to begin expiring in June 2026. Microsoft warns that failure to coordinate and update certificates (platform OEM coordination, firmware updates, and CA certificates) could affect pre-boot trust and the ability to update or boot securely. Administrators are urged to review Microsoft’s guidance now and take proactive remediation steps to avoid mid‑2026 disruption. This advisory extends beyond the hotpatch itself and requires cross-team action (OS, firmware/OEM, and update management). (support.microsoft.com)Hotpatch prerequisites and enrollment (what you must verify)
KB5065474 reiterates Microsoft’s eligibility and configuration requirements for hotpatch delivery—these are critical because only properly prepared devices will receive the no-restart hotpatch versions.Key prerequisites (Arm64 notes are especially important):
- OS baseline and build: Devices must be running Windows 11 Enterprise, version 24H2, on the required baseline build and meet the minimum build eligibility (historical requirements were Build 26100.2033 or later; KB prerequisites reference build minimums like 26100.4929 or later for recent hotpatch cycles). Verify via winver or inventory tools. (support.microsoft.com, techcommunity.microsoft.com)
- Licensing: Eligible enterprise or education subscriptions (Windows 11 Enterprise E3/E5, Microsoft 365 F3, Windows 11 Education A3/A5, Microsoft 365 Business Premium, Windows 365 Enterprise, etc.) are required for hotpatch enrollment. (techcommunity.microsoft.com, support.microsoft.com)
- Management: Devices must be enrolled in Microsoft Intune (or Windows Autopatch) with a Windows quality update policy that enables hotpatching. Intune is used to toggle the hotpatch behavior (e.g., setting “When available, apply without restarting the device” to Allow). (learn.microsoft.com, techcommunity.microsoft.com)
- Virtualization‑based Security (VBS): VBS must be enabled where required; VBS is a foundational security prerequisite for hotpatching and affects firmware/hardware requirements (TPM, virtualization support). (techcommunity.microsoft.com)
- Arm64-specific: Compiled Hybrid PE (CHPE) must be disabled for Arm64 devices to accept hotpatches. This can be done via:
- Setting the registry key:
- HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\HotPatchRestrictions = 1
- Or applying the DisableCHPE CSP via Intune (Device/Vendor/MSFT/Policy/Config/Hotpatch/DisableCHPE = 1) and restarting once. After the one-time restart, devices remain eligible for hotpatches. Administrators must test CHPE disablement for application compatibility and potential performance impact (x86 emulation workloads can be affected). (learn.microsoft.com)
How to get and install KB5065474
- Windows Update: Automatic download and install for eligible, managed devices (recommended for the included SSU).
- Microsoft Update Catalog: Manual download option for targeted installs or catalogs.
- WSUS: Not included by default for some hotpatch packages—validate availability in your WSUS configuration and distribution points.
- Note: If previous updates are present, devices will only download the delta in this package (the hotpatch model reduces payload size where possible). (support.microsoft.com)
Deployment checklist (practical, step‑by‑step)
- Inventory & baseline verification
- Confirm device OS version and build (Win + R → winver or SCCM/Intune inventory).
- Confirm devices are on the baseline required by Microsoft for hotpatch eligibility. (techcommunity.microsoft.com)
- Licensing & management
- Verify eligible licensing for hotpatch features.
- Ensure devices are enrolled in Microsoft Intune or Windows Autopatch. (techcommunity.microsoft.com)
- Security prerequisites
- Enable VBS at scale where required (use Intune CSPs or recommended scripts). (techcommunity.microsoft.com)
- Arm64 preparation (if applicable)
- Plan and test CHPE disablement on representative Arm64 hardware.
- Apply the DisableCHPE CSP via Intune or set the HotPatchRestrictions registry key and reboot once. Document the change. (learn.microsoft.com)
- Pilot & telemetry
- Create a small pilot ring (7–14 days suggested) covering representative hardware & software (EDR vendors, drivers, virtualization platforms).
- Monitor update health, EDR/driver telemetry, and event logs for anomalies.
- Staged rollout
- Incrementally expand to early adopters and then broad deployment.
- Maintain rollback/runbooks and pre-approved timelines for baseline restarts if problems require falling back to LCUs.
- Post-deployment verification & compliance
- Confirm OS Build displays 26100.6508 for devices that applied KB5065474.
- Update CMDB/SCCM/Intune reports, vulnerability scanners, and SIEM mappings to recognize hotpatched build numbers and KB identifiers. (support.microsoft.com)
Benefits and operational advantages
- Reduced downtime: Hotpatch months allow security fixes to be applied without forcing immediate reboots, lowering productivity impact on mission-critical endpoints. (techcommunity.microsoft.com)
- Faster protection: Hotpatch fixes take effect immediately in memory, narrowing the window between publication and effective mitigation—valuable for zero-day risk reduction. (techcommunity.microsoft.com)
- Smaller payloads: Hotpatch packages are scoped to security changes, reducing network and storage overhead compared with full LCUs.
- Bundled SSU reduces flakiness: Including the servicing stack update with the hotpatch improves the likelihood of successful installs. (support.microsoft.com)
Risks, limitations, and mitigations
Hotpatching is powerful, but not without trade-offs. The following are the major considerations and mitigations:- Compatibility with kernel-mode drivers and security/EDR agents
- Risk: Hotpatches modify in-memory code paths and can interact unpredictably with drivers or agents that hook OS internals.
- Mitigation: Include EDR/security vendor stacks in pilot testing, coordinate with vendors for compatibility statements, and stage rollouts.
- Edge-case interoperability (PSDirect)
- Risk: The documented PSDirect host/guest fallback issue can impact VM management workflows.
- Mitigation: Apply the companion update (KB5066360) to host and guest VMs, or coordinate patching to avoid mismatched host/guest states. Ensure support/maintenance windows cover both ends of virtual stacks. (support.microsoft.com)
- Debug & detection complexity
- Risk: Because hotpatches keep systems online, some classes of failures may be subtler and require robust logging and telemetry to detect.
- Mitigation: Expand logging, maintain a robust telemetry pipeline, and create alerting rules for unusual event IDs and kernel/driver errors.
- Secure Boot certificate expiry coordination
- Risk: Lack of preparation for the certificate expiration program could cause pre-boot trust or updateability issues beginning June 2026.
- Mitigation: Prioritize firmware/OEM coordination and CA updates now; include firmware validation in change windows. Treat this as a program with cross-functional stakeholders. (support.microsoft.com)
- Not a replacement for baselines
- Risk: Overreliance on “no restart” messaging could lead organizations to defer necessary baseline restarts and firmware updates.
- Mitigation: Maintain quarterly baseline cycles for cumulative, firmware, and feature updates; use hotpatches only for interim security hardening.
Example rollout timeline (recommended)
- Week 0: Inventory and licensing check; confirm Intune/autopatch readiness and VBS coverage.
- Week 1: Prepare pilot group (10–50 devices) including EDR vendors, key drivers, and both x64 and Arm64 test hardware if present.
- Week 2: Apply CHPE disablement on Arm64 pilot devices and reboot; validate application compatibility.
- Week 3: Deploy KB5065474 to pilot via Intune Windows quality update policy; monitor for 7–14 days.
- Week 5: Expand to early adopters (10–25% of fleet); maintain rolling validation and telemetry checks.
- Week 8: Broad deployment if no systemic regressions; coordinate firmware and baseline restarts in the subsequent baseline month.
Cross-reference and verification notes
Key technical claims in this analysis were verified against Microsoft’s official KB page for KB5065474 (release date, OS Build 26100.6508, included SSU, improvements and known issue text), Microsoft TechCommunity and Windows IT Pro guidance on hotpatch prerequisites and behavior, and Microsoft Intune documentation for Windows quality update policies and CHPE/HotPatchRestrictions configuration. Independent community and IT-pro commentary on hotpatch behavior and rollout best practices were also considered when forming deployment recommendations. Where Microsoft’s KB language is intentionally high-level (for example, the phrase quality improvements), administrators should consult the Security Update Guide or contact Microsoft if CVE-to-KB mapping is required for compliance or audit reporting. (support.microsoft.com, techcommunity.microsoft.com, learn.microsoft.com)Bottom line — what every Windows IT team should do this quarter
- Verify eligibility now. Confirm licensing, Intune enrollment, and baseline builds across your fleet. Hotpatches only apply to properly prepared devices. (techcommunity.microsoft.com)
- Plan an Arm64 strategy. If you operate Arm64 devices, test CHPE disablement carefully and use the DisableCHPE CSP where possible to automate the one-time configuration. Expect potential emulation/performance trade-offs for x86 workloads. (learn.microsoft.com)
- Pilot widely, not thinly. Include EDR, drivers, virtualization hosts/guests, and business-critical apps in pilot rings. The PSDirect issue demonstrates the operational friction of uneven patching—coordinate host/guest patch windows. (support.microsoft.com)
- Address Secure Boot certificate work now. The June 2026 certificate schedule is a cross-domain project—engage OEMs, firmware teams, and update managers early. (support.microsoft.com)
- Maintain baseline discipline. Hotpatches reduce restarts but do not eliminate the need for baseline maintenance. Schedule and complete baseline restarts when required.
KB5065474 is a pragmatic hotpatch release: it closes targeted security gaps and improves app compatibility for non-admin MSI repair flows while highlighting two operational imperatives—PSDirect host/guest parity for virtualized management and the broader Secure Boot certificate timeline. For organizations that carefully validate prerequisites, stage pilots, and coordinate firmware/OEM work, hotpatching continues to deliver tangible uptime improvements without sacrificing security, but it requires disciplined change control and clear telemetry to spot the rare but consequential regressions that can arise when in-memory fixes interact with complex third‑party stacks. (support.microsoft.com, techcommunity.microsoft.com)
Source: Microsoft Support September 9, 2025—KB5065474: Hotpatch for Windows 11 Enterprise LTSC 2024 (OS Build 26100.6508) - Microsoft Support