KB5065474 Windows 11 Enterprise Hotpatch: OS Build 26100.6508, PSDirect & Secure Boot Advisory

Microsoft released a targeted hotpatch—KB5065474—on September 9, 2025, for Windows 11 Enterprise (24H2 / LTSC 2024) that advances eligible devices to OS Build 26100.6508, delivers a focused app-compatibility / UAC repair, and includes two operational advisories administrators must treat as high priority: a documented PowerShell Direct (PSDirect) interoperability edge case and a reminder about an impending Secure Boot certificate expiry window.

Background / Overview​

Hotpatching is Microsoft’s low-disruption servicing model designed to deliver narrowly scoped security and quality fixes to eligible enterprise endpoints without forcing the typical restart cycle of full cumulative updates. The hotpatch workflow pairs periodic restart-required baseline months (LCU + SSU) with intervening hotpatch months so critical mitigations can be applied to running code in memory when downtime must be minimized. KB5065474 is part of that cadence and is intended for environments that prioritize uptime—financial trading floors, healthcare devices, industrial controllers, and other mission-critical systems—while still reducing exposure to emergent threats.
Microsoft packages this hotpatch together with a current Servicing Stack Update (SSU) to improve installation reliability and reduce the risk of servicing failures. Eligible systems that successfully receive the hotpatch will report the updated build string 26100.6508. Administrators must verify hotpatch eligibility before relying on the no-reboot behavior, as not all SKUs and configurations are supported.

---

What KB5065474 actually contains​

High-level summary​

• Applies to: Windows 11 Enterprise (24H2 / LTSC 2024).
• Release date: September 9, 2025.
• Reported build after install: OS Build 26100.6508.
• Delivery model: Hotpatch (no restart required on eligible devices for the remainder of the servicing quarter, subject to eligibility).
• Packaging: hotpatch is bundled with an SSU in Windows Update channels to reduce installation failures.

Notable fixes and public description​

The public KB characterizes the package as delivering quality and security hardening, but calls out one concrete functional fix:

• A fix for an MSI / User Account Control (UAC) interaction that could cause unexpected elevation prompts for non-administrative users during certain installer repair flows or custom actions. This resolves real-world compatibility friction where maintenance/repair logic in some installers (for example, select Office or third-party enterprise installers) triggered elevation unnecessarily and blocked non-admin workflows.

Microsoft’s public hotpatch entries are intentionally succinct and typically do not enumerate underlying CVE identifiers within the KB text itself. Administrators who require CVE mapping for compliance or detailed exploit analysis should consult the Security Update Guide or open a support case to obtain explicit CVE linkages. Treat the KB wording “quality/security improvements” as accurate but opaque for CVE-centric auditing.

---

Technical detail: Hotpatch behavior and build reporting​

Hotpatches operate by patching in-memory code paths and small OS components; they are not replacements for baseline cumulative updates, firmware/driver updates, or feature rollups that require on-disk binary replacement and a restart. The reported build change—26100.6508—is the artifact administrators and inventory tooling need to detect and validate. Because hotpatch build strings can differ from baseline cumulative KB numbers referenced by many compliance scanners, asset-management systems must be updated to recognize these values to avoid false-positive noncompliance flags.
Key operational notes:

• The SSU bundled with the hotpatch improves reliability and reduces the chance of incomplete servicing operations, but the SSU itself may sometimes require administrative coordination depending on organizational patching policies.
• Verify that the device’s baseline build and servicing configuration meet Microsoft’s hotpatch eligibility criteria before assuming the no-reboot guarantee. Devices that do not meet prerequisites will fall back to standard update behavior and may require a restart.

---

Known issue: PowerShell Direct (PSDirect) interoperability​

What Microsoft documents​

KB5065474 documents a real interoperability edge case affecting PowerShell Direct (PSDirect): when a host and guest VM are on different hotpatch states—one patched and the other unpatched—the legacy handshake fallback used by PSDirect can sometimes fail to clean up sockets correctly, producing intermittent connection failures and authentication-related events such as Event ID 4625 in the Security log. The observable symptom is an inability for host-to-guest PSDirect sessions to establish or to maintain clean tear-downs in mixed-patch environments.
Microsoft points administrators to a corrective hotpatch—KB5066360—which Microsoft published to remedy the PSDirect handshake regression on hosts and guests, and recommends applying the appropriate host and guest updates to restore reliable PSDirect operation. The vendor guidance emphasizes coordinated host/guest patch parity as the pragmatic mitigation.

Operational impact​

Environments that rely on PSDirect for host-to-guest management—common in Hyper-V automation, lab automation, nested virtualization testbeds, or RMM scripts—may experience management interruptions if hosts and guests are updated unevenly. This can affect automation, recovery workflows, or incident response procedures that depend on PSDirect sessions. Because hotpatches allow partial, non-restart deployment, they can inadvertently increase the window of uneven patching unless processes explicitly coordinate host and guest updates.

Practical mitigations​

• Apply KB5066360 (the PSDirect corrective patch) to both hosts and guests where recommended, or coordinate host/guest updates within the same maintenance window.
• For critical systems that cannot be patched simultaneously, avoid reliance on PSDirect for automation until parity can be achieved; use network-based Remoting over secure channels as a fallback.
• Monitor Security Event logs for repeated occurrences of Event ID 4625 or other authentication anomalies correlated with PSDirect usage.

---

Secure Boot certificate expiry advisory​

KB5065474 also reiterates a cross-cutting firmware and supply-chain advisory: certain Secure Boot certificates used in device firmware begin expiring in mid-2026. Microsoft’s note is a forward-looking operational warning—firmware-level certificate expiry can affect pre-boot trust, Secure Boot validation, and, in some cases, the device’s ability to install updates or even boot correctly if firmware or OEM-supplied certificate updates are not applied. Organizations are urged to begin cross-team planning (OS, firmware/OEM, and asset management) to map devices requiring firmware updates or certificate replacements.
Why this matters: expired pre-boot certificates are a supply-chain and firmware lifecycle issue that requires OEM cooperation—these are not something Windows can patch from the OS alone. Inventorying affected devices, testing firmware updates, and coordinating vendor support for legacy or specialized hardware are essential steps to avoid disruption in mid-2026.

---

Deployment guidance: a practical checklist​

Before broad rollout of KB5065474, apply the following disciplined, staged approach.

Phase 1 — Inventory & eligibility validation​

• Confirm target OS: Windows 11 Enterprise (24H2 / LTSC 2024) and the device baseline required for hotpatching.
• Enumerate CurrentBuildNumber + UBR (or CurrentBuild + build string) across a representative sample to detect devices already matching 26100.6508 and to map current patch parity.
• Identify Hyper‑V hosts and VMs that rely on PSDirect, and map host/guest relationships for coordinated patching.

Phase 2 — Pilot (safety first)​

• Create a small pilot ring that includes: Hyper‑V hosts with their guest VMs, any Arm64 clients in the estate (where hotpatching behavior may differ), and systems with kernel drivers or specialized EDR/AV integrations. Validate both functional and security telemetry for 7–14 days.

Phase 3 — Early deployment and monitoring​

• Apply hotpatch to the pilot cohort; verify OS Build reports as 26100.6508. Confirm no regression in critical apps, MSI installation/repair flows, or management tools. Ensure PSDirect sessions succeed for host-guest pairs patched together.
• Monitor Security logs for Event ID 4625 and EDR telemetry for unusual process behavior or privilege escalation indicators during the pilot.

Phase 4 — Broader rollout​

• Expand to early-adopter groups with close telemetry. Stagger ring sizes to avoid coincident mass rollouts that could stress support teams. Use configuration management (SCCM / Intune) to orchestrate staged rollout and to enforce host/guest patch parity for virtualization hosts.

Phase 5 — Post-deployment validation & controls​

• Update compliance and inventory tooling to recognize 26100.6508 as a hotpatched build. Automate checks that map KB and build numbers to installed states to avoid false positives in reporting.

---

Recommended detection and hardening actions​

• Instrument EDR/Windows Event logs to surface anomalous privilege escalation patterns (Event IDs 4688, 4672) and PSDirect-related authentication failures (Event ID 4625).
• Harden local accounts, reduce the number of local administrators, and apply principle-of-least-privilege controls while the rollout proceeds.
• Consider temporary compensating controls: isolate management networks, limit host-to-guest integration channels where possible, and disable unneeded integrations if PSDirect parity cannot be guaranteed.

---

Critical analysis: strengths, limitations, and risk assessment​

Strengths​

• Minimal disruption: The hotpatch model lets organizations apply urgent mitigation without immediate restarts, dramatically reducing planned-downtime costs for critical systems. This is a real operational win for uptime-sensitive environments.
• Targeted fix for a real pain point: The UAC/MSI repair fix addresses an unpleasant functional regression that impaired non-admin workflows; addressing this reduces help-desk friction for large managed estates.
• Bundled SSU reduces servicing failures: Including an SSU with the hotpatch increases the chance of a clean install on complex, heterogeneous environments.

Limitations and risks​

• Opaque CVE mapping in public KB text: Microsoft hotpatch KBs often omit CVE identifiers and granular vulnerability mapping. For compliance-driven organizations this is a documentation gap—additional verification from the Security Update Guide or MSRC is required. This is an important caveat for auditors.
• Host/guest parity required for PSDirect: The no-restart advantage can create uneven patch states between hosts and guests, and that unevenness is the root cause of PSDirect failures described in the KB. Without strict coordination, critical automation and incident response tools that rely on PSDirect may fail.
• Firmware and OEM dependence for Secure Boot certificates: The Secure Boot certificate expiry advisory is not remediable via OS-only updates—firmware or CA updates from OEMs are required. This introduces third-party coordination risk, especially for older hardware or specialized endpoints.

Unverifiable or ambiguous claims (flagged)​

• The KB text’s reference to “miscellaneous security improvements” is intentionally general. Any assertion that KB5065474 addresses a specific CVE should be verified against the Security Update Guide and MSRC advisory, because Microsoft’s hotpatch KB itself does not list CVE identifiers. Until cross-checked with canonical security advisory sources, treat CVE mapping as unverified.

---

Practical recommendations (for IT teams and security ops)​

• Treat KB5065474 as a complement, not a replacement, for your baseline update program—continue to apply restart-required cumulative updates on schedule. Hotpatching reduces exposure windows for specific scenarios, but does not eliminate the need for comprehensive quarterly maintenance.
• Update detection and inventory tooling to recognize OS Build 26100.6508 and the presence of the SSU to avoid false noncompliance reports. Automate compliance scans that map builds and KBs to the properly patched state.
• Coordinate Hyper‑V host and guest patching: maintain a host/guest mapping registry, and enforce same-window updates for pairs that use PSDirect. Where simultaneous updates are impossible, apply the corrective KB5066360 on both sides where Microsoft recommends it, or avoid PSDirect-dependent automation until parity is achieved.
• Start Secure Boot remediation planning now: open cross-team vendor tickets, identify devices that will need firmware or certificate updates, and prioritize legacy hardware in your inventory for vendor validation. Test firmware updates on sample devices in a controlled lab before mass deployment.
• Pilot aggressively. Use a small, representative ring that includes virtualization hosts and their guests, Arm64 endpoints, and systems with kernel-level integrations (EDR, VPN drivers, storage drivers). Validate telemetry for 7–14 days before broader rollout.

---

Example staged rollout (high-level sequence)​

• Inventory and plan: enumerate builds, map Hyper‑V host/guest pairs, and identify arm64 and special hardware.
• Pilot: test KB5065474 on a small ring including host/guest pairs patched together. Verify MSI repair flows and PSDirect.
• Early adopter: expand to a larger ring and validate automated remediation playbooks and EDR alerts.
• Broad deployment: proceed in staged waves, monitoring for PSDirect failures and security-event anomalies.
• Post-deploy validation: update CMDB, compliance scanners, and inventory rules to reflect new build reporting.

---

Final verdict​

KB5065474 is a pragmatic, low-disruption hotpatch that resolves a tangible app-compatibility problem and reduces friction for non-admin MSI repair scenarios while reinforcing two operational imperatives: keep host/guest patch parity for virtualization management and start immediate planning for Secure Boot certificate lifecycle events. The bundle’s inclusion of an SSU and the no-restart delivery model are genuine operational benefits for uptime-sensitive environments, but they require disciplined inventory, orchestration, and vendor coordination.
Administrators should adopt a conservative rollout strategy—inventory first, pilot second, coordinate host/guest pairs for PSDirect, and engage OEMs for firmware/certificate readiness. Because Microsoft’s hotpatch KBs sometimes omit CVE-level detail, compliance-minded teams must cross‑check the Security Update Guide or MSRC advisories for CVE mappings before closing ticketing items or satisfying audit requirements.
KB5065474 is worth applying where the operational model allows hotpatching: it reduces downtime and fixes a real user-impacting issue. The true measure of success will be how well organizations coordinate host/guest parity and firmware readiness—areas where process and cross-team communication are just as important as the update itself.

---

Source: Microsoft Support September 9, 2025—Hotpatch KB5065474 (OS Build 26100.6508) - Microsoft Support