KB5066360: Windows 11 LTSC 2024 PowerShell hotpatch for PSDirect fix

Microsoft has published KB5066360, a hotpatch that updates Windows PowerShell on Windows 11 Enterprise LTSC 2024 to OS Build 26100.6569, addressing a specific PSDirect connectivity failure that could, under narrow conditions, allow unauthorized non-administrator access between host and guest virtual machines; the package is a hotpatch (no immediate reboot required for eligible devices) and was released on September 9, 2025. (support.microsoft.com)

Background​

Windows hotpatching is Microsoft’s mechanism to deliver narrow, security-focused fixes that take effect immediately without forcing the usual restart associated with cumulative updates. The model is intended for managed enterprise environments that prioritize uptime, and it depends on device eligibility (baseline alignment, licensing, VBS enabled, Intune enrollment and, for Arm64, CHPE disabled). These prerequisites and the quarterly cadence for baselines versus hotpatch months form the operational context for KB5066360. (learn.microsoft.com, techcommunity.microsoft.com)
Microsoft’s public KB for KB5066360 identifies two central themes: a targeted fix for PSDirect connections failing in hotpatch devices and a reminder about the broader Secure Boot certificate expiration program that organizations must plan for well before June 2026. The KB packages the PowerShell fixes with the servicing stack update where applicable and lists the files and file versions installed by the update. (support.microsoft.com)

---

What KB5066360 Actually Delivers​

High-level summary​

• Applies to: Windows 11 Enterprise LTSC 2024. (support.microsoft.com)
• Release date: September 9, 2025. (support.microsoft.com)
• Target OS Build after install: 26100.6569. (support.microsoft.com)
• Nature of update: Hotpatch — security-only fix that installs without an immediate restart on eligible devices and includes the servicing stack update where Windows Update is used. (support.microsoft.com, learn.microsoft.com)

Specific fix(es)​

The KB lists a single, targeted fix described as: “Fix for PSDirect connections failing in Hotpatch devices.” The entry explains that the patch resolves an issue introduced by the September 2025 hotpatch/security updates where a vulnerability in the interaction between the host OS and a guest VM could allow unauthorized, non-administrator access during a brief window. The update also improves reliability for older sessions that may shut down unexpectedly. Microsoft recommends applying the update to hosts whose guests have received the September 2025 security update. (support.microsoft.com)

Packaging and distribution notes​

• The hotpatch is offered via Windows Update (automatic for eligible, managed devices). The Microsoft Update Catalog and WSUS are not listed as distribution sources for this hotpatch package in the KB — the KB explicitly shows Windows Update as the delivery channel for the hotpatch version. (support.microsoft.com)
• The KB includes file information showing updated PowerShell assemblies (System.Management.Automation.dll, Microsoft.PowerShell.ConsoleHost.dll and related resource DLLs) all versioned at 10.0.26100.6569 and timestamped 22‑Aug‑2025 in the KB file listing. This is useful for inventory and verification. (support.microsoft.com)

---

Why this matters: technical and operational context​

PowerShell is a central automation and administration runtime on Windows and is also a common attacker target. Fixes that affect PowerShell remoting surfaces (including PowerShell Direct — “PSDirect”) are therefore operationally important. This hotpatch matters for three reasons:

• Immediate mitigation for a host‑to‑guest exposure window. Hotpatching is designed to reduce the time between disclosure and protection because the fix becomes active without waiting on a restart window. For a VM-host interaction bug that could be exploited briefly during session handling or handshake windows, that immediacy cuts the exposure window dramatically. (support.microsoft.com, techcommunity.microsoft.com)
• Low immediate disruption for mission‑critical endpoints. LTSC customers and devices used in critical workflows often avoid frequent reboots; hotpatches let operations teams maintain that uptime while still receiving security remediation. Independent reporting and Microsoft documentation agree that hotpatches are a targeted, no‑restart means to ship security-only fixes for eligible enterprise estates. (bleepingcomputer.com, learn.microsoft.com)
• Audit and inventory implications. Hotpatches change how patch state is represented (distinct KB numbers and reported build values). Asset management, CMDBs, and compliance tooling must recognize hotpatched build values (26100.6569 in this case) to avoid falsely flagging systems as unpatched. Operational playbooks must be updated to capture hotpatched states.

---

Cross-checks and verifiability​

• The KB itself is the authoritative packaging and build reference for KB5066360: it lists the build, release date, affected SKU, file versions and a plain-language “Improvements and fixes” summary. That KB page is the primary source for the details above. (support.microsoft.com)
• The hotpatch model and its prerequisites (Intune management, licensing, VBS, baseline build alignment, CHPE handling on Arm64) are corroborated by Microsoft’s hotpatch documentation and TechCommunity posts describing the feature rollout to Windows client and LTSC customers. These independent Microsoft docs explain the eligibility and enrollment mechanics administrators must use to receive hotpatch updates. (learn.microsoft.com, techcommunity.microsoft.com)
• Independent press coverage of hotpatching and its availability to Windows 11 Enterprise confirms the operational picture: outlets reporting on the hotpatch program have documented both benefits and common caveats for compatibility and vendor testing, aligning with the KB’s intent and messaging. (bleepingcomputer.com)

Note on CVEs and exploit metadata: Microsoft’s KB text for KB5066360 summarizes the fix as “miscellaneous security improvements” and provides the functional description above, but it does not enumerate CVE identifiers or exploitability scores within the KB narrative. Administrators requiring CVE-level mapping for audit/tracking should consult Microsoft’s Security Update Guide or contact Microsoft support; treat the absence of explicit CVE listings in the KB as a gap to be resolved for compliance reporting. (support.microsoft.com)

---

Risk analysis — strengths and potential pitfalls​

Strengths​

• Rapid, low‑impact protection: Hotpatching reduces the time devices remain vulnerable and minimizes user disruption for eligible endpoints. This is ideal for LTSC-managed devices and high‑availability workloads. (learn.microsoft.com, bleepingcomputer.com)
• Servicing stack inclusion reduces failures: The KB’s hotpatch packaging includes servicing stack updates where Windows Update applies that SSU, which lowers the chance of future update failures during deployment. This packaging choice is a deliberate reliability improvement. (support.microsoft.com)
• Targeted fix scope: The hotpatch addresses a limited, high-risk surface (host‑to‑guest PSDirect interactions), which narrows the potential for broad regressions compared to a large cumulative update. Narrow scope also makes pilot testing easier and more reliable. (support.microsoft.com)

Potential risks and caveats​

• Eligibility and management friction: Hotpatches require specific enrollment and platform prerequisites (Intune policy, licensing, VBS, baseline build). Mixed estates with unmanaged or legacy devices will not receive the hotpatch and must instead rely on LCUs that require reboots, complicating fleet parity. Plan for mixed servicing pathways. (learn.microsoft.com)
• Third‑party agent and driver compatibility: Hotpatches alter in‑memory code paths; EDR, backup, virtualization plugins, or kernel drivers that hook into PowerShell or session subsystems can exhibit unexpected behavior. Community testing and vendor advisories from ISVs are strongly recommended before broad rollout. Historical community reports reinforce the need to test vendor agents with new servicing. (bleepingcomputer.com)
• Rollback complexity: While hotpatches can be uninstalled, rollback requires a restart and may leave devices in a different servicing state. Ensure rollback procedures are exercised in a test lab and documented, because “no restart” does not imply “no restart ever” for remediation.
• Opaque CVE mapping (audit risk): The KB describes the vulnerability functionally but does not attach explicit CVEs in the public entry. Organizations that must map fixes to CVEs for compliance or third‑party risk scoring should treat this as an outstanding action item and use the Security Update Guide or Microsoft support to obtain CVE mappings. (support.microsoft.com)
• Secure Boot certificate program cross‑dependency: The KB’s advisory reiterates Microsoft’s larger Secure Boot certificate rollover effort (expiring 2011 CA certificates beginning June 2026). That program is independent from this hotpatch but it is consequential: failure to prepare for the certificate updates can disrupt pre‑boot trust and updateability in 2026. Treat certificate readiness as a separate, high‑priority program. (support.microsoft.com, techcommunity.microsoft.com)

---

Practical deployment guidance (recommended playbook)​

The following is a conservative rollout checklist tailored for enterprise admins managing Windows 11 Enterprise LTSC 2024 estates.

Pre-deployment (inventory & prerequisites)​

• Confirm devices are Windows 11 Enterprise LTSC 2024 and on a hotpatch-eligible baseline (check baseline build prerequisites). Use inventory tools (SCCM, Intune, or Winver) to capture current builds. (learn.microsoft.com, support.microsoft.com)
• Confirm management and licensing: devices must be enrolled in Microsoft Intune (or Windows Autopatch) and the organization must hold an eligible license (E3/E5, Microsoft 365 Business Premium, Windows 365 Enterprise, etc.). (techcommunity.microsoft.com)
• Verify VBS (Virtualization‑based Security) is enabled where required; validate firmware and Hyper‑V/VMM configuration for VBS support. (techcommunity.microsoft.com)
• For Arm64 devices: perform the one‑time CHPE disablement (via DisableCHPE CSP or registry HotPatchRestrictions) and reboot once before attempting hotpatch enrollment. Document the change and test unaffected x86 emulation workloads. (support.microsoft.com)

Pilot and validation​

• Create a pilot group of representative devices in Intune and enable a Windows quality update policy with Hotpatch set to Allow. Deploy KB5066360 to the pilot group first. Monitor for process/service anomalies, driver logs, EDR alerts and application behavior for 7–14 days. (learn.microsoft.com)
• Validate PSDirect, PSRemoting, and VM guest/host interaction scenarios specifically, since this hotpatch targets PSDirect-related behavior. Include virtualization stack vendors (Hyper‑V, VMM) and backup vendors in test plans. (support.microsoft.com, techtarget.com)

Staged rollout​

• Pilot → Early Adopter ring (critical services excluded) → Broad deployment.
• Keep rollback procedures tested and ready; remember uninstallation requires a restart and may involve following the baseline cumulative update path afterward.

Post-deployment verification​

• Confirm OS build on updated devices reports 26100.6569 (winver or inventory query). Record this value in patch tracking and compliance dashboards. (support.microsoft.com)
• Update CMDB and compliance tooling so hotpatched KB and build values are mapped to a “patched” status; adjust any compliance rules that expect LCU KB numbers.

---

Suggested monitoring and telemetry​

• Track EDR/AV telemetry for unusual PowerShell activity post-deployment and correlate with hotpatch install events. Hotpatches change in‑memory behavior and some security agents may raise false positives on updated engines; use baseline telemetry to tune alerts.
• Monitor virtualization logs on both host and guest for PSDirect handshake errors or session teardown anomalies; the KB’s fix is specifically targeted at improving reliability in these interactions. (support.microsoft.com)
• Keep an eye on Windows Release Health and vendor advisories for subsequent LCU/baseline releases that may include related changes or additional fixes. Hotpatches are not a substitute for scheduled baseline maintenance windows. (learn.microsoft.com, techcommunity.microsoft.com)

---

Secure Boot certificate expiration — why the KB’s advisory matters​

KB5066360 includes an explicit advisory about the Secure Boot certificate expiration program: Microsoft warns that certificates used by Secure Boot will start expiring in June 2026 and urges administrators to prepare now to avoid disruption to secure boot and pre‑boot updateability. This is a cross-domain program requiring coordination with OEMs, firmware teams, and Windows update management; it is separate from the PowerShell hotpatch but has an outsized operational impact. The Secure Boot certificate update program was explained in detail by Microsoft’s Windows IT Pro blog and support articles; administrators should inventory devices for firmware readiness and plan DB/KEK updates as part of their 2025–2026 patch calendar. (techcommunity.microsoft.com, support.microsoft.com)

---

Bottom line and recommended actions​

• Apply KB5066360 to eligible Windows 11 Enterprise LTSC 2024 devices as part of a staged, policy-driven hotpatch rollout if your estate meets the prerequisites: Intune enrollment, licensing, baseline alignment, and VBS (and CHPE disablement for Arm64 where applicable). The hotpatch addresses a concrete PSDirect host/guest vulnerability and improves session reliability, and it is packaged to minimize installation failure risk. (support.microsoft.com, techcommunity.microsoft.com)
• If your environment includes unmanaged, third‑party‑heavy, or legacy devices that cannot meet hotpatch prerequisites, maintain disciplined baseline (LCU) update cycles and ensure you have restart windows defined; hotpatching does not eliminate the need for periodic reboots and baseline servicing. (learn.microsoft.com)
• For compliance and audit teams: request CVE mapping from Microsoft’s Security Update Guide or support if you require explicit CVE identifiers for this hotpatch; the KB’s summary is functional and does not include CVE identifiers. Treat the lack of CVE attribution in the KB as a documentation gap until confirmed otherwise. (support.microsoft.com)
• Start (or continue) Secure Boot certificate readiness planning as a discrete program. KB5066360’s advisory is a timely reminder that certificate rollover is a near-term operational imperative that should be scheduled, tested, and coordinated with OEMs and firmware teams. (techcommunity.microsoft.com)

---

Conclusion​

KB5066360 is a narrowly scoped, operationally important hotpatch for Windows PowerShell on Windows 11 Enterprise LTSC 2024 that resolves a PSDirect-related host/guest vulnerability and improves session reliability. For environments that meet Microsoft’s hotpatch prerequisites, the update is a low-disruption way to harden the PowerShell attack surface quickly. However, hotpatch adoption requires disciplined enrollment, vendor coordination, robust pilot testing, and updated asset‑management processes to record and report hotpatched states. Additionally, the KB’s Secure Boot certificate advisory reminds IT teams that a separate, high-impact firmware/certificate program (certificate expirations beginning June 2026) remains a priority and must be planned for now. Administrators should treat KB5066360 as a priority for eligible hosts, run a measured rollout with adequate vendor and EDR testing, and escalate for CVE details if required for organizational compliance. (support.microsoft.com, learn.microsoft.com, techcommunity.microsoft.com)

---

Source: Microsoft Support KB5066360—Security Update for Windows PowerShell on Windows 11 Enterprise LTSC 2024 (Hotpatch) - Microsoft Support