Microsoft released the September 9, 2025 cumulative update for Windows 11, version 24H2 — KB5065426 (OS Build 26100.6584) — a combined security and quality rollup that both closes recent high‑priority vulnerabilities and addresses a string of functional regressions introduced earlier in the 26100-series servicing cycle. The package includes the latest servicing‑stack improvements, targeted reliability fixes for File Installer and streaming workflows, updated AI component binaries for Copilot‑related features, and one narrowly scoped known issue affecting PowerShell Direct (PSDirect) on hotpatched hosts and guests. The official Microsoft release notes list the fixes, installation paths, and the known PSDirect interaction; the company also documents this release as a combined SSU+LCU that requires careful rollback planning. (support.microsoft.com)
Windows 11’s 26100 build series (24H2 servicing) has followed a pattern in 2025 of delivering underlying platform code in preview or release‑preview flights, then enabling higher‑impact features and UI changes gradually across devices through server‑side gating. That pattern produced a busy late‑summer cycle: the August security rollup (KB5063878 / Build 26100.4946) introduced both high‑severity security fixes and, unintentionally, some regressions that affected certain workflows (notably NDI/OBS streaming and installer behavior). The September 9 cumulative update, KB5065426, largely represents Microsoft’s corrective follow‑through: reinstating intended security hardening while reducing immediate customer pain from side effects of the August changes. This delivery approach — combining a servicing stack update (SSU) with the cumulative payload and relying on staged enablement for feature bits — is intentional but operationally consequential for IT teams. (support.microsoft.com)
The package also ships updated AI component binaries used on Copilot+‑certified devices; these are included in the LCU but only apply to Copilot‑eligible devices when the vendor/feature flags permit. Finally, because Microsoft bundles an SSU with the LCU in many of these 24H2 packages, administrators must remember that the servicing stack changes are effectively permanent and complicate traditional "uninstall the KB" rollbacks. (support.microsoft.com)
Practical install commands the KB documents:
For most home users and small businesses, installing the September cumulative update through Windows Update is recommended: it returns important fixes and improves overall system hygiene. For enterprises and teams with specialized workloads (virtualization automation, streaming, MSI‑heavy installers), the prudent approach remains a measured pilot → broad pilot → production rollout, paired with tested recovery images and validation checklists for the specific workflows called out above.
KB5065426’s official release notes and installation instructions provide the authoritative, step‑by‑step guidance; independent coverage and vendor guidance (for NDI/OBS and installer behaviors) supply the practical mitigations administrators used while Microsoft developed this cumulative fix. Taken together, those sources give a clear operational path to patching while managing the trade‑offs between security, usability, and recoverability. (support.microsoft.com, bleepingcomputer.com, docs.ndi.video)
Conclusion: KB5065426 is an important maintenance release that addresses both security and regression concerns introduced earlier in the 26100 servicing stream. Apply it after piloting, align host and guest update schedules where hotpatching is used, and use the vendor mitigations documented for streaming and installer issues if immediate remediation is necessary. The update’s combined SSU+LCU packaging and the staged feature enablement model are here to stay — plan policies, testing, and communications accordingly. (support.microsoft.com)
Source: Microsoft Support September 9, 2025—KB5065426 (OS Build 26100.6584) - Microsoft Support
Background / Overview
Windows 11’s 26100 build series (24H2 servicing) has followed a pattern in 2025 of delivering underlying platform code in preview or release‑preview flights, then enabling higher‑impact features and UI changes gradually across devices through server‑side gating. That pattern produced a busy late‑summer cycle: the August security rollup (KB5063878 / Build 26100.4946) introduced both high‑severity security fixes and, unintentionally, some regressions that affected certain workflows (notably NDI/OBS streaming and installer behavior). The September 9 cumulative update, KB5065426, largely represents Microsoft’s corrective follow‑through: reinstating intended security hardening while reducing immediate customer pain from side effects of the August changes. This delivery approach — combining a servicing stack update (SSU) with the cumulative payload and relying on staged enablement for feature bits — is intentional but operationally consequential for IT teams. (support.microsoft.com)The package also ships updated AI component binaries used on Copilot+‑certified devices; these are included in the LCU but only apply to Copilot‑eligible devices when the vendor/feature flags permit. Finally, because Microsoft bundles an SSU with the LCU in many of these 24H2 packages, administrators must remember that the servicing stack changes are effectively permanent and complicate traditional "uninstall the KB" rollbacks. (support.microsoft.com)
What’s in KB5065426 (OS Build 26100.6584)
Highlights — the short list
- Security updates addressing multiple CVEs and hardening installer behavior. (support.microsoft.com)
- Fix for unexpected UAC prompts and MSI repair failures that affected non‑admin users after August updates. (support.microsoft.com)
- Fixes and mitigations for NDI/OBS streaming audio/video stutter tied to the August rollup. (support.microsoft.com, bleepingcomputer.com)
- Updated AI components (Image Search, Content Extraction, Semantic Analysis, Settings Model) to version 1.2508.906.0 for compatible Copilot+ devices. (support.microsoft.com)
- Bundled servicing stack update (SSU KB5064531) to improve update reliability. (support.microsoft.com)
Security and installer hardening
A major theme of the August/September servicing sequence was closing an installer authentication weakness (CVE‑2025‑50173). Microsoft’s fix enforces stricter User Account Control (UAC) flows in certain MSI repair and install scenarios to prevent local privilege escalation. The August rollup’s enforcement produced an obvious side effect: standard (non‑admin) users began to see UAC prompts or failed MSI repairs (Error 1730) when apps invoked repair operations without a visible UI. KB5065426 explicitly addresses the resulting operational friction by refining how the system treats specific MSI custom actions and by enabling IT admins to allowlist particular apps/flows via a Known Issue Rollback (KIR) or forthcoming targeted policy controls. Microsoft’s guidance and public advisories on the UAC regression have also been widely covered by independent outlets, confirming both the root cause and Microsoft’s planned mitigations. (support.microsoft.com, bleepingcomputer.com, theregister.com)NDI/OBS streaming regression and remediation
The August security update inadvertently changed transport behavior that impacted NDI (Network Device Interface) workflows — especially when Display Capture was in use — producing severe stuttering and choppy audio/video for multi‑PC streaming setups. The NDI vendor guidance and Microsoft’s Release Health notes converge on a short‑term mitigation: change NDI’s Receive Mode away from RUDP (Reliable UDP) to Single TCP or plain UDP (Legacy). KB5065426 includes the corrective work claimed to reduce or eliminate that regression on affected systems; independent reporting and vendor knowledgebase articles describe the problem and the mitigation steps that streaming professionals used while Microsoft worked on the LCU fix. (support.microsoft.com, bleepingcomputer.com, docs.ndi.video)File server and SMB auditing features
KB5065426 enables additional auditing for SMB client compatibility with SMB Server signing as well as SMB Server EPA (Extended Protection for Authentication), helping administrators assess compatibility before enforcing hardening measures. This is useful for organizations planning to tighten SMB signing or authentication policies without accidentally breaking legacy clients. (support.microsoft.com)Input and IIS manager fixes
The update resolves a couple of user‑facing reliability issues: input method scenarios that could make certain apps stop responding to input, and a prior bug where some IIS Manager modules disappeared from the UI. These are smaller fixes but solve real productivity blockers for affected users and server operators. (support.microsoft.com)AI components
KB5065426 ships updated AI binaries (Image Search, Content Extraction, Semantic Analysis, Settings Model) at 1.2508.906.0. Microsoft notes these component updates are relevant to Copilot+ devices and will not apply to systems that don’t meet hardware/telemetry eligibility. In practice this means daily users who do not have Copilot+ hardware will not see functional changes from those component updates, but Copilot‑eligible devices will receive incremental quality improvements. (support.microsoft.com)Servicing stack update (SSU) and package composition
The cumulative package contains a servicing‑stack update (KB5064531 aligned to 26100.5074). Microsoft bundles SSU + LCU to reduce sequencing errors during deployment, but SSUs are effectively non‑removable once installed — an important operational caveat. The KB provides DISM guidance for installing and for the careful, DISM‑based removal of only the LCU portion if required; however, removing the SSU is not supported via the typical wusa.exe uninstall switch. Plan for that permanence in any rollback strategy. (support.microsoft.com)Known issues (what remains unresolved)
KB5065426 lists one notable known issue at publication:- PSDirect connections failing on hotpatched devices: an edge case where host and guest VMs are not both fully updated (mix of hotpatched vs. non‑hotpatched) can cause PowerShell Direct (PSDirect) connection failures due to a fallback handshake/socket cleanup bug. Microsoft points administrators toward a follow‑up update (KB5066360) that corrects the issue and recommends updating both host and guest VMs to the same patch level. Until both sides are updated, intermittent connection failures and Event ID 4625 entries may be observed. (support.microsoft.com)
Installation and deployment notes for IT
How the update is delivered
KB5065426 is available through standard distribution channels: Windows Update, Windows Update for Business, WSUS (synchronized when Products & Classifications are set to Windows 11 / Security Updates), and the Microsoft Update Catalog. Microsoft provides both a combined package and standalone MSU files; when using the Catalog you can either place the MSUs in one folder and install them together with DISM or install each MSU in order. The KB page includes explicit commands for DISM and PowerShell to add the package onto a running system or into an offline image. (support.microsoft.com)Practical install commands the KB documents:
- DISM (live system): DISM /Online /Add-Package /PackagePath:c:\packages\Windows11.0-KB5065426-x64.msu
- PowerShell (live system): Add‑WindowsPackage -Online -PackagePath "c:\packages\Windows11.0-KB5065426-x64.msu"
- Offline image: DISM /Image:mountdir /Add-Package /PackagePath:Windows11.0-KB5065426-x64.msu
Rollback caveats
Because the update contains a servicing stack update (SSU), the usual wusa /uninstall approach will not remove the SSU. Microsoft explicitly documents DISM‑based removal for the LCU only and warns administrators that the SSU is persistent. In short:- You cannot remove the SSU via wusa.exe (/uninstall) after installation.
- You can remove the LCU portion with DISM /Remove‑Package if you determine that is necessary, but thoroughly test that process in a lab before using it in production. (support.microsoft.com)
Critical analysis — strengths, risks, and operational guidance
Strengths: targeted fixes and responsible sequencing
- Security first: KB5065426 preserves the hardening that closed CVE‑class installer and kernel issues while addressing the most painful regressions created by those hardenings. This balances security with usability — a trade‑off Microsoft has taken to heart after field feedback. (support.microsoft.com)
- Vendor and community alignment: The combined effort — Microsoft publishing the KB, stream vendors documenting mitigations (NDI docs), and independent outlets verifying regressions — produced practical mitigations for users while the official fix matured. That cooperative pattern is a positive sign for fast remediation. (docs.ndi.video, bleepingcomputer.com)
- Servicing stack refresh: Including an SSU reduces future sequencing failures and makes subsequent monthly updates more reliable for well‑managed fleets. (support.microsoft.com)
Risks and trade‑offs: what to watch
- Rollback complexity: Bundled SSU+LCU packages make rollbacks more intrusive; administrators who are unprepared may find it hard to revert changes without reimaging or resorting to complex DISM workflows. Treat these updates as effectively persistent and validate recovery images before broad deployment. (support.microsoft.com)
- Staged enablement and non‑determinism: Microsoft’s staged, server‑side gating means identical machines on the same build may not show the same features (especially Copilot/AI experiences or theming adjustments). For organizations that depend on deterministic UI behavior or automation that relies on consistent dialog chrome, this can complicate testing and support. Plan for extra validation windows.
- Hotpatch interplay: If you rely on hotpatch semantics (hotpatches that avoid reboots for critical servers), be aware of the PSDirect edge case: mixing hotpatched and non‑hotpatched hosts/guests can break PowerShell Direct connectivity. Synchronize host and guest updates in virtualization clusters. (support.microsoft.com)
- Security vs usability tension: The installer hardening removed a real privilege escalation vector, but it temporarily broke common non‑admin workflows for MSI repair and advertising-based installs. The fix in KB5065426 narrows the impact, but administrators should assess whether enabling temporary KIR policies is acceptable in their risk posture. Independent reporting and Microsoft’s guidance emphasize KIR as a temporary mitigation, not a long‑term rollback of the security improvement. (bleepingcomputer.com, theregister.com)
Practical checklist — what to do now
- Validate prerequisites and inventory
- Confirm which devices in your estate run Windows 11 24H2 and their current OS Builds. Use winver or your patch management tool.
- Pilot the update
- Apply KB5065426 to a small, representative pilot ring that includes:
- A host and guest VM pair to test PSDirect.
- Any streaming/NDI hosts used by content producers.
- App compatibility test systems for line‑of‑business MSI installers (Office, Autodesk, etc.). (support.microsoft.com, bleepingcomputer.com)
- Confirm mitigations
- If you use NDI/OBS streaming: test changing NDI Receive Mode to Single TCP or UDP (Legacy) as a quick fallback and verify stream stability before and after the patch. (docs.ndi.video)
- If you use PSDirect: update hosts and guests in the same maintenance window to avoid the PSDirect socket fallback bug; plan to install the KB5066360 follow‑up when available. (support.microsoft.com)
- Prepare rollback and recovery
- Export and test system images/backups; document the DISM package names before installing so you can attempt LCU removal if absolutely necessary. Remember the SSU cannot be removed via wusa.exe. (support.microsoft.com)
- Communicate to end users
- Let users know about potential temporary behaviors: streaming producers should be informed about NDI settings, and standard users who install older apps may need to run apps as administrator until allowlisting/KIR is in place. Keep messaging aligned with your risk policy. (bleepingcomputer.com, docs.ndi.video)
Final takeaways
KB5065426 (OS Build 26100.6584) is a pragmatic, remediation‑focused release: it preserves important security hardening while reducing disruptive side effects introduced by prior monthly updates. The update demonstrates two important patterns that IT teams must internalize in 2025: (1) Microsoft increasingly ships combined SSU+LCU packages that demand careful rollback planning; and (2) many feature and AI changes are delivered via staged enablement, which reduces global blast radius but increases the need for representative testing.For most home users and small businesses, installing the September cumulative update through Windows Update is recommended: it returns important fixes and improves overall system hygiene. For enterprises and teams with specialized workloads (virtualization automation, streaming, MSI‑heavy installers), the prudent approach remains a measured pilot → broad pilot → production rollout, paired with tested recovery images and validation checklists for the specific workflows called out above.
KB5065426’s official release notes and installation instructions provide the authoritative, step‑by‑step guidance; independent coverage and vendor guidance (for NDI/OBS and installer behaviors) supply the practical mitigations administrators used while Microsoft developed this cumulative fix. Taken together, those sources give a clear operational path to patching while managing the trade‑offs between security, usability, and recoverability. (support.microsoft.com, bleepingcomputer.com, docs.ndi.video)
Conclusion: KB5065426 is an important maintenance release that addresses both security and regression concerns introduced earlier in the 26100 servicing stream. Apply it after piloting, align host and guest update schedules where hotpatching is used, and use the vendor mitigations documented for streaming and installer issues if immediate remediation is necessary. The update’s combined SSU+LCU packaging and the staged feature enablement model are here to stay — plan policies, testing, and communications accordingly. (support.microsoft.com)
Source: Microsoft Support September 9, 2025—KB5065426 (OS Build 26100.6584) - Microsoft Support