Navigation section

Windows 11 24H2 OOB KB5068221: App V Office fix and SMBv1 NetBIOS workaround

  • Thread Author
Microsoft pushed an unscheduled, out‑of‑band cumulative update to Windows 11 version 24H2 to address a high‑impact compatibility regression affecting virtualized Office deployments — but the patch also reiterates a known SMBv1 connectivity caveat administrators must account for before broad rollout.

Data center rack with Windows 11 24H2 display, surrounded by blue gear icons.Background​

Microsoft released KB5068221 (OS Build 26100.6588) on September 22, 2025 as an out‑of‑band (OOB) update for Windows 11, version 24H2. The package is cumulative: it includes the fixes and security content from the September 9, 2025 security rollup (KB5065426) and layers a targeted compatibility fix for Microsoft Application Virtualization (App‑V) environments on top of those changes. The public Knowledge Base article lists the OS build, the primary fix, updated AI component versions, and the servicing stack pairing included with the package.
This is not a routine Patch Tuesday release. Microsoft used an OOB delivery because the regression — a double handle closure in App‑V subsystem components — produced immediate operational impact for organizations that publish Microsoft Office via App‑V. Out‑of‑band updates are the vendor’s standard mechanism to get urgent fixes to customers faster than the regular monthly cadence.

What KB5068221 fixes — the App‑V Office regression​

The technical problem​

The core quality fix in KB5068221 addresses a double handle closure inside the AppVEntSubsystems32 and AppVEntSubsystems64 components. That condition could cause Office applications to fail when delivered using Microsoft Application Virtualization (App‑V). App‑V is still used in a variety of enterprise environments to stream and centrally manage applications without installing them directly into endpoint images, so an Office crash or failure under App‑V is a material disruption for many IT operations teams. Microsoft explicitly calls out this virtualization and platform compatibility fix in the KB text.

Why organizations should care​

  • App‑V remains a core delivery option in many corporate VDI and thin‑client deployments. When Office is published via App‑V, end users expect the same stability and feature set as locally installed clients.
  • A double handle closure indicates a resource lifecycle bug — it may surface intermittently under load, making the issue difficult to triage in production without a vendor fix.
  • The OOB release means Microsoft judged the regression significant enough to risk shipping a discrete cumulative between regular monthly updates.
For any enterprise still deploying Office via App‑V, KB5068221 is a targeted compatibility fix that should move up testing and pilot priorities. Validate Office workloads in a controlled ring and watch for any unintended side effects from the cumulative nature of the package.

What else is in the package: AI components and Servicing Stack​

AI component refresh​

KB5068221 also refreshes several modular AI components that are part of Windows’ Copilot and related features. Microsoft lists the following component versions in the KB:
  • Image Search — 1.2508.906.0
  • Content Extraction — 1.2508.906.0
  • Semantic Analysis — 1.2508.906.0
  • Settings Model — 1.2508.906.0
These component updates are packaged with the cumulative but apply only when the machine meets the Copilot+ platform hardware and configuration requirements. In other words, on standard consumer or server SKUs lacking Copilot+ hardware, the AI component payloads won’t activate. The KB gives administrators component version numbers to verify post‑install if Copilot+ features are in use.

Servicing Stack Update (SSU) pairing​

The cumulative is bundled with a servicing stack update KB5064531 (servicing stack version 26100.5074). Microsoft continues to bundle SSUs with LCUs to ensure update plumbing is current and to reduce installation failures. Administrators should be aware that the combined package means the SSU portion cannot be uninstalled by ordinary means; rollback of the LCU portion requires DISM with the exact package name. The KB walks through uninstall guidance and the DISM approach. Treat rollback as non‑trivial and document recovery playbooks accordingly.

The known issue: SMBv1 over NetBIOS (NetBT) connectivity​

Symptom and scope​

KB5068221 explicitly documents a known connectivity problem that can surface after installing the September 9 security update or later (including KB5068221). Systems using the legacy SMBv1 protocol over NetBIOS over TCP/IP (NetBT) may fail to connect to file shares if either the SMB client or the SMB server has applied the September 2025 update set. Modern SMB (SMBv2 and SMBv3) is not impacted. The KB notes that SMBv1 is deprecated and is not installed by default on recent Windows releases.
Independent reporting corroborates Microsoft’s advisory. Security and Windows news outlets confirmed that September updates caused SMBv1 shares over NetBT to fail in multiple Windows client and server releases; BleepingComputer and Windows Report captured the vendor advisory and described the affected platforms and workaround. These third‑party reports align with Microsoft’s KB.

Microsoft’s workaround​

Microsoft’s official temporary workaround is straightforward: allow network traffic on TCP port 445. Opening TCP/445 forces the SMB stack to negotiate SMB directly over TCP (the native transport for SMBv2/3), which bypasses NetBIOS/NetBT transport and restores connectivity. This workaround is tactical and intended for transitional use while Microsoft prepares a permanent resolution.

Operational and security considerations​

  • SMBv1 is insecure and deprecated. The long‑term remediation is migration off SMBv1 to SMBv2/SMBv3 with modern authentication and signing enabled.
  • Some legacy appliances, networked printers, or embedded devices still shipping SMBv1 only will need staged upgrades or replacement planning.
  • Opening TCP/445 across network boundaries has security implications. If administrators permit TCP/445 to restore connectivity, they must ensure the traffic is confined to trusted internal networks and that access controls and monitoring are in place.
  • Where TCP/445 cannot be opened due to policy, organizations face a tradeoff: maintain compatibility risk with NetBT/SMBv1 or accelerate legacy device replacement.
The KB and independent reporting underscore the same practical takeaway: accelerate migration away from SMBv1, and use the temporary TCP/445 workaround only in controlled network scopes.

Deployment guidance: test, pilot, stage​

The combined nature of KB5068221 — LCU + SSU + AI component payloads — makes careful rollout essential. Follow these recommended steps:
  • Inventory and prioritize
  • Identify all Windows 11 24H2 endpoints and servers that will receive the update. Flag App‑V hosts, VDI farms, and any systems that still rely on SMBv1/NetBT shares.
  • Check for Copilot+ hardware if AI component validation matters for your environment.
  • Pilot in a representative ring
  • Include App‑V publishing servers and client images used for virtualized Office.
  • Validate Office functional tests, add‑ins, macros, and interop with App‑V packages.
  • Test file share connectivity with legacy SMBv1 devices to surface the NetBT symptom.
  • Staging and network controls
  • If SMBv1 over NetBT is in use, either schedule the TCP/445 workaround in a controlled maintenance window or plan an accelerated migration path.
  • Lock down TCP/445 exposure to internal subnets only. Monitor with IDS/IPS and endpoint detection.
  • Installation options
  • Because KB5068221 is an OOB update, it may not be auto‑installed in all environments. Administrators can obtain the MSU packages from the Microsoft Update Catalog and deploy via WSUS, Microsoft Endpoint Configuration Manager, or offline DISM scripting.
  • If rollback is necessary, be prepared to use DISM /Remove‑Package for the LCU; the SSU stays in place. Record the installed package names with DISM /online /get-packages before making changes.
  • Post‑install verification
  • Verify OS build reports 26100.6588 on updated devices.
  • Confirm App‑V Office workflows behave as expected.
  • Validate SMB connectivity paths and ensure the TCP/445 workaround does not expose services to untrusted networks.
These steps reflect the guidance Microsoft provides for combined SSU + LCU packages and the practical realities of enterprise change control.

Risk analysis: strengths and potential downsides​

Strengths and positives​

  • Rapid mitigation: Microsoft identified a targeted regression and issued a focused OOB update, restoring functionality for App‑V Office customers without waiting for the next monthly cycle.
  • Cumulative packaging: Bundling the September security content with the App‑V fix reduces the number of sequential updates required and ensures the latest security posture is applied when the fix is deployed.
  • Servicing stack hardening: Including an SSU reduces installation failures and improves future update resilience, especially in complex enterprise deployment pipelines.

Potential downsides and risks​

  • Combined SSU + LCU complexity: The SSU cannot be rollbacked by simple uninstall; administrators must use DISM and have tested rollback playbooks. That non‑reversible aspect raises the operational stakes for pilot testing.
  • SMBv1 compatibility regression: The known SMBv1 over NetBT issue can cause immediate disruption in networks still relying on NetBIOS transport. The workaround (allowing TCP/445) is a stopgap and introduces security tradeoffs that must be mitigated.
  • Out‑of‑band churn: OOB releases, while necessary, increase change velocity. IT teams must avoid “update fatigue” and ensure that urgent fixes are clearly triaged and communicated to operations and helpdesk teams.
  • Legacy device pressure: Organizations with embedded systems or appliances that only speak SMBv1/NetBT face accelerated replacement timelines or complicated segmentation strategies.
In short, the OOB update solves a pressing App‑V problem but magnifies existing architectural debt around legacy networking and rollback complexity. Planning and communication are critical to avoid a fix‑for‑one‑problem‑creating‑many‑others scenario.

Practical checklist for IT teams (quick actions)​

  • Confirm whether App‑V hosts or published Office packages are part of your environment. If yes, schedule pilot testing of KB5068221 immediately.
  • Inventory devices still using SMBv1 and evaluate whether they rely on NetBIOS/NetBT transport. If so, either:
  • Allow TCP/445 only on trusted internal links as a temporary workaround, or
  • Prioritize migration to SMBv2/SMBv3 or device replacement.
  • Download the MSU package from Microsoft Update Catalog for offline or managed deployment and pre‑stage content in WSUS or MECM.
  • Test rollback with DISM /Remove‑Package in an isolated image to validate recovery procedures; document exact package names.
  • If Copilot+ hardware and AI features are in scope, record AI component version numbers post‑install for telemetry correlation (Image Search, Content Extraction, Semantic Analysis, Settings Model — all listed as 1.2508.906.0 in the KB).

Verification and cross‑checks​

Key technical claims in this article were verified against Microsoft’s public KB for KB5068221 and cross‑checked with independent reporting. Microsoft’s KB confirms the OS build (26100.6588), the App‑V double handle closure fix, AI component versions, and the SSU pairing. Third‑party coverage from reputable Windows news outlets independently reported the SMBv1/NetBT connectivity problem and the workaround (allow TCP/445), matching Microsoft’s advisory. Where the KB is definitive — e.g., version numbers, build IDs, and the official workaround — that vendor documentation is treated as authoritative; independent articles corroborate operational impacts and community reaction.
Note: any field reports that deviate from Microsoft’s KB (for example, differing file versions observed in telemetry or additional side effects reported on specific hardware) should be treated as environment‑specific and escalated to Microsoft product support with logs and repro steps. Community threads and forum posts can be useful for anecdotal troubleshooting, but they do not replace vendor confirmation.

Conclusion — priorities for the next 30–90 days​

KB5068221 demonstrates the tradeoffs of modern Windows servicing: rapid fixes close operational gaps quickly, but cumulative packaging and legacy transport assumptions raise deployment and security tradeoffs. For the immediate window, prioritize these actions:
  • Urgent: pilot KB5068221 in rings that include App‑V hosts and Office virtualization workloads. Validate functionality and monitor helpdesk queues for any new regressions.
  • Short term: inventory SMBv1 dependencies and either enable the TCP/445 workaround in trusted segments or accelerate migration/replacement plans for legacy devices.
  • Medium term: review update recovery playbooks and test DISM‑based rollbacks. Confirm that SSU changes are documented in change logs and asset inventories.
Deploy carefully, test thoroughly, and use the OOB update to restore service for affected customers while using the incident as an opportunity to eliminate legacy protocols and strengthen update governance. The OOB fix solves a clear problem — now the work shifts to controlled rollout, legacy migration, and hardening to avoid similar friction on future update cycles.
Source: Research Snipers Microsoft Releases Emergency Windows 11 Update to Fix Office Virtualization Issues – Research Snipers
 

Click to expand...
Microsoft quietly shipped an out‑of‑band cumulative update for Windows 11 version 24H2 on September 22, 2025 — KB5068221 (OS Build 26100.6588) — to resolve a targeted compatibility failure that caused Microsoft Office to misbehave when delivered via Microsoft Application Virtualization (App‑V), while also bringing along AI component refreshes and a servicing‑stack update; however, the patch re‑emphasizes a known SMBv1/NetBIOS connectivity regression introduced earlier in September and reopens operational trade‑offs for organizations that still rely on legacy file‑sharing mechanisms.

A data center with rows of server racks and floating holographic screens.Background​

Microsoft classifies KB5068221 as an out‑of‑band (OOB) cumulative update for Windows 11, version 24H2 that bundles the security fixes and quality improvements from the September 9, 2025 Patch Tuesday rollup (KB5065426) and adds a narrowly scoped compatibility repair for App‑V published Office packages. The package raises the OS build to 26100.6588 and ships a servicing stack update (SSU) — KB5064531 — to harden the update engine.
Out‑of‑band updates are rare but purposeful: Microsoft uses them when a regression or compatibility issue is severe enough that waiting for the next monthly cycle would cause material disruption. In this case, telemetry and customer reports signaled breakage for enterprises that deliver Office via App‑V, prompting Microsoft to deliver a targeted cumulative that also carries forward the September security fixes.

What Microsoft says this update fixes​

App‑V and virtualized Office: the core fix​

  • The headline change in KB5068221 is a fix for Microsoft Office applications that fail in App‑V environments due to a double handle closure in system components named AppVEntSubsystems32 or AppVEntSubsystems64.
  • The KB explicitly lists this as a virtualization/platform compatibility correction; Microsoft describes it as the primary non‑security quality fix in the OOB package.
Why this matters: many enterprises and VDI deployments still use Microsoft Application Virtualization (App‑V) to centrally deliver and manage Office and other business applications without installing them locally. When Office processes crash or exit unexpectedly in App‑V containers, productivity and helpdesk load spike — a classic justification for an emergency compatibility patch. The out‑of‑band nature of KB5068221 signals Microsoft treated the issue as high‑priority for affected customers.

AI component refresh (Copilot+ scope)​

KB5068221 also includes updates for several modular AI components used by Windows features and Copilot+ experiences. Microsoft lists updated component versions:
  • Image Search — 1.2508.906.0
  • Content Extraction — 1.2508.906.0
  • Semantic Analysis — 1.2508.906.0
  • Settings Model — 1.2508.906.0
Important caveat: these AI component packages will only apply on devices that meet the Copilot+ hardware requirements (specialized NPUs and OEM enablement). On conventional PCs and servers they will simply not be installed. The KB notes this explicitly, so administrators should not expect new AI features to appear on standard hardware.

Servicing stack update (SSU) pairing​

The cumulative is delivered together with KB5064531 (SSU 26100.5074). Bundling the SSU and the LCU (Latest Cumulative Update) is a standard Microsoft practice intended to ensure the operating system’s update plumbing can reliably download, validate, and apply the fix. Administrators should be aware that SSUs are generally not removable after installation; rollback mechanics therefore differ and typically require a DISM-based removal of the LCU only.

The known problem that persists: SMBv1 + NetBIOS over TCP/IP regression​

Symptoms and scope​

  • After the September 9, 2025 security rollup and subsequent packages that include it, Microsoft documented that connections to SMBv1 shares over NetBIOS over TCP/IP (NetBT) may fail when either the client or the server has the September updates installed.
  • The failure affects SMBv1 + NetBT negotiation and can manifest as inability to access shared files and folders, failed mapped drives, authentication prompts that don’t complete, or other file‑share faults in environments that depend on NetBIOS name resolution.
This is not an isolated community rumor — Microsoft itself lists the problem as a Known Issue in the KB entries for both the September 9 rollup and the September 22 OOB package. Independent reporting by industry outlets confirmed the issue and documented real‑world impacts across client and server SKUs.

Short‑term workaround: prefer SMB over TCP (port 445)​

Microsoft’s mitigation is pragmatic and immediate:
  • Allow network traffic on TCP port 445 between client and server, which causes SMB traffic to negotiate over native TCP rather than NetBIOS over TCP/IP (NetBT).
  • When TCP/445 is available, Windows will switch SMB sessions to TCP transport and the share access should resume.
This workaround restores functionality quickly in many environments, but it is a transitional measure — not a long‑term design goal. Administrators should treat it as a stopgap while planning to migrate away from SMBv1 and the fragile NetBIOS discovery stack.

Why this matters from a security and operations perspective​

  • SMBv1 is obsolete and insecure. It lacks modern protections (pre‑auth integrity checks, secure dialect negotiation, improved authentication hardening) and has been deprecated for years; Microsoft stopped installing it by default starting with Windows 10 version 1709. Continuing to rely on SMBv1 exposes organizations to needless attack surface.
  • NetBIOS (NetBT) is fragile and legacy. Modern networks and endpoints rely on DNS and SMBv2/SMBv3. Dependencies on NetBT often denote older NAS devices, embedded equipment, or unmanaged appliances that can be costly to replace — but they’re also a liability that needs a migration plan.

Deployment and operational guidance​

How KB5068221 is delivered​

  • KB5068221 is out‑of‑band and is not pushed to every device automatically via normal monthly Windows Update channels in many managed environments; administrators can obtain the MSU packages from the Microsoft Update Catalog and import them into patch management tooling for targeted deployment. The KB contains DISM and wusa guidance for offline and scripted installs.

Recommended rollout strategy​

  • Inventory and prioritize systems:
  • Identify App‑V hosts, VDI golden images, and endpoints where Office is delivered via application virtualization.
  • Identify servers, NAS devices, printers, or appliances that still use SMBv1 or NetBIOS name resolution.
  • Pilot ring:
  • Install KB5068221 on a small set of representative machines (App‑V hosts, VDI brokers, and a subset of copilot+ hardware if applicable).
  • Validate Office launch flows, document any crashes, and capture Event Viewer logs for post‑install comparison.
  • Staged rollout:
  • Expand deployment to broader rings if no regressions are observed.
  • Monitor update success, servicing stack behavior, and network traffic (SMB negotiation over TCP vs NetBT).
  • Maintain rollback runbooks:
  • Because the SSU cannot be uninstalled easily, document the exact DISM /Remove‑Package steps to remove the LCU if necessary. Pre‑test rollback in an isolated environment.

Checklist for App‑V operators​

  • Repackage and publish Office test images into a controlled App‑V pilot pool and validate:
  • Office application startup and plugin behavior.
  • File open/save operations and integration with shared drives (consider the SMBv1 caveat).
  • Confirm the App‑V client/service versions in use are supported by Microsoft and update App‑V servers if required.
  • Keep incident response ready: capture crash dumps, process handles, and trace logs for AppVEntSubsystems if anomalies reappear.

Technical verification and cross‑checks​

The most load‑bearing technical facts in this release are corroborated in Microsoft’s official KB article for KB5068221 (release date, OS build, App‑V fix, AI component versions, and bundled SSU). Independent reporting and community trackers confirmed the SMBv1/NetBT regression and recommended the same TCP/445 workaround Microsoft published. BleepingComputer’s coverage, Windows Report, and multiple community forums documented impact and mirrored Microsoft’s guidance. These independent confirmations reduce the risk that the KB is being misread or mis‑reported.
A few specifics stand out as verifiable and stable:
  • Release date and OS build: September 22, 2025 — OS Build 26100.6588.
  • Primary compatibility fix: double handle closure in AppVEntSubsystems32/AppVEntSubsystems64 affecting Office in App‑V.
  • Known issue: SMBv1 over NetBT may fail if the September security updates are present on either endpoint; workaround is to allow TCP/445.
Where public details are thin or operational conditions are highly environment‑dependent — for example, exact repro steps for the double handle closure or the full content of the AI component model changes — those items are documented in the KB but not exhaustively described; administrators should treat such internal component changes as vendor‑maintained telemetry and test accordingly. If field teams need binary or symbol‑level detail for debugging, opening a Microsoft Support case or requesting escalated telemetry is the correct path.

Strengths of Microsoft’s response​

  • Speed and focus: delivering a narrowly scoped OOB cumulative within days of a high‑impact regression shows Microsoft prioritized a correctability path for enterprise customers rather than waiting for the standard monthly cadence.
  • Bundled servicing‑stack hardening: including KB5064531 (SSU) reduces the chance of installation plumbing failures and improves downstream patch reliability.
  • Clear documentation and mitigation: Microsoft published the known SMBv1/NetBT issue and a pragmatic, testable workaround (allow TCP/445), and the KB includes install/rollback guidance for managed environments.

Risks, caveats, and what to watch for​

  • SSU permanence increases rollback complexity. Once the servicing stack update is applied, the only practical route to remove the LCU portion involves DISM /Remove‑Package operations against specific package names; in complex environments that can be fiddly or fail if the OS state diverged. Plan rollback rehearsals.
  • SMBv1 dependency is a brittle cross‑platform risk. Environments that rely on legacy NAS, embedded devices, or NetBIOS discovery must treat KB5068221 as a catalyst to accelerate SMBv1 retirement. Opening TCP/445 is an acceptable short‑term fix, but enabling port 445 widely without compensating network segmentation or filtering expands attack surface.
  • Hidden AI surface: the update refreshes AI components with model‑like version numbers (1.2508.906.0), but the functional impact is limited to Copilot+ devices. Administrators should treat these as telemetry‑level changes unless their fleet includes Copilot+ certified devices. Don’t assume new AI features will appear on conventional machines.
  • Incomplete public telemetry on the App‑V root cause: while Microsoft describes the immediate cause as a double handle closure, deep technical details and proof‑of‑concept diagnostics are not public. This means organizations may need to rely on Microsoft support for deeper debugging, which can add time and coordination overhead.

Practical recommendations — short and mid‑term​

  • Immediately identify App‑V hosts and pilot KB5068221 in a controlled ring. Confirm Office workflows and capture crash telemetry in the event of any regression. Use the MSU packages from the Microsoft Update Catalog for managed staged installs.
  • For SMBv1 dependencies:
  • Short term: implement the Microsoft workaround by allowing TCP/445 between affected clients and servers, but restrict that traffic to required subnets and apply strong network ACLs.
  • Mid term: create an inventory and replacement/migration plan for devices that require SMBv1. Prioritize firmware or vendor upgrades for NAS devices, printers, and embedded systems or plan for network segmentation until replacements are available.
  • Prepare rollback playbooks that account for the SSU+LCU packaging model. Test DISM-based uninstall flows in an isolated image to validate rollback steps before broad deployment.
  • If your organization uses Copilot+ hardware or pilots OS‑level AI features, record the AI component versions post‑install (1.2508.906.0) and correlate with telemetry to detect regressions or performance changes. Otherwise, ignore this as a non‑applicable component for standard devices.

Broader implications for enterprise patching discipline​

KB5068221 is a reminder of two enduring truths for enterprise Windows operations:
  • Vendor patch cycles are imperfect: regressions happen even in large, mature maintainers of operating systems, and a nimble ability to apply targeted fixes and rollbacks is a must for modern IT teams.
  • Legacy protocol dependencies hide systemic risk: SMBv1 and NetBIOS are still present in many networks; each new update that tightens or corrects legacy behaviors creates breakage vectors for organizations that have not modernized.
Treat the September updates and the out‑of‑band follow‑ups not as discrete events but as signals: it’s time to accelerate both technical debt reduction (SMBv1 retirement) and operational maturity (pilot rings, improved telemetry, and rehearse rollback strategies).

Conclusion​

KB5068221 (OS Build 26100.6588) is a focused, operator‑oriented response from Microsoft: it repairs a pressing compatibility regression affecting Office delivered through App‑V, refreshes relevant AI component packages for Copilot+ devices, and hardens the servicing stack. That speed comes with the reality that the September security cycle also created a nagging legacy‑protocol regression: SMBv1 over NetBIOS sessions can fail when one side has the September updates installed. Microsoft’s published workaround — prefer SMB over TCP by allowing TCP/445 — restores functionality quickly in many cases, but it should be treated as a temporary mitigation while organizations retire obsolete SMBv1 dependencies and rehearse tested deployment and rollback plans.
Administrators should prioritize a small‑scale pilot of KB5068221 in App‑V and VDI environments, confirm rollback methods, and accelerate SMBv1 mitigation plans. The update is a practical fix for a real enterprise pain point — and a reminder that good hygiene (updating legacy devices, maintaining update runbooks, and tight network controls) remains the strongest defense against the operational cost of regressions.
Source: Research Snipers Microsoft Releases Emergency Windows 11 Update to Fix Office Virtualization Issues – Research Snipers
 

Microsoft released an out‑of‑band cumulative update for Windows 11 version 24H2 on September 22, 2025 — KB5068221 (OS Build 26100.6588) — to fix a targeted compatibility regression that caused Microsoft Office to fail when delivered via Microsoft Application Virtualization (App‑V), while also carrying the September security rollup and a servicing‑stack update; the package reiterates a known SMBv1/NetBIOS connectivity caveat and includes a reminder about the upcoming Secure Boot certificate rotation.

A computer workstation in a server room with holographic dashboards and a Windows monitor.Background​

Microsoft occasionally issues out‑of‑band (OOB) cumulative updates when a regression or high‑impact compatibility problem requires faster distribution than the normal monthly cadence. KB5068221 is such a release: it bundles the fixes from the September 9, 2025 security rollup (KB5065426) and adds a narrowly scoped quality fix for App‑V environments, together with a servicing stack update (SSU) to improve installation reliability.
Why the urgency? Enterprises and virtual desktop infrastructures often use Microsoft Application Virtualization (App‑V) to stream and centrally manage Office and other business applications. A stability regression that causes Office to fail in App‑V sessions creates significant productivity and support impacts, which justified an immediate, targeted cumulative.

What KB5068221 actually contains​

High‑level summary​

  • Applies to: Windows 11, version 24H2 (all editions).
  • Release date: September 22, 2025.
  • Post‑install OS build: 26100.6588.
  • Packaging: Combined Latest Cumulative Update (LCU) + Servicing Stack Update (SSU — KB5064531, servicing stack build 26100.5074).
  • Principal quality fix: App‑V compatibility repair addressing a double handle closure in the AppVEntSubsystems32 or AppVEntSubsystems64 component that could cause Office applications to fail when virtualized.
  • Additions: Updated AI component packages (Image Search, Content Extraction, Semantic Analysis, Settings Model — version 1.2508.906.0) that apply only to Copilot+ eligible devices.
These bullets reflect the content Microsoft published in the KB and the metadata included with the cumulative. Administrators should treat the KB as the authoritative inventory of changes.

The App‑V / Office fix — the technical root cause (as described by Microsoft)​

Microsoft’s KB describes the parent symptom as Office applications failing when run inside App‑V published packages. The vendor identifies the proximate cause as a double handle closure within the App‑V subsystem — specifically the AppVEntSubsystems32 (32‑bit) or AppVEntSubsystems64 (64‑bit) components — which can lead to resource lifecycle errors and application termination in certain runtime paths. KB5068221 corrects that behavior.
This is a narrow, platform compatibility fix rather than a new Office patch. In practice, the update restores predictable Office behavior for organizations that deliver Office via App‑V without requiring changes to Office packages themselves.

Why this matters to enterprises and VDI operators​

  • App‑V remains in production in many large enterprises, terminal server farms, and VDI/RemoteApp deployments. When core productivity apps like Office crash inside application virtualization layers, helpdesk volume and business disruption increase rapidly. Restoring stability is a high operational priority.
  • The out‑of‑band delivery pattern signals Microsoft judged the regression severe enough to warrant a discrete cumulative between scheduled Patch Tuesday releases.
  • The cumulative nature of KB5068221 means it carries forward earlier security fixes from September 9, 2025 (KB5065426) while adding the App‑V repair. That consolidation helps ensure security parity and platform compatibility across the estate.

Known issue carried into this release: SMBv1 + NetBIOS over TCP/IP connectivity​

The problem​

KB5068221 reaffirms a known issue introduced with the September 9, 2025 security rollup: systems that rely on SMBv1 over NetBIOS over TCP/IP (NetBT) may fail to connect to shared files and folders when either the client or server has applied the September updates. The problem affects SMBv1 sessions that depend on NetBT name resolution and negotiation; SMBv2 and SMBv3 deployments are not impacted.
Independent reporting confirmed Microsoft’s advisory and documented real‑world occurrences across client and server SKUs, making this a broadly observed compatibility caveat.

Microsoft’s workaround​

  • Allow network traffic on TCP port 445 between the affected client and server. This forces the SMB stack to use SMB over TCP (which supports SMBv2/SMBv3) rather than NetBT, restoring connectivity in many scenarios. Microsoft labels this a temporary mitigation while a permanent resolution is prepared for a future update.

Practical implications and risk tradeoffs​

Opening or permitting TCP/445 traffic as a workaround can be operationally acceptable for short‑term remediation inside secured network segments, but it increases the attack surface if applied broadly without compensating controls (firewall rules, network ACLs, micro‑segmentation, endpoint protection). Environments still dependent on SMBv1 should treat KB5068221 as an accelerator to retire SMBv1 and modernize file‑sharing to SMBv2/3 with proper signing and authentication hardening.

Servicing stack (SSU) packaging and rollback considerations​

KB5068221 is shipped as a combined LCU + SSU package; the included servicing stack update is KB5064531 (servicing stack build 26100.5074). Microsoft bundles SSUs and LCUs to reduce the chance of update plumbing failures, but SSUs are not normally uninstallable by conventional means. That means rollback strategies differ: removing the LCU portion typically requires DISM /Remove‑Package with the exact package identity; the SSU portion generally remains. Administrators must plan and test rollback procedures before broad deployment.
Key operational points:
  • Test DISM‑based uninstall flows in an isolated environment before relying on them for production rollbacks.
  • Document exact package names and the removal sequence — SSU permanence can complicate reimaging or remediation workflows.

AI component refresh — limited scope​

KB5068221 updates multiple AI component packages (Image Search, Content Extraction, Semantic Analysis, Settings Model) to version 1.2508.906.0, but Microsoft clarifies these packages apply only to Copilot+ devices — hardware that meets the specific NPU and OEM enablement criteria for Copilot+ experiences. On standard consumer or server hardware these AI component updates are inert and will not install. Administrators with Copilot+ pilots should record these version numbers and correlate telemetry after deployment.

Secure Boot certificate rotation — what KB5068221 reminds admins​

KB5068221 includes a reminder that the original Microsoft Secure Boot UEFI certificates (issued around 2011) begin expiring starting June 2026, and Microsoft is rolling out new 2023 certificates via Windows Update and other channels ahead of that date. This certificate rotation affects pre‑boot trust and can cause boot or Secure Boot policy failures on devices whose firmware does not accept the updated keys. Organizations should inventory affected devices, verify firmware update availability from OEMs, and follow Microsoft’s published guidance for updating Secure Boot certificates.
Independent reporting emphasizes that the change can create compatibility headaches — notably for some Linux distributions that rely on Microsoft’s signing key for Secure Boot shim compatibility; impacted systems without firmware updates may require manual key enrollment or other interventions. Treat the certificate rotation as a separate but important program that requires planning and vendor coordination.

Recommended operational checklist (practical, prioritized)​

  • Inventory and prioritization
  • Identify systems running Windows 11 24H2 and report build numbers in the 26100 family.
  • Flag all hosts that publish Office via App‑V, VDI farms, Remote Desktop Session Hosts, and shared images.
  • Pre‑deployment testing (pilot ring)
  • Create an App‑V test pool and validate Office start/stop, add‑in behavior, and file‑open scenarios.
  • Include a subset of devices that rely on SMBv1/NetBT to validate the known issue and workaround.
  • Apply KB5068221 in a controlled ring
  • Prefer Windows Update for managed devices; for offline or scripted installs, download the MSU packages from the Microsoft Update Catalog and follow Microsoft’s sequence recommendations.
  • Validate post‑install behavior
  • Confirm Office in App‑V launches normally, check Event Viewer for related errors, and capture crash dumps if necessary.
  • On any devices with Copilot+ hardware, record AI component versions (1.2508.906.0) for correlation.
  • If SMBv1/NetBT connectivity breaks occur
  • Implement Microsoft’s short‑term workaround: allow TCP port 445 between affected client and server pairs, restricted by network ACLs or firewall rules.
  • Do not open port 445 across wide unsegmented networks without compensating controls.
  • Accelerate SMBv1 retirement
  • Inventory legacy NAS, embedded devices, printers, Windows XP/legacy servers, or appliances that only speak SMBv1.
  • Plan firmware upgrades, vendor replacements, or network segmentation for legacy systems as a medium‑term project.
  • Prepare rollback and recovery playbooks
  • Test DISM /Remove‑Package removal of the LCU from a lab image; document exact package names and sequences.
  • Ensure imaging and reimage steps are tested for devices where rollback may be required.
  • Secure Boot certificate readiness
  • Start inventorying devices for firmware updates and confirm whether OEM firmware updates will add the 2023 certificates to the platform db/KEK.
  • For Linux or multi‑boot environments, validate shim/signing compatibility and plan for manual KEK/db updates where necessary.
  • Monitoring and telemetry
  • Monitor Windows Update health, Windows Release Health announcements, and Event Viewer for signs of App‑V subsystem errors or SMB negotiation failures.
  • Escalate to Microsoft Support for any reproducible App‑V crashes where vendor telemetry is required.
  • Communicate with stakeholders
  • Notify helpdesk, desktop engineering, and network teams about the SMB workaround and expectations.
  • Inform end‑user support teams to capture precise repro steps and logs for any App‑V Office regressions.

Risk analysis — balancing urgency and exposure​

  • Strengths of Microsoft’s approach
  • Speed and focus. The OOB release addresses a high‑impact, narrowly scoped regression quickly rather than forcing customers to wait for the next monthly update. This reduces business disruption for App‑V customers.
  • Consolidation. Combining the September security fixes with the platform compatibility fix keeps devices secure and consistent with the vendor’s intent.
  • Servicing reliability. Bundling an SSU reduces the risk of update plumbing failures during deployment.
  • Tradeoffs and operational risks
  • SSU permanence. Once the servicing stack is updated, ordinary uninstall paths for the full package are limited. Rollback complexity increases, and untested DISM procedures can fail in messy real‑world states.
  • SMBv1 legacy exposure. The suggested workaround (opening TCP/445) restores connectivity in the short term but expands attack surface if not constrained by network segmentation and endpoint defences. Organizations still on SMBv1 are effectively being forced to accelerate remediation.
  • Opaque internals. The KB identifies a double handle closure as the root cause, but deep diagnostic artifacts and repro paths are not publicly available; troubleshooting may require Microsoft engineering assistance and access to product telemetry. Flag any such data‑gathering as an escalation path with Microsoft Support if in‑field debugging is necessary.

When to deploy KB5068221 — a pragmatic decision matrix​

  • If your estate publishes Office via App‑V and you are observing crashes or increased helpdesk volume tied to App‑V Office sessions: Deploy promptly to pilot and then broaden, following the checklist above. The update is the vendor’s direct remedy for that exact problem.
  • If you have no App‑V published Office workloads and your environment contains no SMBv1 dependencies: Deploy as part of normal testing and patching cycles; the update also carries security fixes from the September 9 rollup.
  • If you have extensive SMBv1 dependencies and cannot quickly migrate: Test the workaround carefully, apply narrow network ACLs for TCP/445 between affected peers, and prioritize SMBv1 retirement. Consider a staged approach that combines the update with immediate network segmentation to minimize exposure.

Final assessment and takeaway​

KB5068221 is a narrowly scoped but operationally meaningful out‑of‑band cumulative: it fixes an App‑V Office reliability regression while carrying forward important September security fixes and hardening the servicing stack. The release is evidence that Microsoft will issue targeted OOB packages when telemetry and customer reports indicate high‑impact regressions. Administrators who rely on App‑V should prioritize piloting this update; those with legacy SMBv1 dependencies should treat the known NetBT connectivity issue as a hard deadline to accelerate migration or segmented mitigation.
At the same time, KB5068221 exposes classic enterprise tradeoffs: rapid remediation of an important compatibility failure versus the complexity of SSU permanence and the network security cost of a temporary SMB workaround. The prudent operational posture is clear: test in a controlled ring, use Microsoft’s documented mitigations narrowly and defensively, and convert short‑term workarounds into durable remediations — particularly the elimination of SMBv1 and preparation for the Secure Boot certificate rotation.
Implement the checklist, rehearse rollback steps, and schedule inventory work for both SMB and Secure Boot certificate readiness. KB5068221 fixes a real pain point for App‑V customers — but it also underscores why disciplined testing, segmentation, and modernization remain the most reliable defenses against update‑driven disruption.
Source: Neowin Windows 11 24H2 KB5068221 fixes problems with Office apps
 

Microsoft has quietly shipped an out-of-band cumulative update for Windows 11 version 24H2 — KB5068221 (OS Build 26100.6588) — that restores stability for Microsoft Office when delivered via Microsoft Application Virtualization (App‑V) while also carrying forward September’s security rollup and servicing‑stack hardening; the release reiterates a persistent SMBv1 over NetBIOS (NetBT) connectivity caveat and reminds administrators about upcoming Secure Boot certificate rotation.

A desktop monitor on a desk shows a blue wallpaper with a large KB logo on the screen.Background​

Microsoft issued KB5068221 as an out‑of‑band (OOB) cumulative on September 22, 2025 to address a targeted, high‑impact compatibility regression that surfaced after the September 9 Patch Tuesday rollup (KB5065426). The package is cumulative: it includes security fixes already delivered on September 9 and layers a narrowly scoped quality fix on top, together with a Servicing Stack Update (SSU) to improve installation reliability.
Out‑of‑band releases are reserved for regressions that materially affect enterprise operations and cannot wait for the normal monthly cadence. In this case, App‑V customers who publish Office saw failures tied to a double handle closure in core App‑V subsystem components; Microsoft judged the problem severe enough to warrant immediate remediation.

What KB5068221 contains: a concise inventory​

The update is compact in scope but significant for affected deployments. Key items enumerated in Microsoft’s public Knowledge Base include:
  • OS Build: 26100.6588 after install (Windows 11, version 24H2).
  • Primary fix: A virtualization/platform compatibility fix for Microsoft Office running in App‑V environments — addressing a double handle closure in AppVEntSubsystems32 or AppVEntSubsystems64.
  • Servicing Stack Update (SSU): KB5064531 (servicing stack build 26100.5074) bundled to harden update plumbing.
  • AI component refresh (Copilot+ scope): Image Search, Content Extraction, Semantic Analysis, and Settings Model updated to 1.2508.906.0 — these apply only on devices that meet Copilot+ hardware and OEM enablement.
  • Known issue carried forward: SMBv1 protocol connectivity failures when SMB over NetBIOS (NetBT) is used after the September updates; official workaround is to allow TCP port 445 so SMB can use TCP rather than NetBT.
This concise inventory is the authoritative starting point for administrators assessing impact and planning deployment.

Technical deep dive: the App‑V Office regression and the fix​

The fault: double handle closure in AppVEntSubsystems​

Microsoft’s KB describes the root symptom as Office applications failing when run inside App‑V published packages. The proximate cause is a double handle closure inside the App‑V subsystem — specifically the AppVEntSubsystems32 (32‑bit) and AppVEntSubsystems64 (64‑bit) components. A double handle closure is a resource lifecycle bug where a handle (a reference to a system object like a file or socket) is released twice, which can lead to use‑after‑free, crashes, or undefined behavior. The result in production is unpredictable Office instability under App‑V.

Why this matters to enterprises and VDI operators​

App‑V remains an important delivery mechanism in many enterprise VDI, RemoteApp, and thin‑client environments where applications are streamed or centrally managed. When Office — the cornerstone productivity suite — crashes in these contexts, the result is immediate productivity loss, elevated helpdesk load, and potential SLA impacts. Fixing the underlying platform bug in the OS is the only practical remedy for affected customers; adjusting Office packages themselves is unlikely to mitigate a subsystem handle lifecycle error.

The fix and verification points​

KB5068221 implements a platform compatibility correction: it adjusts the App‑V subsystem so the double handle closure no longer occurs in the affected code paths. Administrators should verify the following post‑install to confirm remediation:
  • OS reports Build 26100.6588.
  • App‑V published Office packages launch reliably in the pilot pool, without the prior crashes or unexpected exits.
Because the KB does not publish micro‑patch diffs or symbol‑level changes, teams that need in‑depth telemetry (crash dumps, process handle analyses) should capture diagnostic evidence prior to and after deployment and escalate to Microsoft support if anomalies persist.

The SMBv1 / NetBIOS known issue: scope, workaround, and risk​

What breaks and why​

KB5068221 reiterates a known issue introduced with the September 9 security rollup (KB5065426): when a client or server has the September 2025 security updates installed, connections to SMBv1 shares that rely on NetBIOS over TCP/IP (NetBT) may fail. The SMB negotiation path that depends on NetBT can encounter a handshake fallback/sock cleanup regression, causing intermittent failure to connect to legacy shares.
This is a cross‑platform issue affecting client and server SKUs in the Windows family and is not limited to Windows 11. Independent reporting confirmed the behavior and Microsoft’s workaround, underscoring the practical impact for environments with legacy devices.

The official workaround​

Microsoft’s temporary mitigation is pragmatic:
  • Allow TCP port 445 between affected endpoints so SMB negotiation will fall back to SMB over TCP instead of NetBIOS transport (NetBT). This causes the SMB stack to resume connectivity in many scenarios.
This workaround restores connectivity quickly in controlled networks, but it is explicitly a stopgap. Allowing or opening port 445 broadly without compensating controls increases the network attack surface and may be unacceptable in more restrictive environments.

Security and operational risks​

  • SMBV1 is deprecated and insecure. The protocol lacks modern integrity checks and other mitigations present in SMBv2/SMBv3; long‑term reliance is a security liability.
  • Opening TCP/445 has tradeoffs. In environments where NetBIOS was intentionally used to limit SMB traffic exposure, switching to TCP/445 may require segmentation, hardened firewall rules, and enhanced monitoring to avoid creating new vulnerabilities.
  • Embedded/legacy devices are the choke point. NAS appliances, printers, and specialized hardware that only speak SMBv1 may force organizations into temporary workarounds or costly hardware replacement programs.
The bottom line: use the TCP/445 workaround only in tightly controlled network segments while accelerating migration to SMBv2/SMBv3 and modern authentication and signing.

Deployment guidance and recovery planning​

Recommended rollout strategy​

  • Inventory and prioritize targets: identify App‑V hosts, VDI golden images, and endpoints that run Office via App‑V. Also inventory devices that still depend on SMBv1/NetBT.
  • Pilot in a small, representative ring that includes App‑V hosts and the most common user profiles. Capture telemetry and crash dumps pre‑ and post‑install.
  • Validate App‑V workflows: Office launch, add‑ins, file open/save flows against shared storage, and printing. Confirm SMB connectivity where legacy shares are involved.
  • Expand staged rollout with monitoring and incident playbooks in place. Maintain a communications channel with helpdesk and affected teams.

Rollback and uninstall considerations​

Because KB5068221 is delivered as a combined LCU + SSU package, the SSU portion cannot be removed by simple wusa /uninstall; uninstalling the LCU requires DISM /Remove‑Package using the exact package name as retrieved from DISM /online /get-packages. Administrators must pre‑test DISM‑based rollback flows in an isolated environment and document the precise package identity for recovery.

Package deployment options​

  • Windows Update / WSUS / MECM / Intune: Deploy via standard management channels for managed endpoints.
  • Microsoft Update Catalog / MSU files: Download the MSU file from the Update Catalog for offline deployment or for importing into third‑party patch management systems. Use DISM for offline servicing of images.

Critical analysis: strengths, tradeoffs, and residual risks​

Strengths — Microsoft’s response where it counts​

  • Speed and focus: issuing an OOB cumulative quickly addressed a regression that directly affected productivity in App‑V deployments. That reduced helpdesk impact and restored expected behavior for many customers.
  • Cumulative packaging: bundling the September security fixes with the App‑V repair helps ensure patched systems are simultaneously brought to an updated security baseline, avoiding sequential patch churn.
  • Servicing stack hardening: including an SSU reduces installation plumbing failures and improves downstream servicing reliability — important for enterprise deployments where patch failures can cascade.

Tradeoffs and operational downsides​

  • SSU permanence complicates rollback. Because the SSU component cannot normally be removed, rollback strategies must rely on DISM and pretested procedures. This increases the operational burden for change control.
  • SMBv1 connectivity caveat persists. The known issue affecting SMBv1 over NetBIOS remains unresolved pending a future update, and the recommended workaround introduces network security tradeoffs.
  • OOB cadence increases change velocity. Although necessary, out‑of‑band updates increase operational tempo. Organizations must explicitly triage which OOB fixes to adopt immediately versus deferring to scheduled cycles.

Residual uncertainty and unverifiable details​

Microsoft’s KB documents the behavioral fix and the affected component names, but it does not publish low‑level diffs or full repro steps for the double handle closure. For teams requiring binary‑level analysis or symbol traces, the public KB is not sufficient; those teams will need to collect crash dumps, event logs, and open a support case for deeper investigation. Treat any third‑party field reports that diverge from the KB as environment‑specific until Microsoft confirms otherwise.

Practical checklist for IT teams (quick actions)​

  • Confirm whether App‑V hosts or published Office packages are in production and prioritize those systems for pilot testing.
  • Download KB5068221 packages to a staging repository (WSUS / MECM / Update Catalog) and pre‑stage files for controlled rollout.
  • Test a full rollback path using DISM /Remove‑Package in a non‑production image and document exact package IDs (DISM /online /get-packages).
  • Inventory SMBv1 dependencies. For devices that must keep SMBv1, implement the TCP/445 remediation only within trusted network segments and compensate with firewall rules and monitoring.
  • If piloting Copilot+ hardware, record pre/post AI component versions (1.2508.906.0) to correlate telemetry and catch regressions linked to these component updates.

Broader implications: Secure Boot certificates and Copilot+ components​

KB5068221 also uses its KB note as an opportunity to remind administrators that Windows Secure Boot certificates are scheduled to begin expiring in June 2026 and that organizations should prepare by planning CA/KEK updates, firmware updates, and coordination with OEM vendors. This advisory has lifecycle consequences — failure to plan may cause boot‑time issues for some platforms. Treat this reminder as a call to action for firmware inventory and vendor coordination.
On the AI front, the package updates multiple modular components used by Windows Copilot and related features, but those payloads only apply on Copilot+ devices. For most enterprise and server deployments the AI component refresh is inert; for Copilot+ pilots it is worth recording component versions and monitoring for performance or behavior changes.

What to watch next​

  • A future update that permanently resolves the SMBv1/NetBT regression — Microsoft says a fix is in progress. Until then, expect administrators to balance short‑term connectivity fixes with longer‑term migration off SMBv1.
  • Field reports of any unintended side effects after deploying KB5068221, particularly in mixed App‑V and VDI estates or in networks with legacy SMBv1 devices. Capture logs and escalate to Microsoft Support where necessary.
  • OEM and firmware guidance related to Secure Boot certificate rotation; organizations should inventory affected devices and confirm vendor paths for CA/KEK updates.

Conclusion​

KB5068221 is a narrowly targeted, pragmatic response from Microsoft: a fast out‑of‑band cumulative that corrects an App‑V regression causing Microsoft Office failures, bundles September’s security fixes and servicing‑stack improvements, and reemphasizes two operationally important items — the SMBv1/NetBT connectivity caveat and Secure Boot certificate rotation. For organizations that deliver Office via App‑V, KB5068221 should be piloted urgently in a controlled ring with rollback playbooks validated. For environments still dependent on SMBv1, the release is a firm reminder that migration to SMBv2/SMBv3 and modernization of legacy devices cannot be postponed. Test methodically, document rollback steps, and treat the TCP/445 workaround as a temporary mitigation rather than a permanent design change.
This update restores a critical productivity expectation for App‑V customers while highlighting the twin operational challenges of servicing‑stack permanence and legacy protocol technical debt. Deploy with care, monitor closely, and use the incident to accelerate both modernization and update governance.
Source: Neowin Windows 11 24H2 KB5068221 fixes problems with Office apps
 

Microsoft has pushed an out‑of‑band cumulative update for Windows 11, version 24H2, to repair a targeted compatibility regression that caused Microsoft Office applications to fail when delivered via Microsoft Application Virtualization (App‑V). The patch — released on September 22, 2025 — raises the OS build to 26100.6588, bundles the September security rollup, installs a servicing stack update, updates several AI components, and carries a notable caveat for environments still using the legacy SMB v1 over NetBIOS.

Desktop wallpaper shows a metallic shield patch with several app icons around it.Background and high‑level summary​

Microsoft classifies KB5068221 as an out‑of‑band (OOB) cumulative update for Windows 11 (24H2). OOB updates are uncommon and used when a regression or high‑impact compatibility issue needs remediation before the regular monthly release cycle. This update includes the fixes and security content from the September 9, 2025 cumulative (KB5065426), plus a narrowly scoped quality fix that addresses an App‑V regression that could make Office delivered via App‑V crash. The package also installs a servicing stack update (SSU KB5064531) and updates several on‑device AI components to version 1.2508.906.0.
The core operational datapoints administrators need right away:
  • Release date: September 22, 2025.
  • Post‑install OS Build: 26100.6588 (LCU + SSU combined).
  • Targeted fix: a double handle closure in the App‑V subsystem (AppVEntSubsystems32/AppVEntSubsystems64) that could cause Office apps to fail within App‑V.
  • Known issue: SMBv1 connectivity over NetBIOS (NetBT) may fail after September security updates; Microsoft recommends allowing TCP port 445 as a temporary workaround.

Why this update matters for enterprises​

App‑V remains in many corporate estates​

Although some organizations have moved to modern application delivery methods (MSIX, Intune app management, cloud‑hosted Office), App‑V continues to be used widely in VDI, thin‑client, and streaming application setups. When Office is published through App‑V, users expect the same stability and functionality as locally installed clients; any regression that causes Office to terminate or fail to launch impacts productivity immediately and generates helpdesk volume.
A double handle closure inside an App‑V system DLL is a resource lifecycle bug: it typically manifests intermittently, under specific timing or load conditions, and can be hard to reproduce in lab environments. Microsoft’s decision to ship an OOB cumulative shows that telemetry and customer reports indicated a high operational impact.

The Servicing Stack Update (SSU) matters​

KB5068221 is packaged as a combined LCU + SSU, which means the servicing stack (the component that installs Windows updates) is updated alongside the cumulative. SSUs are important for installation robustness and are not removable once applied; administrators should plan rollouts accordingly and validate rollback procedures, since removing the SSU itself is not supported via simple uninstall commands.

Technical details — what Microsoft says​

The App‑V defect: double handle closure​

Microsoft’s release notes identify the proximate cause as a double handle closure within the App‑V system components AppVEntSubsystems32 and AppVEntSubsystems64. In general terms, a double handle close happens when code closes the same operating system resource (handle) more than once; the second close can lead to races, use‑after‑free conditions, and application instability. In this case, the symptom was Office applications failing when run inside App‑V‑published packages. The KB states the issue has been fixed in this OOB release.
Note: Microsoft’s public KB provides the high‑level diagnosis but does not publish internal telemetry traces, stack dumps, or a full repro path for the bug. That level of diagnostic detail is typically reserved for engineering support engagements; teams requiring binary‑level or symbol‑level analysis should file an elevated support case and be prepared to share telemetry. Where a claim can’t be validated from public documentation, treat it as vendor‑reported root cause and test accordingly.

AI components updated​

The update also upgrades several on‑device AI components used by search and semantic features:
  • Image Search — 1.2508.906.0
  • Content Extraction — 1.2508.906.0
  • Semantic Analysis — 1.2508.906.0
  • Settings Model — 1.2508.906.0
These component updates are part of Microsoft’s model/component refresh cadence. Administrators should validate whether any in‑house tooling depends on specific AI component versions before broad deployment.

SMBv1 + NetBT known issue and workaround​

The KB explicitly reproduces a continuing known issue introduced by the September security updates: systems that still rely on SMBv1 over NetBIOS (NetBT) may be unable to connect to shared files or folders if either the client or server has the September updates installed. SMBv2 and SMBv3 are not affected.
Microsoft’s temporary mitigation is to allow SMB traffic directly over TCP (port 445) rather than relying on NetBIOS over TCP. For many networks this can be implemented by enabling/allowing TCP inbound/outbound on port 445 between affected endpoints or by ensuring name resolution and SMB negotiation use non‑NetBT mechanisms. Microsoft has said it will deliver a permanent fix in a future update.

Practical guidance for IT administrators​

1. Inventory and prioritize affected systems​

  • Identify which machines publish Office via App‑V. App‑V published apps will often be present on VDI, terminal server, or streaming endpoints.
  • Query for the App‑V subsystem presence (look for AppV services and AppV client installations) and cross‑check with helpdesk telemetry for Office crashes.
  • Classify systems by risk: production VDI pools and user‑facing thin‑client deployments should be prioritized for early testing.

2. Test the update in a controlled ring​

  • Pilot on a small set of non‑critical VDI or App‑V sessions that mirror production usage.
  • Verify Office launches, macro functionality, and add‑in behavior in App‑V published sessions.
  • Validate logon scripts, redirected profiles, and user data access patterns — App‑V can interact with these in subtle ways.
  • Confirm that the SSU installed cleanly and that Windows Update behavior remains normal.

3. Validate SMB dependencies before broad rollout​

  • Search your estate for legacy SMBv1 dependencies (file shares, legacy NAS, embedded devices). Replace or upgrade devices that rely on SMBv1 wherever possible.
  • If you must retain SMBv1 temporarily, implement Microsoft’s temporary workaround by permitting TCP port 445 between affected hosts so SMB traffic falls back to SMB over TCP rather than NetBT. Use firewall rules or network ACLs to control exposure.

4. Check installation status and build numbers​

  • Run winver to confirm the OS build. After installing KB5068221, the build should be 26100.6588.
  • Use PowerShell to list installed KBs, for example:
  • Get-HotFix -Id KB5068221 (or search Get-HotFix / wmic qfe)
  • Confirm the servicing stack update KB5064531 is present if you deployed the combined package. Remember that the SSU portion is not removable in the same way the LCU is.

5. Prepare rollback and support plans​

  • If a pilot shows unexpected behavior, remove only the LCU portion if necessary using DISM /Remove‑Package against the LCU package name; SSU removal is not supported via standard uninstall. Test rollback in a safe environment before relying on it in production.

Security and operational risk analysis​

Strengths of Microsoft’s response​

  • Rapid OOB delivery demonstrates Microsoft’s telemetry and incident‑response capability, and shows the vendor prioritizes fixes that affect core productivity workloads. The single‑issue focus reduces the blast radius compared with an all‑new feature roll‑out.
  • Including the SSU in the package helps ensure reliable future update operations, which is beneficial for long‑running VDI and enterprise images.
  • The temporary workaround for SMBv1 avoids forcing immediate infrastructure changes in environments that cannot instantly replace legacy devices — at least as a stopgap.

Residual risks and caveats​

  • The public KB does not include low‑level repro artifacts, trace logs, or the code paths that triggered the double handle close. Organizations that need deep diagnostics will likely need to escalate to Microsoft with traces and ETW logs. Treat the KB’s root‑cause statement as vendor‑reported unless verified with engineering support. Caution is warranted when interpreting internal root cause language; telemetry‑driven fixes are authoritative but not always fully transparent to outside engineers.
  • The SMBv1 issue is symptomatic of a wider risk: legacy protocol dependencies. Many environments may have aged appliances, NAS devices, or embedded systems that do not support SMBv2/3. Continued dependency on SMBv1 is a security liability and an operational risk. Administrators should accelerate replacement or segmentation plans.
  • The combined nature of the package (LCU + SSU) complicates rollback plans. Because SSUs are persistent, post‑install remediation that requires different servicing stack versions will be more complex.

Recommended timeline and checklist for deployment​

Immediate (Days 0–3)​

  • Review telemetry and helpdesk tickets for Office crashes in App‑V.
  • Test KB5068221 on a small pilot ring that includes App‑V published Office users.
  • Confirm post‑install build shows 26100.6588 and that AI component versions read 1.2508.906.0 where applicable.

Short term (Week 1–2)​

  • Expand to a controlled broad pilot across VDI pools and critical user groups.
  • Validate printers, Office add‑ins, shared templates, macros, and OneDrive/SharePoint access in App‑V sessions.
  • Check SMBv1 dependencies and, if present, implement the TCP/445 workaround while planning replacements.

Medium term (30–90 days)​

  • Replace or upgrade devices that require SMBv1. Move to SMBv2/SMBv3 or alternate storage solutions.
  • Harden configuration so that future updates to Secure Boot, firmware, and boot components can be applied smoothly (see Secure Boot guidance below).
  • Document any anomalies and prepare support cases with Microsoft if you encounter reproducible failures.

Secure Boot certificate expiration: a related but separate planning task​

KB5068221’s KB text also includes a reminder about Windows Secure Boot certificate expiration events that begin in June 2026. Microsoft’s guidance clarifies that several 2011‑era Secure Boot certificates are expiring and are being replaced by 2023 certificates; Microsoft and OEMs are distributing the replacement certificates via Windows Update and OEM firmware updates. Administrators should:
  • Review the Secure Boot certificate guidance and confirm whether devices are enrolled to receive Microsoft‑managed certificate updates.
  • If devices are IT‑managed or air‑gapped, plan a firmware/certificate update path with OEMs; for some server platforms OEM BIOS updates will be required to add the new certificates.
  • Avoid toggling Secure Boot off and on, as that can reset Secure Boot variables and in some cases remove the updated certificates from firmware — this may complicate later automatic updates.
This is a distinct operational program from KB5068221 but intersects with device readiness for future pre‑boot updates: lack of updated certificates can prevent devices from receiving future Secure Boot security fixes and can cause boot‑time trust issues once 2011 certificates expire.

Troubleshooting checklist for App‑V + Office failures​

  • Reproduce the failure in a controlled session with verbose logging enabled for the App‑V client.
  • Collect Event Viewer logs (Application and System) and App‑V client logs.
  • Use Process Monitor or Windows Performance Recorder to capture handle life cycle events if you can reproduce the crash in test. Be mindful of PII and telemetry policies when collecting traces.
  • If the issue persists after installing KB5068221, prepare a Microsoft Support case with the collected traces, ETW logs, and repro steps; include machine images and configuration details for expedited engineering review. Low‑level artifacts will be required for engineering to analyze double handle closure edge cases.

Long‑term recommendations and strategic takeaways​

  • Treat App‑V and other legacy app delivery methods as part of an application modernization roadmap. While App‑V is supported, vendor fixes for regressions can lag behind modern packaging ecosystems; consolidating to newer delivery models reduces future compatibility exposure.
  • Eliminate or isolate SMBv1 wherever possible. Legacy protocols represent both security and stability debt; remediation should be budgeted and prioritized.
  • Maintain a staged update cadence (pilot → broad pilot → production) for OOB updates that bundle SSUs. Because SSUs are persistent, early testing is especially important.
  • Act now on Secure Boot certificate readiness. Confirm device inventory and OEM firmware timelines; delaying will narrow the window for safe remediation before certificate expirations start impacting boot trust.

Conclusion​

KB5068221 is a focused, pragmatic repair: Microsoft corrected a concealed but high‑impact App‑V regression that caused Office delivered via App‑V to fail, packaged the correction with the September security rollup and an SSU, and flagged a continuing SMBv1/NetBT interoperability caveat. For enterprises that still deliver Office through App‑V, this update should move quickly through the pilot rings after careful validation. At the same time, the SMBv1 issue and the upcoming Secure Boot certificate expirations reinforce two persistent themes: the operational cost of legacy protocols and the need for proactive device lifecycle management.
Apply KB5068221 to App‑V‑affected rings promptly, validate Office behavior and SSU installation, and use the temporary TCP/445 mitigation if you must preserve SMBv1 connectivity while you transition away from deprecated protocols. For deep or persistent failures after the patch, collect traces and escalate through Microsoft Support with reproducible logs — the public KB fixes the reported symptom, but binary‑level diagnostics remain the appropriate escalation path for environments that need forensic detail.
Source: Windows Report Windows 11 KB5068221 fixes issues with Office apps running on App-V
 

You must log in or register to reply here.

Similar threads

ChatGPT
  • Featured
  • Article Article
Windows 11 24H2 Out of Band KB5068221: App V Fix, AI Updates, Secure Boot Reminder
Replies
2
Views
109
ChatGPT
ChatGPT
ChatGPT
  • Featured
  • Article Article
Windows 11 September 2025 Update Regressions: DRM EVR, SMBv1, PSDirect
Replies
0
Views
185
ChatGPT
ChatGPT
ChatGPT
  • Featured
  • Article Article
KB5065848: Windows 11 24H2 OOBE Enrollment & ESP Update
Replies
0
Views
217
ChatGPT
ChatGPT
ChatGPT
  • Featured
  • Article Article
August 2025 Windows Recovery Fix: OOB KB5066189/88/87 Restore Reset and Cloud Recovery
Replies
0
Views
384
ChatGPT
ChatGPT
ChatGPT
  • Featured
  • Article Article
Windows 11 22621/22631: OOB KB5066189 Restores Reset & Cloud Recovery
Replies
0
Views
203
ChatGPT
ChatGPT
Back
Top