Windows 11 24H2 Out of Band KB5068221: App V Fix, AI Updates, Secure Boot Reminder

Microsoft released an out‑of‑band cumulative update for Windows 11 version 24H2 on September 22, 2025 — KB5068221 (OS Build 26100.6588) — that bundles quality fixes (including the fixes from the September 9, 2025 security rollup), updates several AI components, and quietly re‑emphasizes the looming Secure Boot certificate expiration program affecting many devices next year.

Background

Microsoft’s September servicing cycle already shipped a large September 9, 2025 security rollup (LCU + SSU) that addressed dozens of vulnerabilities across Windows client and server families. The September 22 out‑of‑band release (KB5068221) is a small, targeted cumulative update for Windows 11 24H2 that consolidates the earlier security fixes and adds a narrow set of quality corrections flagged after the Patch Tuesday release. This pattern — a rapid follow‑up cumulative packaged as an out‑of‑band update — is intended to address post‑release regressions or compatibility issues surfaced by customers and telemetry.
Microsoft explicitly lists the release date (September 22, 2025), the target build (OS Build 26100.6588), and the product scope (Windows 11 version 24H2, all editions) in the public KB article. The KB also bundles a servicing stack update (SSU) — KB5064531 — with a reported SSU build of 26100.5074, and it provides file lists and component version metadata administrators can use for inventory and validation.

What’s in KB5068221 (26100.6588)

Improvements and fixes (high‑level)

  • The update is cumulative and includes the security fixes and improvements shipped in the September 9, 2025 cumulative (KB5065426).
  • Primary targeted fix called out by Microsoft: an App‑V (Microsoft Application Virtualization) compatibility fix for Microsoft Office running in App‑V environments. Microsoft says the failure was caused by a double handle closure in the AppVEntSubsystems32 or AppVEntSubsystems64 components; KB5068221 corrects that behavior.
  • The package updates a set of AI components (Image Search, Content Extraction, Semantic Analysis, Settings Model) to version 1.2508.906.0 in this rollup; Microsoft lists component versions in the KB so administrators can verify installed component versions after deployment.
  • The combined SSU + LCU packaging remains in effect for this update; Microsoft reiterates that the servicing stack (SSU) cannot be uninstalled once applied and that administrators must use DISM to remove only the LCU portion if rollback is required.

Known issues documented in KB5068221

Microsoft documents at least one known issue in the public KB:
  • SMBv1 protocol connectivity break when SMB over NetBIOS (NetBT) is used after systems receive the September 2025 updates. The symptom is that SMBv1 shares accessed via NetBT may fail to connect; Microsoft’s workaround is to allow TCP port 445 so the client and server can negotiate SMB over TCP instead of NetBT. Microsoft warns this impacts only SMBv1 over NetBT and notes SMBv2/SMBv3 are not affected.

Why this update matters (operational impact)

App‑V and virtualized Office deployments

App‑V remains in use in many enterprise app virtualization and VDI environments. A double handle closure in the App‑V subsystem that causes Office applications to fail is a material compatibility issue for organizations that publish Office via App‑V. For those customers, KB5068221 is effectively a high‑priority compatibility fix: it restores predictable behavior and reduces helpdesk traffic caused by Office crashes in App‑V sessions. Organizations that rely on App‑V should treat this update as a targeted patch and validate their published Office packages in a pilot ring before broad rollout.

Cumulative + SSU packaging and rollback considerations

Because Microsoft bundles the SSU with the LCU in a single combined package, the conventional “wusa /uninstall” rollback doesn’t work for the entire package — the SSU portion is permanent. Administrators who need to remove the cumulative portion must use DISM /Remove‑Package with the precise package name. This distinction is operationally critical: test and pilot the update before deploying widely, and ensure your recovery playbooks include a documented DISM-based rollback path.

Secure Boot certificate expiration reminder

KB5068221 reiterates the broader advisory that Windows Secure Boot certificates used by most Windows devices are set to begin expiring starting June 2026. Microsoft’s KB directs administrators to preparatory guidance for CA/KEK updates and recommends early planning to prevent unexpected Secure Boot or boot‑time failures on affected systems. This is not a fix inside KB5068221, but a timely reminder because the certificate‑rotation program is a multi‑stage process that can require firmware and OS coordination. Organizations must inventory devices for firmware updates and platform compatibility; failure to act before certificate expirations could lead to boot errors or inability to apply pre‑boot updates.
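An added readiness check for the certificate rotation described above (example code, not from Microsoft’s KB or this post): it reports whether a device’s Secure Boot db and KEK already carry the 2023 Microsoft certificates that succeed the 2011 CAs expiring from June 2026. It assumes an elevated PowerShell session on a UEFI device, and the certificate subject names are assumed from Microsoft’s Secure Boot certificate guidance rather than taken from the page.

```powershell
# Added example: Secure Boot CA/KEK readiness inventory for the June 2026 expiration program.
# Run elevated on a UEFI device. Certificate subject names below are assumed from Microsoft's
# published Secure Boot certificate guidance; adjust if your inventory standard differs.

# Assumed subject names of the expiring 2011 CAs and their 2023 successors, by UEFI variable.
$CertPairs = @(
    @{ Variable = 'db';  Old = 'Microsoft Windows Production PCA 2011'; New = 'Windows UEFI CA 2023' }
    @{ Variable = 'db';  Old = 'Microsoft Corporation UEFI CA 2011';    New = 'Microsoft UEFI CA 2023' }
    @{ Variable = 'KEK'; Old = 'Microsoft Corporation KEK CA 2011';     New = 'Microsoft Corporation KEK 2K CA 2023' }
)

function Test-SecureBootVariableContains {
    param([string]$Name, [string]$Subject)
    # db and KEK are EFI_SIGNATURE_LISTs of DER certificates; the subject CN is stored as
    # plain text inside the DER, so an ASCII substring match is sufficient for inventory.
    $bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    return $text.Contains($Subject)
}

function Get-SecureBootCertReadiness {
    try {
        $enabled = Confirm-SecureBootUEFI
    } catch {
        # Legacy BIOS/CSM boot or firmware without Secure Boot support: nothing to rotate,
        # but the device should still be recorded as out of scope rather than silently skipped.
        return [pscustomobject]@{ SecureBoot = 'Unsupported'; Ready = $false; Missing = @('n/a: no UEFI Secure Boot') }
    }
    $missing = foreach ($p in $CertPairs) {
        $hasOld = Test-SecureBootVariableContains -Name $p.Variable -Subject $p.Old
        $hasNew = Test-SecureBootVariableContains -Name $p.Variable -Subject $p.New
        # A variable that still lacks the 2023 certificate needs the CA/KEK update (firmware
        # and OS coordination); report which one so OEM follow-up can be targeted.
        if (-not $hasNew) { "$($p.Variable) lacks '$($p.New)' (2011 CA present: $hasOld)" }
    }
    [pscustomobject]@{
        SecureBoot = if ($enabled) { 'Enabled' } else { 'Disabled' }
        Ready      = (@($missing).Count -eq 0)
        Missing    = @($missing)
    }
}

$r = Get-SecureBootCertReadiness
$r | Format-List
if (-not $r.Ready) {
    Write-Warning "Secure Boot CA/KEK update still outstanding: $($r.Missing -join '; '). Confirm OEM firmware support before June 2026."
}
```

Feed the per-device object into your CMDB so the firmware/OEM follow-up list is driven by what the db and KEK actually contain rather than by model lists alone.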

Technical verification and cross‑checks

To ensure accuracy, the key technical claims in Microsoft’s KB were cross‑checked with independent community and reporting channels:
  • The release date, target build number (26100.6588), and the App‑V Office fix are published in the Microsoft KB page.
  • Community reporting and forum tracking around the September servicing cycle describe the update as a short follow‑up cumulative to the large September 9 security rollup; that context is corroborated by community trackers and forum writeups that documented the broader September releases and subsequent hotpatches and out‑of‑band fixes. These community summaries also highlight similar operational concerns (SSU+LCU behavior, hotpatch eligibility, pilot/testing guidance).
  • The SMBv1 over NetBT connectivity problem and the Secure Boot certificate expiration advisory were noted both in Microsoft’s official text and in community advisories and support threads tracking post‑September regressions and policy changes. Administrators should take Microsoft’s KB as authoritative, but community threads are useful for field reports of real‑world impact and workarounds while Microsoft produces a formal resolution.
Note: where third‑party blogs or forums summarize the KB, readers should validate CVE counts or module‑level file versions against Microsoft’s file information payloads (Microsoft publishes downloadable file lists for both the cumulative and the SSU). The exact number of CVEs or classification of fixes is sometimes summarized differently outside Microsoft’s Security Update Guide; treat Microsoft’s official product KB and the Security Update Guide as the vendor of record for CVE ↔ KB mappings.

Deployment guidance — recommended steps

  • Inventory and identify affected systems
    • Target: Windows 11 version 24H2 devices (all editions) that report earlier builds in the 26100 family. Prioritize App‑V hosts, VDI farms, and endpoints that run Office in App‑V containers.
  • Pilot in a representative test ring
    • Include App‑V environments, shared workstation images, and any systems still using legacy SMBv1/NetBT connectivity to network shares. Validate Office launch/repair behavior and SMB file access.
  • Verify SSU and LCU file versions after install
    • Use the file lists Microsoft provides (downloadable from the KB) to confirm correct versions and timestamps; ensure your inventory/CMDB records the new build (26100.6588) and SSU (26100.5074) for compliance reporting.
  • If rollback is necessary, remove only the LCU
    • Use DISM /online /get-packages to get the LCU package name, then DISM /online /Remove-Package /PackageName:<LCU‑package> to remove it. Do not attempt wusa /uninstall on the combined package because the SSU will remain. Test rollback in the pilot ring to confirm behavior.
  • Address SMBv1 NetBT environments proactively
    • For environments that still depend on SMBv1 over NetBT (NetBIOS name resolution), prepare to move them to SMB‑over‑TCP (port 445) or upgrade to SMBv2/SMBv3 by replacing legacy file‑sharing hosts. The KB provides a temporary workaround (allow TCP/445) but this should not be treated as a permanent fix.
  • Secure Boot certificate rotation planning
    • Begin firmware and platform checks now. If devices cannot accept the updated CA/KEK values through firmware updates, plan for exception handling or hardware refresh for the affected systems prior to June 2026. Consult your OEMs for device‑firmware timelines.

Risk analysis — strengths and potential pitfalls

Strengths

  • Rapid response: Microsoft used an out‑of‑band release to address compatibility concerns after the September cumulative, which reduces operational friction for affected customers and prevents prolonged helpdesk churn for App‑V Office failures.
  • Consolidated packaging: by bundling the SSU with the cumulative update, Microsoft reduces the chance of partial update states and improves long‑term servicing reliability on affected devices — provided administrators understand the rollback implications.
  • Transparency about component versions and known issues: the KB includes explicit file information and a documented known issue (SMBv1 over NetBT), which helps enterprises plan mitigations and inventory changes.

Risks and operational caveats

  • SMBv1 NetBT regression: organizations still using SMBv1 over NetBT risk immediate connectivity disruption unless they open TCP/445 or migrate away from NetBT. Because SMBv1 is deprecated, the incident may accelerate necessary migrations, but it also poses short‑term business continuity risks for legacy infrastructure.
  • Rollback complexity: the SSU cannot be uninstalled. If the cumulative introduces an unforeseen regression, removal requires targeted DISM operations and careful validation. This limits rapid rollback options and increases the need for thorough piloting.
  • Secure Boot certificate rotation complexity: the June 2026 expiration window means organizations must coordinate firmware updates, platform support, and OS updates in a multi‑vendor environment. Failure to plan could create boot issues; the timetable and device support status vary widely by OEM and model. Microsoft’s KB highlights the risk but implementation details are largely dependent on OEM firmware updates. This is a cross‑supply‑chain problem that requires active follow‑up.
  • Hidden regressions: community reports after major rollups sometimes surface narrow, hardware‑ or driver‑specific regressions. The out‑of‑band release reduces some risk, but operational teams should still monitor telemetry and community channels for new reports after deployment.

Practical checks and verification commands

  • Confirm installed build and OS version:
    • Run winver, or
    • Run in elevated PowerShell: (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion").ReleaseId, or check the BuildLabEx value, to confirm OS Build 26100.6588.
  • List installed packages to identify the LCU package name for potential removal:
    • DISM /online /get-packages
    • Identify the LCU package name (look for KB5068221 or a package with the reported build string).
    • To remove the LCU (test only in pilot): DISM /online /Remove-Package /PackageName:<package>.
  • Verify SSU version:
    • Microsoft’s KB lists the SSU package name and version (KB5064531, version 26100.5074); confirm presence via the same DISM /get-packages output.
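The build and package checks above, combined into one script as an added example (not Microsoft’s code or the post’s own): it reads the build from the registry, decides whether the device is in scope and at 26100.6588, and records the LCU and SSU package identities for the rollback runbook. It assumes an elevated session and the DISM PowerShell module (Get-WindowsPackage); the package-name patterns it matches on are assumptions and are commented as such.

```powershell
# Added example: verify OS Build 26100.6588 on a 24H2 device and record the LCU/SSU
# package identities for inventory and a DISM-based rollback. Run elevated.

$ExpectedBuild = 26100   # 24H2 family
$ExpectedUbr   = 6588    # revision delivered by KB5068221

function Get-OsBuildInfo {
    # CurrentBuild and UBR together form the "OS Build" that winver shows (26100.6588).
    # ReleaseId is frozen at 2009 on current builds; DisplayVersion carries "24H2".
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        DisplayVersion = $cv.DisplayVersion
        Build          = [int]$cv.CurrentBuild
        Ubr            = [int]$cv.UBR
        BuildLabEx     = $cv.BuildLabEx
    }
}

function Test-ExpectedBuild {
    param([int]$Build = $ExpectedBuild, [int]$Ubr = $ExpectedUbr)
    $os = Get-OsBuildInfo
    # Devices outside the 26100 family (for example 25H2 / 26200) are out of scope for this KB.
    if ($os.Build -ne $Build) { return "Out of scope: build $($os.Build) is not the $Build family" }
    if ($os.Ubr -lt $Ubr)     { return "Not installed: reports $($os.Build).$($os.Ubr), expected $Build.$Ubr" }
    return "OK: reports $($os.Build).$($os.Ubr)"
}

function Get-ServicingPackages {
    param([string]$BuildString = "$ExpectedBuild.$ExpectedUbr")
    # Get-WindowsPackage (DISM module) returns the same identities as 'DISM /online /get-packages'.
    $installed = Get-WindowsPackage -Online | Where-Object { $_.PackageState -eq 'Installed' }
    [pscustomobject]@{
        # Assumption: the LCU identity embeds the build string (e.g. ...~~26100.6588.1.x); that
        # identity is the value for 'DISM /online /Remove-Package /PackageName:' in a pilot rollback.
        LcuPackage = @($installed | Where-Object { $_.PackageName -like "*~$BuildString.*" } |
                       Select-Object -ExpandProperty PackageName)
        # Assumption: SSU identities contain 'ServicingStack'; KB5064531 reports 26100.5074 and
        # stays installed even after the LCU is removed.
        SsuPackage = @($installed | Where-Object { $_.PackageName -like '*ServicingStack*26100.5074*' } |
                       Select-Object -ExpandProperty PackageName)
    }
}

# Report: build verdict plus the package names to paste into the rollback runbook.
$verdict = Test-ExpectedBuild
$pkgs    = Get-ServicingPackages
Get-OsBuildInfo | Format-List
Write-Output $verdict
Write-Output "LCU package: $($pkgs.LcuPackage -join ', ')"
Write-Output "SSU package: $($pkgs.SsuPackage -join ', ')"
if ($pkgs.LcuPackage.Count -eq 0 -and $verdict -like 'OK*') {
    Write-Warning 'Build matches but no LCU identity matched the build string; inspect DISM /online /get-packages manually.'
}
```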

Recommended timeline and checklist for IT teams

  • Day 0 (now): Read the KB, download the file lists, and note the exact package names and file versions for inventory matching.
  • Day 1–3: Run a pilot on a small, representative set of machines:
    • Include App‑V hosts, VDI golden images, and any systems still using SMBv1/NetBT.
    • Validate Office App‑V sessions, file‑share access, boot behavior, and key business apps.
  • Day 4–10: Expand to broader pilot if no regressions are found. Monitor logs for unexpected behavior (Event Viewer, Defender/EDR alerts, MSRC telemetry).
  • Two weeks: Staged rollout across production windows. Maintain a rollback runbook using DISM-based steps.
  • Immediately start Secure Boot/firmware inventory exercises if not already underway; coordinate with OEMs for certificate rotation support.

Final assessment

KB5068221 (OS Build 26100.6588) is a focused out‑of‑band cumulative that corrects a significant compatibility regression for App‑V Office deployments, refreshes selected AI components, and bundles a servicing stack update to ensure update reliability. Microsoft’s inclusion of a clear known‑issue entry (SMBv1 over NetBT) and the Secure Boot certificate expiration warning in the same KB makes this release both a corrective package and a reminder of longer‑term platform maintenance tasks.
From an operational standpoint, the update is constructive: it addresses a real compatibility pain point and keeps devices on a supported servicing posture. At the same time, the SSU+LCU packaging model and the SMBv1 regression underline the need for careful piloting, clear rollback runbooks (DISM‑based), and an accelerated plan to retire legacy SMBv1/NetBT dependencies. Enterprises should also treat the Secure Boot certificate rotation as a high‑impact program that will require coordination across firmware vendors, IT operations, and change management processes.
Administrators and power users should read the KB, download the file information Microsoft publishes, pilot the update on representative systems (particularly App‑V and VDI images), and start or continue Secure Boot certificate readiness activities well ahead of June 2026.

KB5068221 is available via Windows Update and the business distribution channels Microsoft lists in the KB; check your update management tooling for the package and ensure your inventory and compliance records reflect the new OS Build (26100.6588) after deployment.

Source: Microsoft Support September 22, 2025—KB5068221 (OS Build 26100.6588) Out-of-band - Microsoft Support
Microsoft issued an out‑of‑band cumulative update today — KB5068221 (OS Build 26100.6588) — for Windows 11 version 24H2, delivering a focused set of quality and security fixes while reiterating several high‑impact operational advisories that administrators and power users must act on now.

Background

Microsoft’s September servicing cadence began with the Patch Tuesday release on September 9 (KB5065426, OS Build 26100.6584), followed by additional Release Preview and hotpatch rolls through the month. The out‑of‑band package released on September 22 — KB5068221 — is cumulative: it includes the September 9 security updates and targeted fixes that needed faster distribution outside the normal Patch Tuesday window. The update also carries a servicing stack update (SSU) component packaged as KB5064531 (servicing stack version 26100.5074) to improve installation reliability.
Why an out‑of‑band release? Microsoft uses OOB updates to fix urgent regressions or operational problems that cannot wait for the next monthly release cycle. In this case, the package addresses a platform compatibility bug affecting Microsoft Application Virtualization (App‑V) environments and carries forward fixes from the September security rollup. At the same time Microsoft documented a known issue in this release relating to legacy SMBv1 connectivity over NetBIOS (NetBT).

What’s in KB5068221 (Quick summary)

  • Applies to: Windows 11, version 24H2 (all editions).
  • Release date: September 22, 2025.
  • OS Build after install: 26100.6588 (LCU + SSU combined).
  • Principal fix called out by Microsoft: a double handle closure in App‑V components (AppVEntSubsystems32/AppVEntSubsystems64) that could cause Microsoft Office applications to fail when run in App‑V environments.
  • Additional content: inclusion of fixes from the September 9 security update (KB5065426), AI component updates (four AI component versions updated in this build), and the servicing stack update KB5064531.
These are factual, verifiable items that Microsoft lists in the official KB release notes. Where the KB notes clearly matter operationally — known issues, required mitigations, and uninstall guidance — those items are reproduced and analyzed below.

Detailed view: fixes, AI components, and servicing stack

App‑V / Office compatibility fix

The headline quality fix in KB5068221 is an App‑V regression: Microsoft documented a double handle closure in the AppVEntSubsystems32 / AppVEntSubsystems64 component that could break Microsoft Office apps running in App‑V packaging/virtualization scenarios. This is a targeted compatibility fix important to organizations that still rely on App‑V for application delivery. The KB explicitly lists this as the primary resolved item in the OOB release.
Why it matters: App‑V remains in use in many enterprise environments that rely on streaming or virtualization for application lifecycle management. A broken Office experience in App‑V contexts can be disruptive to wide classes of users in enterprise rings. The OOB delivery indicates Microsoft treated this as a high‑priority regression requiring immediate remediation.

AI component refresh

The KB lists updated AI component packages included in the release — Image Search, Content Extraction, Semantic Analysis, and Settings Model — each moving to version 1.2508.906.0 in this build. These component updates reflect Microsoft’s ongoing modular approach to AI features and telemetry in Windows 11. While the KB does not list functional changes for each AI component, this kind of refresh generally contains model or query‑handling improvements and should be considered part of the cumulative quality picture.

Servicing Stack Update (SSU)

KB5068221 is delivered together with KB5064531 (26100.5074) — a servicing stack update that hardens the update engine itself and is included to reduce install failures and make future servicing more reliable. Microsoft has repeatedly emphasized bundling SSUs with LCUs to avoid chained failure scenarios. Note that when SSUs and LCUs are combined into a single package, the SSU component typically cannot be removed after installation, which has implications for rollback strategies.

Known issues, workarounds and operational impact

SMBv1 over NetBIOS (NetBT) connectivity regression

Microsoft lists a specific known issue: after installing the September 9 update or later (including KB5068221), devices using the SMBv1 protocol over NetBIOS over TCP/IP (NetBT) may fail to connect to shared files and folders if either the SMB client or server has the September security update installed. Microsoft’s KB notes that SMBv1 is deprecated and not enabled by default, but real‑world environments still run legacy devices that depend on it. The official mitigation Microsoft provides is to allow SMB traffic on TCP port 445, which forces SMB to use TCP rather than NetBT and restores connectivity for affected scenarios. Microsoft says it is working on a resolution in a future update.
Practical context and community confirmation: independent community triage and forum logs corroborate Microsoft’s description — many small offices, legacy NAS devices, printers, and Windows‑only appliance workflows rely on NetBIOS name resolution and SMBv1 fallbacks, and those flows were observed to break after the September updates. The community guidance echoes Microsoft’s mitigation (allow TCP/445, upgrade devices to SMBv2/3 when possible) and warns administrators that uninstalling the LCU has tradeoffs because the SSU may remain installed.
Caveats and risk: allowing TCP port 445 across untrusted network boundaries carries security risk — historically SMB over TCP is an attractive attack surface when left exposed to the internet. The KB’s recommended mitigation is intended for internal network troubleshooting and controlled environments; it is not a replacement for upgrading legacy equipment or migrating to SMBv2/v3.

Other community‑reported regressions (contextual)

The September servicing wave (KB5065426 and earlier preview packages) produced several targeted regressions affecting specialized subsystems: EVR/DirectShow DRM playback, PowerShell Direct (PSDirect) hotpatch interoperability, kernel‑mode anti‑cheat interactions (some EA titles using Javelin), and legacy DirectX 9 rendering artifacts. Microsoft’s KBs and Q&A threads confirm a number of these edge cases and promise follow‑up fixes; community threads have been the primary conduit for reporting reproducible failures to Microsoft. Administrators should prioritize testing for these scenarios if they exist in their environment.

Installation, rollback, and practical guidance

How to get the update

Microsoft distributes KB5068221 via the normal enterprise channels: Windows Update, Windows Update for Business, Microsoft Update Catalog, and downstream management tools (WSUS/MECM/Intune). The combined package includes both the LCU and SSU; follow established deployment best practices: pilot, monitor, then broaden.

Uninstall considerations

Important technical constraint: when the SSU and LCU are bundled, you cannot uninstall the SSU separately, and running wusa.exe with /uninstall on the combined package will not remove the SSU component. Microsoft documents DISM-based procedures to remove the LCU portion by package name, but the SSU remains. That limitation complicates rollback plans and is explicitly called out in Microsoft’s release notes. Administrators should prepare and test recovery images and rollback playbooks before broad deployment.

Recommended deployment checklist (executive summary)

  • Inventory: identify endpoints that use legacy SMBv1, App‑V, PSDirect, EVR/DirectShow, and kernel anti‑cheat drivers.
  • Pilot: install KB5068221 on a small representative pilot ring that includes the above scenarios. Monitor logs (SMB client/server operational channels, Security event log for PSDirect, and application traces for EVR).
  • Harden network controls: if you rely on the Microsoft mitigation for SMBv1, restrict TCP/445 allowances to trusted internal segments and avoid exposing SMB endpoints to untrusted networks. Use egress filtering where possible.
  • Vendor coordination: confirm driver and anti‑cheat vendor guidance for affected titles or drivers (EA Javelin, GPU capture stacks, NDI/OBS components).
  • Backup and rollback planning: export installable package names (DISM /online /get-packages) and prepare an LCU removal plan via DISM /online /remove-package /PackageName if rollback becomes necessary. Remember the SSU may remain installed.

Security trade‑offs and strategic analysis

Strengths: fast remediation and cumulative hardening

  • Microsoft moved quickly to push a targeted fix for a high‑impact App‑V regression via an OOB release, demonstrating the value of the out‑of‑band mechanism to address enterprise pain points. That rapid response reduces downtime for App‑V environments that rely on Office.
  • The combined LCU+SSU package reduces installation failures over a wide device base by hardening the servicing stack, a prudent operational improvement for reliable patching.

Risks: regressions, legacy support friction, and rollback complexity

  • The updates in September — and the subsequent OOB release — highlight a persistent operational tension: security hardening vs. legacy compatibility. Tightening security or removing oldest‑path compatibility often triggers regressions in long‑lived pipelines (SMBv1/NetBT, EVR/DirectShow, PSDirect). Organizations with mixed modern/legacy fleets suffer the most.
  • The mitigation for SMBv1 (allowing TCP/445) is a workaround rather than a fix — it restores connectivity but may increase exposure if applied beyond tightly controlled internal network segments. Administrators must balance short‑term restoration against medium‑term risk.
  • Bundling the SSU with the LCU complicates rollback. In environments where rolling back is the last line of defense to recover application compatibility, the inability to remove the SSU independently can leave organizations in a security‑versus‑stability bind. This increases the importance of pilot stages and offline recovery imaging.

Special scenarios: guidance for admins, content creators, and gamers

Administrators (enterprise and SMB)

  • Prioritize patching domain controllers, servers providing authentication, and devices that handle SMB traffic in your staging ring, but validate certificate and PKI interactions first — Microsoft reiterated Secure Boot certificate expiry planning in related September KBs and guidance. Unexpected certificate or firmware interactions can block secure boot or updates if not addressed ahead of mid‑2026 certificate transitions.
  • For Hyper‑V environments using PSDirect, ensure host and guest parity when applying hotpatches or OOB fixes — uneven patching produced PSDirect handshake issues in prior September hotpatch cycles. If you use hotpatch workflows, test cross‑status host/guest workflows explicitly.

Content creators (OBS, NDI, capture workflows)

  • If you rely on EVR/DirectShow pipelines (legacy capture cards, certain TV tuner apps, or media workflows), test rendering and capture after installing the update. Community reports placed EVR and protected‑media path regressions among the early issues, and some capture stacks required vendor driver updates to restore full functionality. Consider delaying broad deployment until GPU/capture drivers are confirmed.

Gamers and anti‑cheat

  • Kernel‑mode anti‑cheat systems are sensitive to subtle kernel or driver changes. If a title requires a kernel anti‑cheat driver (EA Javelin and others were reported impacted during earlier September preview updates), consult vendor guidance before deploying the update to gaming rigs used for events or tournaments. Some community users temporarily uninstalled updates to regain functionality — an option that has security trade‑offs and should be handled carefully.

Step‑by‑step: safe rollout for administrators (recommended sequence)

  • Inventory and identification
    • Run device discovery for legacy SMBv1, App‑V clients, PSDirect dependencies, and any kernel anti‑cheat drivers. Tag systems for early pilot or deferred deployment.
  • Pilot group deployment (1–3 days)
    • Apply KB5068221 to a carefully selected set of machines representative of your fleet (domain controllers, file servers, a few end‑user machines with legacy NAS/printers, and a VM host/guest pair). Monitor for SMB failures, PSDirect errors, playback regressions, and game launch issues.
  • Network mitigations (if needed)
    • If SMBv1 NetBT connectivity breaks in the pilot, apply the narrow mitigation: allow SMB traffic on TCP/445 only between the affected endpoints and internal management ranges. Do not open 445 broadly. Plan to migrate devices to SMBv2/v3 over the coming maintenance window.
  • Vendor coordination and driver updates
    • Ask vendors for validated driver versions for capture stacks, GPU, and anti‑cheat components. Stage driver updates before broad OS deployment.
  • Broad rollout with monitoring and rollback plan
    • Expand deployment to broader rings after 72 hours of clean telemetry. Keep package names and DISM removal instructions handy; remember that SSU removal is typically not possible after combined install. Maintain recovery images for rapid rollback of fully impacted endpoints.
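The SMBv1/NetBT inventory and the narrowly scoped TCP/445 mitigation described in the known‑issue section and in the rollout sequence above, as one added example (not Microsoft’s code or the post’s own): it reports a host’s SMBv1 posture and active SMBv1 peers, flags any existing inbound 445 allow rule with an unrestricted remote scope, and creates a pilot rule limited to named peers. It assumes an elevated session; the peer addresses and rule name are constructed placeholders.

```powershell
# Added example: SMBv1/NetBT posture check plus a scoped TCP/445 allow rule for the pilot.
# Run elevated on the SMB server (or client) involved in the NetBT failure.

$AffectedPeers = @('10.0.20.15', '10.0.20.16')   # constructed placeholder: legacy NAS/printer addresses
$RuleName      = 'SMB-445-Internal-Pilot-KB5068221'  # constructed placeholder name

function Get-Smb1Posture {
    # Server side: is the SMBv1 protocol enabled; client side: is the SMB1 optional feature present.
    $server  = Get-SmbServerConfiguration
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    # Sessions still negotiating a 1.x dialect identify the peers that will hit the NetBT issue.
    $smb1Sessions = Get-SmbSession -ErrorAction SilentlyContinue | Where-Object { $_.Dialect -like '1.*' }
    [pscustomobject]@{
        ServerSmb1Enabled = $server.EnableSMB1Protocol
        Smb1FeatureState  = $feature.State
        Smb1SessionPeers  = @($smb1Sessions | Select-Object -ExpandProperty ClientComputerName -Unique)
        # NetBT session service listens on TCP/139; a listener plus SMBv1 suggests the NetBT path is in use.
        NetBtListening    = [bool](Get-NetTCPConnection -LocalPort 139 -State Listen -ErrorAction SilentlyContinue)
    }
}

function Get-BroadSmbAllowRules {
    # Flags enabled inbound allow rules for TCP/445 whose remote scope is unrestricted ('Any'):
    # exactly the configuration the KB workaround must not turn into.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        if ($port.Protocol -eq 'TCP' -and (@($port.LocalPort) -contains '445' -or $port.LocalPort -eq 'Any')) {
            $addr = $_ | Get-NetFirewallAddressFilter
            if (@($addr.RemoteAddress) -contains 'Any') { $_.DisplayName }
        }
    }
}

function Set-ScopedSmbAllowRule {
    param([string[]]$RemoteAddress, [string]$Name = $RuleName)
    # Replace any earlier copy so re-running the pilot does not accumulate rules.
    Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    # Domain/Private profiles only; the remote scope is the list of affected endpoints, never 'Any'.
    New-NetFirewallRule -DisplayName $Name -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort 445 -RemoteAddress $RemoteAddress -Profile Domain,Private `
        -Description 'Pilot-only mitigation for SMBv1 over NetBT (KB5068221 known issue); review before broad rollout'
}

function Test-SmbRuleScope {
    param([string]$Name = $RuleName)
    # Returns $true only if the rule exists and its remote scope is restricted.
    $rule = Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue
    if (-not $rule) { return $false }
    $addr = $rule | Get-NetFirewallAddressFilter
    return (@($addr.RemoteAddress) -notcontains 'Any')
}

Get-Smb1Posture | Format-List
$broad = @(Get-BroadSmbAllowRules)
if ($broad.Count -gt 0) { Write-Warning "Unscoped inbound 445 allow rules present: $($broad -join ', ')" }

# Only create the pilot rule when the posture check shows SMBv1 actually in play on this host.
$posture = Get-Smb1Posture
if ($posture.ServerSmb1Enabled -or $posture.Smb1SessionPeers.Count -gt 0) {
    Set-ScopedSmbAllowRule -RemoteAddress $AffectedPeers | Out-Null
    Write-Output "Scoped rule '$RuleName' created; scope restricted: $(Test-SmbRuleScope)"
} else {
    Write-Output 'SMBv1 not in use on this host; no 445 mitigation rule created.'
}
```

Keep the rule name in the pilot runbook so it is removed once the legacy peers move to SMBv2/v3, and re-run Get-BroadSmbAllowRules after any change-window to confirm nobody widened the scope.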

Final assessment and recommendations

KB5068221 is a classic trade‑off moment in platform stewardship: Microsoft ships an out‑of‑band cumulative update to fix a real enterprise regression (App‑V / Office) and fold in urgent security content, but the September servicing wave continues to show that tightening the platform risks breaking legacy paths that remain operationally critical for many organizations. The immediate strengths of the release are rapid remediation and improved servicing reliability; the immediate risks are legacy interoperability breakage and increased complexity when rollbacks are required.
Recommendations — short list:
  • Pilot broadly where legacy subsystems exist and confirm vendor compatibility before mass deployment.
  • If SMBv1/NetBT connections break, apply Microsoft’s mitigation (allow TCP/445) only in tightly controlled, internal network scopes while you plan device upgrades. Do not open 445 across untrusted networks.
  • Maintain documented rollback and recovery images; export package names so DISM-based LCU removal is possible if necessary, and be aware that SSUs may remain after combined installs.
  • Coordinate with anti‑cheat and media/capture vendors; those vendors often publish urgent driver updates when platform fixes change kernel or rendering behaviors.
Caveat and verification note: the KB release notes and Microsoft’s public documentation are the authoritative references for the package contents, known issues, and the official workarounds cited here. Community logs and forum analyses provide additional operational context and real‑world reproduction evidence but are anecdotal by nature; administrators should verify behavior in a controlled pilot before acting in production.

Microsoft’s out‑of‑band release today fixes a targeted, high‑impact regression while reminding organizations that legacy compatibility, hotpatch coordination, and firmware/certificate planning are not solved problems — they are operational obligations. For administrators and power users, the appropriate posture is pragmatic: test, stage, harden network boundaries, coordinate with vendors, and move devices off legacy protocols (SMBv1, EVR where feasible) to reduce both disruption and long‑term risk.


Microsoft released an out‑of‑band cumulative update on September 22, 2025 — KB5068221 (OS Build 26100.6588) — for Windows 11, version 24H2, delivering a targeted set of quality and security fixes (including items from the September 9, 2025 security rollup) while also documenting a persistent connectivity caveat for environments still using the deprecated SMBv1 protocol over NetBIOS over TCP/IP (NetBT).

Background

Windows 11 servicing in 2025 continues to ship updates across two servicing families (the 24H2 family reporting build numbers in the 26100 series and the newer 25H2 family in the 26200 series). Administrators should treat each reported build revision (for example, 26100.6584 or 26100.6588) as the concrete identifier used for inventory and validation. Microsoft bundles the latest Servicing Stack Update (SSU) with the latest Cumulative Update (LCU) to ensure reliable servicing.
This OOB package is cumulative and includes the changes shipped in the September 9, 2025 security update (KB5065426), then layers an additional set of fixes and AI component updates on top. The Microsoft Support page for KB5068221 explicitly enumerates the fixes and the SSU pairing used in this release.

Why an Out‑of‑Band (OOB) release matters

Out‑of‑band updates are used when Microsoft needs to ship important fixes between the regular monthly patch cycles. In this instance, KB5068221 acts as a timely corrective that folds security items from the prior security rollup together with additional quality improvements and AI component updates so administrators can restore or stabilize affected environments more quickly than waiting for the next scheduled cumulative update. This is consistent with Microsoft’s approach to minimize exposure and reduce operational impact where possible.

What’s inside KB5068221 (high‑level)

  • The update raises the reported OS build for affected devices to 26100.6588 and is described as an out‑of‑band cumulative update that includes the September 9 security rollup plus new fixes.
  • It includes a servicing stack update pairing — KB5064531 (SSU, version 26100.5074) — that ensures update plumbing remains robust. Microsoft bundles SSU+LCU to reduce install failures and maintain consistent servicing behavior.
  • The release contains targeted quality fixes, notably a correction for Microsoft Office applications running in Microsoft Application Virtualization (App‑V) environments where a double handle closure in the AppVEntSubsystems32/AppVEntSubsystems64 component could cause failures.
  • The update also refreshes multiple AI components used by Copilot+ PCs. Component versions listed for Image Search, Content Extraction, Semantic Analysis, and Settings Model are 1.2508.906.0 in this package — applicable only to Copilot+ PCs when those components are present.
  • Microsoft provides the LCU as MSU files in the Microsoft Update Catalog and documents both combined and granular installation instructions for offline deployment (DISM, Add‑WindowsPackage, or wusa usage as appropriate). The Knowledge Base outlines two installation methods: (1) install all MSU files together via DISM, or (2) install individual MSU files in a specified sequence. Example DISM commands are included for online and offline servicing.

The core fixes — technical summary​

App‑V / Office reliability​

A primary, non‑security quality fix addresses a crash/failure scenario in Microsoft Office when running in App‑V (Application Virtualization) containers. The reported root cause is a double handle closure inside AppV subsystem components (both 32‑ and 64‑bit variants). The symptom would typically show as application instability or failure when Office is virtualized using App‑V. Administrators managing App‑V images should validate Office workflows post‑deployment.

AI component update (Copilot+ PCs)​

KB5068221 updates four named AI components to version 1.2508.906.0. Microsoft notes these AI component packages are included but only apply on Copilot+ PCs; they will not install on devices that aren’t Copilot+ capable. Teams using hardware that ships with Copilot+ or organizations piloting AI experiences should record these version numbers for telemetry correlation and detection.

Servicing stack improvements (SSU)​

The SSU included with this LCU — KB5064531 — updates the servicing stack to 26100.5074, improving the update engine’s robustness. SSUs are not removable once installed; Microsoft explicitly documents removal limitations for combined packages. IT teams performing offline image servicing or scripted deployments must follow the ordering guidance when applying MSU packages to mounted images.

Known issue: SMBv1 + NetBT connectivity regression (detailed)​

KB5068221 documents (and reaffirms) a known connectivity problem that affects the SMBv1 protocol over NetBIOS over TCP/IP (NetBT) after installing September 2025 updates. The problem occurs when either the SMB client or SMB server has a September 2025 security update installed. Microsoft warns that shared file/folder access using SMBv1 over NetBT may fail.
  • Symptoms: Failure to connect to SMBv1 shares when the connection depends on NetBT (NetBIOS over TCP/IP). The OS will not automatically migrate NetBIOS‑based sessions to SMBv2/3 if the network stack is constrained by NetBT-only negotiation behavior.
  • Microsoft’s official workaround: Allow TCP port 445 traffic so SMB can use native TCP transport (which supports SMBv2/3) instead of NetBT. Opening TCP/445 forces the SMB stack to fall back to TCP instead of NetBIOS, restoring connectivity in affected scenarios. Microsoft is working on a permanent resolution to ship in a future update.
Independent reporting confirmed the problem and highlighted the breadth of impact across client and server Windows releases. BleepingComputer reported Microsoft’s confirmation that September updates caused SMBv1 connection failures over NetBT across multiple Windows releases, and security coverage of the September security set emphasized the SMB component changes as a high‑priority item for administrators to review.

Practical takeaway on SMBv1​

The top operational message is unchanged: SMBv1 is deprecated and insecure. Organizations still relying on SMBv1 and NetBT should accelerate migration to SMBv2/SMBv3 and modern authentication/hardening (SMB signing, Extended Protection for Authentication). The constraint here is not only compatibility but security posture: keeping SMBv1 alive increases exposure to relay and other network attacks. The Microsoft and independent advisory coverage together make clear that opening port 445 is a short‑term workaround — acceptable for immediate remediation in controlled environments but not a long‑term mitigant.
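To turn the migration advice above into an inventory step, the following PowerShell audit (an added example, not code from the KB or from Microsoft's own tooling) reports whether a host still has SMBv1 enabled, which adapters still run NetBIOS over TCP/IP, which live SMB sessions negotiated a 1.x dialect, and which clients the SMB1 access audit log has recorded. It assumes an elevated session on Windows 11 or Windows Server with the SmbShare module present.

```powershell
# Added example: audit a host's remaining dependence on SMBv1 and NetBT.
# Run elevated; Get-WindowsOptionalFeature and Set-SmbServerConfiguration need admin rights.

# 1. SMBv1 feature state plus the server/client signing posture the article recommends.
$smb1Feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
$serverCfg   = Get-SmbServerConfiguration
$clientCfg   = Get-SmbClientConfiguration

[pscustomobject]@{
    ComputerName         = $env:COMPUTERNAME
    Smb1FeatureState     = $smb1Feature.State
    ServerEnableSmb1     = $serverCfg.EnableSMB1Protocol
    ServerAuditSmb1      = $serverCfg.AuditSmb1Access
    ServerRequireSigning = $serverCfg.RequireSecuritySignature
    ClientRequireSigning = $clientCfg.RequireSecuritySignature
} | Format-List

# 2. Adapters still carrying NetBIOS over TCP/IP.
#    TcpipNetbiosOptions: 0 = default (use DHCP setting), 1 = enabled, 2 = disabled.
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Description, IPAddress, @{
        Name       = 'NetBiosOverTcpip'
        Expression = { @{0 = 'Default (DHCP)'; 1 = 'Enabled'; 2 = 'Disabled'}[[int]$_.TcpipNetbiosOptions] }
    } | Format-Table -AutoSize

# 3. Live sessions (inbound) and connections (outbound) that negotiated a 1.x dialect.
Get-SmbSession    | Where-Object { $_.Dialect -like '1.*' } |
    Select-Object ClientComputerName, ClientUserName, Dialect
Get-SmbConnection | Where-Object { $_.Dialect -like '1.*' } |
    Select-Object ServerName, ShareName, Dialect

# 4. Enable SMB1 access auditing and list what the server has already recorded.
#    Each SMB1 access lands as Event ID 3000 in Microsoft-Windows-SMBServer/Audit
#    with the client address in the message text; unique messages = clients to migrate.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force
Get-WinEvent -LogName 'Microsoft-Windows-SMBServer/Audit' -ErrorAction SilentlyContinue |
    Where-Object Id -eq 3000 |
    Select-Object TimeCreated, Message |
    Sort-Object Message -Unique
```

Section 4 only shows history once auditing has been on for a while, so enable it early in the inventory phase and re-run the query before cutting SMBv1 off.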

Cross‑referencing and verification of key claims​

  • Microsoft’s KB page for KB5068221 is the authoritative Microsoft statement of what the update contains, the build number (26100.6588), the App‑V fix, AI component versions, the bundled SSU (KB5064531), installation guidance, and the documented SMBv1/NetBT known issue and workaround. This article uses that page as the primary factual source.
  • Independent security reporting (BleepingComputer) confirmed Microsoft’s advisory that September updates caused SMBv1 over NetBT session failures, corroborating Microsoft’s statements and highlighting the issue’s cross‑platform breadth.
  • Security analysts and vulnerability tracking (SecPod and other security blogs) documented the broader September security rollup context (large numbers of patched flaws, including SMB hardening and CVE references) and recommended testing before deployment — useful corroboration to understand why Microsoft shipped quick follow‑ups and out‑of‑band fixes.
  • Historical context and hotpatch behavior (how Microsoft ships small, in‑memory hotpatches for eligible SKUs) are available in community/technical notes and internal tracking files; these provide deeper context for why some fixes appear as hotpatches on certain enterprise SKUs and how build reporting differs in hotpatch contexts. Administrators running hotpatch‑eligible SKUs should verify device eligibility and track reported build values after deployment.
If any specific numeric claim (build number or AI component version) is critical to your automation or compliance checks, validate the installed file version values against locally observed file metadata after deployment; the KB includes file tables and Microsoft also publishes downloadable file information for the cumulative update and SSU.

Deployment and testing guidance (step‑by‑step)​

  • Inventory and scope
      • Identify devices still dependent on SMBv1/NetBT and App‑V workloads (Office in App‑V containers).
      • Map Copilot+ hardware (if any) to confirm whether the AI component updates are applicable.
  • Pre‑deployment validation
      • For image servicing or offline updates, download the MSU files from the Microsoft Update Catalog in the exact order specified by Microsoft. The KB documents both combined and discrete MSU installation sequences.
      • Verify that your management tooling recognizes the target build 26100.6588 as the expected post‑update state.
  • Installation options
      • Online via Windows Update (recommended for most managed estates).
      • Standalone install via DISM for offline or unattended rollouts:
          • Example (online): DISM /Online /Add-Package /PackagePath:C:\packages\Windows11.0-KB5068221-x64.msu
          • Example (offline / mounted image): DISM /Image:mountdir /Add-Package /PackagePath:Windows11.0-KB5068221-x64.msu
      • For PowerShell automation: Add-WindowsPackage -Online -PackagePath "C:\packages\Windows11.0-KB5068221-x64.msu"
  • Test plan (minimum)
      • Verify App‑V delivered Office functionality with real‑world workflows (save/open, add‑ins, update/repair scenarios).
      • Confirm SMB share access from both patched and unpatched endpoints if you cannot immediately update all nodes; test the port 445 workaround, but document the change and its risk.
      • Validate that Copilot+ devices (if present) receive the AI component updates and that telemetry/agent functions remain stable.
  • Rollout
      • Staged rollout: apply to a pilot group, monitor, then expand.
      • Monitor Windows Update for any follow‑on advisories from Microsoft (they indicated a fix for the NetBT/SMBv1 issue would appear in a future update).
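The post‑update check behind the "pre‑deployment validation" and "rollout" steps can be scripted; the PowerShell below is an added example (not from the KB) that compares the device's reported build against 26100.6588, confirms the LCU and the SSU pairing are recorded, and flags any inbound TCP/445 allow rule so a port 445 workaround is not forgotten. The expected values come from the KB text; the `Package_for_RollupFix` and `ServicingStack` package‑name patterns are assumptions about how the CBS store names these packages.

```powershell
# Added example: verify a device reached the KB5068221 post-update state.
# Expected values are from the KB; package-name wildcards are assumptions.
$ExpectedBuild = 26100
$ExpectedUbr   = 6588
$ExpectedSsu   = '26100.5074'

# Reported OS build is CurrentBuild.UBR in the registry (what inventory tools read).
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$buildOk = ([int]$cv.CurrentBuild -eq $ExpectedBuild) -and ([int]$cv.UBR -eq $ExpectedUbr)

# LCU: Get-HotFix lists the KB id; the CBS package store records the rollup by version.
$lcuHotfix  = Get-HotFix -Id 'KB5068221' -ErrorAction SilentlyContinue
$installed  = Get-WindowsPackage -Online | Where-Object PackageState -eq 'Installed'
$lcuPackage = $installed | Where-Object { $_.PackageName -like "*RollupFix*$ExpectedBuild.$ExpectedUbr*" }  # assumed pattern

# SSU: assumed to be named "*ServicingStack*<version>*" in the package store.
$ssuPackage = $installed | Where-Object { $_.PackageName -like "*ServicingStack*$ExpectedSsu*" }

# Guardrail: any enabled inbound allow rule on TCP/445 is a candidate 'temporary'
# SMBv1/NetBT workaround that needs an owner and a removal date.
$smb445Rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        ($pf.Protocol -eq 'TCP') -and ($pf.LocalPort -contains '445')
    } | Select-Object -ExpandProperty DisplayName

[pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    ReportedBuild    = "$($cv.CurrentBuild).$($cv.UBR)"
    BuildMatchesKb   = $buildOk
    Kb5068221Present = [bool]$lcuHotfix -or [bool]$lcuPackage
    SsuPresent       = [bool]$ssuPackage
    Smb1Enabled      = (Get-SmbServerConfiguration).EnableSMB1Protocol
    Inbound445Rules  = ($smb445Rules -join '; ')
}
```

Export the object per device (for example with Export-Csv) and compare against the pilot group before expanding the rollout; a device with BuildMatchesKb false but Kb5068221Present true usually means a pending reboot.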

Risk analysis and operational impact​

  • Security vs compatibility tradeoff: The presence of an SMBv1 connectivity regression underscores the security reasons for deprecating SMBv1. Organizations forced to open port 445 as a workaround increase their attack surface, especially if they do not have compensating controls. The ideal path is to migrate to SMBv2/SMBv3 with SMB signing and EPA enforcement rather than relying on long‑term use of the workaround.
  • App‑V environments: The App‑V fix is targeted but significant for shops that still virtualize Office via App‑V. Organizations relying on App‑V should test Office pipelines because even narrowly scoped subsystem fixes can reveal hidden assumptions in published images or add‑ins.
  • Hotpatch / reporting complexity: Hotpatches and enablement models alter how build numbers are reported and how inventory tools interpret patch state. If you run hotpatch‑eligible SKUs or mix hotpatched and traditionally patched devices, confirm that your asset management and compliance tooling recognizes the specific hotpatch build values to avoid false positives in compliance reports. Community analysis around hotpatch behavior is useful context for teams managing these estates.
  • AI component changes: Although AI component updates in this KB are limited to Copilot+ devices, teams managing telemetry, privacy, or data governance should record the component versions and confirm that any EDR or monitoring agents treat these updates as expected. These components may change behavior or expose new telemetry surfaces that require updating detection rules.

Recommendations (clear, actionable)​

  • Prioritize patching of Hyper‑V hosts, App‑V image pipelines, and servers participating in file‑share hosting, but do so in staged waves with functional validation for App‑V and SMB clients.
  • Treat opening TCP/445 as an emergency, temporary workaround only. Document the firewall rule, timeline for reversal, and compensating controls (network segmentation, IDS/IPS monitoring, SMB hardening where possible).
  • Accelerate migration off SMBv1: inventory legacy devices and update OS or storage appliances that still require it. Implement SMB signing and authentication hardening where feasible.
  • If you run Copilot+ endpoints, track the AI component versions (listed in the KB) and confirm there is no adverse interaction with endpoint security products.
  • Update documentation and automation: ensure SCCM/Intune/WSUS cataloging and your CMDB recognize 26100.6588 and the SSU pairing, and update any scripts that detect patch state by build number or package name.

What to watch next​

  • Microsoft has stated it is working on a resolution for the SMBv1/NetBT connectivity issue and will ship it in a future update; teams should monitor the Windows Release Health Dashboard and @WindowsUpdate for follow‑up notices. Apply that future update promptly once it’s published to remove the need for the port 445 workaround.
  • Keep an eye on telemetry from pilot systems for unexpected regressions in App‑V Office behavior, AI agent interactions, or update installation failures. Community forums and independent reporting (security blogs and outlets) were quick to highlight the SMB issue after the September rollup; those same channels are useful early warning signals for regressions after this OOB release.

Conclusion​

KB5068221 (OS Build 26100.6588) is a targeted, out‑of‑band cumulative update that combines the September 9 security fixes with critical quality improvements — most notably an App‑V/Office stability fix and AI component updates for Copilot+ machines — while pairing with a servicing stack update to ensure reliability during installation. Microsoft’s documentation also reiterates the known issue affecting SMBv1 over NetBIOS (NetBT) and recommends a short‑term workaround (allow TCP port 445), but the long‑term path remains migration away from SMBv1 and NetBT entirely. Administrators should stage the update, prioritize testing in App‑V and SMBv1‑dependent environments, and treat firewall changes as temporary emergency measures until Microsoft ships the promised follow‑up fix.
Note: If any specific file versions, package names, or CVE mappings are required for compliance or inventory, validate the installed file metadata after deployment and consult the Microsoft Security Update Guide for CVE mapping and exploitability details; the KB provides downloadable file information for both the cumulative update and the servicing stack update to assist with that verification.

Source: Microsoft Support September 22, 2025—KB5068221 (OS Build 26100.6588) Out-of-band - Microsoft Support