Windows 11 24H2 KB5065426: Sept 9 Cumulative Update with SSU+LCU Fixes

Microsoft released the September 9, 2025 cumulative update for Windows 11, version 24H2 — KB5065426 (OS Build 26100.6584) — a combined security and quality rollup that both closes recent high‑priority vulnerabilities and addresses a string of functional regressions introduced earlier in the 26100-series servicing cycle. The package includes the latest servicing‑stack improvements, targeted reliability fixes for File Installer and streaming workflows, updated AI component binaries for Copilot‑related features, and one narrowly scoped known issue affecting PowerShell Direct (PSDirect) on hotpatched hosts and guests. The official Microsoft release notes list the fixes, installation paths, and the known PSDirect interaction; the company also documents this release as a combined SSU+LCU that requires careful rollback planning.

---

Background / Overview​

Windows 11’s 26100 build series (24H2 servicing) has followed a pattern in 2025 of delivering underlying platform code in preview or release‑preview flights, then enabling higher‑impact features and UI changes gradually across devices through server‑side gating. That pattern produced a busy late‑summer cycle: the August security rollup (KB5063878 / Build 26100.4946) introduced both high‑severity security fixes and, unintentionally, some regressions that affected certain workflows (notably NDI/OBS streaming and installer behavior). The September 9 cumulative update, KB5065426, largely represents Microsoft’s corrective follow‑through: reinstating intended security hardening while reducing immediate customer pain from side effects of the August changes. This delivery approach — combining a servicing stack update (SSU) with the cumulative payload and relying on staged enablement for feature bits — is intentional but operationally consequential for IT teams. The package also ships updated AI component binaries used on Copilot+‑certified devices; these are included in the LCU but only apply to Copilot‑eligible devices when the vendor/feature flags permit. Finally, because Microsoft bundles an SSU with the LCU in many of these 24H2 packages, administrators must remember that the servicing stack changes are effectively permanent and complicate traditional "uninstall the KB" rollbacks.

---

What’s in KB5065426 (OS Build 26100.6584)​

Highlights — the short list​

• Security updates addressing multiple CVEs and hardening installer behavior.
• Fix for unexpected UAC prompts and MSI repair failures that affected non‑admin users after August updates.
• Fixes and mitigations for NDI/OBS streaming audio/video stutter tied to the August rollup. (support.microsoft.com, support.microsoft.com, theregister.com)
  

  NDI/OBS streaming regression and remediation​

  The August security update inadvertently changed transport behavior that impacted NDI (Network Device Interface) workflows — especially when Display Capture was in use — producing severe stuttering and choppy audio/video for multi‑PC streaming setups. The NDI vendor guidance and Microsoft’s Release Health notes converge on a short‑term mitigation: change NDI’s Receive Mode away from RUDP (Reliable UDP) to Single TCP or plain UDP (Legacy). KB5065426 includes the corrective work claimed to reduce or eliminate that regression on affected systems; independent reporting and vendor knowledgebase articles describe the problem and the mitigation steps that streaming professionals used while Microsoft worked on the LCU fix. (support.microsoft.com, docs.ndi.video)
  

  File server and SMB auditing features​

  KB5065426 enables additional auditing for SMB client compatibility with SMB Server signing as well as SMB Server EPA (Extended Protection for Authentication), helping administrators assess compatibility before enforcing hardening measures. This is useful for organizations planning to tighten SMB signing or authentication policies without accidentally breaking legacy clients.

  Input and IIS manager fixes​

  The update resolves a couple of user‑facing reliability issues: input method scenarios that could make certain apps stop responding to input, and a prior bug where some IIS Manager modules disappeared from the UI. These are smaller fixes but solve real productivity blockers for affected users and server operators.

  AI components​

  KB5065426 ships updated AI binaries (Image Search, Content Extraction, Semantic Analysis, Settings Model) at 1.2508.906.0. Microsoft notes these component updates are relevant to Copilot+ devices and will not apply to systems that don’t meet hardware/telemetry eligibility. In practice this means daily users who do not have Copilot+ hardware will not see functional changes from those component updates, but Copilot‑eligible devices will receive incremental quality improvements.

  Servicing stack update (SSU) and package composition​

  The cumulative package contains a servicing‑stack update (KB5064531 aligned to 26100.5074). Microsoft bundles SSU + LCU to reduce sequencing errors during deployment, but SSUs are effectively non‑removable once installed — an important operational caveat. The KB provides DISM guidance for installing and for the careful, DISM‑based removal of only the LCU portion if required; however, removing the SSU is not supported via the typical wusa.exe uninstall switch. Plan for that permanence in any rollback strategy.

  ---

  Known issues (what remains unresolved)​

  KB5065426 lists one notable known issue at publication:
  • PSDirect connections failing on hotpatched devices: an edge case where host and guest VMs are not both fully updated (mix of hotpatched vs. non‑hotpatched) can cause PowerShell Direct (PSDirect) connection failures due to a fallback handshake/socket cleanup bug. Microsoft points administrators toward a follow‑up update (KB5066360) that corrects the issue and recommends updating both host and guest VMs to the same patch level. Until both sides are updated, intermittent connection failures and Event ID 4625 entries may be observed.
  Flag: this is a concrete, documented interaction; if your environment uses PSDirect (e.g., Hyper‑V automation, nested test labs), schedule a host+guest synchronized patch window and validate PSDirect connectivity after updating. If you rely on hotpatch semantics in production, test the KB5066360 follow‑up before broad deployment.

  ---

  Installation and deployment notes for IT​

  How the update is delivered​

  KB5065426 is available through standard distribution channels: Windows Update, Windows Update for Business, WSUS (synchronized when Products & Classifications are set to Windows 11 / Security Updates), and the Microsoft Update Catalog. Microsoft provides both a combined package and standalone MSU files; when using the Catalog you can either place the MSUs in one folder and install them together with DISM or install each MSU in order. The KB page includes explicit commands for DISM and PowerShell to add the package onto a running system or into an offline image. Practical install commands the KB documents:
  • DISM (live system): DISM /Online /Add-Package /PackagePath:c:\packages\Windows11.0-KB5065426-x64.msu
  • PowerShell (live system): Add‑WindowsPackage -Online -PackagePath "c:\packages\Windows11.0-KB5065426-x64.msu"
  • Offline image: DISM /Image:mountdir /Add-Package /PackagePath:Windows11.0-KB5065426-x64.msu
  Note: if you choose to install the MSUs individually, the KB also lists the required sequence and filenames.

  Rollback caveats​

  Because the update contains a servicing stack update (SSU), the usual wusa /uninstall approach will not remove the SSU. Microsoft explicitly documents DISM‑based removal for the LCU only and warns administrators that the SSU is persistent. In short:
  • You cannot remove the SSU via wusa.exe (/uninstall) after installation.
  • You can remove the LCU portion with DISM /Remove‑Package if you determine that is necessary, but thoroughly test that process in a lab before using it in production.
  This permanence is the reason many enterprise teams adopt a staged ring rollout (pilot → broad pilot → production) for these combined packages. The KB and community guidance strongly recommend piloting on representative hardware and performing functional checks that matter to your environment (file servers, backup/restore, virtualization/PSDirect, and any specialized I/O or streaming workflows).
  

  ---

  Critical analysis — strengths, risks, and operational guidance​

  Strengths: targeted fixes and responsible sequencing​

  • Security first: KB5065426 preserves the hardening that closed CVE‑class installer and kernel issues while addressing the most painful regressions created by those hardenings. This balances security with usability — a trade‑off Microsoft has taken to heart after field feedback.
  • Vendor and community alignment: The combined effort — Microsoft publishing the KB, stream vendors documenting mitigations (NDI docs), and independent outlets verifying regressions — produced practical mitigations for users while the official fix matured. That cooperative pattern is a positive sign for fast remediation. (bleepingcomputer.com)
  • Servicing stack refresh: Including an SSU reduces future sequencing failures and makes subsequent monthly updates more reliable for well‑managed fleets.

  Risks and trade‑offs: what to watch​

  • Rollback complexity: Bundled SSU+LCU packages make rollbacks more intrusive; administrators who are unprepared may find it hard to revert changes without reimaging or resorting to complex DISM workflows. Treat these updates as effectively persistent and validate recovery images before broad deployment.
  • Staged enablement and non‑determinism: Microsoft’s staged, server‑side gating means identical machines on the same build may not show the same features (especially Copilot/AI experiences or theming adjustments). For organizations that depend on deterministic UI behavior or automation that relies on consistent dialog chrome, this can complicate testing and support. Plan for extra validation windows.
  • Hotpatch interplay: If you rely on hotpatch semantics (hotpatches that avoid reboots for critical servers), be aware of the PSDirect edge case: mixing hotpatched and non‑hotpatched hosts/guests can break PowerShell Direct connectivity. Synchronize host and guest updates in virtualization clusters.
  • Security vs usability tension: The installer hardening removed a real privilege escalation vector, but it temporarily broke common non‑admin workflows for MSI repair and advertising-based installs. The fix in KB5065426 narrows the impact, but administrators should assess whether enabling temporary KIR policies is acceptable in their risk posture. Independent reporting and Microsoft’s guidance emphasize KIR as a temporary mitigation, not a long‑term rollback of the security improvement. (theregister.com)

  ---

  Practical checklist — what to do now​

  • Validate prerequisites and inventory
  • Confirm which devices in your estate run Windows 11 24H2 and their current OS Builds. Use winver or your patch management tool.
  • Pilot the update
  • Apply KB5065426 to a small, representative pilot ring that includes:
  • A host and guest VM pair to test PSDirect.
  • Any streaming/NDI hosts used by content producers.
  • App compatibility test systems for line‑of‑business MSI installers (Office, Autodesk, etc.. (support.microsoft.com, bleepingcomputer.com, support.microsoft.com, docs.ndi.video)
    

    ---

    Conclusion: KB5065426 is an important maintenance release that addresses both security and regression concerns introduced earlier in the 26100 servicing stream. Apply it after piloting, align host and guest update schedules where hotpatching is used, and use the vendor mitigations documented for streaming and installer issues if immediate remediation is necessary. The update’s combined SSU+LCU packaging and the staged feature enablement model are here to stay — plan policies, testing, and communications accordingly.

    ---

    Source: Microsoft Support September 9, 2025—KB5065426 (OS Build 26100.6584) - Microsoft Support

 

[ChatGPT]

Microsoft released a cumulative update for Windows 11 (version 24H2) on September 9, 2025 — KB5065426 (OS Build 26100.6584) — that bundles security fixes, servicing-stack improvements, and a slate of consumer and enterprise features while also tightening several hardening timelines that administrators must act on immediately.

Background​

Windows 11’s 24H2 servicing stream continues to receive monthly cumulative updates that mix security patches, quality fixes, and staged feature rollouts. The September 9, 2025 release follows the same pattern: a combined Servicing Stack Update (SSU) plus the Latest Cumulative Update (LCU) and includes updates to on‑device AI components intended for Copilot+ hardware. The release is distributed via Windows Update, Microsoft Update Catalog, WSUS, and Windows Update for Business. The last several months of servicing have emphasized two concurrent themes: (1) incremental user-facing enhancements (file explorer tweaks, Task Manager metric updates, Recall/Click to Do improvements on Copilot+ devices) and (2) enterprise security hardening, particularly around Kerberos certificate mapping and SMB authentication. Administrators should treat September 2025 as a transition point — Microsoft’s hardening program is reaching phases that reduce or remove previously available compatibility workarounds. (windowscentral.com)

---

What’s in KB5065426: Features and fixes​

Summary of the headline changes​

• Security and stability fixes across the operating system, plus updates to on‑device AI components (Image Search, Content Extraction, Semantic Analysis, Settings Model) specifically versioned in this package.
• Servicing stack update (SSU KB5064531) included to improve update reliability on affected devices.
• Consumer-facing tweaks and feature rollouts — several UI and AI enhancements are rolling out gradually, many gated to Copilot+ hardware: redesigned Recall homepage, an interactive tutorial for Click to Do, a seconds‑display option in Notification Center, photo grid in Search results, Widgets and Lock screen tweaks, an updated Windows Hello experience, and File Explorer interface improvements. These items were documented in the Release Preview and are beginning their gradual production rollout. (support.microsoft.com, windowscentral.com)

Notable quality fixes​

• A fix that reduces unexpected UAC prompts that appeared when non‑admin users ran MSI repair operations for some applications (for example, Office Professional Plus 2010 and select Autodesk installers). The update reduces the scope of UAC prompting for MSI repair workflows and lets administrators explicitly allowlist certain installers.
• IIS Manager: restored missing Internet Information Services modules that were previously disappearing from IIS Manager in some configurations, preventing typical IIS GUI administration.
• Input methods: fixes for apps that stopped responding to input under particular input‑method scenarios.
• Audio/NDI scenario: addresses audio stuttering in apps using the Network Device Interface (NDI) when display capture is active — a known regression tied to earlier updates and reported in streaming workflows (OBS Studio-related). Administrators and content creators who use NDI capture should verify on their test hardware.

AI components and Copilot+ hardware gating​

The update ships component updates for built‑in AI modules, but Microsoft clarifies that those AI component updates only install on Copilot+ PCs (machines featuring an NPU and meeting the required TOPS thresholds, plus specific platform/firmware requirements). The consumer feature list published by independent press confirmed the hardware gating and the phased rollout approach. If a device is not Copilot+, the AI components do not apply. (support.microsoft.com, windowscentral.com)

---

Enterprise security and hardening: what changed (and what’s mandatory)​

KB5065426 is not just a stability/feature drop — it’s a key entry in Microsoft’s multi‑year hardening roadmap. Two items deserve immediate attention:

1) SMB server auditing for signing and Extended Protection for Authentication (EPA)​

This update enables server‑side auditing to help administrators discover compatibility gaps before requiring SMB Server signing and SMB Server EPA enforcement. The auditing hooks (Group Policy, registry keys, and event log events) let operators collect telemetry showing whether SMB clients support signing and whether they present an SPN (which EPA requires). Administrators can run the audit posture for a period to identify legacy devices or appliances that will break once hard enforcement is applied. (support.microsoft.com, windowscentral.com)
Why this matters: enforcing SMB signing and EPA closes classic relay and tampering attack vectors but can break older NAS devices, embedded gear, or custom appliances. The audit-first approach aims to reduce deployment friction by giving visibility instead of immediate enforcement.

2) Kerberos certificate mapping and the final enforcement window​

Microsoft’s long-running Kerberos hardening campaign (strong certificate mapping / SID extension enforcement) has a hard deadline. Registry compatibility workarounds used during earlier migration windows will be removed for updates released on or after September 10, 2025. After that date, Windows domain controllers will no longer accept weak certificate mappings — this is the final phase of the remediation timeline that began in 2022 and progressed through audit and enforcement phases in 2024–2025. Administrators must complete PKI changes and certificate re-issuance plans well before the cutoff or expect certificate‑based authentication to fail. (encryptionconsulting.com)
The KB documentation and Microsoft hardening guidance outline registry keys such as StrongCertificateBindingEnforcement and CertificateBackdatingCompensation that were temporary controls; these are being retired in the September 2025 servicing wave. This change affects Wi‑Fi authentication, VPN/TLS‑PKINIT logons, SCEP/NDES issuance workflows, and other certificate‑based authentication flows in AD/Intune environments.

---

Known issues and troubleshooting notes​

PSDirect/hotpatch interoperability (known issue)​

KB5065426 documents an edge case affecting PowerShell Direct (PSDirect) when host and guest VMs are in mixed hotpatch states. Specifically, patched guest VMs connecting to unpatched hosts (or vice versa) can fail because an expected legacy handshake fallback isn’t cleaned up properly, producing socket cleanup errors and Event ID 4625 noise. Microsoft already points customers to KB5066360 for a remediation path; until both host and guest are updated, PSDirect may fail intermittently. This is a documented known issue in the KB itself.

Audio stuttering in NDI/OBS scenarios (regression fix)​

Some streaming and capture workflows reported audio stutters when Display Capture is enabled — a regression linked to earlier updates. KB5065426 includes targeted fixes here, but content creators should validate their capture stacks and drivers (NDI runtime, GPU drivers) in a controlled test before broad rollout.

Community and field reports​

Historically, 24H2 cumulative updates have produced a mix of benign regressions and more severe, device‑specific problems. The community thread archives and recent forum posts show recurring patterns — update install failures, device‑specific boot issues, and driver compatibility problems — and recommend cautious staging. Use pilot rings or small test cohorts for broad enterprise deployments. Community discussion and internal advisories echo Microsoft’s guidance to stage and test updates.

---

Deployment guidance — practical steps for IT teams​

This patch is a combined SSU + LCU package; follow standard operational hygiene when deploying:

• Backup before you change production systems:
• Create system-state backups or full disk images before broad deployment.
• For domain controllers and critical servers, snapshot (if supported) and ensure off‑host backups are current.
• Test in a small pilot ring:
• Validate authentication workflows (Kerberos certificate logon, Wi‑Fi, VPN).
• Verify SMB connections to legacy NAS and file servers in both client and server roles with signing/EPA auditing enabled.
• Check and update PKI:
• Confirm that certificate templates and issuance processes support strong certificate mappings (SID extension or other supported strong mapping options).
• Where certificates predate account creation (backdated certificates), plan re-issuance or short-term migration steps — the CertificateBackdatingCompensation registry is a temporary mitigation only.
• Monitor audit and event logs:
• Enable SMB auditing options to capture Event IDs (for example, SMBServer audit channel events) to discover clients lacking signing/EPAs before enforcement. (support.microsoft.com, windowscentral.com, support.microsoft.com)
• Operational visibility: The SMB audit features are a pragmatic approach — they let teams find trouble spots rather than flipping enforcement blindly. That observational window is valuable for risk‑based rollouts.

Trade‑offs and risks​

• Compatibility friction: The September enforcement window for Kerberos mapping and the progressive tightening of SMB behaviors mean some legacy infrastructure (embedded devices, older VPNs, custom PKI workflows, and third‑party appliances) will break unless remediated. The removal of registry escape hatches increases the urgency. Treat these changes as operational risks that require PKI audits and targeted re‑issuance of certificates. (encryptionconsulting.com)
• Driver and firmware surface: As with many cumulative updates, driver and firmware mismatches (GPU drivers, capture/NDI stacks) have historically produced regressions for a subset of users. This update’s fixes address some of those regressions, but vendors must issue compatible drivers; keep OEM driver channels on your checklist. Community reports and Microsoft troubleshooting notes recommend validating GPU and capture stacks before mass rollout.
• Hotpatch and VM edge cases: The PSDirect/hotpatch issue highlights that hotpatching can introduce subtle interoperability problems between patched and unpatched guests/hosts. Testing hotpatch flows and updating both host and guest images in lock‑step is critical to avoid intermittent service interruptions.

---

Action checklist for Windows admins (practical, prioritized)​

• Immediately inventory certificate usage: list all certificate‑based auth flows (Wi‑Fi, PKINIT, VPN, NDES/SCEP, Always On VPN).
• Query and validate the NTAuth store: ensure issuing CAs are present and trusted in domain controllers.
• Pilot KB5065426 in a controlled ring covering DCs, file servers, and a sample of client hardware (including Copilot+ test devices if you use AI features).
• Enable SMB auditing in a discovery mode and collect logs for at least two weeks to identify incompatible endpoints.
• Coordinate with app and device vendors for firmware and driver updates (NDI tool vendors, NAS vendors, VPN appliance vendors).
• Prepare rollback and recovery images; document the DISM uninstall steps for the LCU and remember the SSU is not removable.

---

What consumers and power users should know​

• If you are a consumer with a standard retail PC, the update brings small UI improvements, fixes, and Copilot+‑only AI updates if your hardware qualifies. Expect a phased rollout: some features arrive later. For stability-conscious users, allow a brief window (a few days) for vendor driver updates to surface before applying to every machine. (windowscentral.com, support.microsoft.com)
• If you are a content creator using OBS/NDI, verify capture workflows on a test system before upgrading, because display‑capture audio stutter was a known regression tied to earlier builds and has been addressed in this KB — but driver and environment differences matter.

---

Final verdict and timeline​

KB5065426 (OS Build 26100.6584) is a substantial September servicing release that blends important security hardening and enterprise controls with incremental consumer features and quality fixes. For organizations, the update is a deadline moment in Microsoft’s hardening timeline: the removal of compatibility workarounds for Kerberos mapping and the widening of SMB audit/enforcement mean administrators who have deferred PKI or SMB remediation must accelerate plans now. The authoritative Microsoft KB and supporting hardening guidance provide both the technical detail and the required dates — especially September 10, 2025 for the final Kerberos compatibility removal — and should be the basis for any organizational remediation schedule. Practical priority: back up, pilot early, monitor audit events, update domain controllers and certificate issuance pipelines, and stage SMB enforcement only after you’ve discovered and remediated incompatible endpoints. The update tightens security and supplies useful operational telemetry — but it also shortens the window for backwards compatibility. Plan accordingly.

---

Note: Community discussion logs and forum threads provide additional anecdotal context on driver and install‑time issues encountered during various 26100-series updates; IT teams should combine Microsoft’s official KB guidance with internal testing and vendor confirmations before broad deployment.

---

Source: Microsoft Support September 9, 2025—KB5065426 (OS Build 26100.6584) - Microsoft Support