Microsoft has released the September 2025 cumulative security update for Windows 11, version 24H2 — KB5065426 (OS Build 26100.6584) — a combined Latest Cumulative Update (LCU) and Servicing Stack Update (SSU) that delivers security hardening, targeted bug fixes, AI component updates for Copilot+ hardware, and an urgent operational reminder about the pending Secure Boot certificate rollover beginning in June 2026.
Source: Microsoft - Message Center September 9, 2025—KB5065426 (OS Build 26100.6584) - Microsoft Support
Background
Microsoft’s monthly cumulative for September 9, 2025, targets Windows 11, version 24H2 (all editions) and is intended to be installed via Windows Update, Windows Update for Business, WSUS, or through the Microsoft Update Catalog as an MSU package. The release bundles the latest servicing stack (SSU) to reduce installation failures and includes fixes that follow earlier August updates. The update notes explicitly call out several reliability and compatibility fixes, SMB auditing additions, AI component refreshes for eligible Copilot+ devices, and an important Secure Boot certificate advisory.
For IT administrators and enthusiasts, this patch is important for three overlapping reasons:
- It closes security exposure in several platform areas.
- It introduces or enables auditing and hardening features that can change interoperability with legacy SMB/third-party devices.
- It reiterates Microsoft’s Secure Boot certificate expiration timeline and the practical steps organizations must take to avoid boot-time or pre-boot update failures.
What’s in KB5065426 — at a glance
This cumulative update contains multiple fixes and improvements across the OS, plus an updated SSU and optional AI component updates for Copilot+ PCs. Key highlights in the published notes include:
- App compatibility (UAC / MSI repair): A fix reduces unexpected User Account Control (UAC) prompts for non‑administrator users when MSI installers run certain custom actions, including repair or configuration operations. The change also exposes an allowlist mechanism that IT admins can use to exempt specific MSI-based apps from prompting. This addresses real-world breakage for legacy installers (examples cited include Office Professional Plus 2010 and several Autodesk titles).
- File server / SMB auditing: The update enables auditing for SMB client compatibility related to SMB Server signing and SMB Server Extended Protection for Authentication (EPA). This is an auditing capability so organizations can identify clients and servers that will break when stricter SMB signing/EPA enforcement is applied. The change is preparatory — it allows assessment ahead of hardening.
- Input and management fixes: Several stability fixes address apps that stopped responding to input in certain IME scenarios and an issue where some IIS modules could disappear from IIS Manager, which prevented configuration via the GUI.
- Networking / audio (NDI / OBS): A known issue introduced earlier that caused audio stuttering in apps using the Network Device Interface (NDI) — notably when Display Capture is enabled in OBS Studio — has been fixed. The notes indicate this was a regression tied to a prior update.
- AI component updates: The package includes versioned updates for modular AI components (Image Search, Content Extraction, Semantic Analysis, Settings Model). These are only applicable and installed on Windows Copilot+ hardware; non‑Copilot PCs and Windows Server SKUs will not receive these AI binaries.
- Servicing Stack Update (SSU): The update incorporates the SSU (KB5064531) for build 26100.5074, improving the reliability of the component that installs Windows updates. SSUs are bundled to reduce a class of installation failures and to make combined packages more robust.
The Secure Boot certificate expiration — why this matters now
One of the most consequential operational advisories in the KB is the reminder that the Secure Boot certificates Microsoft has used since ~2011 are scheduled to start expiring in June 2026. Devices that still rely on the legacy 2011 CA chain and do not receive (or accept) the new 2023 CA family risk losing the ability to install Secure Boot pre‑boot updates and could encounter boot trust failures or inability to validate boot components. Microsoft has described this as a global, coordinated certificate rollover that affects most Windows devices shipped since 2012. (techcommunity.microsoft.com, support.microsoft.com)
Why this is operationally significant:
- Secure Boot ensures integrity of early boot components (bootloader, option ROMs, drivers). If the signing CA expires, the platform will not trust new signed firmware/components and may prevent certain pre‑boot patches.
- Certificate rollover often requires firmware (OEM) interaction, especially for devices with older UEFI implementations. Microsoft’s guidance stresses OEM coordination, testing, and — for managed fleets — allowing Microsoft-managed Secure Boot certificate updates where possible. (techcommunity.microsoft.com, support.microsoft.com)
- Inventory devices with Secure Boot enabled and record firmware/UEFI versions and OEM support status.
- Engage OEMs to confirm whether firmware updates are required to accept the 2023 CA family.
- Allow Microsoft‑managed Secure Boot certificate updates where feasible (via Windows Update/management channels) for consumer and managed devices.
- For air‑gapped or firmware‑locked systems, plan manual certificate rollouts and testing well ahead of June 2026. (techcommunity.microsoft.com)
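The inventory step above is the one most fleets skip. The following PowerShell is an added example, not Microsoft's script or anything from the KB: it records, for the local device, whether Secure Boot is on and whether the 2023-family CAs are already present in the UEFI db and KEK variables, alongside the OEM firmware version, so the rows can be collected centrally and matched against OEM support statements. It assumes an elevated session on a UEFI device with the SecureBoot module cmdlets available, and it assumes the new certificates can be recognised by the subject strings "Windows UEFI CA 2023" (db) and "Microsoft Corporation KEK 2K CA 2023" (KEK); adjust those strings if your OEM documents different names.

```powershell
# Added example (not from the KB or from Microsoft): Secure Boot readiness
# record for the local device ahead of the June 2026 certificate expiry.
# Assumptions: elevated session, UEFI firmware, SecureBoot module present, and
# the 2023 CA subject strings below (assumed names; verify against OEM/Microsoft docs).
function Get-SecureBootReadiness {
    [CmdletBinding()]
    param(
        [string]$NewDbCaName  = 'Windows UEFI CA 2023',
        [string]$NewKekCaName = 'Microsoft Corporation KEK 2K CA 2023'
    )

    $result = [ordered]@{
        ComputerName    = $env:COMPUTERNAME
        FirmwareType    = $null
        SecureBootOn    = $null
        Has2023DbCa     = $null
        Has2023KekCa    = $null
        BiosVendor      = $null
        BiosVersion     = $null
        BiosReleaseDate = $null
        Notes           = @()
    }

    # OEM firmware identity: this is what you take to the OEM when asking about 2023 CA support.
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $result.BiosVendor      = $bios.Manufacturer
    $result.BiosVersion     = $bios.SMBIOSBIOSVersion
    $result.BiosReleaseDate = $bios.ReleaseDate

    # Legacy BIOS devices have no Secure Boot variables at all; record that and stop.
    $result.FirmwareType = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType
    if ($result.FirmwareType -ne 'Uefi') {
        $result.Notes += 'Legacy BIOS firmware: Secure Boot not applicable.'
        $result.Notes = $result.Notes -join '; '
        return [pscustomobject]$result
    }

    try {
        $result.SecureBootOn = Confirm-SecureBootUEFI
    } catch {
        $result.Notes += "Confirm-SecureBootUEFI failed: $($_.Exception.Message)"
    }

    # db and KEK hold EFI_SIGNATURE_LISTs of DER-encoded certificates. The subject
    # CN is stored as plain ASCII inside the DER bytes, so a substring search is
    # enough to tell whether a given CA has been provisioned.
    foreach ($pair in @(@{ Name = 'db';  Key = 'Has2023DbCa';  Ca = $NewDbCaName },
                        @{ Name = 'KEK'; Key = 'Has2023KekCa'; Ca = $NewKekCaName })) {
        try {
            $bytes = (Get-SecureBootUEFI -Name $pair.Name).Bytes
            $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
            $result[$pair.Key] = $text.Contains($pair.Ca)
        } catch {
            $result.Notes += "Could not read UEFI variable $($pair.Name): $($_.Exception.Message)"
        }
    }

    if ($result.SecureBootOn -and -not $result.Has2023DbCa) {
        $result.Notes += 'Secure Boot is on but the 2023 db CA is absent: confirm OEM firmware support and whether Microsoft-managed certificate updates are allowed.'
    }
    $result.Notes = $result.Notes -join '; '
    return [pscustomobject]$result
}

# Usage: run on each device (e.g. via your management agent) and append the row to a shared CSV.
Get-SecureBootReadiness | Export-Csv -Path "$env:TEMP\secureboot-readiness.csv" -NoTypeInformation -Append
```

Devices that report SecureBootOn = True with Has2023DbCa = False are the ones to raise with the OEM first; devices that fail to read the variables at all usually indicate firmware that needs an update before any certificate rollout can be attempted.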
Deeper look: SMB auditing and the push to strict signing
KB5065426 helps administrators prepare environments for SMB security hardening by enabling auditing of SMB client compatibility with SMB Server signing and EPA. It is not the enforcement step; it’s the reconnaissance step — designed so admins can discover incompatible devices and third‑party SMB stacks before flipping the enforcement switch.
Context and implications:
- Microsoft has been moving to require SMB signing by default on Windows 11 24H2 and in Windows Server 2025; auditing gives visibility into clients that do not support signing or EPA. (learn.microsoft.com, techcommunity.microsoft.com)
- Many legacy appliances, embedded devices, NAS units, or appliances using older SMB stacks (or Samba versions) may not support SMB signing or EPA. When enforcement is activated, those devices may fail to connect until firmware or vendor patches are applied.
- Auditing settings are configurable via Group Policy or PowerShell and produce event‑log entries administrators can use to build remediation lists. (learn.microsoft.com, techcommunity.microsoft.com)
- Enable the new SMB auditing policies in a test OU and collect logs for 30–90 days.
- Identify devices that show “client does not support signing” or similar events.
- Engage application and appliance owners to patch or replace incompatible endpoints.
- Stagger enforcement: convert auditing → limited hardening → full enforcement to reduce blast radius. (learn.microsoft.com)
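The staged approach above (audit first, enforce later) needs a repeatable way to turn the audits on and to turn the resulting events into a per-peer remediation list. The PowerShell below is an added example written for this article, not Microsoft's own tooling: it enables the signing-compatibility audits on both the SMB server and client side, then summarises what the audit channels have logged over the collection window, grouped by peer. It assumes the Windows 11 24H2 / Windows Server 2025 SMB cmdlets with the AuditClientDoesNotSupportSigning and AuditServerDoesNotSupportSigning parameters, and assumes the audit events are written to the Microsoft-Windows-SMBServer/Audit and Microsoft-Windows-SMBClient/Audit channels. Only the signing audit is shown; the EPA audit switch added by this KB is not covered here.

```powershell
# Added example (not Microsoft's script): enable SMB signing-compatibility audits
# and summarise the collected audit events into a remediation list.
# Assumptions: 24H2 / Server 2025 SMB cmdlets with the Audit*DoesNotSupportSigning
# parameters, elevated session, audit events in the */Audit channels named below.
function Enable-SmbSigningAudit {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess('SMB server', 'enable "client does not support signing" audit')) {
        Set-SmbServerConfiguration -AuditClientDoesNotSupportSigning $true -Force
    }
    if ($PSCmdlet.ShouldProcess('SMB client', 'enable "server does not support signing" audit')) {
        Set-SmbClientConfiguration -AuditServerDoesNotSupportSigning $true -Force
    }
}

function Get-SmbAuditSummary {
    param([int]$Days = 30)
    $since = (Get-Date).AddDays(-$Days)
    $channels = 'Microsoft-Windows-SMBServer/Audit', 'Microsoft-Windows-SMBClient/Audit'

    $rows = foreach ($log in $channels) {
        # Get-WinEvent throws when a channel has no matching events; treat that as "no findings".
        $events = Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            # The audit message names the peer. Pull an IPv4 address or a \\UNC host out
            # of the text rather than depending on event-specific XML fields, which differ per event ID.
            $peer = if ($e.Message -match '(\d{1,3}(\.\d{1,3}){3}|\\\\[^\s\\]+)') { $Matches[1] } else { 'unknown' }
            [pscustomobject]@{ Log = $log; EventId = $e.Id; Peer = $peer; Seen = $e.TimeCreated }
        }
    }

    # One line per (channel, event, peer): the count tells you how noisy a legacy
    # device is, LastSeen tells you whether it is still in use.
    $rows | Group-Object Log, EventId, Peer | ForEach-Object {
        [pscustomobject]@{
            Log      = $_.Group[0].Log
            EventId  = $_.Group[0].EventId
            Peer     = $_.Group[0].Peer
            Count    = $_.Count
            LastSeen = ($_.Group | Measure-Object Seen -Maximum).Maximum
        }
    } | Sort-Object Count -Descending
}

# Usage: enable once in the test OU, then re-run the summary periodically during the 30-90 day window.
Enable-SmbSigningAudit
Get-SmbAuditSummary -Days 30 | Format-Table -AutoSize
```

Run the summary on file servers (server-side audit shows clients that cannot sign) and on representative clients (client-side audit shows servers and appliances that cannot sign); the union of the two peer lists is the remediation backlog to clear before moving from auditing to enforcement.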
Known issues and troubleshooting
KB5065426 documents a small set of known issues and their mitigations. The primary operational known issue to call out is the PSDirect (PowerShell Direct) connection failure observed on hotpatched devices (devices that installed the September hotpatch KB or this cumulative update while the host/guest were mismatched). The symptoms and mitigation are summarized below:
- Symptom: PSDirect connections may intermittently fail when a patched guest tries to connect to an unpatched host (or vice versa). The fallback to a legacy handshake can fail, leaving sockets uncleared and producing authentication failure events (Event ID 4625) in the Security Event log.
- Workaround / Fix: Microsoft notes the problem is fixed in KB5066360; administrators experiencing PSDirect failures on hotpatched systems should update both host and guest VMs to the KB5066360 package (or apply the recommended cumulative update that contains the fix). Until both sides are aligned, avoid relying on PSDirect sessions for remote guest administration.
- If your environment uses hotpatching widely, ensure management tooling (SCCM, Intune, CMDB) and compliance scanners are updated to recognize hotpatched states — hotpatches can change reported KB identifiers and build numbers in non‑obvious ways.
- If you rely on legacy MSI installers or older applications that invoke MSI repairs, test non‑admin user install flows after applying this update and use the new allowlist option where necessary to avoid lingering UAC disruptions.
Installation options and a recommended deployment path
Microsoft supports multiple installation methods for KB5065426: Windows Update, Windows Update for Business, WSUS synchronization (Products: Windows 11; Classification: Security Updates), Microsoft Update Catalog downloads (MSU files), DISM/PowerShell offline servicing, or the Windows Update Standalone Installer (WUSA). The KB ships as a combined SSU + LCU package; Microsoft recommends using the combined package or DISM with a folder of required MSUs so dependencies are resolved automatically.
Recommended steps for enterprise deployment (concise):
- Inventory and pilot:
  - Identify representative pilot groups (hardware vendors, EDR agents, VMs, Copilot+ devices).
  - Ensure firmware inventory and OEM update readiness, especially for devices with Secure Boot enabled.
- Stage auditing:
  - Enable SMB compatibility auditing in a controlled test OU to surface incompatible devices.
- Apply update to pilot devices:
  - Use Windows Update for Business or WSUS to target a small pilot set.
  - Monitor for PSDirect issues if any devices are hotpatched; keep host/guest parity in VMs.
- Expand to controlled ring:
  - After 48–72 hours of pilot validation, broaden to production rings.
  - Monitor event logs (SMB, Security, Application) for regressions.
- Full rollout:
  - Coordinate firmware updates for Secure Boot certificate acceptance where needed.
  - Use Microsoft-managed Secure Boot updates where possible for consumer/managed devices.
- Using DISM on the running (online) system:
  DISM /Online /Add-Package /PackagePath:C:\Packages\Windows11.0-KB5065426-x64.msu
- Using PowerShell:
  Add-WindowsPackage -Online -PackagePath "C:\Packages\Windows11.0-KB5065426-x64.msu"
- To service a mounted offline image:
  DISM /Image:mountdir /Add-Package /PackagePath:Windows11.0-KB5065426-x64.msu
Practical recommendations — prioritization and mitigations
For IT managers and security teams evaluating this update, the following prioritized actions will reduce risk and operational friction:
- Priority 1 — Secure Boot readiness:
- Inventory all devices with Secure Boot enabled and confirm OEM firmware compatibility with the 2023 CA family.
- Allow Microsoft-managed Secure Boot updates for devices that accept Windows Update, or plan OEM/firmware-assisted rollouts for locked environments. Do this now rather than waiting for 2026. (techcommunity.microsoft.com, support.microsoft.com)
- Priority 2 — SMB auditing and remediation:
- Turn on SMB client/server auditing in a controlled stage to identify devices that will fail when signing or EPA enforcement is applied.
- Prioritize remediation of high-value file servers, backup clients, and appliances that interact across network segments. (learn.microsoft.com, techcommunity.microsoft.com)
- Priority 3 — Hotpatch parity and PSDirect:
- If you use hotpatching, ensure both hosts and guests are patched to the same compatibility level before relying on PSDirect.
- If experiencing PSDirect failures, install the KB that Microsoft identifies as the fix (KB5066360) on both sides.
- Priority 4 — App compatibility and UAC allowlist:
- For known legacy MSI installers that caused UAC prompts for non-admin users, validate the new behavior in the pilot. Use the allowlist mechanism when operationally required for apps that perform MSI repairs.
- Priority 5 — Copilot+ AI components:
- If your fleet includes Copilot+ PCs, track the AI component versions and validate Copilot-related experiences after the update. Non‑Copilot devices will not install these components, so inventorying Copilot+ hardware is necessary for meaningful validation.
Risk assessment and critical analysis
Strengths of this release
- Proactive operational guidance — Microsoft’s clear reminder about Secure Boot certificate expiry pushes a normally obscure pre‑boot dependency into actionable territory well before the expiry window. That gives organizations months, not weeks, to plan OEM, firmware, and OS-level remediation. (techcommunity.microsoft.com, support.microsoft.com)
- Preparatory hardening controls — Enabling SMB auditing (rather than flipping enforcement immediately) is a measured step that allows discovery and remediation before breaking connectivity for legacy devices. (learn.microsoft.com)
- Targeted compatibility fixes — Patching regressions such as UAC prompts during MSI repair, IIS module visibility, and NDI audio stutter shows Microsoft is addressing both security and usability regressions identified since August.
- Firmware dependency for Secure Boot — For many fleets, the Secure Boot certificate update is not only an OS update; firmware-level changes from OEMs may be required. Air‑gapped, firmware‑locked, or long‑lifecycle devices (medical, industrial, OT) present high‑touch migration paths with potential manual steps and service windows. Failure to coordinate with OEMs can lead to devices that are unreachable or unable to receive pre‑boot fixes. (techcommunity.microsoft.com)
- Third‑party appliance compatibility — SMB signing and EPA hardening can break older NAS appliances, virtualization storage appliances, and legacy appliances that do not support modern SMB signing or encryption. Without careful auditing and staged enforcement, administrators risk business-impacting outages. (techcommunity.microsoft.com)
- Hotpatch/diagnostic complexity — Hotpatching can leave inconsistent patch states across hosts and guests. The PSDirect issue demonstrates how subtle fallback mechanics between patched/unpatched endpoints can cause intermittent failures that are hard to triage without aligned patching policies. Inventory, reporting, and synchronized update state are essential to avoid these hard‑to‑reproduce problems.
- Some parts of the KB and component updates (AI component internals, “miscellaneous security improvements”) are intentionally non‑specific. When a vendor uses general language, it is often because low‑profile or defensive changes are being shipped without disclosing exploit details. Treat those statements as legitimate protections but recognize that public exploit mapping (CVE mapping) may lag or not be provided for every micro‑fix. Where precise CVE mappings are required for compliance, use the Security Update Guide or the monthly security bulletin for authoritative CVE lists.
How to verify installation and what to watch for post‑install
After applying KB5065426, confirm installation and monitor for regressions:
- Verify OS Build in Settings → System → About or by running:
  - winver (graphical)
  - systeminfo /fo list | findstr /i "OS Build" (command line)
- Check Update history in Settings → Windows Update to confirm the KB number and the combined SSU + LCU package presence.
- Monitor these event log channels for specific post‑install telemetry:
  - Applications and Services Logs → Microsoft → Windows → SMBClient / SMBServer → Operational (audit events for SMB compatibility). (learn.microsoft.com)
  - Windows Event Viewer → Security log for Event ID 4625 if experiencing PSDirect issues until host/guest parity is ensured.
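The checks above are manual; at fleet scale they are worth scripting so the same answer comes back from every device. The PowerShell below is an added example, not something shipped with the KB: it confirms the device is at or beyond OS Build 26100.6584 (the build number and UBR from the KB title), checks whether KB5065426 is listed as an installed hotfix, and counts the Security 4625 logon failures over the last few days as the early-warning signal for the PSDirect fallback problem on hotpatched hosts and guests. It assumes an elevated session; the registry values CurrentBuildNumber and UBR are the standard ones Windows uses to compose the "OS Build" string.

```powershell
# Added example (not part of KB5065426): post-install verification for the
# September 2025 cumulative. Assumptions: elevated session; expected build/UBR
# taken from the KB title (26100.6584).
function Test-Kb5065426Installed {
    param(
        [string]$Kb            = 'KB5065426',
        [int]   $ExpectedBuild = 26100,
        [int]   $ExpectedUbr   = 6584
    )
    # CurrentBuildNumber.UBR is exactly what winver / systeminfo display as "OS Build".
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR

    # Get-HotFix is a secondary signal: a later cumulative supersedes this KB, so a
    # device that is already on a newer build may legitimately not list it.
    $hotfix = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        OsBuild      = "$build.$ubr"
        BuildAtLeast = ($build -gt $ExpectedBuild) -or ($build -eq $ExpectedBuild -and $ubr -ge $ExpectedUbr)
        KbListed     = [bool]$hotfix
        InstalledOn  = if ($hotfix) { $hotfix.InstalledOn } else { $null }
    }
}

function Get-LogonFailureSignal {
    param([int]$Days = 3)
    $since = (Get-Date).AddDays(-$Days)
    # PSDirect handshake fallback failures show up as Event ID 4625 in the Security log.
    # Get-WinEvent throws when nothing matches, so suppress that and treat it as zero.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue
    $count  = ($events | Measure-Object).Count
    $last   = if ($count -gt 0) { ($events | Measure-Object TimeCreated -Maximum).Maximum } else { $null }
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        WindowDays     = $Days
        Event4625Count = $count
        LastSeen       = $last
        # Hyper-V hosts and guests are where this matters: flag them so the operator
        # knows to check host/guest patch parity before chasing credentials.
        IsHyperVHost   = [bool](Get-Service -Name vmms -ErrorAction SilentlyContinue)
    }
}

# Usage: run both on every pilot device and compare the rows before expanding the ring.
Test-Kb5065426Installed
Get-LogonFailureSignal -Days 3
```

A rising Event4625Count on a Hyper-V host or guest right after the update, with BuildAtLeast = True on only one side of the pair, is the pattern the KB's known-issue entry describes; the remedy is aligning both sides (KB5066360) rather than treating the 4625s as an account problem.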
Final assessment and bottom line
KB5065426 is a routine but strategically important monthly cumulative update: it closes security exposure, removes several annoying regressions, and — most importantly for future boot reliability — renews Microsoft’s public reminder that Secure Boot certificates will begin expiring in June 2026. Organizations must act now to inventory devices with Secure Boot enabled, coordinate with OEMs on firmware readiness, enable SMB auditing, and validate Copilot+ hardware behavior if relevant. The update’s inclusion of an SSU makes installation more reliable, but the presence of hotpatch-related edge cases (PSDirect) and the dependency on firmware for Secure Boot remind administrators that patching is now an end‑to‑end process spanning firmware, OS, and appliance vendors. (techcommunity.microsoft.com, learn.microsoft.com)
Apply the patch with a staged, instrumented rollout; treat Secure Boot readiness as a calendarized project with OEMs and device owners; and use the SMB auditing capabilities to build a remediation plan for legacy appliances before enabling stricter enforcement. These steps will minimize disruption and ensure the security hardening delivered by the September 2025 Windows security update is realized without operational surprises.