Windows 11 KB5065790 Preview: Fixes Sign-In Freeze, RDP Docking, SMBv1 NetBT

Microsoft has rolled out the KB5065790 Preview update for Windows 11 — a compact, non‑security “quality” rollup that fixes a cluster of high‑impact reliability issues, most notably an SMBv1 over NetBIOS (NetBT) file‑sharing regression and a Windows sign‑in freeze that affected WWAN/eSIM devices.

Background / Overview

Microsoft distributes targeted reliability fixes as optional preview (C‑release) updates so administrators and power users can validate fixes before they enter the regular monthly cumulative. KB5065790 follows that pattern: a narrow, surgical update that doesn’t add features but addresses several real‑world disruptions reported after September servicing. Depending on the OS baseline, the same KB can appear as different servicing builds (for example, Build 22631.5982 for the 23H2 baseline or Build 22621.5984 for the 22H2 baseline).
Why this matters now
  • The fixes target visible, productivity‑stopping problems — sign‑in hangups, abrupt shutdowns with RDP/docking, printing UI crashes, and character rendering failures — all of which generate helpdesk tickets and user downtime.
  • One fix intersects with an ongoing September servicing regression that impacted legacy SMBv1+NetBT scenarios, raising operational concerns for organizations that still rely on older file‑sharing stacks.
  • Because KB5065790 is optional, it is designed for staged pilots; administrators should validate the changes in representative rings before broad rollout.

What KB5065790 actually fixes

SMBv1 over NetBT connectivity (compatibility and security context)

  • Symptom: After the September update cycle, some environments reported inability to connect to SMBv1 shares when NetBIOS over TCP/IP (NetBT) was used for name resolution and transport. Symptoms included unreachable mapped drives, repeated credential prompts, and failed share access.
  • Scope: The regression primarily affected legacy SMBv1 + NetBT scenarios. Modern SMBv2/v3 over direct TCP (port 445) was not the root cause for most of these reports.
  • Microsoft’s pragmatic mitigation: allow and prioritize TCP port 445 traffic between clients and servers so SMB negotiates over direct TCP rather than falling back to NetBT. This forces SMB to use native TCP transport and restores connectivity in many cases. This is a short‑term workaround, not a migration plan.
Why SMBv1 is a special case
  • SMBv1 is deprecated and insecure. It lacks protections introduced in SMBv2/3 and has been a known attack surface for years. Continued reliance on SMBv1 is a security and reliability liability; migration to SMBv2/3 and DNS‑based name resolution should be prioritized.
  • The September servicing changes included hardening and auditing behaviors at the server/servicing‑stack level; when auditing or stricter enforcement is introduced, previously tolerated legacy interactions can break in unexpected ways. That’s what appears to have manifested in NetBT + SMBv1 environments.

Windows sign‑in freeze after entering a SIM PIN (WWAN/eSIM)

  • Symptom: Devices that required a SIM PIN during sign‑in could present an unresponsive sign‑in screen after entry, effectively locking users out until a reboot or alternative sign‑in method. This particularly impacted mobile‑first field devices and corporate laptops using WWAN/eSIM.
  • Fix: KB5065790 resolves a race / UI handling path that caused the sign‑in screen to stop responding after SIM PIN entry, restoring the expected sign‑in flow for affected devices.

Remote Desktop Protocol (RDP), display, and docking stability

  • Symptom: Under certain multi‑monitor RDP sessions, disconnecting a dock or changing display configuration could trigger display‑related kernel interactions that caused unexpected system shutdowns or crashes.
  • Fix: The update adjusts display reconfiguration handling during RDP sessions to avoid the shutdown scenario — an important fix for users who dock/undock frequently or remote into multi‑monitor sessions. Note that display drivers and docking firmware remain key variables for end‑to‑end behavior; OEM driver updates may still be required.

Microsoft Edge (IE mode) behavior and other UI crashes

  • Symptom: Microsoft Edge running in Internet Explorer compatibility / IE mode could become unresponsive on certain same‑domain redirects; viewing the printer queue for shared printers could cause a crash in Settings; some Chinese IME characters rendered as empty boxes in constrained fields.
  • Fixes: KB5065790 patches the relevant code paths to:
      • Improve IE mode redirect handling in Edge,
      • Prevent crashes when opening shared printer queues from Settings,
      • Correct Chinese IME rendering issues where characters previously appeared as empty boxes.

Housekeeping: McpManagement service description

  • Small but practical: the McpManagement service now displays the correct description in Services and management consoles — a longstanding administrative annoyance that the update cleans up.

Related patch: KB5068221 (Office + App‑V compatibility)

A separate, out‑of‑band update — KB5068221 — was also released to address a regression where Microsoft Office apps could crash when run via App‑V (Microsoft Application Virtualization) in certain environments. This OOB update bundles the September security rollup plus a narrowly scoped compatibility fix and is intended for Windows 11 24H2 servicing. Administrators running App‑V must inventory and prioritize App‑V hosts and VDI images for testing before deploying this patch widely.

Technical analysis: what probably went wrong (high‑level)

  • Servicing‑stack hardening and SSU+LCU interactions
      • Recent September servicing packages combined a Servicing Stack Update (SSU) with the Latest Cumulative Update (LCU). SSUs are persistent and designed to improve servicing reliability, but they can change runtime or validation behaviors in subtle ways that are difficult to roll back. When an SSU hardens certain behaviors (for example, SMB auditing/negotiation), that change can reveal compatibility gaps in legacy stacks.
  • SMB hardening vs legacy NetBT negotiation
      • The update cycle introduced stricter auditing and hardening for SMB. Legacy SMBv1 over NetBT lacks modern negotiation and signing features; when a hardening change surfaces, devices using NetBT may fail to complete authentication or session negotiation. That mismatch explains why allowing TCP/445 (forcing SMB over TCP) restores connectivity in many deployments.
  • Community‑reported SID/imaging anomalies (plausible but not confirmed)
      • Administrators in forums reported cloned or imaged machines (with near‑identical SIDs) suddenly failing to authenticate to each other after the updates. Community diagnostics suggest the update surfaced SID‑binding checks or changed how SMB/Kerberos flows interpret principal identifiers. This is an unverified community hypothesis and is not confirmed as Microsoft’s official root cause. Treat it as plausible, but flag it as unverified.
Cautionary note: Microsoft’s public KB entries and Release Preview notes describe symptoms and outcomes but generally do not publish low‑level engineering details or stack traces. For deep diagnostics, administrators should collect logs, crash dumps, and escalate to Microsoft support when necessary.

Deployment guidance: how to approach KB5065790 safely

Who should pilot this update first

  • Devices with WWAN/eSIM that require SIM PIN entry (field devices, laptop fleets with cellular).
  • Docked laptops and systems frequently using multi‑monitor RDP sessions.
  • Users or VDI images that rely on Chinese IME input and have experienced rendering problems.
  • App‑V hosts and VDI pools, for KB5068221 (Office/App‑V) testing only.

Recommended rollout strategy (sequence)

  • Inventory: identify WWAN devices, docked fleets, App‑V hosts, and any endpoints still using SMBv1/NetBT.
  • Pilot: install the preview on a small, representative pilot ring that includes each affected workload (cellular, docking, RDP, IME, App‑V).
  • Validate: run focused acceptance tests — SIM PIN sign‑in flow, dock/undock RDP sessions, print queue access, IE‑mode redirects, Chinese IME entry fields, and App‑V Office launches. Capture Event Viewer logs and dump files if crashes occur.
  • Staged rollout: expand to larger rings only after clean validation; monitor telemetry and user feedback closely.
  • Rollback: because preview updates are optional, maintain rollback runbooks. Use Settings > Windows Update > Update history > Uninstall updates for pilot machines if needed. For managed deployments consider the Microsoft Update Catalog MSU packages and scripted DISM/wusa removal where applicable.

Short‑term SMB remediation checklist (if you still rely on SMBv1)

  • Permit TCP 445 between clients and servers to force SMB over direct TCP and bypass NetBT fallback. This commonly restores access quickly.
  • Prioritize migration to SMBv2 or SMBv3 with DNS‑based name resolution and disable SMBv1 where feasible.
  • Coordinate patching across clients and servers to avoid mixed states that could make fallback behavior brittle.
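
The checklist above as a read-only PowerShell inventory for one endpoint. This is an added example, not taken from Microsoft's notes or the source article; the server name is a placeholder, and the script assumes an elevated session on a Windows 11 client.

```powershell
# Added example: read-only inventory for the SMBv1/NetBT checklist. Run elevated.
# Placeholder server list (hypothetical names); replace with your own file servers.
$FileServers = @('fileserver01.example.internal')

# 1. Is the preview update present on this endpoint?
$kb = Get-HotFix -Id 'KB5065790' -ErrorAction SilentlyContinue

# 2. SMBv1 state: Windows optional feature and the SMB server protocol switch.
$smb1Feature = Get-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol'
$smbServer   = Get-SmbServerConfiguration

# 3. NetBIOS over TCP/IP per IP-enabled adapter:
#    0 = use DHCP setting, 1 = enabled, 2 = disabled.
$netbtAdapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Where-Object { $_.TcpipNetbiosOptions -ne 2 } |
    Select-Object -ExpandProperty Description

# 4. SMB sessions currently open from this client that negotiated an SMB1 dialect.
$legacySessions = Get-SmbConnection |
    Where-Object { $_.Dialect -like '1.*' } |
    Select-Object ServerName, ShareName, Dialect

# 5. Can each file server be reached on direct TCP 445 (the short-term workaround path)?
$reachability = foreach ($server in $FileServers) {
    $probe = Test-NetConnection -ComputerName $server -Port 445 -WarningAction SilentlyContinue
    [pscustomobject]@{ Server = $server; Tcp445Reachable = $probe.TcpTestSucceeded }
}

# Summary object, suitable for Export-Csv or ConvertTo-Json in a fleet-wide run.
[pscustomobject]@{
    Computer           = $env:COMPUTERNAME
    KB5065790Installed = [bool]$kb
    Smb1FeatureState   = $smb1Feature.State
    Smb1ServerEnabled  = $smbServer.EnableSMB1Protocol
    NetbtNotDisabledOn = $netbtAdapters -join '; '
    LegacySmb1Sessions = @($legacySessions).Count
    Tcp445             = $reachability
}
```

Endpoints that report open SMB1 sessions or NetBT still enabled are the ones to put in the pilot ring and on the SMBv2/3 migration list.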

Installation: how to get KB5065790 (and KB5068221)

  • For most pilot users: Settings > Windows Update > Check for updates and look for optional preview updates, then install KB5065790. Because it is an optional Preview (C‑release), it will not automatically flow to production devices that are not configured to accept Release Preview or optional updates.
  • For managed environments: obtain the MSU / package from the Microsoft Update Catalog for staged deployment through WSUS, Windows Update for Business, or your patch management system. Ensure your ring policies allow optional preview updates if you intend to pilot.
  • For KB5068221 (App‑V Office fix): treat as an out‑of‑band cumulative update; download the MSU from the catalog and deploy to App‑V hosts and representative test images first.

Risk assessment — strengths and residual concerns

Strengths
  • The update addresses immediate, user‑visible reliability problems that materially impact productivity and remote/mobile workflows (SIM PIN sign‑in freeze, RDP/docking crashes, IME rendering, printer UI crashes). Fixing these reduces helpdesk load and user downtime.
  • Targeted OOB fix for App‑V Office crashes (KB5068221) shows Microsoft responding to high‑impact compatibility regressions outside the normal monthly cycle.
  • Small administrative improvements (e.g., McpManagement service description) reduce friction for IT staff.
Risks and caveats
  • Any servicing update touching kernel/display/WWAN stacks carries a small but real chance of causing new regressions on some hardware or driver stacks; OEM driver updates can still be required. Pilot first.
  • The SMBv1/NetBT issue underscores operational risk for environments still on legacy protocols. The temporary TCP/445 workaround is useful but should not be mistaken for long‑term security posture.
  • Public documentation for these fixes is high level. Microsoft’s KB text typically describes symptoms and outcomes rather than low‑level root causes; administrators needing deep diagnostics must gather logs and engage support. Any claim about exact code paths should be treated as unverified unless Microsoft releases the engineering detail.

Practical checklist for administrators (quick reference)

  • Inventory affected endpoints: WWAN/eSIM devices, docked laptops, App‑V hosts, and any systems still using SMBv1/NetBT.
  • Pilot KB5065790 on a small, representative set across those categories.
  • Validate critical flows:
      • SIM PIN sign‑in on WWAN devices.
      • RDP multi‑monitor sessions and undock scenarios.
      • Printing: view shared printer queues from Settings.
      • IE mode redirects in Edge for legacy web apps.
      • Chinese IME input fields where rendering issues were reported.
      • Office launch paths for App‑V images (if KB5068221 applies).
  • For SMBv1 dependency:
      • Open TCP/445 as a temporary mitigation.
      • Plan and budget migration to SMBv2/3 and DNS‑based name resolution.
  • Keep rollback tools and telemetry monitoring active; capture Event Viewer, minidumps, and other diagnostics for any regressions.

Conclusion

KB5065790 is a targeted, pragmatic preview update that fixes a handful of disruptive reliability issues affecting cellular sign‑ins, RDP/docking stability, input/IME rendering, and printer UI behavior — and it arrives against the backdrop of a September servicing window that exposed a fragile interaction with legacy SMBv1 + NetBT configurations. The update reduces specific pain points for mobile and remote workers and prevents user lockouts in WWAN scenarios, but it also reinforces an enduring operational lesson: legacy protocols and mixed servicing states increase fragility and demand deliberate migration plans.
Administrators should pilot the update in representative rings, apply the short‑term SMB TCP/445 mitigation where required, and accelerate SMBv1 deprecation plans. Because Microsoft’s public notes are high level, teams that encounter persistent issues must collect diagnostics and be prepared to engage support. In short: the fixes are valuable and should be validated promptly, but they come with the usual caveats of optional preview servicing — test first, monitor closely, and plan for migration away from legacy stacks.

Source: Windows Report, "Windows 11 KB5065790 Preview fixes SMBv1 file sharing issue and Windows sign-in freezes"