Windows 11 KB5070773 OOB Cumulative: 25H2 and 24H2 Install Guide

Microsoft has pushed an out‑of‑band cumulative for Windows 11 — KB5070773 — to address immediate servicing and compatibility needs for the 25H2 and 24H2 servicing branches (OS Builds 26200.6901 and 26100.6901), and the release comes with specific offline installation guidance, bundled servicing‑stack behavior, and a few operational caveats every admin should treat as high priority.

Background

Microsoft’s October out-of-band rollup KB5070773 is delivered as a catalog/MSU package that includes both the latest servicing stack elements and the cumulative quality/security payload. The vendor documents two supported installation patterns: (1) place all MSU files in the same folder and install them together with DISM so dependency discovery is automatic; or (2) install MSU files one-by-one in the precise order Microsoft lists in the KB. The catalog includes multiple MSU files; for example, the KB references a prerequisite MSU (windows11.0-kb5043080-x64.msu) followed by the main LCU (windows11.0-kb5070773-x64.msu).

This delivery model, a combined SSU + LCU in MSU form, is common for urgent or OOB fixes because bundling the servicing stack reduces the likelihood of later update failures while ensuring the OS is on a consistent servicing level for future patches. Community guidance and Microsoft’s own KB notes emphasize verifying SSU prerequisites before mass deployment.

What KB5070773 contains (summary)​

  • Target OS builds: 26200.6901 (25H2 servicing family) and 26100.6901 (24H2 servicing family).
  • Packaging: Multiple MSU files. Microsoft documents both a combined installation method (DISM /Add-Package using a package folder) and a manual per-MSU install order. Example filenames mentioned in the KB include windows11.0-kb5043080-x64.msu (prerequisite) and windows11.0-kb5070773-x64.msu (main package).
  • Installation guidance: For online systems, DISM /Online /Add-Package /PackagePath:<folder\file.msu> or PowerShell Add-WindowsPackage -Online -PackagePath "<path>"; both approaches are documented. For offline images, use DISM /Image:<mountdir> /Add-Package /PackagePath:<file.msu> or Add-WindowsPackage -Path "<offline>" -PackagePath "<msu>" -PreventPending.
  • Deployment note: When applying Dynamic Update packages to installation media, ensure that SafeOS and Setup Dynamic Update packages match the same month as this KB or use the most recent published versions where same-month packages aren’t available.

The KB itself is concise and focuses on installation mechanics and the package contents; Microsoft’s public KB pages sometimes intentionally omit granular CVE lists in short KB text, directing administrators to the Security Update Guide or the servicing catalog for the CVE mapping. Where a KB does not enumerate individual CVEs, those mappings remain the authoritative source for security tracking. Treat any specific CVE claims that are not explicitly listed in the KB as unverifiable until confirmed in Microsoft’s security mapping.

Why this update matters now​

  • Out‑of‑band (OOB) nature signals urgency. Microsoft reserves OOB cumulatives for regressions or security items that cannot wait for the regular monthly cadence. The OOB label means the fix addresses an immediately material problem for some customers, or it consolidates urgent security content alongside a targeted quality repair. Administrators should escalate pilot and validation for OOB packages.
  • Servicing stack paired with the LCU. Bundling the Servicing Stack Update (SSU) with the LCU increases install reliability but complicates rollback: SSUs are commonly not removable by conventional means, so rollback strategies focus on removing the LCU portion only and require exact package names and DISM workflows. Plan and test rollback runbooks before broad deployment.
  • Offline / imaging scenarios demand strict ordering. Because the MSU payload includes prerequisite packages, mixing versions or unordered installs on mounted images can result in partial installs or blocking conditions. Microsoft’s DISM discovery mechanism handles prerequisites if all MSUs are placed together and installed from the same folder, which is why DISM is the recommended approach for offline servicing.

Installation methods — practical guidance​

Microsoft documents two supported methods; choose the one that fits your operational constraints.

Method A: Install all MSUs together (recommended for offline/image servicing)

Steps:
  • Download all MSU files referenced by KB5070773 to the same folder on your servicing machine (example: C:\Packages).
  • Open an elevated Command Prompt.
  • Run:
      DISM /Online /Add-Package /PackagePath:C:\Packages\Windows11.0-KB5070773-x64.msu
  • Or, from PowerShell:
      Add-WindowsPackage -Online -PackagePath "C:\Packages\Windows11.0-KB5070773-x64.msu"
  • DISM will automatically discover and apply any prerequisite MSUs in the same folder.

Method B: Install each MSU individually in order (for controlled manual installs)

Steps:
  • Download the MSU files and install them one by one in the sequence Microsoft specifies: first the prerequisite (example: windows11.0-kb5043080-x64.msu), then the main package (windows11.0-kb5070773-x64.msu).
  • Use DISM or WUSA respectively:
      DISM /Online /Add-Package /PackagePath:<file.msu>
      wusa <file.msu> /quiet /norestart (for interactive or scripted installs where WUSA is preferred)
  • Reboot if required; confirm OS build with winver or systeminfo.

Offline image servicing (mounted WIM/ESD)​

  • Use DISM /Image:<mountdir> /Add-Package /PackagePath:<msu> or PowerShell Add-WindowsPackage -Path "<offline>" -PackagePath "<msu>" -PreventPending to inject the packages into offline images used for deployment. Ensure the image is cleanly mounted and that all MSUs are present to satisfy dependencies.
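
The offline servicing flow described above, as an added example (not from the KB or the original post): it checks that both MSUs named in the KB are staged together, records their SHA-256 hashes, and commits the image only if the package add succeeds. The image path, image index, mount directory and package folder are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not Microsoft's script. Paths and image index are assumptions;
# the two MSU file names are the ones quoted from the KB on this page.
$ImagePath  = 'C:\Images\install.wim'   # assumed golden image
$Index      = 1                         # assumed edition index
$MountDir   = 'C:\Mount'                # assumed empty mount directory
$PackageDir = 'C:\Packages'             # folder holding every MSU for the KB
$Prereq     = 'windows11.0-kb5043080-x64.msu'
$Main       = 'windows11.0-kb5070773-x64.msu'

# Refuse to mount if either MSU is absent: DISM can only resolve the
# prerequisite automatically when it sits in the same folder as the main MSU.
$missing = $Prereq, $Main | Where-Object { -not (Test-Path (Join-Path $PackageDir $_)) }
if ($missing) { throw "Missing from ${PackageDir}: $($missing -join ', ')" }

# Record hashes so they can be compared with any published values
# and kept in the change record.
$Prereq, $Main | ForEach-Object {
    Get-FileHash -Algorithm SHA256 -Path (Join-Path $PackageDir $_)
} | Format-Table Hash, Path -AutoSize

Mount-WindowsImage -ImagePath $ImagePath -Index $Index -Path $MountDir -ErrorAction Stop | Out-Null
try {
    # Point at the main MSU only; the prerequisite is discovered from $PackageDir.
    Add-WindowsPackage -Path $MountDir -PackagePath (Join-Path $PackageDir $Main) `
        -PreventPending -ErrorAction Stop | Out-Null

    # Show what landed. RollupFix / ServicingStack are the usual LCU / SSU
    # package-name patterns (assumption: this KB follows that convention).
    Get-WindowsPackage -Path $MountDir |
        Where-Object PackageName -match 'RollupFix|ServicingStack' |
        Sort-Object InstallTime |
        Format-Table PackageName, PackageState -AutoSize

    Dismount-WindowsImage -Path $MountDir -Save -ErrorAction Stop | Out-Null
}
catch {
    # Never commit a half-serviced image.
    Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
    throw
}
```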

Recommended pre‑deployment checklist​

  • Inventory and backups: Take a full system image or snapshot of target machines and images before applying the KB. If rollback is required, image-level recovery is the most reliable path because SSUs are often non-removable.
  • Confirm SSU parity: Ensure devices are on, or can accept, the SSU required by the package. Installing the LCU on a device with an SSU mismatch can lead to servicing failures. Use DISM /Online /Get-Packages and inventory current package state where possible.
  • Pilot ring: Deploy first to a representative pilot set that includes any known legacy or specialized workloads (App-V hosts, RDP farms, shared printers, and hardware with firmware caveats). Monitor logs and user telemetry for at least 72 hours.
  • Vendor coordination: Coordinate with ISVs for EDR/AV, virtualization and imaging vendors, and any hardware vendors where kernel or driver-level fixes could trigger compatibility changes. Several prominent patches in recent months have required vendor driver updates to avoid regressions.
  • Networking and mitigation plan: If your environment still depends on legacy SMBv1/NetBT paths, have mitigations ready; recent servicing waves introduced connectivity regressions for SMBv1 over NetBIOS, and Microsoft documented a temporary workaround to allow TCP/445 between client and server to force SMB-over-TCP. That workaround reduces downtime but increases attack surface if used broadly; limit it to secure internal segments.

Operational risks and notable caveats​

  • Rollback complexity — SSU permanence. Because SSUs bundled with LCUs commonly remain after removal of LCU components, rollbacks to pre‑patch states are more complex than simple WUSA /uninstall flows. Test DISM‑based removal in your lab and document exact package identities to support removal of the LCU portion if required.
  • SMBv1 + NetBT connectivity — ongoing compatibility risk. Past cumulatives in the October cycle documented a known issue where SMBv1 over NetBT would fail after applying September/October updates. If your estate still uses SMBv1 with NetBT, plan to remove that dependency. Use the short‑term mitigation (TCP/445) only inside well‑controlled boundaries.
  • Unlisted CVE details — or truncated security notes. If the KB text is terse and does not list CVEs, treat any public claims about exact CVE fixes as provisional until they are confirmed in Microsoft’s Security Update Guide or the MSRC advisory mapping. Administrators who must report CVE-level remediation for compliance should use the vendor’s published CVE mapping. Unverifiable claims should be flagged and verified against the Security Update Guide.
  • Dynamic Update parity for media servicing. If you’re applying this KB to Windows installation media via Dynamic Update, make sure other Dynamic Update packages (SafeOS or Setup) come from the same month as the KB or use the most recent available versions. Mismatched month artifacts can cause unexpected setup behavior.

Enterprise deployment playbook (step‑by‑step)​

  • Inventory target systems and identify high-risk dependencies (App‑V, SMBv1/NetBT, legacy drivers, 3rd‑party kernel components).
  • Download the exact MSU files from the Microsoft Update Catalog into a secure staging share; verify file hashes if provided.
  • Stage the update in a test lab that mirrors production (images, domain, network segmentation, firmware). Use the DISM /Image flow on your golden images and verify OOBE and first‑boot behaviors.
  • Pilot to a small ring (10–100 devices) that includes high‑risk systems. Validate application compatibility, network services, and EDR/AV behavior.
  • Expand to broader rings: pilot → pre‑prod → production, monitoring telemetry and Event Viewer logs at each step.
  • Maintain a rollback runbook: record exact package identities (DISM /Online /Get-Packages), test DISM /Online /Remove-Package for the LCU, and keep system images ready for full rollback if an SSU-related issue forces image restore.

Verification and post‑install checks​

  • Confirm reported OS build via winver or systeminfo.
  • Validate the presence and version of SSU and LCU entries with DISM /Online /Get-Packages.
  • For Copilot/Copilot+ environments, verify AI component versions listed in the KB only where applicable (these component packages typically apply only on Copilot+ hardware).
  • Monitor Event Viewer, Defender/EDR alerts, and application logs for new warnings or compatibility errors for at least 72 hours.
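
The rollback-runbook and verification steps above combined in one script, added here as an example (not from the KB or the original post): run it with -Phase Baseline before patching and -Phase Verify after the reboot. The CSV path is an assumption, and the RollupFix/ServicingStack name patterns are the usual LCU/SSU naming, assumed to hold for this KB.

```powershell
#Requires -RunAsAdministrator
# Added example. -Phase Baseline before patching, -Phase Verify after the reboot.
param(
    [ValidateSet('Baseline', 'Verify')][string]$Phase = 'Verify',
    [string]$BaselinePath = 'C:\Runbook\packages-before.csv',  # assumed path
    [int[]]$ExpectedBuilds = @(26100, 26200),                  # from the KB title
    [int]$ExpectedRevision = 6901                              # from the KB title
)

if ($Phase -eq 'Baseline') {
    # Snapshot package identities so the post-patch diff is exact.
    Get-WindowsPackage -Online |
        Select-Object PackageName, PackageState, InstallTime |
        Export-Csv -Path $BaselinePath -NoTypeInformation
    return
}

# 1. Build check: the same data winver shows, read from the registry.
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$ok = ([int]$cv.CurrentBuild -in $ExpectedBuilds) -and ([int]$cv.UBR -ge $ExpectedRevision)
$verdict = if ($ok) { 'at or above KB level' } else { 'BELOW KB level' }
Write-Host ("OS build {0}.{1} -> {2}" -f $cv.CurrentBuild, $cv.UBR, $verdict)

# 2. Packages that were not present in the baseline.
$before = @((Import-Csv $BaselinePath).PackageName)
$added  = Get-WindowsPackage -Online | Where-Object { $_.PackageName -notin $before }

# 3. Classify: only the LCU is a rollback candidate; the SSU stays installed.
$report = foreach ($p in $added) {
    $role = switch -Regex ($p.PackageName) {
        'RollupFix'      { 'LCU (rollback candidate)'; break }
        'ServicingStack' { 'SSU (stays installed)'; break }
        default          { 'Other' }
    }
    [pscustomobject]@{ Role = $role; State = $p.PackageState; PackageName = $p.PackageName }
}
$report | Format-Table -AutoSize -Wrap

# 4. Emit, but do not run, the LCU removal command for the runbook.
$report | Where-Object Role -like 'LCU*' | ForEach-Object {
    "Remove-WindowsPackage -Online -PackageName '$($_.PackageName)' -NoRestart"
}
```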

Critical analysis — strengths and risks​

Strengths​

  • Rapid remediation: Microsoft’s decision to ship KB5070773 as an OOB update shows responsiveness to pressing compatibility or security needs. This reduces the window of exposure and can restore operational stability faster than waiting for a monthly release.
  • Bundled servicing stack: Including the SSU reduces the risk of future servicing failures and improves the reliability of subsequent cumulative installs. For many admins, the reliability benefit outweighs the rollback inconvenience.
  • Clear offline servicing guidance: The KB provides explicit DISM and Add-WindowsPackage examples for online and offline scenarios, which is essential for imaging teams, air-gapped environments, and scripted deployment workflows.

Risks​

  • Rollback complexity: Non‑removable SSUs make image‑level rollback the reliable recovery method. Organizations without good imaging discipline or backup processes may be exposed to longer remediation windows when issues are observed.
  • Legacy protocol breakage: The SMBv1 + NetBT connectivity caveat in recent servicing waves highlights the risk of latent legacy dependencies in corporate environments. The short‑term TCP/445 workaround is operationally acceptable only within secure boundaries and must be treated as a stopgap.
  • Incomplete public KB details: When a KB omits CVE lists or granular component notes, tracking compliance and attack surface reduction becomes harder; reliance on separate Security Update Guide mappings is required and introduces administrative overhead.

Final recommendations for admins and power users​

  • Prioritize a pilot program: validate App‑V, virtualization workflows, driver-sensitive workloads, and SMB paths before broad rollout.
  • Use DISM with all MSUs in one folder for offline/image servicing to reduce ordering mistakes; for interactive systems use the documented PowerShell or DISM /Online approaches.
  • Maintain a tested rollback runbook that uses image restore as the fastest recovery route if an SSU‑related incompatibility appears.
  • Treat any KB text that omits CVE details as an operational prompt to cross‑check the Security Update Guide for exact CVE mappings (especially if you must report compliance or track remediation for CVE lists). Do not assume CVE coverage without explicit confirmation.
  • If you rely on SMBv1 or NetBT, accelerate migration plans; use Microsoft’s temporary mitigation sparingly and only within secure, internal network segments.

This KB is another reminder that modern Windows servicing balances reliability improvements, security remediation, and the continued friction of legacy dependencies. Administrators who approach KB5070773 with a structured pilot, robust image backups, and vendor coordination will minimize disruption while taking advantage of Microsoft’s expedited fix.

Source: Microsoft Support October 20, 2025—KB5070773 (OS Builds 26200.6901 and 26100.6901) Out-of-band - Microsoft Support
 
