Microsoft released a cumulative security update today for Windows 11’s servicing branches 22621 and 22631 — published as KB5065431 (OS Builds 22621.5909 and 22631.5909) — that combines a Latest Cumulative Update (LCU) with a servicing‑stack update (SSU) and carries a set of security and quality improvements drawn forward from prior rollups. The package includes an updated servicing stack identified as KB5064743 and reiterates Microsoft’s ongoing guidance about Secure Boot certificate lifecycle and SMB hardening; at publication Microsoft reports no known issues with this release. (support.microsoft.com)
Background
Why this update matters now
This is the September 9, 2025 Patch Tuesday cumulative update for the older Windows 11 servicing families that still use the 22621/22631 build lines. Microsoft is shipping the update as a combined SSU+LCU to improve installation reliability and to make future servicing more robust; that packaging approach has become Microsoft’s standard for monthly rollups in 2025. Combined packages are intended to reduce failed installs, but they also change rollback dynamics because the SSU component is non‑removable after install. (support.microsoft.com)
The KB also pulls forward fixes and quality items that appeared in earlier August and late‑August rollups (notably elements of KB5064080 and other August packages), so customers on 22H2 Enterprise/Education SKUs receive those targeted corrections through this cumulative. That lineage matters because many of the fixes address enterprise scenarios — SMB hardening, file‑server auditing, and MSI/UAC repair behavior — rather than consumer feature changes. (support.microsoft.com)
Build families explained (quick refresher)
- 22621 — the feature-off-by-default branch that receives security and stability fixes without enabling newer feature flags.
- 22631 — the feature-on branch that exposes more aggressive feature behavior for eligible devices.
What’s in KB5065431
Highlights and headline changes
Microsoft frames KB5065431 primarily as a security update that also includes quality improvements; the public KB explicitly lists the inclusion of improvements from earlier August rollups and states the update contains “all the improvements in Windows 11, version 22H2” for the 23H2 branch. It also bundles the servicing stack update KB5064743 for the 22621/22631 families. (support.microsoft.com)
Key, user‑facing and enterprise‑facing items called out in the KB include:
- Quality improvements that incorporate earlier fixes (for example, items backported from KB5064080). (support.microsoft.com)
- A fix to reduce unnecessary UAC prompts during MSI repair operations by enabling admins to allowlist specific apps that perform MSI repairs (addresses cases such as Office Professional Plus 2010 and certain Autodesk installers). (support.microsoft.com)
- File‑server and SMB server hardening / auditing improvements: the update enables auditing of SMB client compatibility for SMB Server signing and SMB Server EPA so organizations can better assess readiness before enforcing stricter SMB controls. The KB explicitly links this to CVE guidance (CVE‑2025‑55234) and to Microsoft’s Security Update Guide. (support.microsoft.com)
- Servicing stack improvements (SSU) to make the update pipeline more reliable going forward. (support.microsoft.com)
Servicing stack details
The package includes KB5064743 as the servicing stack update for these builds. Servicing stack updates update the component that handles Windows update installation; because they touch the updater itself, Microsoft packages the SSU with the LCU to avoid install sequencing problems. Be aware: once the combined SSU+LCU is applied, the SSU cannot be removed with ordinary uninstall tools. (support.microsoft.com)
Deployment and rollback implications
Combined SSU+LCU packaging — what admins need to know
Microsoft continues to deliver combined SSU + LCU packages for reliability. That brings two operational consequences:
- The SSU portion is persistent and cannot be uninstalled using wusa.exe /uninstall. Attempting to use the Windows Update Standalone Installer (wusa) with /uninstall on a combined package will not remove the SSU component. (support.microsoft.com)
- If you must remove the Latest Cumulative Update (LCU) component after installation, the supported path is to use DISM to identify and remove the LCU package by name (DISM /online /get-packages followed by DISM /online /Remove-Package /PackageName:<LCU‑package>). Administrators should validate this workflow in a lab before relying on it in production. (support.microsoft.com)
Known issues
Microsoft’s KB for KB5065431 explicitly states that “Microsoft is not currently aware of any issues with this update.” That language is standard when a release has no documented, confirmed regressions at publication time. However, real‑world environments can expose edge cases after wide distribution; past months show that even well‑tested updates can surface compatibility problems in diverse fleets. (support.microsoft.com)
Context — why some items here are operationally important
Secure Boot certificate lifecycle
The KB reiterates Microsoft’s ongoing advisory about Secure Boot certificates issued in 2011 that begin expiring in 2026 and the program to replace them with 2023-era replacement certificates. Devices that don’t receive updated KEK/DB entries via firmware or OS‑level updates could encounter problems applying pre‑boot fixes or validating new boot components after the 2011 certificates expire. That transition is cross‑vendor and requires coordination with OEM firmware updates in many scenarios. Treat this as a medium‑term operational program rather than a single KB to install.
SMB hardening and compatibility auditing
Microsoft is continuing its rollout of SMB hardening controls — specifically signing and EPA enforcement — to reduce exposure to network attacks. KB5065431 adds auditing hooks that allow administrators to test client compatibility before enforcing server‑side hardening. In practice this means IT teams should:
- Use the new auditing to identify legacy clients or devices that will fail stricter SMB policies.
- Coordinate firmware and driver updates with endpoint teams and IoT/embedded device owners.
This measured approach reduces the chance that a security hardening will unintentionally break business‑critical SMB workflows. (support.microsoft.com)
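The readiness check described above, as an added PowerShell example (this is not Microsoft's tooling and not part of the KB): it snapshots the SMB server's current signing and encryption settings, lists active sessions by dialect, and summarizes entries from the standard Microsoft-Windows-SMBServer/Audit channel so that clients which would fail a stricter policy are visible before enforcement. The event IDs written by the KB's new signing/EPA compatibility auditing are not hard-coded; the script assumes you pass them in after reading the guidance Microsoft links from CVE‑2025‑55234.

```powershell
# Added example, not from the Microsoft KB. Run elevated on the file server under review.
#Requires -RunAsAdministrator
param(
    [int]$LookbackHours = 24,
    # Assumption: supply the signing/EPA compatibility audit event IDs from Microsoft's guidance.
    [int[]]$AuditEventIds = @()
)

function Get-SmbHardeningState {
    # Get-SmbServerConfiguration (SmbShare module); the property names below are its real ones.
    $cfg = Get-SmbServerConfiguration
    [pscustomobject]@{
        EnableSecuritySignature  = $cfg.EnableSecuritySignature   # signing offered to clients
        RequireSecuritySignature = $cfg.RequireSecuritySignature  # signing enforced
        EncryptData              = $cfg.EncryptData
        RejectUnencryptedAccess  = $cfg.RejectUnencryptedAccess
        EnableSMB1Protocol       = $cfg.EnableSMB1Protocol        # legacy protocol; should already be off
    }
}

function Get-SmbAuditSummary {
    param([int]$LookbackHours, [int[]]$EventIds)
    $filter = @{
        LogName   = 'Microsoft-Windows-SMBServer/Audit'
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    }
    if ($EventIds.Count -gt 0) { $filter['Id'] = $EventIds }
    # Get-WinEvent raises an error when nothing matches; treat that as an empty result.
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    $events | ForEach-Object {
        # Best effort: take the first IPv4 address in the message text; formats differ per event.
        $client = if ($_.Message -match '\b(\d{1,3}\.){3}\d{1,3}\b') { $Matches[0] } else { '(see message)' }
        [pscustomobject]@{ EventId = $_.Id; Client = $client; Time = $_.TimeCreated }
    } |
        Group-Object EventId, Client |
        ForEach-Object {
            [pscustomobject]@{
                EventId  = $_.Group[0].EventId
                Client   = $_.Group[0].Client
                Count    = $_.Count
                LastSeen = ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time
            }
        } |
        Sort-Object Count -Descending
}

# Confirm the audit channel is actually enabled before trusting an empty summary.
Get-WinEvent -ListLog 'Microsoft-Windows-SMBServer/Audit' | Select-Object LogName, IsEnabled, RecordCount

'== Current SMB server hardening state =='
Get-SmbHardeningState | Format-List
'== Active sessions grouped by dialect (older dialects are the likely casualties of enforcement) =='
Get-SmbSession | Group-Object Dialect | Select-Object Name, Count | Format-Table -AutoSize
"== Audit entries in the last $LookbackHours h, per event ID and client =="
Get-SmbAuditSummary -LookbackHours $LookbackHours -EventIds $AuditEventIds | Format-Table -AutoSize
```

Run it during the audit window the KB recommends, then feed the per-client counts to whoever owns those devices; only move RequireSecuritySignature to $true once the summary is empty for the clients you care about.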
Independent verification and historical precedent
Microsoft’s KB is the authoritative record for what the package contains and how it’s delivered; independent coverage of related past issues provides useful operational context. For example, community and press reporting earlier in 2025 highlighted real‑world regressions tied to monthly cumulative updates (including a March issue where the Copilot app was unintentionally uninstalled on some machines), demonstrating that even important security rollups can have unintended side effects when the installed fleet is heterogeneous. Those prior incidents underline the value of piloting updates and staging rollouts in controlled rings. (bleepingcomputer.com)
Windows community reporting and forum threads consistently emphasize a few recurring lessons: test in a small pilot ring first; keep recovery images and offline media current; and be prepared to use DISM workflows if you need to remove the LCU while the SSU remains. These are not theoretical — community telemetry and enterprise field reports repeatedly show that hardware, drivers, and specialized applications (industrial clients, legacy file servers, device management tools) are the usual sources of post‑update friction. (windowsforum.com)
Recommended rollout plan — a practical, step‑by‑step guide
- Inventory and prioritize
  - Identify domain controllers, file servers (SMB endpoints), application servers, and devices that use legacy SMB clients.
  - Create an asset list that tags devices by OEM, model, driver versions, and owner.
- Create a pilot ring (recommended 5–10% of fleet)
  - Include a representative cross‑section of hardware vendors, drivers, security agents, and specialty devices.
  - Apply KB5065431 to the pilot devices first and monitor for at least 48–72 hours under real workloads.
- Validate critical flows
  - Verify authentication (Kerberos, NTLM fallbacks where still used), file share performance and mount stability, remote wipe and Reset this PC workflows, and any vendor management flows (MDM/Intune/WSUS/third‑party patch tools).
  - Confirm MSI repair operations for major line‑of‑business applications work as expected (the KB contains explicit fixes in this area; validate in practice).
- Prepare recovery options before broad rollout
  - Ensure offline images and the organization’s reimaging process are tested and available.
  - If you must remove the LCU after installing the combined package, use DISM to enumerate and remove the LCU package:
    - Identify installed packages: DISM /online /get-packages. (support.microsoft.com)
    - Remove the LCU package by name: DISM /online /Remove-Package /PackageName:<LCU‑package>.
    - Document the package name to avoid mistakes during removal. (support.microsoft.com)
- Staged rollout
  - If the pilot is successful, progress to targeted server groups (file servers, domain controllers), then to broader endpoint audiences in waves over several days.
  - Use health checks and automated monitoring to detect anomalies early (update failure rates, increased helpdesk calls, authentication errors).
- Compensating controls where patching is delayed
  - Limit SMB exposure at the network layer: segment file servers, restrict SMB over the internet, and enforce SMB signing where supported.
  - Increase monitoring for authentication anomalies and rotate service account credentials after patching when possible.
  - Consider application allowlists and temporary access controls for legacy devices awaiting firmware updates.
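A post-install validation script for a pilot-ring device, added here as an example (it is not from the KB or from Microsoft). It ties the pilot steps above to concrete checks: the build and UBR reported in the KB title (5909 on 22621 or 22631), whether the KB shows up in the installed hotfix list, whether a reboot is still pending, and whether a file share of your choosing is reachable. The share path is an assumption you pass in; the registry keys used for the pending-reboot check are the standard Component Based Servicing and Windows Update markers.

```powershell
# Added example, not from the Microsoft KB. Returns a non-zero exit code so a deployment
# tool (Intune, SCCM, a script runner) can flag the device for follow-up.
param(
    [string]$ExpectedKb     = 'KB5065431',
    [int]$ExpectedUbr       = 5909,                 # from the KB title: 22621.5909 / 22631.5909
    [int[]]$ExpectedBuilds  = @(22621, 22631),
    [string]$ShareToTest    = ''                    # assumption: e.g. '\\fileserver\share'
)

function Get-OsBuildInfo {
    # Same numbers winver shows, read from the registry so the script needs no UI.
    $nt = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        Build = [int]$nt.CurrentBuild
        Ubr   = [int]$nt.UBR
        Full  = "$($nt.CurrentBuild).$($nt.UBR)"
    }
}

function Test-KbInstalled {
    param([string]$Kb)
    # Get-HotFix lists the LCU under its KB id once the combined package is applied.
    [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)
}

function Test-PendingReboot {
    # Either marker means the update has not fully landed yet; do not sign off the device.
    (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') -or
    (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired')
}

function Test-ShareAccess {
    param([string]$Unc)
    if (-not $Unc) { return $null }   # nothing to test
    try { $null = Get-ChildItem -LiteralPath $Unc -ErrorAction Stop; $true } catch { $false }
}

$os = Get-OsBuildInfo
$result = [pscustomobject]@{
    ComputerName    = $env:COMPUTERNAME
    OsBuild         = $os.Full
    BuildIsExpected = ($ExpectedBuilds -contains $os.Build) -and ($os.Ubr -ge $ExpectedUbr)
    KbPresent       = Test-KbInstalled -Kb $ExpectedKb
    RebootPending   = Test-PendingReboot
    ShareReachable  = Test-ShareAccess -Unc $ShareToTest
    CheckedAt       = Get-Date
}

$result | Format-List
# Keep a per-device record so pilot results can be collected centrally.
$result | Export-Csv -Path (Join-Path $env:TEMP "kb-pilot-$($env:COMPUTERNAME).csv") -NoTypeInformation

$healthy = $result.BuildIsExpected -and $result.KbPresent -and -not $result.RebootPending -and
           ($result.ShareReachable -ne $false)
if (-not $healthy) { exit 1 }
```

Run it on every pilot device after the 48–72 hour soak, collect the CSVs, and only widen the ring once every device reports BuildIsExpected and KbPresent as True with no pending reboot.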
Risks and mitigation — what to watch for
- Rollback complexity: The combined SSU/LCU package complicates uninstall workflows. Don’t assume a simple wusa /uninstall will suffice — plan for DISM‑based removal and full reimage as fallback. (support.microsoft.com)
- Compatibility with legacy SMB clients: Enforcing SMB signing and EPA without pre‑deployment auditing can break older devices, printers, or embedded systems; use the auditing capabilities added by this KB to identify incompatibilities before hardening. (support.microsoft.com)
- Secure Boot certificate lifecycle: Devices that never receive the 2023 replacement certificates or appropriate firmware updates could face pre‑boot validation gaps after the 2011 certificates expire; coordinate with OEMs now to understand firmware readiness. This is an operational program with mid‑2026 deadlines for some certificates.
- Unseen regressions: Even when a KB lists “no known issues,” broad fleets can reveal corner cases. Historical incidents (for example, Copilot uninstallation and other Patch Tuesday regressions earlier in 2025) show the value of conservative rollouts, telemetry monitoring and quick remediation playbooks. (bleepingcomputer.com)
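To turn the Secure Boot certificate item above into something you can measure across the fleet, here is an added PowerShell example (not Microsoft's code and not part of the KB). It reports whether Secure Boot is on and whether the UEFI db already contains the 2023 Windows UEFI CA alongside the 2011 production CA, using the Get-SecureBootUEFI cmdlet; the certificate subject strings are the ones Microsoft publishes, but treat them as assumptions to verify against the guidance linked from the KB. Remote execution via Invoke-Command assumes PowerShell remoting is already enabled on the targets.

```powershell
# Added example, not from the Microsoft KB. Run elevated; pass -ComputerName to fan out.
#Requires -RunAsAdministrator
param([string[]]$ComputerName)

function Get-SecureBootReadiness {
    $result = [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        SecureBootEnabled = $null
        Db2011CaPresent   = $null   # Microsoft Windows Production PCA 2011 (expiring)
        Db2023CaPresent   = $null   # Windows UEFI CA 2023 (replacement)
        Kek2023Present    = $null   # Microsoft Corporation KEK 2K CA 2023 (assumed subject string)
        Error             = $null
    }
    try {
        # Throws on legacy BIOS / unsupported firmware; we capture that as an Error field.
        $result.SecureBootEnabled = Confirm-SecureBootUEFI
        $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
        $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)
        $result.Db2011CaPresent = $db  -match 'Microsoft Windows Production PCA 2011'
        $result.Db2023CaPresent = $db  -match 'Windows UEFI CA 2023'
        $result.Kek2023Present  = $kek -match 'Microsoft Corporation KEK 2K CA 2023'
    } catch {
        $result.Error = $_.Exception.Message
    }
    $result
}

if ($ComputerName) {
    # Same function executed on each remote device; results come back as one table.
    Invoke-Command -ComputerName $ComputerName -ScriptBlock ${function:Get-SecureBootReadiness} |
        Select-Object ComputerName, SecureBootEnabled, Db2011CaPresent, Db2023CaPresent, Kek2023Present, Error |
        Format-Table -AutoSize
} else {
    Get-SecureBootReadiness | Format-List
}
```

Devices that report Db2023CaPresent as False are the ones to raise with the OEM or schedule for the certificate-update program; a non-empty Error column usually means the device is not booting under UEFI Secure Boot at all, which is its own finding.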
Technical checklist for administrators
- Confirm current OS build before and after install: run winver or check Settings > System > About. (support.microsoft.com)
- Download the standalone package from the Microsoft Update Catalog when offline servicing is required. (support.microsoft.com)
- If preparing images, ensure prerequisite SSUs are present in the offline image before applying the LCU. (support.microsoft.com)
- Use DISM /online /get-packages to capture the LCU package name before any broad removal attempt. Test the DISM removal procedure in an isolated environment first. (support.microsoft.com)
- For SMB hardening plans, run auditing in a test window, catalog clients that log incompatibilities, and coordinate remediation (patching, firmware updates, or configuration changes) before enforcing new server policies. (support.microsoft.com)
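The DISM removal workflow described in the "Combined SSU+LCU packaging" section, repeated in the rollout plan and in the checklist item above, as one added PowerShell example (this is not Microsoft's tooling). It enumerates installed packages with Get-WindowsPackage, selects the LCU for the target build, records the package name to a log before doing anything, and removes it only after an explicit confirmation prompt, leaving the SSU in place as the KB describes. The Package_for_RollupFix naming pattern is an assumption about how Windows 11 names its LCU packages; confirm it against DISM /online /Get-Packages output before relying on it.

```powershell
# Added example, not from the Microsoft KB. Rehearse with -WhatIf first.
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
param(
    [string]$BuildNumber = '22621.5909'   # assumption: use 22631.5909 on the 23H2 branch
)

function Find-LcuPackage {
    param([string]$Build)
    # Assumption: Windows 11 LCUs appear as Package_for_RollupFix~...~<build>.<rev>.
    # Only packages in the Installed state are candidates; superseded ones are ignored.
    Get-WindowsPackage -Online |
        Where-Object { $_.PackageName -like "Package_for_RollupFix*~$Build*" -and $_.PackageState -eq 'Installed' }
}

function Remove-LcuPackage {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][string]$PackageName)

    # Write the exact name down first, as the checklist recommends, so the removal is auditable.
    $log = Join-Path $env:TEMP "lcu-removal-$(Get-Date -Format yyyyMMdd-HHmmss).txt"
    "$(Get-Date -Format o) target package: $PackageName" | Out-File -FilePath $log -Append

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Remove LCU package $PackageName")) {
        # Same command the KB gives; /NoRestart lets you schedule the reboot yourself.
        & dism.exe /online /Remove-Package "/PackageName:$PackageName" /NoRestart
        "$(Get-Date -Format o) dism.exe exit code: $LASTEXITCODE" | Out-File -FilePath $log -Append
        return $LASTEXITCODE   # 0 = done, 3010 = reboot required
    }
}

$lcu = @(Find-LcuPackage -Build $BuildNumber)
if ($lcu.Count -ne 1) {
    Write-Warning "Expected exactly one installed LCU for $BuildNumber, found $($lcu.Count); not removing anything."
    $lcu | Format-Table PackageName, PackageState, InstallTime -AutoSize
    exit 2
}

"Installed LCU: $($lcu[0].PackageName)"
# Script-level -WhatIf and -Confirm propagate into this call.
Remove-LcuPackage -PackageName $lcu[0].PackageName
```

Because the script refuses to act unless exactly one matching package is installed and prompts before removal, it is safe to run in a lab repeatedly; the servicing stack (KB5064743) is untouched either way, so a full reimage remains the fallback if the LCU removal does not restore the device.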
Final analysis and recommendation
KB5065431 is a routine but consequential monthly cumulative update that packages security fixes, targeted quality improvements, and a servicing stack refresh for Windows 11 build families 22621 and 22631. The inclusion of KB5064743 (SSU) and the continued emphasis on SMB hardening and Secure Boot certificate lifecycle make this release particularly relevant for enterprise IT teams planning security enforcement or firmware coordination in the months ahead. Microsoft’s statement that there are no known issues at publication is useful, but not a substitute for local validation in diverse fleets. (support.microsoft.com)
Practical posture: pilot the update, validate critical authentication and file‑sharing flows, and maintain tested recovery images. If your environment contains legacy SMB clients, printers, or embedded devices, use the new SMB auditing hooks to detect problems before you enforce stricter policies. Keep OEM firmware readiness and Secure Boot certificate timelines on your radar as an operational program that will require coordination across device owners and vendors. (support.microsoft.com)
KB5065431 is not a “feature” release; it’s an important security and reliability rollup. Treat it like one: prepare, pilot, monitor, and then deploy in waves. That discipline will minimize helpdesk impact while ensuring the security benefits the update delivers are realized across the fleet. (support.microsoft.com)
Conclusion: apply the update in accordance with your organizational change control — prioritize high‑risk internet‑facing and authentication servers for early deployment, validate SMB and backup/restore workflows, and keep recovery procedures current. The package sharpens Windows’ update pipeline and hardening posture, but the operational realities of combined SSU packages and device diversity make conservative, well‑instrumented rollouts the safest path forward. (support.microsoft.com, bleepingcomputer.com)
Source: Microsoft Support September 9, 2025—KB5065431 (OS Builds 22621.5909 and 22631.5909) - Microsoft Support