Windows 11 KB5065789 Release Preview: DRM Playback Fix and Update Reliability

Microsoft’s Release Preview package KB5065789 (OS Build 26100.6725) landed as a targeted, non‑security preview on September 29, 2025, bringing a small set of reliability fixes for Windows 11 while also staging several AI and accessibility features behind gradual rollout controls.

Overview​

KB5065789 is an optional Release Preview update intended primarily for pilots, enthusiasts, and IT validation rings rather than immediate, broad deployment. The package is small by design: its headline work repairs a pair of high‑impact regressions that emerged from August–September servicing while consolidating modest UI and manageability polish and continuing Microsoft’s staged enablement approach for the 25H2 feature set.
At the operational level, the update’s most consequential changes are:

• A targeted remediation for DRM/HDCP playback failures that affected some Blu‑ray, DVD and digital‑TV applications after earlier servicing.
• A repair for a Windows Update failure (error 0x80070002) that prevented some Insiders from completing preview installs.
• Several stability and UI fixes (Settings/Storage crash, battery icon charging state, File Explorer polish) and backend enterprise work like CRL partitioning support for high‑scale Certificate Authorities.

These fixes arrive while a set of visible productivity features (notably the Click‑to‑Do “Convert to table with Excel” flow) remain delayed or server‑gated to a future flight, so organizations should not expect all headline AI features to be available immediately.

---

Background: why this preview matters​

The enablement and preview model​

Microsoft continues to deliver Windows feature updates using an enablement model: most binaries are present in servicing updates and a small enablement package flips the feature set between servicing baselines. Release Preview is therefore the last near‑final validation ring where Microsoft and customers can confirm compatibility and catch regressions before larger staged rollouts. KB5065789 follows that pattern and is explicitly intended for validation rather than broad production deployment.

Timeline that led to KB5065789​

• August 29, 2025: Microsoft published a non‑security preview (KB5064081) that later correlated with early reports of playback problems in legacy media players.
• September 9, 2025: Changes were folded into the September cumulative update (KB5065426), widening exposure to the regression.
• Mid‑September 2025: Microsoft acknowledged the behavior publicly on Release Health/Windows Q&A and began staging a targeted remediation to Release Preview.
• September 29, 2025: KB5065789 appears in the Release Preview channel as a focused fix/preview package while other features remain gated.

This sequence explains why KB5065789 is surgical in scope: Microsoft sought to preserve the intended security and servicing hardening while restoring narrowly affected media workflows and update reliability.

---

Technical summary: what KB5065789 changes​

DRM/HDCP playback repair​

A servicing change in August/September altered low‑level interactions in the protected media chain (the Enhanced Video Renderer (EVR) ↔ OS DRM ↔ GPU driver handshake). When that handshake failed, Windows correctly failed closed, blocking protected playback for certain legacy apps (Blu‑ray/DVD players, tuner/capture applications) rather than returning degraded output. KB5065789 contains a targeted remediation to restore those EVR‑based protected playback scenarios on affected configurations.
Important points and scope:

• Modern streaming clients and most app‑managed DRM flows (browser or UWP/WinUI players) were generally not affected, because they use different rendering/DRM integration paths.
• The regression was narrow in population but severe for users who rely on physical‑media playback or specialized capture workflows.

Windows Update fix (0x80070002)​

Some Insider participants experienced update failures with the long‑standing 0x80070002 code during preview installs; this update addresses manifest/catalog processing issues that led to aborted installs in a subset of devices and restores update success for those scenarios. KB5065789 therefore reduces a practical adoption blocker for release validation.

UI and reliability polish​

Smaller but visible fixes in the package include:

• Correcting a taskbar battery icon that could fail to show charging state.
• Fixing crashes when opening Settings → System → Storage or the File Explorer drive properties page.
• Miscellaneous desktop and gaming polish (hardware indicator popups, taskbar pinning behavior, Game Bar/multi‑monitor fixes) and updated emoji to Emoji 16.0 where applicable.

Enterprise and platform work​

KB5065789 added CRL partitioning support for Windows Certificate Authorities to help very large PKI deployments manage revocation lists more efficiently by splitting CRLs into smaller partitions. Administrators should validate replication and tooling before enabling partitioning.

---

Installation and deployment guidance​

Packaging and prerequisite order​

Microsoft distributes preview packages as combined MSU files and, in some cases, requires installation of prerequisites in a specific order. KB5065789’s servicing files may require ordering when deploying offline or via catalog downloads. Administrators should follow the MSU ordering guidance supplied with the KB and use DISM or Windows Update Standalone Installer for offline deployment. Community notes confirm DISM usage and provision the usual sequencing cautions.

Supported installation methods (practical steps)​

The typical deployment options are:

• Windows Update (recommended for most users): opt into Release Preview or check Windows Update for the optional preview offering and install through the normal UI. This ensures dependency handling and avoids manual ordering complexity.
• Offline/manual install (advanced or imaging scenarios):
• Gather all MSU packages required by the KB into a single folder.
• Use DISM to add packages online:
• DISM /Online /Add-Package /PackagePath:C:\Packages\Windows11.0-KB5065789-x64.msu
• Or run PowerShell: Add-WindowsPackage -Online -PackagePath "C:\Packages\Windows11.0-KB5065789-x64.msu"
• For offline images (mounted WIM):
• DISM /Image:mountdir /Add-Package /PackagePath:Windows11.0-KB5065789-x64.msu
• Or PowerShell: Add-WindowsPackage -Path "C:\offline" -PackagePath "Windows11.0-KB5065789-x64.msu" -PreventPending

These are standard, supported commands for MSU package application and match the packaging model used for Release Preview MSUs. Administrators should ensure the MSUs they download match the month and branch of the install media when servicing offline images.

• Windows Update Standalone Installer (wusa.exe): useful when a single MSU is known to be self‑contained and dependency ordering is trivial; however, in combined SSU+LCU packages, DISM and catalog ordering are safer for scripted deployments.

Rollback and recovery considerations​

• If you must remove an LCU, DISM’s Remove‑Package and wusa /uninstall can be used for LCUs; however, Servicing Stack Updates (SSUs) are not removable. MSU packaging sometimes bundles SSU + LCU, which complicates rollback and means imaging or full re‑deployment may be the safest recovery option in managed estates. Plan rollback and backups accordingly.

Recommended pilot strategy​

• Pilot KB5065789 on a representative subset that includes: media‑critical HTPCs, devices that previously failed with 0x80070002, devices with diverse GPU drivers and docking firmware, and a sample of enterprise endpoints for CRL partitioning validation.
• Observe update logs, event telemetry, application playback tests across affected players, and certificate revocation behavior in lab CA environments before enabling CRL partitioning on production CAs.

---

Practical mitigation options (if you were affected by earlier updates)​

If you experienced playback failures or the 0x80070002 update error after earlier August/September servicing, short‑term choices boil down to three paths: uninstall the problematic cumulative update, pilot Microsoft’s Release Preview remediation, or use alternative playback paths/devices. Each carries tradeoffs:

• Pause installations of KB5064081/KB5065426 on production, content‑critical machines until remediation is validated. This is safest but delays security/quality patches.
• Pilot the Release Preview remediations (KB5065789) in controlled rings to validate playback and update health before broad rollout. Release Preview is not recommended for production fleets without testing.
• If immediate playback is essential and rollback is acceptable, uninstall the problematic LCU (wusa /uninstall /kb:5065426 or DISM removal), while accepting the security tradeoffs of removing a cumulative update. Always back up or create an image before rollback.
• Try alternate players or replay paths that use Media Foundation / Simple Video Renderer (SVR) instead of EVR, if the application supports it, or use external physical players. Modern streaming clients were typically unaffected.

---

Analysis: strengths, tradeoffs, and risks​

Strengths​

• Surgical approach: Microsoft fixed two high‑visibility regressions without broadly rolling back security hardening, minimizing re‑exposure while restoring functionality. This is the conservative engineering posture expected for late servicing cycles.
• Operationally efficient enablement model: The enablement package approach continues to reduce upgrade downtime and simplifies broad 25H2 activation for devices already carrying the requisite binaries.
• Enterprise ergonomics: CRL partitioning addresses a real scalability pain point for large PKIs and is a welcome platform improvement for enterprise certificate management.

Risks and caveats​

• Residual edge cases: Not every instance of 0x80070002 shares the same root cause; some devices required deeper artifact recovery (component resets, DISM/SFC or in‑place repair ISOs). Administrators must be prepared with standard remediation runbooks.
• Driver/firmware interactions: Low‑level fixes in DRM, update plumbing, or certificate handling can surface unpredictable interactions with third‑party drivers (GPU, capture, docking). Coordinate vendor driver updates during pilot windows.
• Fragmented user experience: Microsoft’s gating of headline features by hardware entitlement or Microsoft 365/Copilot licensing produces heterogeneous UX across a fleet — communications and license planning are required for organizations adopting AI features.

Unverified or ambiguous claims​

Several community summaries circulated an assertion that an earlier update caused SSD failures during large file transfers. The dataset reviewed for this analysis did not corroborate that claim with vendor advisories or Microsoft documentation. Treat the SSD‑failure narrative as unverified until confirmed telemetry or official guidance appears. Collect logs and escalate to vendor/Microsoft support if you observe unusual storage behavior after updates.

---

What to watch next (operational checklist)​

• Confirm whether KB5065789 appears in your Windows Update console for Release Preview devices and test installs on non‑production machines.
• Validate playback across the specific Blu‑ray/tuner/capture applications you rely on; don’t assume all players behave the same because some vendor code paths differ.
• Keep GPU and capture drivers current and coordinate firmware updates for docking stations and WWAN modems if part of your fleet — mismatches are a common source of lingering issues.
• For PKI operators: test CRL partitioning in a lab CA topology, verify replication and tooling, and only enable in production after successful staged validation.
• Track Microsoft’s Release Health and the general availability rollout schedule; features delayed or gated in Release Preview may receive new rollout dates in subsequent cumulative updates.

---

Conclusion​

KB5065789 (OS Build 26100.6725) is a tightly scoped Release Preview package that prioritizes operational stability over headline feature exposure. It restores two user‑facing blockers — protected media playback in EVR‑dependent apps and an update failure class that stalled some preview installs — while delivering modest UI, accessibility, and enterprise manageability improvements. The update illustrates Microsoft’s current servicing tradeoffs: maintain security hardening and harden the platform while issuing surgical fixes for compatibility regressions. For administrators and power users the pragmatic approach is clear: pilot KB5065789 in representative rings, validate media and update workflows, coordinate driver/firmware updates, and reserve Release Preview for controlled validation rather than immediate production adoption. fileciteturn1file1turn1file5turn1file3

---

Source: Microsoft Support September 29, 2025—KB5065789 (OS Build 26100.6725) Preview - Microsoft Support

 

[ChatGPT]

Microsoft has released the September 2025 non‑security preview for Windows as KB5065789 — an optional Release Preview package that delivers targeted quality fixes (including a staged repair for protected playback regressions and a set of reliability patches) and ships as one or more MSU files that administrators can apply offline or via Windows Update channels.

Background / Overview​

The September preview cycle continues Microsoft’s pattern of shipping small, focused “C” (non‑security) updates to the Release Preview channel so administrators and advanced users can validate critical fixes before they are promoted into the regular monthly rollups. KB5065789 is distributed as MSU packages for Windows 11 servicing families (24H2 and 25H2 build series) and, depending on the target SKU and baseline, may be bundled with a Servicing Stack Update (SSU) or be delivered as a checkpoint‑style cumulative that has prerequisites.
Why Release Preview matters now: this preview is intentionally conservative — not a feature update but a set of reliability fixes for real‑world regressions discovered after the August/September cumulative updates. For some professional and enthusiast scenarios (protected media playback, legacy SMBv1/NetBIOS connectivity, Autopilot provisioning flows), these fixes remove operational blockers that appeared when broader monthly updates rolled out. Community testing and Microsoft’s Release Preview notes should guide production rollouts.

---

What’s inside KB5065789 — the practical summary​

KB5065789 focuses on a handful of distinct problem areas rather than broad feature work. The following is a concise list of the most relevant fixes and behavior changes that administrators and power users should know:

• A targeted repair for protected playback failures that affected some legacy EVR/DirectShow playback paths (Blu‑ray/DVD players, TV tuner/capture apps) after recent preview/cumulative updates. This is the remediation that was staged into Release Preview in mid‑September.
• Reliability fixes for multi‑monitor Remote Desktop (RDP) sessions and unexpected shutdowns when docking/undocking or disconnecting monitors in certain streaming scenarios.
• Resolutions for sign‑in hangs related to SIM PIN / mobile broadband during authentication workflows on WWAN/eSIM devices.
• Fixes for printer queue UI crashes when viewing shared printer queues in Settings.
• Input Method Editor (IME) rendering problems for certain languages (notably Chinese IME edge cases) corrected to prevent missing characters or empty blocks.
• Mitigations for an SMBv1 over NetBIOS (NetBT) connectivity regression that appeared after earlier September servicing; this preview delivers a specific correction for that regression on affected branches. Note: SMBv1 remains deprecated; these fixes are tactical.

Microsoft’s official release note for KB5065789 lists the builds and contains packaging instructions and prerequisites; the Release Preview blog and multiple community threads document the timeline and the real‑world symptoms that motivated the hotfix.

---

Packaging, prerequisites and how the MSU model works​

Microsoft ships cumulative/preview updates in a few packaging patterns administrators must understand:

• Single MSU (LCU) or combined SSU + LCU: Many recent packages include a Servicing Stack Update (SSU) paired with the Latest Cumulative Update (LCU). SSUs improve update reliability but are effectively permanent once applied. That means rollback options are limited and testing before broad deployment is required.
• Checkpoint cumulative chains: For some Windows 11 servicing branches, a target cumulative may require one or more checkpoint updates to be installed first; DISM and WUSA can automatically discover and apply prerequisites if the packages are placed together in the same folder. Microsoft documents this behavior in its DISM guidance.

Key technical points administrators must heed:

• If you download the MSU files from the Microsoft Update Catalog, confirm the files match your exact SKU (24H2 vs 25H2, Home/Pro vs Enterprise) and architecture (x64/ARM64).
• If an SSU is included in the package you plan to install, recognize that the SSU element is non‑removable — plan images and rollback strategies accordingly.
• For offline and air‑gapped scenarios, DISM’s /Add‑Package and PowerShell’s Add‑WindowsPackage can be used to service an offline or online image; the folder path can contain multiple MSUs and DISM will walk prerequisites if the files required are present.

---

Installation options — step‑by‑step and recommended commands​

Microsoft documents two main offline installation approaches for KB5065789: (A) place all required MSU files in a single folder and let the servicing tool discover and apply prerequisites; or (B) install MSU files individually in the required order. Both methods are valid — pick one that matches your deployment tooling and testing discipline. The official KB provides explicit command examples and a recommended order when multiple MSUs are required.

Method 1 — Install all MSU files together (recommended for automated or offline servicing)​

• Download all MSU files for KB5065789 from the Microsoft Update Catalog and place them in a single folder (for example, C:\Packages).
• Use DISM to install on a running PC (elevated Command Prompt):
• DISM /Online /Add‑Package /PackagePath:C:\Packages\Windows11.0‑KB5065789‑x64.msu
• Or use PowerShell (elevated):
• Add‑WindowsPackage ‑Online ‑PackagePath "C:\Packages\Windows11.0‑KB5065789‑x64.msu"
• For image servicing (offline mounted image), run from an elevated prompt:
• DISM /Image:C:\mountdir /Add‑Package /PackagePath:C:\Packages\Windows11.0‑KB5065789‑x64.msu
• Or PowerShell: Add‑WindowsPackage ‑Path "C:\offline" ‑PackagePath "Windows11.0‑KB5065789‑x64.msu" ‑PreventPending

These commands are consistent with Microsoft’s DISM documentation which notes that /PackagePath can point to a folder containing multiple MSU files; DISM will check applicability and install prerequisite checkpoint packages from that folder where needed.

Method 2 — Install each MSU file individually, in order​

If you prefer explicit control, download and install each MSU file in the sequence Microsoft lists. The KB and Update Catalog may show one or more MSU files with checksum names; install them in the stated order to avoid dependency failures. Example (the user‑visible filenames commonly look like):

• windows11.0‑kb5043080‑x64_953449672073f8fb99badb4cc6d5d7849b9c83e8.msu
• windows11.0‑kb5065789‑x64_199ed7806a74fe78e3b0ef4f2073760000f71972.msu

Install each with DISM or WUSA/wusa.exe (interactive or scripted):

• wusa.exe C:\Packages\Windows11.0‑KB5065789‑x64.msu /quiet /norestart

WUSA supports /quiet and /norestart switches for silent installs; it will also extract and apply checkpoint MSUs if you double‑click the final MSU while the prerequisites are co‑located in the same folder. Microsoft’s WUSA guidance documents the recommended behaviors for chains of checkpoint cumulative packages.

---

Testing, piloting and rollout guidance (practical playbook)​

This preview is optional; treat it as a validation artifact for production environments. The recommended rollout pattern for organizations is:

• Apply to a small pilot ring (5–10 representative devices) that includes hardware permutations: docking stations, WWAN/eSIM devices, capture/HTPC machines, and virtual machines that mirror production.
• Validate the specific workloads affected by earlier regressions: DRM playback in your players, RDP multi‑monitor scenarios, printer queue UI, and Autopilot OOBE flows where applicable. Record telemetry and event logs during the pilot window.
• If pilot is successful, expand to a broader test group (20–30% of fleet) for 48–72 hours while monitoring for regressions (EVENT IDs, Setup logs, Windows Update logs, and OEM driver/firmware alerts).
• For large fleets, stage the SSU portion first on the pilot to confirm update plumbing behaves as expected; consider image snapshots and OS rollback plans because SSUs are persistent and complicate clean rollback.

Practical checks during validation:

• Confirm the OS build reported by winver or via Setup logs matches the KB’s targeted build numbers (the KB lists the build revisions for 24H2/25H2 and for 23H2 branches where applicable).
• Test protected‑playback workflows with the exact applications and hardware used in production; note that modern streaming apps were not affected — the regression targeted legacy EVR/DirectShow protected rendering paths.
• Verify WWAN/eSIM sign‑in works as expected on cellular devices and test Autopilot ESP flows on a lab Autopilot tenant if you manage such devices.

---

Troubleshooting and rollback notes​

• If you experience issues after installing a preview LCU, you can uninstall the LCU portion using Windows Update > Update history > Uninstall updates or DISM /Remove‑Package where applicable. Uninstalling may not revert SSU changes.
• If updates fail due to 0x80070002 or similar servicing errors, follow standard remediation: reset Windows Update components, run DISM /Online /Cleanup‑Image /RestoreHealth, run SFC /scannow, and consider in‑place repair from the Release Preview ISO if problems persist. Community guidance collected during the September cycle emphasizes these runbooks.
• For content owners and HTPC operators affected by protected playback regression, the two practical short‑term options were: (a) pause Windows Update on the playback machine until a validated fix reaches the production channel, or (b) uninstall the offending cumulative update if the device requires immediate restoration of playback. Both carry risk and require backups.

Caveat: some edge‑case failures reported to community forums required in‑place repair (Release Preview ISO) to fully restore update components. If you manage critical systems, ensure image‑level recovery is available before you apply SSU+LCU combinations.

---

Security, device lifecycle and the larger servicing context​

Although KB5065789 itself is a non‑security preview, it appears within a servicing season that's been notable for two wider operational headlines:

• Microsoft’s multi‑year program to refresh Secure Boot signing certificates (the “2011 CA family” replacement with 2023 CA family) and the related expiry windows beginning mid‑2026. Administrators should inventory Secure Boot‑enabled devices and coordinate with OEMs to ensure firmware will accept CA updates before expiry windows. This is a separate but cross‑cutting rollout that appears in September servicing advisories and must be handled proactively. This is a time‑sensitive, fleet‑level operational task and requires OEM coordination.
• Late‑cycle servicing during an OS lifecycle endpoint (Windows 10/11 servicing deadlines in 2025) heightens the importance of validating fixes in preview channels ahead of the final production rollouts. When a servicing branch approaches EOL, the optional preview channel becomes an important validation window for administrators.

Flag on unverifiable claims: third‑party analyses sometimes extrapolate the percentage of devices that will need OEM firmware intervention for the Secure Boot CA changes. These extrapolations are not verifiable from public telemetry and should be treated as speculative — inventory‑level validation is the only reliable way to assess device risk in a specific estate.

---

Strengths, trade‑offs and risks — editorial analysis​

Strengths

• Targeted fixes reduce blast radius. By focusing on specific regressions (protected playback, SMBv1/NetBT connectivity, RDP/docking shutdowns), Microsoft minimizes the scope of change that a preview pushes into a fleet and gives administrators a chance to validate without exposing the entire OS to new feature churn.
• Multiple installation paths. The availability of MSUs, DISM/PowerShell automation, and WUSA for interactive installs covers a wide range of deployment models from single machines to air‑gapped labs. This is practical for enterprise imaging and for advanced users.

Trade‑offs and risks

• SSU permanence. Servicing Stack Updates that are bundled with LCUs are effectively permanent; if a combined package introduces an unexpected regression, rollback may require full OS reimaging. That raises the bar for pilot testing and snapshotting.
• Driver/firmware interplay. Many of the fixes touch subsystems where third‑party drivers and firmware matter (graphics, docking firmware, WWAN modem stacks, capture drivers). Even with a validated OS fix, mismatched vendor drivers can produce residual symptoms — coordinate driver updates alongside the OS fix.
• Preview channel exposure. Enrolling machines into Release Preview to obtain the hotfix early exposes them to other preview artifacts; use dedicated pilot hardware rather than enabling Release Preview on broadly used endpoint devices.

---

Quick‑reference checklist (one page)​

• Verify the target OS build and SKU with winver before downloading MSUs.
• If deploying offline, download all MSU files for KB5065789 into a single folder (example: C:\Packages).
• Prefer DISM /Add‑Package against /Online for unattended installs, or Add‑WindowsPackage in PowerShell for scripted workflows.
• Pilot on «representative» hardware: docking stations, WWAN/eSIM laptops, HTPCs/tuner machines, virtual machines.
• If you have critical playback systems, either pause updates or pilot the Release Preview fix before broad rollout. Keep image backups.
• Prepare rollback plans that recognize SSU permanence — snapshot or image before applying SSU+LCU combos.

---

Conclusion — the practical takeaway​

KB5065789 is a focused Release Preview update designed to repair real, high‑impact regressions introduced earlier in the September servicing wave — most notably protected playback failures and reliability issues across input, printing, networking and RDP/docking scenarios. Administrators and advanced users who depend on the affected workflows should pilot the preview in controlled rings and coordinate driver/firmware updates with OEM vendors. For most users, waiting for the validated fix to arrive in the regular monthly cumulative will be the safest path; for HTPC, broadcast, or Autopilot‑reliant environments, the Release Preview option provides an early remediation route that should be handled carefully and with full backups.
Note: the KB and Microsoft Update Catalog entries include the authoritative MSU filenames and the explicit install order; when in doubt, follow the instructions on the Microsoft KB page and use DISM or WUSA as documented. Administrators managing large fleets should prioritize pilot testing and OEM firmware coordination because some servicing changes have dependencies that live outside the OS and require firmware-level updates to complete safely.

---

---

Source: Microsoft - Message Center September 29, 2025—KB5065789 (OS Build 26100.6725) Preview - Microsoft Support