Microsoft’s September cumulative update for Windows 11 24H2, KB5065426, is causing widespread installation failures and network disruptions, prompting frustrated users to turn to an unexpected fix: an in-place upgrade using the Media Creation Tool. The update, which bundles critical security patches for two publicly disclosed SMB zero-day vulnerabilities along with AI component updates, has been rolling out since September 10, but a significant subset of systems encounter errors ranging from 0x800F0991 to 0x80070306, leaving them unpatched and vulnerable.
Released as a combined Servicing Stack Update (SSU) and Latest Cumulative Update (LCU), KB5065426 pushes Windows 11 24H2 to OS Build 26100.6584. While it delivers essential protections—including SMB signing and authentication hardening, plus fixes for remote code execution flaws—the update’s bundled servicing stack changes, expanded SMB auditing, and larger AI payloads have exposed latent incompatibilities on diverse hardware. The result is a messy rollout that has home users and IT administrators alike scrambling for workable solutions.
A Troublesome Cumulative Update
Unlike typical monthly patches, KB5065426 merges the servicing stack update with cumulative fixes. This design choice complicates rollbacks because the SSU portion, once applied, becomes persistent and cannot be removed via standard uninstall commands. The update also introduces updated on-device AI component binaries for select devices, increasing the package size and installation complexity. Community reports confirm that the download size can spike by several hundred megabytes on machines receiving these AI updates, raising the risk of transient failures on systems with limited disk space or unreliable connections.
The security fixes are critical: among the patched vulnerabilities are two SMB zero-days (CVE-2024-38218 and CVE-2024-38219) that could allow attackers to hijack NTLM authentication sessions or execute code on vulnerable servers. Given the severity, Microsoft urged prompt deployment. But the very characteristics that make the update essential are also what’s tripping up installs across countless devices.
Mixed Bag of Error Codes
Users report a broad spectrum of failure behaviors. Windows Update may initiate the download, begin installation, and then either roll back during reboot or display a vague “the update was not installed” message. In other cases, manual installation using the standalone .msu package from the Microsoft Update Catalog proceeds halfway before stalling or completes without actually applying the update.
Error codes are equally varied, indicating multiple underlying triggers. Commonly logged values include:
- 0x800F0991
- 0x800F0922 (often tied to EFI System Partition issues)
- 0x80071A2D
- 0x800F081F (component store corruption)
- 0x80070302 (locked files)
- 0x80070306
- 0x8000FFFF
- and other 0x800F0xxx/0x8007xxxx patterns
Some users report seeing different errors with each retry, suggesting a servicing pipeline that stumbles over varying device states rather than a single bug. The Update Catalog route, often a fallback when Windows Update fails, has proven unreliable in this instance—numerous forum posts indicate it too may fail mid-stream, leaving the machine unpatched.
SMB Sharing Breaks After Update
For systems where KB5065426 does install successfully, a secondary crisis emerges: broken file and printer sharing. The patch’s SMB hardening appears to clash with existing network configurations, particularly those relying on legacy protocols.
Symptoms include:
- Network Discovery and File and Printer Sharing toggling off unexpectedly.
- Network profiles flipping from Private to Public.
- Repeated credential prompts and “System error 86” when accessing shares, even with verified credentials.
- SMBv1 shares becoming unreachable—a major headache for organizations still running older NAS devices or embedded printers that depend on the deprecated protocol.
Uninstalling the update restores connectivity in many of these scenarios, but that comes at the cost of rolling back critical security fixes. For environments where legacy SMBv1 cannot be retired immediately, the dilemma is particularly painful.
Root Causes: Why KB5065426 Won’t Install
Analysis of community telemetry and log dumps points to not one but several co-existing root causes, all exacerbated by the SSU+LCU bundling and increased payload size.
Servicing stack persistence. Because the SSU modifies core servicing components, any hiccup during its application can leave the system in an inconsistent state. If the LCU portion fails, the SSU may already have altered the servicing stack, making subsequent attempts—or even rollbacks—more complicated.
Component store corruption and missing dependencies. Errors like 0x800F081F and 0x80073712 typically indicate problems with the system’s component store (C:\Windows\WinSxS) or missing .NET Framework components. Systems imaged from a baseline that strips out .NET 3.5 (NetFx3), for example, may hit a brick wall during the update’s servicing phase.
EFI System Partition shortages. On UEFI/GPT machines, the EFI partition (ESP) must have enough free space to stage boot-related components. Error 0x800F0922 is a classic indicator that the ESP is either too small or misidentified. Many OEM configurations allocate minimal ESP space, leaving no room for the servicing stack’s modifications.
Virtualization and security stack interference. Windows Sandbox, Hyper-V, and certain third-party antivirus or VPN products can lock system files or volumes, blocking the update’s file replacement operations. Temporarily disabling these features has resolved failures for numerous users.
Larger, fragmented payloads. The inclusion of Copilot-related AI binaries bloats the download and increases install time. For machines with sluggish storage or just a few gigabytes of free space, this pushes the update beyond the safe margin, causing timeouts or disk-full aborts.
The In-Place Upgrade Workaround
The most consistent escape hatch, reported by both home users and IT pros, is an in-place upgrade using the Media Creation Tool. By downloading the latest Windows 11 24H2 image from Microsoft and running the “Upgrade this PC” option with “Keep personal files and apps” selected, the tool performs a full image-based servicing operation rather than the differential patching that Windows Update attempts. This sidesteps the locked-file conflicts, missing dependency traps, and EFI space constraints that derail the standard update path.
Crucially, the in-place upgrade preserves installed applications and user data—though backups are still strongly recommended. In many cases where DISM, SFC, and Update Catalog installs have failed, the Media Creation Tool succeeds and leaves the system fully patched, including the SSU and LCU from KB5065426.
However, the workaround is not a magic bullet. If a third-party driver or security suite is the true root cause, the upgrade may still leave artifacts that require further cleanup. And it’s essential to download the tool from Microsoft’s official site and verify the image matches the target architecture and edition.
Step-by-Step Troubleshooting Playbook
Before resorting to an in-place upgrade, users should attempt less invasive fixes. The following sequenced approach minimizes risk while addressing the most common culprits.
Preliminary checks:
- Free up at least 20 GB on the system drive.
- Disconnect VPNs and temporarily pause third-party antivirus/firewalls.
- Run the built-in Windows Update Troubleshooter.
Non-destructive repairs:
1. Open an elevated Command Prompt and stop the Windows Update services:
net stop wuauserv
net stop cryptSvc
net stop bits
net stop msiserver
2. Rename the SoftwareDistribution and catroot2 folders:
ren C:\Windows\SoftwareDistribution SoftwareDistribution.old
ren C:\Windows\System32\catroot2 catroot2.old
3. Restart the services:
net start wuauserv
net start cryptSvc
net start bits
net start msiserver
4. Retry Windows Update.
Component store and dependency repairs:
- Run sfc /scannow and then DISM /Online /Cleanup-Image /RestoreHealth. If DISM fails, specify a local Windows 11 24H2 ISO as a repair source:
DISM /Online /Cleanup-Image /RestoreHealth /Source:WIM:X:\sources\install.wim:1 /LimitAccess
- Enable .NET Framework 3.5 (NetFx3) if it is missing: DISM /Online /Enable-Feature /FeatureName:NetFx3 /All
Virtualization and feature adjustments:
- Temporarily disable Windows Sandbox and Hyper-V via Control Panel > Programs and Features > Turn Windows features on or off. Reboot before retrying the update.
- Check EFI System Partition size using diskpart or a tool like MiniTool Partition Wizard. If the ESP has less than 100 MB free, consider extending it—but only after creating a full system image backup.
Last resort before in-place upgrade:
- Download the standalone .msu package for KB5065426 from the Microsoft Update Catalog and attempt a manual install. This sometimes works when Windows Update fails, though success is inconsistent.
If all else fails, proceed with the Media Creation Tool in-place upgrade.
For IT Admins: A Cautious Rollout Strategy
Enterprise environments should treat KB5065426 as a high-impact update that demands careful piloting. Microsoft has acknowledged specific issues—especially regarding SMBv1 and PowerShell Direct interoperability—but a single catch-all fix may not materialize quickly.
Recommended approach:
1. Pilot with representative systems. Include virtualized hosts, machines with legacy NAS access, and line-of-business app servers to surface any environment-specific incompatibilities.
2. Collect logs rigorously. Save CBS.log, WindowsUpdate.log, and relevant Event Viewer entries for every failure. These artifacts are essential for Microsoft escalation.
3. Implement compensating controls if you must delay deployment. Block SMB access from untrusted networks, increase IDS/IPS monitoring for SMB exploitation attempts, and segment the network to limit lateral movement—don’t simply leave systems unpatched without enhanced protections.
4. Reserve uninstall as a last resort. While uninstalling the update restores SMB functionality for some, it also removes critical security patches. Pair any uninstall with the compensating controls mentioned above.
5. Prepare recovery images. Before attempting an in-place upgrade or SSU removal experiment, ensure you have a tested, bootable system image. The SSU’s persistence means a botched repair can force a clean reinstall.
What’s Next?
Microsoft has not announced a re-release or immediate fix for KB5065426, though follow-up out-of-band updates or advisories may arrive if the SMB regressions or installation failure rates are deemed widespread enough. The Windows 11 health dashboard should be monitored for any official acknowledgments or mitigations.
In the meantime, community-driven workarounds—particularly the in-place upgrade—remain the de facto solution. As with any cumulative update that alters foundational servicing components, the real lesson is one of caution: pilot, back up, and never assume that a patch Tuesday release will install smoothly on every configuration.
For the millions of Windows 11 users staring at error codes this month, the Media Creation Tool provides a reliable—if slightly time-consuming—path forward. Just remember to re-enable any disabled security features and verify system health after the dust settles.