Microsoft released hotpatch KB5065474 for Windows 11 Enterprise LTSC 2024 on September 9, 2025, advancing the operating system to build 26100.6508. The update eliminates nuisance User Account Control prompts during MSI repair operations—a pain point for non-admin users—but carries a stern advisory about PowerShell Direct connectivity failures in mixed-patch virtual environments. It’s a classic hotpatch: security improvements without a mandatory reboot, paired with operational caveats that demand IT teams adjust their playbooks.
The Hotpatch Model in Brief
Hotpatching is Microsoft’s “rebootless” servicing mechanism for eligible Windows 11 Enterprise editions, notably 24H2 and LTSC 2024. Quarterly baseline updates require a restart, but intervening months deliver security-only fixes that patch running code in memory. The result: minimal downtime for mission-critical endpoints. KB5065474 is September’s contribution to that cadence. Devices receive it automatically via Windows Update if they’re managed through Intune or Windows Autopatch and meet strict eligibility criteria.
What KB5065474 Fixes
According to Microsoft’s official support document, the hotpatch bundles quality and security improvements. The headline change is an app-compatibility correction: non-admin users were getting unexpected UAC elevation prompts when MSI installers ran custom actions—think repair operations, silent configuration tasks, or background maintenance. Applications like Office Professional Plus 2010 and various Autodesk products (including AutoCAD) were particularly affected. The fix narrows the scenarios that trigger UAC and lets administrators add specific applications to an allowlist to suppress prompts entirely.
Beyond that, the KB uses Microsoft’s standard phrase “miscellaneous security improvements.” No CVE IDs are listed—hotpatch release notes rarely enumerate them. Administrators who need CVE detail for compliance must cross-reference the Security Update Guide or open a support case.
The PSDirect Caveat: A Virtualization Seam
A known issue documented in KB5065474 will give virtualization admins pause. When a patched virtual machine (guest) attempts a PowerShell Direct connection to an unpatched host—or vice versa—the fallback handshake sometimes fails. Socket cleanup doesn’t complete gracefully, causing intermittent connection failures and Event ID 4625 entries in the Security log. In mixed-patch environments, this could break automation scripts or troubleshooting workflows that rely on PSDirect. Microsoft’s remedy: update both host and guest to the latest cumulative or hotpatch level. KB5066360 addresses the underlying fallback issue, so applying that on both sides restores reliable connectivity.
Prerequisites: Who Gets the Hotpatch
KB5065474 isn’t a universal push. Only devices running Windows 11 Enterprise LTSC 2024 (with a current quarterly baseline) qualify. The device must be managed via Microsoft Intune or Windows Autopatch, with a quality update policy that explicitly allows hotpatching. Licensing requirements are specific: Windows 11 Enterprise E3/E5, Microsoft 365 F3, Windows 11 Education A3/A5, Microsoft 365 Business Premium, Windows 365 Enterprise, and equivalent subscriptions. Virtualization-based security (VBS) must be enabled on many endpoints.
For Arm64 devices, there’s an additional hoop: Microsoft requires disabling the Compiled Hybrid PE (CHPE) compatibility layer. CHPE improves x86 emulation performance, so turning it off—via the DisableCHPE configuration service provider or registry key—demands a one‑time restart and can degrade performance for legacy applications. IT teams with Arm64 fleets must test thoroughly before enabling hotpatching.
Deployment and Distribution
Eligible devices receive KB5065474 through Windows Update automatically. The package includes a servicing stack update (SSU) to reduce installation failures—a practice Microsoft now follows for most cumulative and hotpatch releases. Windows Update delivers the combined SSU + hotpatch; the Microsoft Update Catalog may list separate packages. For most organizations, letting Intune-managed endpoints pull the update through normal channels is simplest, provided all prerequisites are met.
A Practical Deployment Checklist
Implementing KB5065474 safely requires a staged approach:
- Inventory and eligibility: Confirm that target devices run Windows 11 Enterprise LTSC 2024 and are on a supported baseline build. Document current OS builds.
- Licensing and management: Validate that tenant and device licenses are compatible, and that Intune/Autopatch policies are correctly assigned.
- Arm64 preparation: Assess the impact of disabling CHPE for x86 workloads. Test critical apps, apply the DisableCHPE setting, schedule the restart, and log the change.
- Pilot ring: Enroll a small, representative group—including devices with EDR agents, specialty drivers, and virtualization hosts/guests. Enable hotpatching via Intune policy and monitor for 7–14 days.
- Verify PSDirect parity: If PowerShell Direct is used, update both host and guest VMs in the pilot to avoid fallback failures. Apply KB5066360 as needed.
- Staged rollout: Expand in rings, monitor telemetry, and keep a pause trigger ready.
- Update compliance tooling: Ensure patch-management dashboards, SIEM rules, and CMDBs recognize hotpatch build numbers. Otherwise, scanners may flag patched devices as vulnerable.
Post-Installation Verification
After applying KB5065474, verify the OS build via winver or Settings > System > About—it should read 26100.6508. Check event logs for Security Event ID 4625, which may indicate PSDirect issues. Review WindowsUpdateClient and servicing stack logs for installation failures. Confirm that third-party vendors (EDR, backup agents, kernel drivers) have certified compatibility with hotpatching, and retest any integration points.
Operational Benefits
Hotpatching shines in high-uptime scenarios—healthcare workstations, industrial controllers, kiosks running LTSC. KB5065474 installs without forcing an immediate restart, shrinking the vulnerability window. Hotpatch payloads are typically smaller than full cumulative updates, reducing network strain and speeding up deployment. Bundling the SSU cuts down on a common failure mode, improving overall servicing reliability.
Risks and Watch-Items
- Opaque fix descriptions: The “miscellaneous security improvements” language may frustrate compliance teams needing CVE IDs. Cross-reference the Security Update Guide or engage Microsoft support for precise details.
- PSDirect interoperability: Mixed-patch hosts and guests break PowerShell Direct. Coordinate updates across virtualized environments to avoid automation failures.
- Arm64 CHPE performance hit: Disabling CHPE can measurably slow x86 apps. Test thoroughly before making the change fleet-wide, and be prepared to exclude certain devices from hotpatching.
- Third-party driver and EDR interactions: Hotpatches manipulate in‑memory code, which can trip up kernel‑hooking security products. Include EDR and driver vendors in pilot testing and maintain rollback procedures.
- Inventory visibility: Hotpatches change how patch state is represented. Without updating compliance scanners to recognize build 26100.6508, you’ll generate false negatives. Integrate hotpatch knowledge into asset management and vulnerability tools.
- Secure Boot certificate expiration: Microsoft warns that select Secure Boot certificates begin expiring in June 2026. KB5065474 highlights this timeline. IT teams must start coordinating firmware updates, OEM patches, and OS certificate rollouts now to avoid pre‑boot trust failures.
Tactical Mitigations to Implement Today
- Secure Boot readiness project: Inventory devices by firmware and OEM, verify Secure Boot state, and enable telemetry so Microsoft can manage certificate updates for eligible systems. Coordinate with OEMs on firmware availability.
- Compliance dashboard updates: Map KB5065474 and OS build 26100.6508 into your compliance rules. Update SIEM and vulnerability scanners accordingly.
- Vendor coordination: Add EDR, backup, virtualization, and critical app vendors to your pilot matrix. Track their hotpatch compatibility statements and recreate production-like scenarios in testing.
- Rollback documentation: Test uninstall behavior in a lab. Uninstalling a hotpatch often requires a restart and may necessitate reapplying a baseline cumulative update. Document the steps before production rollout.
Commands and Checks for Auditors
- Build verification:
winveror Settings > System > About → 26100.6508. - Policy check: In Intune, confirm the quality update policy allows hotpatching (“When available, apply without restarting the device” is set to Allow).
- Arm64 CHPE disable: Apply the DisableCHPE CSP or set
HotPatchRestrictions = 1underHKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management, then restart.
The Bigger Picture
KB5065474 exemplifies Microsoft’s hotpatch philosophy: immediate protection, minimal disruption, but operational diligence required. For LTSC 2024 environments that cannot tolerate frequent reboots, this update delivers tangible value—especially by fixing the MSI repair UAC headache. However, the PSDirect issue and looming Secure Boot certificate expiration demonstrate that hotpatching is not a set‑and‑forget affair. Organizations must invest in robust inventory management, cross‑vendor testing, and proactive lifecycle planning. The hotpatch reduces the patch window; it doesn’t eliminate the need for careful IT governance.
As Microsoft continues to refine the hotpatch model, IT pros should expect more of these interim, low‑reboot updates. Building the operational muscle to handle them—accurate compliance reporting, staged rollouts, and rapid rollback capability—will pay dividends long after the September 2025 patch cycle closes.