Microsoft’s latest hotpatch for Windows 11 Enterprise LTSC 2024, KB5065474, landed on September 9, 2025, delivering immediate security hardening without a mandatory reboot — and packing a louder message than its quiet installation might suggest. Behind the no-restart convenience, the update squashes a persistent User Account Control (UAC) annoyance that has tripped up non-admin users for months, while simultaneously flashing a bright warning about the impending expiration of Secure Boot certificates in mid-2026. For IT teams managing long-term servicing channel devices, the patch upgrades systems to OS Build 26100.6508 and demands attention to a trio of operational imperatives: app compatibility, virtual machine management, and cryptographic trust roots.
Hotpatching, the technology powering KB5065474, is Microsoft’s answer to the reboot fatigue that plagues enterprise patching cycles. Unlike traditional cumulative updates that replace on-disk binaries and force restarts, hotpatches inject security fixes directly into running memory, letting protection take effect immediately. This model alternates between quarterly baseline months — which still require restarts for comprehensive cumulative updates — and intervening hotpatch months that keep systems online. It’s a boon for mission-critical endpoints in manufacturing, healthcare, and finance, where uptime is paramount. But hotpatching isn’t a free lunch; it demands rigorous prerequisite checks and disciplined change control.
The UAC Fix: Silencing Unwanted Prompts for Non-Admins
The most visible fix in KB5065474 tackles a UAC prompt problem that has frustrated users and admins alike since the August 2025 Windows security update. When MSI installers perform certain custom actions — think configuration steps or repairs during initial app setup — non-admin users were unexpectedly bombarded with elevation requests. This hit popular applications like Office Professional Plus 2010 and Autodesk’s AutoCAD, effectively blocking workflows for standard accounts in managed environments. Microsoft’s fix narrows the scope of UAC prompts for these MSI repair operations and, crucially, gives IT administrators a new allowlist mechanism to disable prompts for specific apps entirely. According to the official KB article, the update “reduces the scope for requiring UAC prompts for MSI repairs and enables IT admins to disable UAC prompts for specific apps by adding them to an allowlist.” This addresses a known issue documented earlier, and it’s a tangible win for desktop management teams struggling with help-desk tickets about mysterious elevation dialogs.
Known Issue: PSDirect Interoperability Broken When Patching Is Uneven
Alongside the UAC relief, the hotpatch carries a documented known issue that will trip up shops heavily invested in virtualized workloads. PowerShell Direct (PSDirect) connections — a lifeline for Hyper-V administrators who manage guest VMs without network access — can fail intermittently when a hotpatched device communicates with an unpatched host or vice versa. The fallback mechanism that should gracefully degrade to a legacy handshake instead sometimes bungles socket cleanup, leading to seemingly random rejection errors. Administrators may spot Event ID 4625 in the Security log, a red flag for failed logon attempts. Microsoft’s workaround is straightforward but requires coordinated action: apply the companion update KB5066360 to both host and guest VMs. This edge case underscores the interdependency risks of partial patching in virtual environments; uneven update states can break the very management channels meant to simplify administration.
The Big Warning: Secure Boot Certificates Expire in 2026
If the UAC fix and PSDirect glitch are the immediate news, the long-term headline from KB5065474 is its re-emphasis on the Secure Boot certificate expiration program. Microsoft warns that many Windows devices rely on certificates that will start expiring in June 2026. Failure to coordinate firmware updates, OEM patches, and CA certificate refreshes could jeopardize pre-boot trust, rendering systems unable to boot securely or apply future updates. The advisory is not exclusive to this hotpatch — it’s a cross-cutting platform concern — but KB5065474 amplifies the urgency. IT organizations must begin engaging hardware vendors, firmware teams, and update management processes now to avoid a mid-2026 scramble. This is not a box to tick in three months; it’s a program-level initiative that touches every device in the fleet.
Hotpatch Prerequisites: Not Just Any Device Gets the No-Reboot Love
Before any of these fixes or warnings can matter, devices must meet the hotpatch prerequisites. Microsoft has reiterated the strict enrollment criteria, which are especially prickly for Arm64 systems. Eligible devices must run Windows 11 Enterprise LTSC 2024 on a baseline build (historical requirements pegged Build 26100.2033 or later, with recent cycles demanding 26100.4929 or above) and hold qualifying subscriptions like Windows 11 Enterprise E3/E5, Microsoft 365 F3, or Windows 365 Enterprise. Management must be through Microsoft Intune or Windows Autopatch, with a Windows quality update policy explicitly allowing hotpatching — the “When available, apply without restarting the device” setting toggled to Allow. Virtualization-Based Security (VBS) must be enabled, a foundational requirement that ensures the OS can safely apply in-memory patches.
For Arm64 devices, the road to hotpatch eligibility includes a mandatory, one-time configuration: disabling Compiled Hybrid PE (CHPE). CHPE improves performance for x86 emulation on Arm, but it conflicts with hotpatch’s memory patching mechanics. Administrators must either set the registry key HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Memory Management\\HotPatchRestrictions to 1, or deploy the DisableCHPE configuration service provider (CSP) via Intune (Device/Vendor/MSFT/Policy/Config/Hotpatch/DisableCHPE = 1). After a single restart, the device becomes a candidate for no-reboot updates. However, Microsoft cautions that disabling CHPE can impact performance for x86 emulation workloads, so thorough compatibility testing is not optional. Arm64 hotpatch support has graduated from preview to general availability, but the configuration trade-off demands careful planning.
How to Get KB5065474 and Keep Your Fleet Healthy
Installation of KB5065474 follows established channels. Windows Update automatically serves the package to compliant, managed devices, bundling the latest servicing stack update (SSU) to reduce installation failures. The Microsoft Update Catalog offers manual downloads for offline or targeted deployments. WSUS availability isn’t guaranteed for all hotpatch packages, so administrators relying on that path must verify. Because hotpatches are cumulative only within their quarter, devices with previous updates will pull only the delta, minimizing bandwidth consumption. Nevertheless, a pilot-based rollout — not a blanket push — is the only responsible approach.
Deployment Checklist: From Inventory to Fleet-Wide Rollout
The deployment checklist that emerges from the KB and community guidance demands a methodical sequence. Start with inventory: confirm OS build and baseline compliance via winver or management tools. Validate licensing and Intune enrollment; a single misconfigured device will silently skip the hotpatch and remain exposed. Enforce VBS at scale using Intune CSPs. For Arm64 fleets, plan the CHPE disablement, test emulation-dependent applications, and document the change before a broad rollout. Then execute a pilot ring of 10–50 devices, spanning x64 and Arm64 hardware, EDR solutions, and key drivers, and monitor for at least a week. Watch for anomalous event logs, performance regressions, and PSDirect issues in virtualized test beds. Only after a clean pilot should you expand to early adopters (10–25% of the fleet) and finally to broad deployment. Post-deployment, verify OS Build 26100.6508 on updated machines and update your CMDB, vulnerability scanners, and SIEM mappings to recognize the new build number and KB identifier.
Benefits: Less Downtime, Faster Protection
The operational advantages of embracing this hotpatch are tangible. By swapping a reboot-required update for an in-memory fix, organizations can significantly reduce downtime on critical endpoints. Security protections take effect the moment the patch installs, shrinking the window of exposure — a crucial edge when zero-day threats emerge between cumulative update cycles. Payloads are smaller than full LCUs, easing network strain in bandwidth-constrained sites. And the bundled SSU bolsters installation reliability, addressing a perennial source of update failures.
Risks and Mitigations: The Fine Print of In-Memory Patching
However, hotpatching isn’t without its sharp edges. Kernel-mode drivers and security agents that hook OS internals can clash with in-memory code modifications, potentially causing silent failures or system instability. The PSDirect interoperability bug is a concrete reminder that partial patching across virtualized stacks can sever management connectivity. Debugging such issues is subtler than diagnosing a failed cumulative update, because systems remain online; robust telemetry and event log monitoring become critical. The Secure Boot certificate work is a time bomb that demands cross-functional coordination, and over-reliance on “no restart” updates could seduce teams into neglecting the baseline LCUs and firmware updates that remain essential. Hotpatches are a supplement, not a substitute.
A Rollout Timeline You Can Steal
For organizations that thread the needle, the rewards are real. The following rollout timeline, synthesized from Microsoft’s documentation and community deployment experience, can serve as a template: Week 0—inventory and licensing check, confirm Intune/autopatch readiness and VBS coverage. Week 1—assemble a pilot group, including EDR vendors, key drivers, and both processor architectures. Week 2—apply CHPE disablement on Arm64 pilots, reboot, and validate application compatibility. Week 3—deploy KB5065474 to the pilot, monitoring for 7–14 days. Week 5—expand to early adopters, rolling to 10–25% of the fleet with continuous validation. Week 8—broad deployment if no systemic regressions appear, with a firm plan to apply the next baseline cumulative update on schedule.
Bottom Line: A Pragmatic Patch with an Expiration Date
In the grander scheme, KB5065474 is more than a routine hotpatch. It resolves a tangible user friction point, exposes the brittleness of mixed patch levels in virtual environments, and yanks the spotlight onto a looming cryptographic deadline that won’t negotiate. IT teams that treat this release as a checklist item will likely sail through; those that ignore its embedded warnings risk a cascade of help-desk calls and a frantic 2026. The no-reboot promise is enticing, but it comes with a matching demand for rigor. As Microsoft continues to mature its hotpatch servicing model, such releases will increasingly shift from niche tooling to default expectation — and the discipline required to wield them safely will separate the prepared from the panicked.