The September 2025 cumulative update for Windows 11 version 24H2, KB5065426 (OS Build 26100.6584), breaks new ground not for its fixes, but for the urgency of its operational advisory: Microsoft’s Secure Boot certificates used since 2011 begin expiring in June 2026, and organizations must act now to avoid a boot-trust catastrophe. Released on September 9, 2025, this combined Latest Cumulative Update (LCU) and Servicing Stack Update (SSU) packages security patches, bug fixes, and AI component updates for Copilot+ PCs alongside a blunt reminder that the clock is ticking on pre-boot certificate trust. Enterprise IT teams, OEMs, and device managers face a time-sensitive, firmware-dependent remediation process that, if ignored, will leave devices unable to install Secure Boot pre-boot updates or validate boot components.
What’s Inside KB5065426
This update bundles the servicing stack KB5064531 (build 26100.5074) to reduce installation failures and delivers targeted fixes that address real-world pain points. The headline items include:
- UAC prompts during MSI repairs: Non‑administrator users no longer face unexpected User Account Control (UAC) interruptions when MSI installers run custom actions, such as repair or configuration operations. Microsoft has also exposed an allowlist mechanism so IT admins can exempt specific legacy MSI-based applications—like Office Professional Plus 2010 and certain Autodesk titles—from the new behavior, eliminating a long-standing friction point.
- SMB compatibility auditing: New auditing capabilities let administrators discover SMB clients and servers that do not support SMB signing or SMB Extended Protection for Authentication (EPA). This is a preparation step before Microsoft enforces these hardening controls by default in Windows 11 24H2 and Windows Server 2025.
- Input and management fixes: Several issues are resolved, including apps that stopped responding in certain IME scenarios and IIS modules that would vanish from IIS Manager, blocking GUI configuration.
- NDI audio stutter: The update fixes a regression introduced earlier that caused audio crackling in apps using Network Device Interface (NDI), most notably when Display Capture was enabled in OBS Studio.
- AI component refreshes: Copilot+ devices receive versioned updates to modular AI components—Image Search, Content Extraction, Semantic Analysis, and Settings Model—that improve on-device AI experiences. These components are not installed on standard PCs or Windows Server.
The cumulative update also includes the latest servicing stack, making installations more robust and reducing a class of common update failures.
The Secure Boot Bombshell
The most consequential item in KB5065426 is not a fix at all—it’s Microsoft’s formal and urgent reminder that the Secure Boot certificates anchored in the 2011 CA chain expire starting June 2026. Since its introduction with Windows 8, Secure Boot has relied on these certificates to validate the integrity of boot loaders, option ROMs, and drivers before the OS loads. Once the signing CA expires, platforms will no longer trust newly signed firmware components, potentially blocking pre-boot patches, triggering boot failures, or leaving devices unable to receive critical firmware updates.
Microsoft’s plan is a global, coordinated rollover to a new 2023 CA family. For consumers and many managed devices, Microsoft‑managed Secure Boot certificate updates will be delivered via Windows Update or similar channels. But countless enterprise, industrial, medical, and air‑gapped devices require explicit OEM firmware intervention to accept the new CAs. Without it, they remain stuck on the old trust chain, cut off from future Secure Boot updates.
Immediate IT Actions
- Inventory Secure Boot–enabled devices across the fleet, recording UEFI/firmware versions and OEM support status.
- Engage OEMs immediately—confirm whether firmware updates are needed to inject the 2023 CA family. For long‑lifecycle devices (e.g., ATMs, SCADA systems, medical imaging), this may require service contracts and planned maintenance windows.
- Allow Microsoft‑managed Secure Boot updates on devices capable of receiving them automatically. For managed fleets, use Windows Update for Business or Intune to ensure the updates are deployed.
- Plan manual certificate rollouts for air‑gapped or firmware‑locked systems, including testing in a representative staging environment well before the June 2026 deadline.
The advisory transforms Secure Boot from a forgettable compliance checkbox into a top‑priority infrastructure project. Delaying will increase risk exponentially as the expiry date approaches.
SMB Auditing: Preparing for Harder Lockdowns
KB5065426 turns on auditing for SMB client compatibility with SMB Server signing and EPA, but it does not yet enforce them. This reconnaissance‑only mode generates event‑log entries so administrators can discover legacy NAS appliances, embedded devices, and third‑party SMB stacks that will break when stricter requirements arrive.
Microsoft has been steadily raising the floor for SMB security: Windows 11 24H2 and Windows Server 2025 will eventually require SMB signing by default, and EPA enforcement will follow. The auditing feature provides a safe, no‑impact way to:
- Identify devices that do not advertise signing or EPA support.
- Assess whether incompatible endpoints can be patched or replaced.
- Stagger enforcement from audit → limited hardening → full enforcement to minimize business disruption.
To enable auditing, IT teams can use Group Policy or PowerShell to configure the new SMB client and server auditing settings. Event ID categories in the SMB operational logs will surface the necessary details. This proactive discovery phase is essential; flipping enforcement blindly risks breaking connectivity for critical backup clients, storage appliances, and legacy line‑of‑business applications.
Known Issues: PSDirect and Hotpatch Gotchas
The update documents a specific operational issue affecting PowerShell Direct (PSDirect) on hotpatched virtual machines. If a host and guest VM are at different patching levels—for example, one has the September hotpatch or KB5065426 while the other does not—PSDirect connections can fail intermittently. The fallback to a legacy handshake leaves sockets uncleared, triggering authentication failure events (Event ID 4625) in the Security log. The fix, according to Microsoft, is to install KB5066360 on both host and guest to restore alignment.
Other caveats for IT shops:
- Hotpatched devices can report non‑standard KB identifiers and build numbers, potentially confusing compliance scanners and CMDB tools. Update scanning logic to recognize hotpatch states.
- Legacy MSI installers that rely on repair actions should be tested with non‑admin users after applying the update. The new allowlist option can be used to exempt problematic apps and avoid UAC pop‑up regressions.
Installation Options and Commands
KB5065426 is available through Windows Update, Windows Update for Business, WSUS (under the “Windows 11” product and “Security Updates” classification), and the Microsoft Update Catalog. Because the package is a combined SSU+LCU, Microsoft strongly recommends installing all MSU files together using DISM to automatically resolve dependencies.
For manual installation from the catalog, download all MSU files to a folder (e.g., C:\Packages) and run from an elevated command prompt:
DISM /Online /Add-Package /PackagePath:C:\Packages\Windows11.0-KB5065426-x64.msu
Or via PowerShell:
Add-WindowsPackage -Online -PackagePath "C:\Packages\Windows11.0-KB5065426-x64.msu"
For offline servicing of a mounted image:
DISM /Image:mountdir /Add-Package /PackagePath:Windows11.0-KB5065426-x64.msu
If you must install the MSUs individually, install the prerequisite KB5043080 first, then KB5065426. After installation, verify the OS build via winver or systeminfo | findstr "OS Build".
A Pragmatic Deployment Roadmap
Enterprise teams should approach this update with a deliberate, phased rollout:
- Inventory and pilot – Identify a cross-section of hardware (including Copilot+ devices and VMs using hotpatch) and catalog all Secure Boot–enabled systems.
- Enable SMB auditing – Turn on auditing in a test OU and collect logs for 30–90 days to build a remediation list.
- Apply to pilot group – Use Windows Update for Business to deploy the update to the pilot ring. Validate UAC, SMB, and PSDirect functionality, especially in mixed hotpatch environments.
- Expand to production rings – After 48–72 hours of successful pilot monitoring, broaden the rollout. Watch SMB operational logs and Security logs for new failures.
- Full deployment and firmware readiness – Concurrently with the update, push OEM firmware/BIOS updates that accept the 2023 Secure Boot CA. Leverage Microsoft‑managed certificate updates on capable devices.
Risk Assessment and Critical Analysis
Strengths
- The Secure Boot advisory is a rare, proactive push that gives organizations more than a year to coordinate firmware and OS remediation—far better than a last‑minute scramble.
- SMB auditing allows deliberate, data‑driven security hardening without immediate connectivity impact.
- Fixes for UAC prompts, IIS module disappearance, and NDI audio stutter address real user and admin pain points.
Pitfalls
- Secure Boot remediation is a multi‑vendor effort; firmware‑locked or older devices may never receive the necessary updates, forcing hardware upgrades or acceptance of boot‑trust risks.
- SMB signing/EPA enforcement will eventually break communication with many legacy NAS units, network scanners, and appliances that lack modern SMB stacks. Without thorough auditing, business‑critical workflows could be disrupted.
- Hotpatch complexity and the PSDirect issue highlight the fragility of mixed‑state environments; strict host‑guest parity is now an operational requirement.
The Bottom Line
KB5065426 is far more than a routine Patch Tuesday delivery. It patches real bugs, previews stricter SMB controls, and—critically—draws a bright red line under June 2026: the point at which millions of devices could lose Secure Boot trust if organizations delay. IT leaders must treat Secure Boot readiness as a top‑tier priority now, weaving firmware updates, SMB auditing, and AI‑component validation into their regular patch cycles. The tools and forewarning are here; the next move is theirs.