Microsoft’s September 2025 cumulative update for Windows 11 24H2, KB5065426, landed with a dual purpose: deliver a grab bag of consumer-facing improvements while kicking off the final, non-negotiable phase of two major security hardening projects that enterprise admins have been dodging for years. The update, which carries build number 26100.6584 and integrates servicing stack update KB5064531, simultaneously introduces a redesigned Recall homepage, a Click to Do tutorial, and other AI-powered niceties for Copilot+ PC owners, but it’s the mandatory tightening of Kerberos certificate mapping and the new SMB auditing telemetry that will dominate IT war rooms this month.

Released on September 9, 2025, the patch bundles security fixes, quality improvements, and a set of AI component updates for Image Search, Content Extraction, Semantic Analysis, and the Settings model. Those AI bits only install on Copilot+ hardware—devices with a neural processing unit (NPU) capable of 40 or more TOPS, plus specific firmware requirements. Everyone else gets the underlying OS fixes and the gradual rollout of UI tweaks.

Consumer Features: A Phased Rollout of UI and AI Enhancements

The September update is stuffed with user-facing changes that Microsoft has been testing in the Release Preview ring. They’re rolling out in stages, so not every device will see them immediately. The headliners for Copilot+ PC owners are a revamped Recall experience and a new interactive tutorial for Click to Do. Recall’s homepage now surfaces recent activities and top content, with a navigation pane similar to the Microsoft Store that links to the timeline and Click to Do tools. When you launch Click to Do for the first time, an illustrated tutorial walks you through its capabilities—think of it as a guided tour for the AI-powered snapshot interaction feature.

Other changes span the UI:
- The notification center can now display a clock with seconds, a toggle available under Settings > Time & language > Date & time.
- Windows Search shows photo results in a grid view and warns when indexing is incomplete.
- The Widgets board gets a design refresh with a fly-out left pane and support for multiple dashboards—European users can already browse additional dashboards in the Microsoft Store, while the “Discover” feed now includes Copilot-curated stories. Lock screen widget controls, previously exclusive to Europe, are now available to all, with a new “Suggest widgets” option that auto-selects four random widgets if you’d rather not choose.
- Windows Hello surfaces—sign-in, passkey prompts, Recall, Store purchases—have been visually overhauled with new animations, clearer authentication type indicators, and a modern look.
- In the Settings app, an AI agent that lets you describe problems in natural language to find or change settings expands from Snapdragon-powered Copilot+ PCs to those with AMD and Intel AI processors. A new “Recent activity” page under Privacy & security > Text and image generation logs AI requests made by third-party apps. Activation and expiration dialogs now match the Windows 11 aesthetic, while privacy prompts for camera, microphone, or location access dim the entire screen—just like an elevation prompt.
- Task Manager now reports CPU utilization using industry-standard metrics. If you prefer the old numbers, head to the Details tab and add the “CPU Utility” column.
- File Explorer’s context menu introduces visual separators for top-level actions, and the Home page shows people icons next to activity and recommendations, with a Microsoft 365 Live Person Card popping up on hover for work or school accounts.

For commercial customers, Windows Backup for Organizations graduates to general availability, offering the same consumer-grade backup and restore experience tailored to enterprise device transitions.

Beneath the polish, the update squashes several bugs that have irked users and content creators. A much-discussed UAC prompt issue—where non-admin users running MSI repair operations for apps like Office Professional Plus 2010 or certain Autodesk installers would get unexpected elevation requests—has been dialed back. The update allows explicit allowlisting of installers and reduces the UAC prompting scope for MSI repairs. Internet Information Services (IIS) Manager gets its missing modules back, restoring GUI administration for those who’d seen them vanish. Input method scenarios that previously locked up applications also receive fixes. For streamers and broadcast pros, the audio stuttering in apps using the Network Device Interface (NDI) when display capture is active—a known regression tied to earlier 24H2 builds—gets a targeted fix. OBS Studio users who rely on NDI for multi-machine streaming should notice smoother audio after applying this patch, though it’s wise to test your full capture stack first.

The Hardening Hammer: Kerberos and SMB Changes Are Now Deadline-Driven

What transforms KB5065426 from a routine feature-and-fix drop into a watershed moment are the security enforcement milestones baked into it. Microsoft has been running two long-term hardening programs—one for Kerberos certificate mapping and another for SMB authentication—and the September 2025 patch cycle removes the last compatibility safety nets.

Kerberos Strong Certificate Mapping: No More Exceptions

Since 2022, Microsoft has been gradually turning the screws on weak certificate-to-account mappings that could be abused for privilege escalation (the May 2022 fixes for CVE-2022-26923, CVE-2022-26931 and CVE-2022-34691, tracked in KB5014754). The full enforcement timeline reached its final phase with the updates released on or after September 10, 2025. Prior updates offered registry-based compatibility modes, specifically StrongCertificateBindingEnforcement and CertificateBackdatingCompensation, that allowed domain controllers to accept weaker certificate mappings during migration periods. Those escape hatches are now removed. Windows domain controllers that receive this month’s updates will reject certificate-based authentications that lack a strong mapping: either the SID extension (OID 1.3.6.1.4.1.311.25.2) that a patched Active Directory Certificate Services CA adds to newly issued certificates, or an explicit strong mapping in the account’s altSecurityIdentities attribute (X509IssuerSerialNumber, X509SKI or X509SHA1PublicKey). The weak explicit types (X509IssuerSubject, X509SubjectOnly, X509RFC822) no longer count, and a certificate matched implicitly by the UPN or DNS name in its SAN must also carry a SID extension that matches the account. This affects any service that uses certificate-based authentication against Active Directory: Wi-Fi and wired 802.1X with EAP-TLS, VPN logons using PKINIT, certificates issued through SCEP/NDES (for example by Intune) that lack the SID extension, and any custom workflow that issues certificates for user or device identity.

The practical impact is immediate: if your organization has not reissued certificates that carry strong mappings, or if you have been relying on backdating compensation to make certificates issued before the account was created work, you will see authentication failures as soon as a patched domain controller handles the logon. Microsoft’s support documentation explicitly warns that this can break production authentication flows. There are two ways out: reissue the affected certificates from a patched CA, which adds the SID extension automatically, or add a strong explicit mapping to the account’s altSecurityIdentities attribute for certificates you cannot reissue (NDES-issued or third-party certificates, for instance). Admin forum discussions echo this urgency, noting that admins must audit their NTAuth store, validate issuing CAs, and coordinate certificate template changes now.
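
The check most teams need first is simply "which of my certificates carry a strong mapping, and what would the manual mapping look like for the ones that don't?" The script below is an added example written for this article, not code from Microsoft or from the KB; it reads certificates from the local machine's Personal store (an assumption, change $StorePath for other stores), looks for the szOID_NTDS_CA_SECURITY_EXT extension, and for certificates without it builds the strong X509IssuerSerialNumber value in the format KB5014754 documents (issuer RDNs reversed, serial number in reversed byte order).

```powershell
# Added example, not code from the KB or from Microsoft. Inspects certificates for the strong-mapping
# material the September 2025 Kerberos enforcement requires and proposes an altSecurityIdentities
# value for certificates that lack the SID extension.
# Assumptions: certificates live in the local machine's Personal store; the SID extension OID is
# szOID_NTDS_CA_SECURITY_EXT (1.3.6.1.4.1.311.25.2), which patched AD CS CAs add automatically.

$SidExtensionOid = '1.3.6.1.4.1.311.25.2'   # szOID_NTDS_CA_SECURITY_EXT
$StorePath       = 'Cert:\LocalMachine\My'   # assumption: inspect the machine's Personal store

function Get-CertificateSid {
    # Returns the SID carried in the szOID_NTDS_CA_SECURITY_EXT extension, or $null if absent.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $SidExtensionOid } | Select-Object -First 1
    if (-not $ext) { return $null }
    # The extension stores the SID as an ASCII string inside its DER structure, so a text match suffices.
    $text = [System.Text.Encoding]::ASCII.GetString($ext.RawData)
    if ($text -match 'S-1-5-[0-9-]+') { return $Matches[0] }
    return $null
}

function ConvertTo-ReversedSerial {
    # X509IssuerSerialNumber wants the serial as hex in reversed byte order:
    # '1200000000AC11000000002B' becomes '2B0000000011AC0000000012'.
    param([Parameter(Mandatory)][string]$SerialNumber)
    $hex = ($SerialNumber -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($hex.Length % 2 -ne 0) { $hex = '0' + $hex }
    $bytes = @(for ($i = 0; $i -lt $hex.Length; $i += 2) { $hex.Substring($i, 2) })
    [array]::Reverse($bytes)
    return (-join $bytes)
}

function ConvertTo-ReversedIssuer {
    # AD expects the issuer DN with the RDN order reversed: 'DC=com,DC=contoso,CN=CONTOSO-CA'.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # Format($true) emits one RDN per line, so commas inside RDN values do not break the split.
    $rdns = @($Certificate.IssuerName.Format($true) -split '\r?\n' | Where-Object { $_ -ne '' })
    [array]::Reverse($rdns)
    return ($rdns -join ',')
}

function New-StrongAltSecurityIdentity {
    # Builds the strong X509IssuerSerialNumber mapping string for altSecurityIdentities.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $issuer = ConvertTo-ReversedIssuer -Certificate $Certificate
    $serial = ConvertTo-ReversedSerial -SerialNumber $Certificate.SerialNumber
    return "X509:<I>$issuer<SR>$serial"
}

function Get-StrongMappingReport {
    # One row per certificate: does it carry a SID, and if not, what manual mapping would make it strong.
    param([string]$Path = $StorePath)
    Get-ChildItem -Path $Path | ForEach-Object {
        $sid = Get-CertificateSid -Certificate $_
        $alt = if ($sid) { $null } else { New-StrongAltSecurityIdentity -Certificate $_ }
        [pscustomobject]@{
            Subject             = $_.Subject
            Thumbprint          = $_.Thumbprint
            NotBefore           = $_.NotBefore
            HasSidExtension     = [bool]$sid
            Sid                 = $sid
            AltSecurityIdentity = $alt
        }
    }
}

Get-StrongMappingReport | Format-Table Subject, HasSidExtension, Sid, AltSecurityIdentity -AutoSize
```

Rows with HasSidExtension false are the ones the KDC will reject this month. Reissuing from a patched CA is the cleaner fix; where that is not possible, the AltSecurityIdentity value can be written to the matching account with Set-ADUser or Set-ADComputer (-Add @{altSecurityIdentities = $value}). The script cannot see the account's creation date, so certificates that predate the account (the case CertificateBackdatingCompensation used to cover) still need checking against Active Directory.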

SMB Server Auditing for Signing and EPA

On a parallel track, KB5065426 enables server-side auditing for SMB signing and Extended Protection for Authentication (EPA). The goal is to give administrators an observational window before Microsoft eventually makes SMB server signing and EPA mandatory. Using Group Policy, registry keys, and the new SMBServer audit event log channel, you can collect telemetry that reveals which SMB clients support signing and whether they provide the service principal name (SPN) that EPA requires. This audit posture is designed to surface incompatible legacy devices, older NAS boxes, embedded appliances, custom SMB stacks, that would break if hardening were enforced blindly.

Why does this matter? SMB signing prevents man-in-the-middle tampering of SMB sessions, while EPA defeats credential relay against SMB by binding the NTLM authentication to the SPN of the intended server, so a relayed handshake fails against any other host. Both are critical for securing file-sharing traffic in enterprise networks, but they’ve historically been a minefield for backward compatibility. The audit-first strategy lets you map your exposure before the enforcement hammer drops, likely in a future update. Admin forum chatter suggests that well-prepared teams are already enabling these audit policies, watching the logs, and pressing vendors for firmware upgrades.
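
To put the audit window to use you need two things: the audit switches turned on, and a per-client view of what lands in the channel. The following script is an added example for this article, not Microsoft's code. Rather than hard-coding the parameter names of the new signing and EPA audits, it discovers every Audit* parameter that the local Set-SmbServerConfiguration exposes and enables them all (this also re-enables older audits such as AuditSmb1Access, which is harmless). It assumes the events land in the Microsoft-Windows-SMBServer/Audit channel, the same channel SMB1 access auditing has used, and it flattens each event's XML fields by name so it does not depend on knowing the field layout in advance.

```powershell
# Added example, not code from the KB or from Microsoft. Enables the SMB server audit switches this
# build exposes, then summarises the audit channel per client and event ID.
# Assumptions: audit events are written to Microsoft-Windows-SMBServer/Audit; the parameter names of
# the signing/EPA audits are discovered at run time; run elevated on the file server being audited.

$AuditChannel = 'Microsoft-Windows-SMBServer/Audit'   # assumption: same channel as SMB1 access auditing

function Enable-SmbServerAuditing {
    # Turn on every Audit* switch that this build's Set-SmbServerConfiguration supports.
    $auditParams = @((Get-Command Set-SmbServerConfiguration).Parameters.Keys | Where-Object { $_ -like 'Audit*' })
    if ($auditParams.Count -eq 0) { throw 'This build exposes no SMB server audit parameters.' }
    $splat = @{}
    foreach ($p in $auditParams) { $splat[$p] = $true }
    Set-SmbServerConfiguration @splat -Force | Out-Null
    return $auditParams
}

function ConvertFrom-SmbAuditEvent {
    # Flatten one event into an object: Id, time, plus every EventData/UserData field by its XML name.
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml   = [xml]$Event.ToXml()
    $props = [ordered]@{ TimeCreated = $Event.TimeCreated; Id = $Event.Id }
    $nodes = @()
    if ($xml.Event.EventData) { $nodes += $xml.Event.EventData.Data }
    if ($xml.Event.UserData)  { $nodes += $xml.Event.UserData.ChildNodes | ForEach-Object { $_.ChildNodes } }
    foreach ($n in $nodes) {
        if ($n -isnot [System.Xml.XmlElement]) { continue }
        $name = if ($n.HasAttribute('Name')) { $n.GetAttribute('Name') } else { $n.LocalName }
        $props[$name] = $n.InnerText
    }
    [pscustomobject]$props
}

function Get-SmbAuditClientSummary {
    # Groups audit events by client address and event ID over the last $Days days.
    param([int]$Days = 14, [string]$Channel = $AuditChannel)
    $since  = (Get-Date).AddDays(-$Days)
    $events = Get-WinEvent -FilterHashtable @{ LogName = $Channel; StartTime = $since } -ErrorAction SilentlyContinue
    if (-not $events) { Write-Warning "No events in $Channel since $since; is auditing enabled?"; return @() }
    # Treat the first field whose value looks like an IPv4/IPv6 address as the client identity.
    $ipPattern = '^(\d{1,3}(\.\d{1,3}){3}|[0-9a-fA-F:]*:[0-9a-fA-F:]+)$'
    $events | ForEach-Object { ConvertFrom-SmbAuditEvent -Event $_ } | ForEach-Object {
        $row    = $_
        $client = $row.PSObject.Properties | ForEach-Object { "$($_.Value)".TrimStart('\') } |
                  Where-Object { $_ -match $ipPattern } | Select-Object -First 1
        [pscustomobject]@{ Client = $client; Id = $row.Id; TimeCreated = $row.TimeCreated }
    } | Group-Object Client, Id | ForEach-Object {
        [pscustomobject]@{
            Client   = $_.Group[0].Client
            EventId  = $_.Group[0].Id
            Count    = $_.Count
            LastSeen = ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
        }
    } | Sort-Object Count -Descending
}

# Usage: enable auditing, let it collect for a couple of weeks, then review per client.
# Enable-SmbServerAuditing
# Get-SmbAuditClientSummary -Days 14 | Format-Table -AutoSize
```

The summary deliberately keys on the event ID rather than on a message string, so it stays correct if Microsoft rewords the event text; map the IDs you see to their meaning once in Event Viewer, then use the client list to open vendor tickets. Clients that appear only under the "does not support signing" event will survive an EPA mandate but not a signing one, and vice versa, which is the distinction that decides remediation priority.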

Known Issues: PSDirect, Audio, and the Perennial Patch Hiccups

KB5065426 carries a documented known issue affecting PowerShell Direct (PSDirect) when host and guest virtual machines are in mixed hotpatch states. If a patched guest VM tries to PSDirect into an unpatched host—or vice versa—a legacy handshake fallback can fail, generating socket cleanup errors and authentication failure Event ID 4625. Microsoft points to KB5066360 for remediation; the quick fix is to ensure both host and guest are updated simultaneously. Until then, intermittent PSDirect failures may plague your VM management scripts.

While the NDI audio stutter fix is welcome, it’s not magic. The underlying regression was sensitive to driver versions and capture toolchain configurations, so content creators should validate their OBS Studio and NDI runtime setups on a test rig before pushing the update to production streaming machines. Community reports from earlier 24H2 cumulative updates also highlight sporadic boot failures and driver incompatibilities, reinforcing the standard advice to pilot on a small ring and wait a few days for vendor driver releases.

Deployment Playbook for IT Teams

For enterprise admins, this patch is not optional. The security hardening clocks have run out, and procrastination now carries concrete authentication outages. Here’s a practical, prioritized action plan:

  1. Inventory certificate usage immediately – Map every certificate-based authentication flow: Wi-Fi 802.1X, VPN PKINIT, NDES/SCEP, Always On VPN, and any homegrown certificate solutions.
  2. Validate the NTAuth store – Ensure all issuing certification authorities are present and trusted on domain controllers.
  3. Pilot the update on a controlled ring – Include at least one domain controller, a representative file server, and a sample of client hardware, including any Copilot+ test devices if you plan to use AI features.
  4. Enable SMB auditing in discovery mode – Turn on the new audit policies via Group Policy or registry, set the logging level, and collect at least two weeks of SMBServer audit events to identify endpoints that lack signing or EPA support.
  5. Patch domain controllers early – Apply the update to DCs as soon as your pilot validates the Kerberos changes. Monitor the System log on each DC for Microsoft-Windows-Kerberos-Key-Distribution-Center events 39 (certificate could not be mapped strongly), 40 (certificate predates the account) and 41 (SID in the certificate does not match the account), and remediate any certificate mapping issues that surface.
  6. Coordinate with vendors – Reach out to NAS appliance makers, VPN vendors, and NDI tool providers for firmware and driver updates that align with the new SMB and Kerberos requirements.
  7. Prepare rollback images – The LCU can be uninstalled via DISM if necessary, but the servicing stack update (KB5064531) is permanent once applied. Keep a fresh system state backup or full disk image handy for your DCs and critical servers.
  8. Use official distribution channels – The update is available through Windows Update, WSUS, Update Catalog, and Windows Update for Business. For offline deployment, follow the KB’s DISM ordering instructions.
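
The monitoring in step 5 is where the playbook pays off, because the KDC tells you exactly which certificate it refused and why. The script below is an added example for this article, not Microsoft's code; it pulls events 39, 40 and 41 from the System log of one or more domain controllers and groups them by reason and issuing CA, so you can see which template or CA still produces weakly mapped certificates. The field labels it parses from the message text ("User", "Certificate Subject", "Certificate Issuer", "Certificate Serial Number") are an assumption about the event wording; adjust the labels if your build phrases them differently.

```powershell
# Added example, not code from the KB or from Microsoft. Triages the KDC's weak-mapping events
# across domain controllers so PKI remediation can be prioritised by issuer and reason.
# Assumption: the message-text labels parsed below match the KDC event wording on your DCs.

$KdcProvider       = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
$WeakMappingEvents = @{ 39 = 'NoStrongMapping'; 40 = 'CertPredatesAccount'; 41 = 'SidMismatch' }

function Get-KdcMappingField {
    # Pulls "Label: value" out of a multi-line event message; the colon is required so that
    # "User" does not accidentally match "Username".
    param([Parameter(Mandatory)][string]$Message, [Parameter(Mandatory)][string]$Label)
    if ($Message -match "(?m)^\s*$([regex]::Escape($Label))\s*:\s*(.+?)\s*$") { return $Matches[1] }
    return $null
}

function Get-KdcWeakMappingEvents {
    # One object per event, with the certificate fields the KDC reports.
    param([string[]]$DomainController = @($env:COMPUTERNAME), [int]$Days = 7)
    $filter = @{
        LogName      = 'System'
        ProviderName = $KdcProvider
        Id           = @($WeakMappingEvents.Keys)
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    foreach ($dc in $DomainController) {
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{
                DomainController = $dc
                TimeCreated      = $_.TimeCreated
                Id               = $_.Id
                Reason           = $WeakMappingEvents[$_.Id]
                User             = Get-KdcMappingField -Message $_.Message -Label 'User'
                Subject          = Get-KdcMappingField -Message $_.Message -Label 'Certificate Subject'
                Issuer           = Get-KdcMappingField -Message $_.Message -Label 'Certificate Issuer'
                Serial           = Get-KdcMappingField -Message $_.Message -Label 'Certificate Serial Number'
            }
        }
    }
}

function Get-KdcWeakMappingSummary {
    # Roll-up by reason and issuing CA: the issuer with the most affected accounts is the CA
    # (or template) to fix first.
    param([string[]]$DomainController = @($env:COMPUTERNAME), [int]$Days = 7)
    Get-KdcWeakMappingEvents -DomainController $DomainController -Days $Days |
        Group-Object Reason, Issuer | ForEach-Object {
            [pscustomobject]@{
                Reason   = $_.Group[0].Reason
                Issuer   = $_.Group[0].Issuer
                Events   = $_.Count
                Accounts = @($_.Group.User | Where-Object { $_ } | Sort-Object -Unique).Count
            }
        } | Sort-Object Events -Descending
}

# Usage from a management host with RPC access to the DCs:
# Get-KdcWeakMappingSummary -DomainController 'DC01', 'DC02' -Days 7 | Format-Table -AutoSize
```

Run it against the pilot DC first, before the rest of the domain is patched: a DC still in compatibility mode logs the same events as warnings without rejecting the logon, so the summary shows you the blast radius while there is still time to reissue certificates or add manual mappings.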

Risk vs. Reward: A Balancing Act

The security gains are tangible. Enforcing strong certificate mappings closes a well-documented privilege escalation door that attackers have targeted in the wild. SMB signing and EPA, even in audit mode, move organizations toward a posture where file-sharing traffic is cryptographically verified and relay resistant—a significant lift for Active Directory security. The consumer-facing improvements, from the Recall redesign to the expanded Settings AI agent, show Microsoft’s commitment to polishing the Copilot+ experience even as it drives long-term architectural changes.

But the risks are equally real. The removal of Kerberos compatibility workarounds offers no phased enforcement toggle; it’s a binary switch that will break authentication as soon as a patched domain controller starts handling logons. Legacy infrastructure—print servers, old VPN concentrators, medical imaging appliances—that hasn’t been refreshed may suddenly stop accepting user logins. SMB auditing doesn’t break anything today, but it’s a clear signal that mandatory signing and EPA are coming, and the window to prepare is finite. The PSDirect/hotpatch bug, while edge-case, reminds us that mismatched patch levels between hosts and guests can introduce subtle interop issues in virtualized environments.

For organizations that have been following Microsoft’s hardening guidance and iteratively upgrading their PKI, this update is a smooth milestone. For those that kicked the can down the road, September 2025 is the month the bill comes due.

Advice for Home Users and Creators

If you’re a consumer with a standard retail PC, the update is mostly benign. The UI tweaks will appear gradually; you’ll need a Copilot+ PC to get the AI fireworks. Wait a few days before hitting “Check for updates” if you’re stability-conscious—that gives GPU and peripheral vendors time to push compatible drivers. Content creators who rely on NDI for OBS streaming should absolutely test their audio chain after applying the patch, as the fix may interact differently with various NDI runtime and GPU driver versions. And for anyone still using a pre-Copilot+ machine, the AI component updates are inert, so your system won’t be cluttered with unusable packages.

Conclusion

KB5065426 is more than a monthly rollup; it’s the culmination of years of security architecture work and a bellwether for the Copilot+ era. Enterprises that have neglected their PKI hygiene will find themselves in scramble mode, while those who’ve kept pace can breathe easier after auditing their SMB telemetry. For consumers, the update is a gradual upgrade path toward a more AI-infused Windows experience—provided their hardware makes the cut. In either case, back up, pilot, and monitor. The deadlines are real, and the logs don’t lie.