Microsoft’s September 2025 hotpatch for Windows 11 Enterprise 24H2 resolves a vexing UAC elevation problem that blocked non-administrative users from running MSI repairs, but it comes with a critical operational warning: PowerShell Direct connections can break if hosts and guests aren’t patched together. Released on September 9, 2025, KB5065474 pushes eligible machines to OS Build 26100.6508 and bundles a servicing stack update (SSU) to improve installation reliability. Yet the fix—designed to reduce unnecessary prompts for users without admin rights—introduces a new headache for virtualization admins and underscores a looming Secure Boot certificate expiration.
The UAC Fix: What Broke and How KB5065474 Repairs It
Starting with the August 2025 Windows security update, non-admin users unexpectedly saw User Account Control (UAC) prompts when MSI installers performed custom actions—repair operations, configuration changes, or background tasks. The prompts appeared even for routine application maintenance, blocking workflows in software like Office Professional Plus 2010 and multiple Autodesk products, including AutoCAD. For enterprises where users rely on standard accounts, the regression meant helpdesk tickets spiked as vital applications refused to start or update without administrator intervention.
The root cause lay in how the servicing stack temporarily hardened the MSI handling path, tightening UAC requirements too broadly. KB5065474 dials back that overreach. It reduces the scope of elevation prompts specifically for MSI repair operations, allowing non-admin users to run these tasks without interruption. Microsoft also introduced a new IT admin capability: application allowlisting. Administrators can now define specific apps that bypass UAC prompts during MSI repairs, giving them granular control while maintaining security for everything else. The fix is narrow and targeted—exactly the kind of low-risk adjustment a hotpatch is designed to deliver.
Hotpatching Refresher: Efficiency With Strings Attached
Hotpatching is Microsoft’s answer to reducing reboot fatigue on enterprise endpoints. Instead of shipping a full cumulative update that requires a restart, a hotpatch patches in-memory code, taking effect instantly on systems that meet the prerequisites. Windows 11 Enterprise 24H2 and LTSC 2024 edition devices are eligible, provided they are enrolled in a management service. The model works on a quarterly cadence: a baseline update requiring a restart is followed by two hotpatch months that supply security and quality fixes without downtime.
KB5065474 is the September hotpatch in that sequence. It’s intentionally slim—the UAC fix plus miscellaneous security hardenings—and it’s paired with the latest SSU (KB5064531 version 26100.5074). Bundling the SSU ensures that the servicing stack itself is up to date before the hotpatch payload is applied, reducing installation failures. For organizations that live and die by uptime—manufacturing floors, healthcare systems, financial trading platforms—this approach can save hundreds of hours per year.
But the efficiency trade-off is complexity in asset management. A device that has installed KB5065474 reports build 26100.6508, not the typical cumulative update build number. Configuration management databases, compliance scanners, and vulnerability assessment tools that only look for known KB numbers will likely flag patched systems as non-compliant. Administrators must update detection rules to recognize the hotpatch build string, or risk triggering unnecessary remediation alerts.
PowerShell Direct Falls Over: The PSDirect Interoperability Edge Case
For Hyper-V shops that rely on PowerShell Direct (PSDirect) for host-to-guest automation, KB5065474 carries a significant operational warning. Microsoft documented an edge case where PSDirect connections fail when a hotpatched guest VM tries to communicate with an unpatched host—or vice versa. The expected graceful fallback to a legacy handshake doesn’t always work. Sockets aren’t cleaned up properly, and authentication attempts can dead-end, producing intermittent “connection refused” errors and Event ID 4625 “An account failed to log on” entries in the Security log.
The symptoms can look random: a PSDirect session that worked yesterday might fail today, and fail tomorrow after a host reboot. The root cause is a mismatch in the in-memory patching between hosts and guests. KB5065474 modifies code that touches the PSDirect handshake, and if only one side has the patch, the protocol negotiation breaks. Microsoft’s official workaround is to update both host and guest with the corrective update, KB5066360. That update restores compatibility, but it must be applied evenly across the environment.
For environments that manage hundreds or thousands of VMs, this is not a trivial ask. Patching cycles often stagger host and guest updates by days or weeks. A typical workflow might patch all Hyper-V hosts one weekend and then push guest updates later. During that window, any automated script that relies on PSDirect to run diagnostics, deploy configurations, or collect logs will fail silently. The impact could cascade: monitoring systems may report VMs as unreachable, triggering false alerts or, worse, automated remediation actions that make incorrect assumptions about health.
Microsoft’s guidance is unequivocal: “When a patched guest VM attempts to connect to an unpatched host (or vice versa), the system is expected to fall back… [but] this fallback mechanism fails intermittently.” The fix—KB5066360—must be coordinated. Administrators should test PSDirect connectivity in a pilot ring that mirrors their host/guest pairing before rolling out KB5065474 broadly. If failures appear, the remedy is to update the out-of-sync side, not to uninstall the hotpatch.
Deployment Roadmap: From Pilot to Production
A disciplined deployment sequence minimizes the risk of PSDirect breakage and inventory confusion. The following plan draws from Microsoft’s recommendations and real-world operational experience.
Phase 1: Inventory and Eligibility (Days 0–3)
- Identify all Windows 11 Enterprise 24H2 and LTSC 2024 systems that are eligible for hotpatching. Use
winverorGet-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'to verify build. - Mark Hyper-V hosts and guest VMs that use PSDirect for management. Tag these as high-risk.
- Confirm that your update management tooling—Windows Update for Business, WSUS, or Microsoft Endpoint Configuration Manager—can deliver hotpatches. Microsoft primarily distributes hotpatches via Windows Update, so confirm availability in your channel.
Phase 2: Pilot and Validation (Days 3–10)
- Select a representative cross-section: different OEM models, Hyper-V host/guest pairs, and the application stacks most sensitive to the UAC fix (e.g., Office 2010, AutoCAD).
- Deploy KB5065474 via Windows Update or your managed channel. After installation, verify the build string (26100.6508) and confirm that MSI repair operations no longer trigger UAC prompts for non-admin accounts.
- Test PSDirect connectivity thoroughly: from a patched host to an unpatched guest, from a patched guest to an unpatched host, and between two patched machines. Log any failures and cross-check the Security event log for Event ID 4625.
Phase 3: Virtualization Parity (Days 10–20)
- If PSDirect issues appear, apply KB5066360 to hosts and guests that are out of sync. A recommended path is to update all Hyper-V hosts first, then sweep guest VMs immediately after, shrinking the window of mixed state.
- Consider using maintenance mode on clusters to drain VMs before host updates, then update guests as they come back online. This approach ensures that any PSDirect session opened post-update is between two fully patched endpoints.
Phase 4: Broad Rollout (Day 20+)
- After pilot validation, expand the deployment in rings, with continuous monitoring for the UAC fix and PSDirect. Establish rollback readiness: while hotpatch removals are possible, they may require a planned restart to fully revert in-memory changes. Consult the KB for exact uninstall steps.
- Update all asset inventory systems, CMDBs, and compliance dashboards to recognize build 26100.6508 as a patched state. Create alert suppression rules to avoid false compliance hits.
Secure Boot Certificate Expiration: A Ticking Clock
While KB5065474 itself does not directly address Secure Boot, the Windows community advisory attached to this release sounds a loud alarm: Secure Boot certificates used by countless Windows devices will begin expiring in June 2026. The expiration affects the DBX (revoked signatures) and KEK (Key Exchange Key) certificates that validate bootloaders and firmware. If firmware and OS updates aren’t coordinated, some devices may fail to boot, or they may lose the ability to apply future Secure Boot updates.
This is not a hotpatch-specific problem, but the KB’s timing makes it an urgent call to action. Microsoft has previously used hotpatch advisories to signal platform-level changes, and Secure Boot certificate expiration fits that pattern. The operational steps are clear:
- Inventory all devices that use Secure Boot and map them to OEM firmware release schedules.
- Reach out to hardware vendors now to confirm that updated Secure Boot certificates will be available well before June 2026.
- Test firmware updates in a dedicated pilot ring; some legacy platforms may require multi-stage firmware flashes or UEFI capsule updates.
- Factor in the time needed for large-scale firmware deployment—often measured in quarters, not weeks.
The Secure Boot expiration is a cross-team effort spanning security, operations, and procurement. Treat it as a separate program with its own milestones, not merely an item on this month’s patch checklist.
Troubleshooting and Rollback
Even with careful planning, issues can slip through. If PSDirect failures arise after partial rollout, isolate the affected host/guest pairs. Use Get-VM and Enter-PSSession with PSDirect flags to reproduce the failure. Check that KB5066360 is installed on both sides. If only one side has KB5065474, the safest path is to update the other side rather than roll back the hotpatch, because KB5066360 is designed to resolve the interop gap.
For UAC-related regressions—say a specific line-of-business app still prompts for elevation after the fix—first ensure the app is added to the new allowlist. The allowlist is a registry-based configuration; Microsoft’s documentation provides the exact keys and values. If that doesn’t help, enable MSI verbose logging (MsiEnableLog) and capture a log during the repair operation. Look for “Error 1721” or “Error 1601” entries that indicate the installer is still attempting an elevation-requiring action. Open a support case with Microsoft, including CBS logs and the MSI log, to get help tuning the allowlist or surfacing a deeper bug.
If a full rollback is unavoidable, plan for a restart. Hotpatches modify in-memory code, and while Microsoft provides removal instructions, the system typically needs a reboot to fully revert to the pre-hotpatch state. Coordinate with change management to secure a maintenance window that allows for the reversion and any subsequent re-testing.
What KB5065474 Means for the Enterprise
KB5065474 exemplifies the double-edged sword of hotpatching: it delivers rapid fixes without reboots but demands meticulous operational coordination. The UAC fix rightfully unblocks a painful regression that hamstrung non-admin users and generated helpdesk volume. At the same time, the PSDirect interoperability flaw reminds every IT team that patch parity across virtualized layers is non-negotiable. Add in the Secure Boot certificate cliff, and the message is clear: timely patching is not enough; comprehensive lifecycle management is the new baseline.
For organizations that have invested in Windows 11 Enterprise, hotpatching is a valuable capability when used with discipline. The build string 26100.6508 will appear in your inventories soon, and your dashboards should reflect that as a success indicator, not a compliance failure. The next steps are practical: pilot KB5065474, fix your PSDirect posture, and start your Secure Boot clock today. The September hotpatch is a small update that reveals the bigger picture of modern Windows servicing.