Microsoft’s September 2025 Patch Tuesday cumulative update KB5065426 for Windows 11 24H2 finally puts an end to two month-long regressions that have plagued streamers and enterprise admins alike: unexpected User Account Control (UAC) prompts during MSI repairs and severe audio-video stutter in NDI-based streaming setups. The update, which also ships with companion packages for older Windows 11 versions, narrows a security hardening change from August’s patch that inadvertently broke workflows, while restoring stability to Network Device Interface (NDI) flows used by OBS Studio broadcasters.

The August Fallout: A Security Fix with Side Effects

Windows servicing in 2025 has followed a pattern of bundling security patches, reliability fixes, and staged feature enablements into cumulative updates (LCUs) that often include a Servicing Stack Update (SSU). The August 12, 2025 rollups—identified as KB5063878 for Windows 11—closed high-priority vulnerabilities but also triggered two high-impact regressions. First, a Windows Installer authentication weakness (CVE-2025-50173) was patched by tightening the conditions under which MSI flows could run without elevation. Second, an unexplained interaction in the networking stack broke NDI’s default Reliable UDP (RUDP) transport, causing severe stuttering for streamers using Display Capture in OBS.

Both issues hit real-world scenarios hard. Enterprise IT teams deploying line-of-business applications via MSI advertisements faced unexpected UAC prompts for standard users, while content creators and live producers saw their multi-PC NDI workflows become unusable overnight. Microsoft quickly acknowledged the problems via Release Health notifications and provided temporary workarounds, but a permanent fix was needed. KB5065426 delivers that fix, preserving the security gains while walking back the operational disruption.

UAC Prompts and MSI Repairs: When Security Locked Out Legitimate Users

What Broke

The August security update targeted a local privilege escalation vector by forcing Windows Installer to request administrator credentials in cases where it previously ran silently. The enforcement change aimed to close CVE-2025-50173, but it caught common MSI repair and advertising flows in the crossfire. Standard (non-admin) users suddenly saw UAC prompts when launching applications that needed self-repair—think Office Professional Plus 2010 or Autodesk installers—or encountered outright failures like Error 1730. ConfigMgr advertising and Active Setup scenarios were equally disrupted, leaving IT teams scrambling.

Short-Term Mitigations

Before KB5065426, Microsoft offered two stopgaps. For individual endpoints, running the affected application as administrator (right-click → Run as administrator) could bypass the prompt, but this was unmanageable at scale. For managed environments, a Known Issue Rollback (KIR) artifact—retrievable via Microsoft Support for Business—allowed IT to roll back the behavioral change on targeted devices. KIR is a temporary, supportable relaxation that preserves the security hardening elsewhere and must be time-boxed.

What KB5065426 Changes

KB5065426 does not roll back the CVE-2025-50173 fix. Instead, it narrows the UAC enforcement scope and introduces granular administrative controls. IT admins can now allowlist specific applications or workflows so they can perform MSI repairs without full elevation. This closes the most disruptive compatibility gap while keeping the privilege escalation vector mitigated. Microsoft advises that allowlisting and KIR should be treated as transitional measures—long-term policy models are expected in a future release. The update also signals that application vendors like Autodesk and Microsoft Office provisioning teams are working on updated installers that better align with the new security posture.

Operational Recommendations

  • Security trade-off: Any allowlisting widens the attack surface. Scope relaxations narrowly—by specific SIDs, devices, or application hashes—and document them as exceptions.
  • Vendor coordination: Contact ISVs for updated MSI packaging or explicit per-user installation guidance validated against the patched environment.
  • Testing before rollout: In staging rings, verify that common MSI repair flows complete silently under standard user accounts in VDI pools, student labs, and imaging testbeds.
  • Rollback complexity: Since the SSU is bundled with the LCU, uninstalling the update is non-trivial. Use DISM /Remove-Package for the LCU, but the SSU persists. Capture package names via DISM /online /get-packages before deployment.

NDI Stutter: Streaming’s Unexpected Enemy

The Symptom Set

After the August rollups, broadcasters using NDI to send video from OBS Studio to a second PC for encoding reported heavy stuttering, audio dropouts, and choppy video—particularly when using Display Capture as the source. The issue appeared even on low-congestion local area networks, ruling out simple bandwidth exhaustion. Microsoft’s Release Health tied the failure to NDI’s default RUDP transport protocol, which had apparently been affected by a networking stack change introduced by the security update.

RUDP vs. UDP vs. TCP: A Quick Primer

NDI normally uses RUDP (Reliable UDP), a hybrid protocol that adds sequencing and selective retransmission to UDP for low-latency, visually acceptable streaming. Alternatives include:
- UDP (Legacy): Pure datagrams with no reliability; fine on pristine LANs but sensitive to packet loss.
- Single TCP: A reliable byte stream that guarantees delivery but can introduce head-of-line blocking and higher latency under loss.

Field data showed that while RUDP connections failed catastrophically, switching to UDP or Single TCP restored basic functionality—confirming an OS-level scheduling/transport regression, not a general networking failure.

Emergency Workarounds

Streamers quickly adopted a configuration change using the NDI Access Manager (part of NDI Tools):
1. Open NDI Access Manager → Advanced tab.
2. Set Receive Mode to “Single TCP” or “UDP (Legacy)”.
3. Restart all NDI-receiving applications to apply the change.

This restored stability for most topologies without uninstalling the security update. Where reconfiguration was impossible, some teams rolled back the August LCU as a last resort, accepting security exposure compensated by stricter network segmentation and EDR policies.

What KB5065426 Delivers

The September update includes engineering changes that directly address the RUDP transport interaction, restoring the default NDI behavior for most configurations. Microsoft has confirmed that the fix removes the need for the Receive Mode workaround in typical setups. However, streamers should still validate their specific capture stacks—GPU drivers, OBS versions, virtual audio routing, and NIC offloading settings can still introduce performance quirks. A short validation checklist:

  • Before deploying KB5065426, rehearse a full stream on a test machine using Display Capture → NDI → receive host.
  • If currently affected, keep the Single TCP/UDP fallback active until the update is installed and verified.
  • After updating, switch back to RUDP and monitor for stutter during a staged pilot; keep the fallback as a contingency.
  • Maintain up-to-date NDI Tools, OBS, and NIC drivers per vendor recommendations.

Enterprise Impacts Beyond the Headline Fixes

KB5065426 is more than a bugfix rollup. It bundles a Servicing Stack Update (SSU) and introduces several forward-looking capabilities that IT administrators must factor into their patch management.

SSU Bundling and Rollback Complexity

Like many modern cumulative updates, KB5065426 includes a combined SSU+LCU package. The SSU improves update reliability but cannot be removed with wusa.exe. Only the LCU component can be uninstalled via DISM /Remove-Package. This permanence raises the stakes for pilot testing and backup imaging. Administrators should:
- Export a known-good system image before deployment.
- Document exact LCU package names using DISM /online /get-packages.
- Prepare rollback playbooks that use DISM, not the legacy uninstall switch.

SMB Auditing and Compatibility Assessments

The update enables server-side SMB auditing hooks that let admins discover clients that would break under stricter SMB signing or Extended Protection for Authentication (EPA) policies. This audit-first approach provides visibility before hard enforcement, allowing organizations to map legacy NAS devices, embedded appliances, and third-party systems that need firmware updates or exceptions. The goal is to close relay and tampering vectors without surprise outages.

Kerberos Certificate Mapping Deadline

Microsoft’s multi-year Kerberos hardening campaign is reaching a critical milestone. Compatibility workarounds for weak certificate mappings will be removed for updates released on or after early September 2025. Administrators using certificate-based authentication must verify their PKI, reissue certificates with the required strong mapping attributes, and update domain controllers before the hard cutoff to avoid authentication failures. This timeline is operationally urgent and should be prioritized in IT roadmaps.

Secure Boot Certificate Advisory

The KB and its release notes also remind enterprises about looming Secure Boot certificate expirations. Devices relying on older certificate chains will need firmware/UEFI updates from OEMs before Microsoft’s certificates expire. Inventory device firmware now and coordinate with hardware vendors to prevent boot-time trust failures.

Deployment Guidance: A Pragmatic Checklist

  • Inventory endpoints: Use winver or patch management tools to identify Windows 11 24H2/23H2/22H2 machines.
  • Build a representative pilot ring that includes:
  • Virtualization hosts/guests (for Potential Service Disruption scenarios)
  • NDI/OBS streaming hosts
  • Machines running line-of-business MSI installers (AutoCAD, legacy Office)
  • Domain controllers for Kerberos/PKI testing
  • Validate before broad rollout:
  • Test MSI repair flows under standard user accounts—UAC prompts should be gone or controlled by allowlist.
  • Verify NDI RUDP, Single TCP, and UDP behavior with realistic scenes and audio; check latency and lip-sync.
  • Prepare rollback plans: Record DISM package names; remember the SSU is persistent.
  • Communicate with stakeholders: Notify content creators about the NDI Receive Mode fallback and document emergency steps for live events.
  • Monitor post-rollout: Watch SMB audit logs, Kerberos authentication failures, MSI-related Event IDs, and streaming telemetry for regressions.

Strengths of the Update and Remaining Risks

Strengths:
- Surgically focused: Microsoft preserved the critical CVE-2025-50173 mitigation while restoring compatibility—no blanket rollback.
- Operational stopgaps: KIR for enterprises and NDI configuration guidance for streamers allowed continuity without sacrificing security posture.
- Proactive auditing: SMB auditing and telemetry give IT teams a head start on upcoming security hardening deadlines.

Remaining Risks:
- SSU permanence: Complicates emergency rollback; requires DISM expertise and robust imaging.
- Environmental variance in NDI fixes: Although the RUDP regression is resolved for most users, offloads, virtual NICs, and third-party filters may still cause edge failures. Treat the update as necessary but not universally sufficient—site-specific tuning may be needed.
- KIR overreach: Overly broad allowlisting defeats the security purpose. Keep KIR scopes tight, time-boxed, and tracked in change control systems.
- Build number discrepancies: Early community reports and final Microsoft notes sometimes differ on exact LCU/SSU version strings. Always verify local package names; if they conflict with vendor guidance, open a support case.

The Bottom Line

KB5065426 is a measured course correction that keeps the security hardening of August’s patches intact while restoring broken workflows. For streamers, it reclaims smooth NDI streaming without forcing an insecure rollback. For IT administrators, it narrows UAC enforcement to a manageable level and provides a temporary but controlled escape hatch via KIR. But the update’s SSU bundling and the enduring need for environmental validation mean careful piloting, tight exception scoping, and thorough post-deployment monitoring are not optional. Enterprises that follow a disciplined patch management cycle and leverage the new SMB auditing capabilities will not only recover from these regressions but also gear up for the Kerberos and Secure Boot deadlines that now loom on the near horizon.