On September 9, 2025, Microsoft quietly released KB5066360, a targeted hotpatch that patches a security vulnerability in PowerShell Direct (PSDirect) that was introduced by the September 2025 Windows updates. The update, which brings PowerShell assemblies to build 26100.6569, is designed to restore reliable host-to-guest communication in Hyper-V environments and close a brief window that could allow unauthorized, non-administrator access. For organizations relying on PSDirect for automation, disaster recovery, or routine management, this hotpatch is not just a security fix—it is an operational imperative that must be applied swiftly to both hosts and guest virtual machines.

Microsoft’s KB article is unusually brief, focusing on the fix and a short list of updated files. But community analysis and operational experience reveal a more nuanced picture: a regression in the September update cycle had broken PSDirect connectivity when hosts and guests were patched at different paces, and the resulting handshake failure opened a narrow privilege escalation vector alongside failed remote sessions. This article unpacks what KB5066360 does, why it matters, and how enterprises should deploy and verify the patch in mixed Hyper-V fleets.

What is KB5066360?

KB5066360 is a security hotpatch for Windows PowerShell. It was published on September 9, 2025, and targets devices that participate in Microsoft’s hotpatch program—typically Windows Server 2025 and Windows 11 Enterprise LTSC editions enrolled in Windows Update for Business with Virtualization-Based Security (VBS) enabled. The patch updates core PowerShell binaries, most notably System.Management.Automation.dll and Microsoft.PowerShell.ConsoleHost.dll, to version 10.0.26100.6569. When installed via Windows Update, the latest servicing stack update (SSU) is bundled automatically to improve installation reliability.

The KB entry explicitly states: “Fix for PSDirect connections failing in Hotpatch devices,” and it addresses an issue present in both the September 2025 Windows Hotpatch update and the September 2025 Windows security update. Microsoft frames the fix as a security improvement that “resolves a vulnerability that could allow unauthorized, non-administrator access during a brief window” while also improving the reliability of older PSDirect sessions that shut down unexpectedly.

The PSDirect Vulnerability: A Host-to-Guest Handshake Breakdown

PowerShell Direct is a Hyper-V management channel that lets administrators run PowerShell commands against a virtual machine from the host without network connectivity. It operates across the host/guest boundary using a VMbus channel, making it incredibly useful for configuration, automation, and recovery tasks where no network stack is available. But because PSDirect bridges separate security contexts, any regression in that communication channel can have severe operational and security consequences.

The September 2025 update cycle introduced a subtle but dangerous edge case. When a patched guest virtual machine attempted to establish a PSDirect session with an unpatched host—or vice versa—the handshake would fail to fall back to the legacy protocol correctly. This failure often resulted in socket cleanup errors and logged Event ID 4625 in the Windows Security log, indicating a failed logon attempt. More critically, Microsoft’s description notes that under “very narrow conditions,” the bungled session teardown could expose a brief window where an unauthorized, non-administrator user might gain access between host and guest.

Community administrators quickly flagged the issue after September Patch Tuesday. In forums and support channels, they reported that automation scripts relying on PSDirect were breaking, backup and orchestration workflows were stalling, and strange authentication failures appeared in event logs. One common symptom: a PSDirect session from a host to a guest would initiate, hang for several seconds, and then terminate with an access-denied error, even though the same accounts worked before the update. Microsoft initially documented the interoperability problem in the September cumulative update release notes and promised a fix via hotpatch, which arrived as KB5066360.

Why Hotpatching? Speed over Reboots for Critical Fixes

Hotpatching is Microsoft’s mechanism to deliver security—and occasionally quality—fixes in-memory without requiring the immediate reboot that traditional cumulative updates demand. It is designed for managed enterprise estates where uptime is critical and reboots are disruptive. Devices must meet strict prerequisites: a baseline hotpatch build alignment, VBS enabled, Intune or Windows Autopatch enrollment, and specific licensing. When a hotpatch is applied, the updated code is loaded into memory directly, and the next scheduled reboot (usually months later with a baseline cumulative update) makes the changes permanent.

Microsoft chose hotpatch delivery for KB5066360 because the PSDirect flaw was both operationally urgent and security-sensitive. A normal cumulative update would have forced organizations to reboot all affected Hyper-V hosts and guests immediately, potentially disrupting virtualized workloads. By issuing a hotpatch, Microsoft allowed IT teams to patch the vulnerability and restore PSDirect reliability within hours, without taking down virtual machines. The trade-off is that hotpatches require more operational discipline: inventory systems must recognize hotpatch build numbers, compliance tools may not map them to standard KBs, and in-memory patching can occasionally trigger false positives in security software.

Technical Details and Build Verification

After applying KB5066360, the affected PowerShell components report file version 10.0.26100.6569. The official file list in the KB article shows timestamps of August 22, 2025, and typical file sizes. Administrators can verify the patch by checking the version of System.Management.Automation.dll in C:\Windows\System32\WindowsPowerShell\v1.0, or by running winver.exe to confirm the OS build string (though hotpatches only update specific binaries, not the full build number). The most reliable verification is to query the file version directly:

(Get-Item C:\Windows\System32\WindowsPowerShell\v1.0\System.Management.Automation.dll).VersionInfo.FileVersion

On a patched device, this should return 10.0.26100.6569. Note that the OS build number shown in winver may still display the base image build (e.g., 26100.1) because hotpatches are in-memory; the file version is the definitive indicator.

The hotpatch is delivered exclusively through Windows Update for eligible devices. There is no standalone download package on the Microsoft Update Catalog, and Windows Server Update Services (WSUS) will not distribute it; hotpatch updates are pushed directly to enrolled endpoints. Microsoft also notes that if the guest virtual machine has already installed the September 2025 security update, applying this hotpatch is recommended.

Deployment Guidance: A Phased Approach for Production Estates

Because hotpatches skip the reboot step, they can be deployed rapidly, but organizations must still validate the patch in a controlled manner. The following rollout plan addresses the specific risks of PSDirect regression and the unique characteristics of hotpatch servicing.

Step 1: Inventory and Eligibility Check

First, identify all hosts and guests that use PowerShell Direct. Not all devices will be eligible for hotpatch delivery; confirm that each machine meets Microsoft’s prerequisites: VBS enabled, proper licensing (Windows Server 2025 Datacenter or Standard, or Windows 11 Enterprise LTSC), and active enrollment in Windows Update for Business or Windows Autopatch with hotpatch policies enabled. Use your device management tool to query for hotpatch eligibility status.

Step 2: Pilot Testing on Representative Systems

Select a small, representative group of Hyper-V hosts and their associated guest VMs that cover critical workloads and different hardware vendors. Apply the hotpatch to this pilot group via Windows Update. Immediately after installation, test PSDirect connectivity across all host/guest pairs in the pilot. Run a simple command like Invoke-Command -VMName <guest> -ScriptBlock { hostname }. Validate that no Event ID 4625 failures appear in the Security log, and monitor the System log for any socket teardown warnings.

Step 3: Expand in Phases

Once the pilot succeeds, expand to a broader early-adopter ring, then to general production. Because the vulnerability and the operational fix both depend on matching host/guest patch levels, try to update hosts and their VMs within the same maintenance window. If a staggered rollout is unavoidable (e.g., updating hosts first, then guests), be prepared for temporary PSDirect failures until both sides are patched. Automation and monitoring should be adjusted to handle these transient errors gracefully.

Step 4: Post-Deployment Verification

After each wave, verify the file versions and conduct smoke tests. Update your patch management system and CMDB to record that build 26100.6569 is applied specifically via hotpatch KB5066360. Many compliance scanners do not natively equate hotpatch build numbers to a fully patched state, so you may need to create custom rules or audit evidence packages.
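The following script is an added example for the verification described above (the file-version check from the Technical Details section, the PSDirect smoke test from Step 2, and the evidence record from Step 4); it is not from the KB article or from Microsoft. It assumes it is run elevated on a Hyper-V host with the Hyper-V module available, that $GuestCredential is an account valid inside every guest, and that $EvidencePath is writable. The function name, the CSV path and the output columns are this example's own choices.

```powershell
# Added example, not from the KB article or from Microsoft. Verifies KB5066360 on a
# Hyper-V host and its running guests: the host check is local, and each guest check
# doubles as the PSDirect smoke test because it travels in an Invoke-Command -VMName session.
# Assumptions (hypothetical): run elevated on the host with the Hyper-V module;
# $GuestCredential is an account valid inside every guest; $EvidencePath is writable.

$ExpectedVersion = [version]'10.0.26100.6569'   # file version named in the KB article
$DllPath = 'C:\Windows\System32\WindowsPowerShell\v1.0\System.Management.Automation.dll'

# Runs unchanged on the host and inside each guest. The expected version is passed as a
# string because a [version] object is deserialized on the far side of a PSDirect session.
$CheckBlock = {
    param([string]$Path, [string]$Expected)
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    # Assemble the version from the numeric parts; the FileVersion string may carry a text suffix.
    $actual = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        OsBuild     = "$($cv.CurrentBuild).$($cv.UBR)"   # may lag the hotpatch; not the indicator
        FileVersion = $actual.ToString()
        Patched     = ($actual -ge [version]$Expected)
    }
}

function Test-PSDirectPatchState {
    param(
        [Parameter(Mandatory)][pscredential]$GuestCredential,
        [string[]]$VMName = (Get-VM | Where-Object State -eq 'Running').Name,
        [string]$EvidencePath = "$env:TEMP\KB5066360-evidence.csv"
    )
    $rows = New-Object System.Collections.Generic.List[object]

    # Host first: a local check, no PSDirect involved.
    $h = & $CheckBlock $DllPath $ExpectedVersion.ToString()
    $rows.Add([pscustomobject]@{
        Role = 'Host'; Target = $h.Computer; OsBuild = $h.OsBuild
        FileVersion = $h.FileVersion; Patched = $h.Patched; SessionSeconds = 0; Error = ''
    })

    foreach ($vm in $VMName) {
        $sw = [System.Diagnostics.Stopwatch]::StartNew()
        try {
            $g = Invoke-Command -VMName $vm -Credential $GuestCredential -ScriptBlock $CheckBlock `
                     -ArgumentList $DllPath, $ExpectedVersion.ToString() -ErrorAction Stop
            $rows.Add([pscustomobject]@{
                Role = 'Guest'; Target = "$vm ($($g.Computer))"; OsBuild = $g.OsBuild
                FileVersion = $g.FileVersion; Patched = $g.Patched
                SessionSeconds = [math]::Round($sw.Elapsed.TotalSeconds, 1); Error = ''
            })
        } catch {
            # A session that hangs for seconds and then fails is the pre-patch symptom described above;
            # the elapsed time and the error text are kept so the evidence shows which side is behind.
            $rows.Add([pscustomobject]@{
                Role = 'Guest'; Target = $vm; OsBuild = ''; FileVersion = ''; Patched = $false
                SessionSeconds = [math]::Round($sw.Elapsed.TotalSeconds, 1); Error = $_.Exception.Message
            })
        }
    }

    # Audit evidence for the CMDB and for scanners that do not map hotpatch builds to a patched state.
    $rows | Export-Csv -LiteralPath $EvidencePath -NoTypeInformation
    $rows
}

# Usage (on the host):
# $cred = Get-Credential   # an account valid inside the guests
# Test-PSDirectPatchState -GuestCredential $cred | Format-Table -AutoSize
```

Any row with Patched = False, or any guest row carrying an Error, marks a host/guest pair that still needs the update or a fallback management path until both sides are at the same level.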

Known Issues, Caveats, and Compatibility Risks

Even though Microsoft states it is “not currently aware of any issues with this update,” hotpatches inherently introduce a few operational challenges.

Hotpatch eligibility gaps. If a Hyper-V host or guest does not meet hotpatch prerequisites, it must be updated through the standard cumulative update channel, which will require a reboot. This means that mixed-hotpatch environments will have a period where some endpoints are patched and others are not, potentially prolonging the PSDirect interoperability bug. In such cases, manual validation and possibly temporary workarounds (like fallback network-based PowerShell remoting) may be necessary.

Vendor software compatibility. In-memory patches can confuse endpoint detection and response (EDR) tools, backup agents, and virtualization management suites. For example, a real-time scanner might flag the updated PowerShell process as anomalous, or a backup product that injects into PowerShell might crash. Testing with critical third-party applications before mass deployment is essential.

Audit and compliance friction. The KB article does not list CVE identifiers in its narrative (though Microsoft’s Security Update Guide may map them). Organizations that require explicit CVE numbers for vulnerability management reporting should cross-reference the Microsoft Security Response Center (MSRC) advisory or contact Microsoft support. The absence of CVEs in the KB entry is a known documentation gap that can cause false audit findings.

Secure Boot Certificate Rollover Reminder. While unrelated to this hotpatch, Microsoft’s September release notes also reminded enterprises of upcoming Secure Boot certificate expirations beginning in June 2026. This program affects pre-boot trust and firmware updateability; it should be on every IT roadmap even though it is separate from the PowerShell fix.

Verification and Monitoring Checklist

After deploying KB5066360, perform the following checks to confirm proper installation and to detect any anomalies:

  • File version: Verify System.Management.Automation.dll version 10.0.26100.6569 on all patched hosts and guests.
  • PSDirect smoke test: Execute a cross-host/guest Invoke-Command session via PSDirect. The command should complete promptly without authentication errors.
  • Event logs: In the Security log, filter for Event ID 4625 (failed logon). Before patching, you may see these during handshake failures; after patching, the rate should drop to zero for PSDirect connections.
  • System logs: Look for WinRM or socket cleanup errors (source: WinRM, Microsoft-Windows-PowerShell). Unexpected restarts of the Windows Remote Management service (WinRM) might indicate residual issues.
  • EDR baselining: Compare PowerShell process behaviors before and after the hotpatch. Tune alert thresholds if your EDR solution generates false positives due to in-memory code changes.

For organizations with a SIEM, enable the following alert patterns:

  1. Repeated Event ID 4625 from PSDirect sessions (correlate by process name wsmprovhost.exe or powershell.exe with -VMName).
  2. Abnormal socket teardown sequences originating from PowerShell processes.
  3. Firewall rule changes or MpsSvc service restarts coinciding with patch installation—unlikely but worth monitoring.
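The following script is an added example covering the event-log items in the checklist above and the first SIEM pattern; it is not from the KB article or from Microsoft. It reads the host's Security log for Event ID 4625 and attributes each failure to its caller process, and reads Service Control Manager Event ID 7036 in the System log for WinRM state changes. The caller-process correlation is the article's own heuristic; the function names, the default time windows and the output columns are this example's assumptions.

```powershell
# Added example, not from the KB article or from Microsoft. Turns the checklist's
# "rate should drop to zero" into a before/after count of Security 4625 failures whose
# caller process is one the article associates with PSDirect, and lists WinRM service
# transitions after the patch. Assumptions (hypothetical): run elevated on the host;
# the 4625 EventData field names and Service Control Manager 7036 are standard Windows
# values; the process-name correlation is the article's heuristic, not a Microsoft rule.

function Get-PSDirectLogonFailures {
    param(
        [datetime]$Since = (Get-Date).AddHours(-24),
        [string[]]$CallerProcess = @('wsmprovhost.exe', 'powershell.exe')
    )
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } `
                  -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        # Flatten <EventData><Data Name="..."> into a hashtable keyed by field name.
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $proc = [System.IO.Path]::GetFileName([string]$d['ProcessName'])
        if ($CallerProcess -contains $proc) {
            [pscustomobject]@{
                Time      = $e.TimeCreated
                Caller    = $proc
                Subject   = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Target    = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                LogonType = $d['LogonType']
                Status    = $d['Status']      # NTSTATUS codes useful when escalating to Microsoft
                SubStatus = $d['SubStatus']
            }
        }
    }
}

function Get-WinRMServiceTransitions {
    param([datetime]$Since = (Get-Date).AddHours(-24))
    # Service Control Manager 7036: "<service> service entered the <state> state."
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'
                                     Id = 7036; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*Windows Remote Management*' } |
        Select-Object TimeCreated, Message
}

function Compare-PSDirectFailureRate {
    # Counts PSDirect-attributed 4625s in a window before and after the hotpatch install time.
    param([Parameter(Mandatory)][datetime]$PatchedAt, [int]$WindowHours = 24)
    $before = @(Get-PSDirectLogonFailures -Since $PatchedAt.AddHours(-$WindowHours) | Where-Object Time -lt $PatchedAt)
    $after  = @(Get-PSDirectLogonFailures -Since $PatchedAt | Where-Object Time -ge $PatchedAt)
    [pscustomobject]@{
        PatchedAt             = $PatchedAt
        FailuresBefore        = $before.Count
        FailuresAfter         = $after.Count
        ByCallerAfter         = ($after | Group-Object Caller | ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '
        WinRMTransitionsAfter = @(Get-WinRMServiceTransitions -Since $PatchedAt).Count
    }
}

# Usage: supply the time the hotpatch was installed on this host.
# Compare-PSDirectFailureRate -PatchedAt (Get-Date '2025-09-10 02:00') | Format-List
# Get-PSDirectLogonFailures | Export-Csv .\psdirect-4625.csv -NoTypeInformation   # feed to the SIEM
```

A non-zero FailuresAfter on a host whose guests are all patched points at a guest that is still behind, or at an unrelated credential problem that the Status and SubStatus columns help separate; WinRM transitions after the patch that do not line up with a maintenance action are the residual-issue signal the checklist describes.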

Conclusion

KB5066360 is a narrowly scoped but operationally vital hotpatch that restores PSDirect connectivity and closes a privilege escalation window left open by the September 2025 updates. For any organization using Hyper-V with PowerShell Direct, this patch must be prioritized. It exemplifies the promise of hotpatching—fast, low-impact remediation—but also highlights the operational rigor required to manage a hotpatch fleet: precise inventory, vendor testing, and audit alignment.

Apply the patch to pilot devices immediately where possible, validate all PSDirect workflows, and update your patching tools to recognize build 26100.6569 as a compliant state. Where compliance requires CVE references, obtain them from Microsoft’s Security Update Guide. With the fix in place, PSDirect returns to its role as a reliable, secure management channel—without the hidden handshake fragility that September’s updates introduced.