Microsoft has fixed the aggravating NDI and OBS streaming stutter that plagued content creators for weeks, rolling the remedy into its September 9 cumulative update for Windows 11, version 24H2. KB5065426 (OS Build 26100.6584) is a combined security and quality rollup that also clears a cascade of installer-triggered UAC prompts and MSI repair failures introduced by the previous month’s security hardening. The update bundles a servicing stack update (SSU) and refreshes AI components for Copilot+ devices, but administrators must navigate a critical known issue with PowerShell Direct on hotpatched virtual machines and a deliberately permanent SSU that complicates rollbacks.
The 26100 build series has endured a punishing August–September servicing cycle. August’s security rollup (KB5063878, Build 26100.4946) slammed the door on a privilege escalation vector (CVE-2025-50173) but inadvertently disrupted multi-PC streaming workflows and broke MSI repair operations for standard users. KB5065426 is Microsoft’s corrective follow-through: it preserves the security hardening while defusing the most acute side effects. The release also follows Microsoft’s now-familiar pattern of shipping a combined SSU+LCU package and relying on server-side feature gating, making it operationally critical for IT teams to test thoroughly.
NDI/OBS streaming: stutter silenced
The August update altered transport behavior that wrecked Network Device Interface (NDI) workflows—especially when Display Capture was active—producing severe stuttering and choppy audio/video for multi-PC streaming rigs. Affected users scrambled to apply temporary mitigations published by NDI’s vendor and echoed across streaming forums: change NDI Receive Mode from RUDP (Reliable UDP) to Single TCP or UDP (Legacy). KB5065426 directly addresses the underlying transport change, restoring reliable streaming on patched systems. The fix arrives in tandem with independent verification from outlets like BleepingComputer and the NDI knowledge base, which documented the regression and the short-term workaround while Microsoft developed the permanent correction. Streaming professionals should validate that their setups now operate smoothly without the fallback mode, but early reports indicate the stutter is eliminated.
Installer hardening and the MSI repair fiasco
The same August security push closed CVE-2025-50173 by enforcing stricter UAC flows for certain MSI install and repair scenarios. The unintended consequence was immediate: standard (non-admin) users attempting application repairs or running advertising-based installer features saw UAC dialogs or outright Error 1730 failures. KB5065426 refines how the system handles these MSI custom actions and introduces administrative controls to allowlist specific applications. A Known Issue Rollback (KIR) policy provides a temporary escape hatch for organizations that cannot immediately adapt their deployment workflows, though Microsoft stresses that KIR is a stopgap and not a long-term veto of the security improvement. The fix also resolves input method scenarios that could cause app unresponsiveness and addresses a prior bug where IIS Manager modules disappeared from the UI—two smaller but real productivity blockers.
Additional fixes and feature updates
- SMB auditing and security: The update enables enhanced auditing for SMB client compatibility with SMB Server signing and Extended Protection for Authentication (EPA). This lets administrators assess their environments before enforcing stricter signing or authentication policies, avoiding sudden disconnections for legacy devices.
- AI component refresh: For Copilot+ devices, the update ships AI binaries (Image Search, Content Extraction, Semantic Analysis, Settings Model) versioned 1.2508.906.0. Systems without compatible hardware will see no change, but eligible devices gain incremental quality improvements.
- Security updates: The package addresses multiple CVEs beyond the installer hardening. As always, Microsoft’s Security Update Guide and the MSRC portal list the complete set of resolved vulnerabilities.
The servicing stack permanence trap
KB5065426 arrives as a combined package containing a servicing stack update. The official support page (dated September 9, 2025) indicates that the update comprises multiple MSU files that must be installed in a specific order. Method 1—the recommended approach—downloads all MSU files for KB5065426 into a single folder and uses DISM to handle internal dependencies automatically. The command is straightforward:
DISM /Online /Add-Package /PackagePath:C:\packages\windows11.0-kb5065426-x64_32b5f85e0f4f08e5d6eabec6586014a02d3b6224.msu
Method 2, for environments that require granular control, lists two MSU files to install sequentially:
windows11.0-kb5043080-x64_953449672073f8fb99badb4cc6d5d7849b9c83e8.msuwindows11.0-kb5065426-x64_32b5f85e0f4f08e5d6eabec6586014a02d3b6224.msu
The first MSU is a servicing stack package. Because SSUs become effectively permanent once applied, traditional rollback via wusa /uninstall will not remove the servicing stack. Administrators can use DISM to remove only the LCU portion if absolutely necessary, but the SSU remains. This design reduces sequencing errors in future updates but forces organizations to treat each cumulative update as a near-irreversible change to the OS servicing layer. Rollout rings, thorough piloting, and tested system image backups are no longer optional.
Known issue: PSDirect breaks on hotpatched VMs
KB5065426 carries a notable unresolved edge case affecting PowerShell Direct (PSDirect). When a host or virtual machine runs a hotpatched version that is not in sync with the other side—for example, host updated to KB5065426 but guest still on a non-hotpatched August build—the PSDirect handshake can fail due to a socket cleanup bug. The symptom is connection failure and repeated Event ID 4625 entries. Microsoft has published a follow-up update, KB5066360, specifically to address this, and recommends updating both host and guest VMs to the same patch level in a coordinated maintenance window. Environments that rely on PSDirect for Hyper-V automation or nested labs must schedule synchronized patching and validate connectivity afterward.
What IT professionals must do now
The combination of a bundled SSU, a delicate security-usability trade-off, and a virtualization-specific known issue demands a disciplined deployment plan.
- Inventory Windows 11 24H2 devices. Confirm current OS builds before patching. Use
winveror your endpoint management tool. - Pilot on representative hardware. The pilot ring must include:
- A host and guest VM pair to verify PSDirect functionality.
- Any machine used for NDI/OBS streaming.
- Workstations with line-of-business MSI installers (Office, Autodesk, etc.). - Validate streaming and installer mitigations. For NDI, test stream stability post-patch; keep the Single TCP/UDP fallback in your back pocket. For MSI repair issues, evaluate whether the KIR policy is acceptable until allowlisting can be configured.
- Plan for rollback, even if you hope not to use it. Export system images and document the DISM package name (
windows11.0-kb5065426-x64...) so you can attempt LCU removal if a critical failure emerges. Accept that the SSU will linger. - Communicate to end users. Streaming producers should be briefed on NDI settings; non-admin users who frequently run older installers should know that re-running as administrator may be necessary until KIR is applied.
- Address the PSDirect hotpatch trap. If your environment uses hotpatching, schedule host and guest updates in the same maintenance window. For production Hyper-V clusters, test the KB5066360 follow-up before broad rollout.
Analysis: a pragmatic release in a brittle servicing model
KB5065426 succeeds at its primary mission: restoring usability for streamers and non-admin users without weakening the security posture achieved in August. The rapid involvement of vendors like NDI and the publication of temporary workarounds while Microsoft prepared the official fix signal a maturing patch ecosystem. Yet the update also exposes the brittleness of Windows 11’s servicing model in 2025.
Bundled SSU+LCU packages are now the norm, and their rollback complexity punishes organizations that skip pilot rings. Staged feature enablement—where identical OS builds behave differently depending on server-side flags—introduces non-determinism that QA teams must account for, especially when validating Copilot and AI features. The PSDirect hotpatch issue is a small but telling example: mixing hotpatched and non-hotpatched hosts/guests creates a fragile state that only a coordinated update can resolve. As Microsoft leans further into hotpatch semantics for critical servers, admins must treat VM update synchronization as a first-class operational requirement.
For home users and small businesses, installing KB5065426 through Windows Update is a straightforward recommendation: it returns important fixes and improves hygiene. For enterprises, the calculus is more nuanced. The update is a net positive, but its deployment demands the same rigor as any feature update. Pilot early, test the specific workflows described here, and have recovery images ready.
Microsoft’s official release notes remain the authoritative resource for command-line installation options, MSU file names, and security vulnerability details. The community-driven workarounds and vendor documentation for NDI and MSI behaviors provide practical depth that rounds out the operational picture. Together, they form a clear, if cautious, path to patching—one that navigates the unavoidable tension between security, usability, and recoverability.