Microsoft on May 27 pushed out an out-of-band cumulative update, labeled KB5061977, to stamp out three critical bugs that had been plaguing Windows 11 24H2 users since the April security patch. The unscheduled release, which bumps the OS build to 26100.4066, targets Windows Hello authentication meltdowns, Remote Desktop session lockups, and a maddening Active Directory Group Policy display glitch that was driving admins crazy.
Unlike the routine Tuesday patches, out-of-band updates are a red flag—they signal that a problem is bad enough to risk a rushed fix outside the normal cadence. And judging by the symptoms, Microsoft had no choice. After installing the April 2025 update (KB5055523), enterprises relying on Windows Hello for Business in Key Trust environments suddenly couldn’t log in. Remote Desktop users watched as sessions froze seconds after connecting, with mouse and keyboard becoming completely unresponsive. Meanwhile, IT staff stared at local audit policies that looked disabled but were actually still running.
Here’s exactly what KB5061977 resolves, how to get it, and why the installation process is more complicated than a simple click on “Check for updates.”
Three showstopper bugs that forced Microsoft’s hand
The April 2025 Patch Tuesday release (KB5055523) was intended to close security loopholes, but it inadvertently opened a trio of disruptive doors. The most glaring issue hit Windows Hello authentication, specifically in environments using Key Trust—a deployment model where the private key for Windows Hello for Business is stored in software rather than on a TPM. When users tried to sign in with a PIN or biometrics after applying the April patch, the mechanism would break. Authentications simply failed, locking them out of their own devices. For organizations that mandate passwordless access, this was a productivity-killing mess. Help desks were flooded with password reset requests as employees were forced back to traditional credentials.
Simultaneously, Remote Desktop Protocol (RDP) sessions became a gamble. Within moments of connecting to a remote machine, the session would hang—mouse cursor stuck, keystrokes ignored. The only way out was a hard disconnect. In an era of hybrid work, this bug crippled admins who manage servers remotely, support technicians helping end users, and any professional whose workflow depends on a stable remote link.
Less visible but equally frustrating was a discrepancy in Group Policy auditing. The April update caused the local security policy console to show that audit logon/logoff events were disabled, even though the auditing engine was still logging them correctly. “The lights were on but nobody was home,” is how one frustrated administrator described the phantom setting. When compliance and monitoring depend on accurate policy displays, such a cosmetic failure can trigger unnecessary escalations and lost trust in reporting tools.
All three issues were confirmed by Microsoft as regressions introduced by KB5055523. The company acknowledged them swiftly and committed to a fix, but the May 13 Patch Tuesday came and went without a solution, forcing a rare out-of-band release just two weeks later. That timing underscores the severity: leaving Windows Hello broken for another month wasn’t an option.
What’s inside KB5061977
KB5061977 is a cumulative update for Windows 11 version 24H2, and it arrives as OS Build 26100.4066. The payload is available through Windows Update, Windows Update for Business, and the Microsoft Update Catalog. Because it’s cumulative, it includes all previous quality improvements, but its headline act is the trio of fixes:
- Windows Hello for Business authentication when using Key Trust is restored. The update corrects the underlying failure so that PIN and biometric logins work reliably again.
- Remote Desktop session freezing is resolved. The patch addresses the component that was misbehaving post-April, ensuring input devices remain responsive throughout the session.
- Active Directory Group Policy audit display bug is fixed. The local policy console now accurately reflects the enabled/disabled state of audit logon/logoff events, matching the actual auditing behavior.
The update does not introduce any other new features or change the OS’s major functionality beyond these targeted corrections. Microsoft also notes that the fixes are included in the May 2025 optional non-security preview update and will roll into the June 2025 security update automatically, but the separate out-of-band release was deemed necessary for immediate relief.
The installation catch: this patch comes with a prerequisite
For average users checking Windows Update and seeing KB5061977 offered straight away, the installation is straightforward—click “Download and install” and reboot. But the deeper story lies in the Microsoft Update Catalog, where manual downloaders and enterprise deployers will discover that the update actually contains multiple .msu files that must be applied in a specific order.
According to the official support article, the required packages are:
- windows11.0-kb5043080-x64_953449672073f8fb99badb4cc6d5d7849b9c83e8.msu (the prerequisite)
- windows11.0-kb5061977-x64_72be6406594d4df1d8d066263c13388c758dc69f.msu (the main update)
KB5043080 must be installed before KB5061977, or the process will fail. Microsoft provides two methods:
Method 1 – Batch install: Place both .msu files in the same folder and use DISM with the /Add-Package parameter pointing to the main update file. DISM will automatically discover and install the prerequisite from that folder. The command is:
DISM /Online /Add-Package /PackagePath:c:\packages\windows11.0-kb5061977-x64_72be6406594d4df1d8d066263c13388c758dc69f.msu
Method 2 – Install individually: Deploy each .msu file in order, either using DISM or the Windows Update Standalone Installer (wusa.exe). First install the KB5043080 MSU, then the KB5061977 MSU. This method gives more control but requires two reboots.
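The two-package sequence above, as an added PowerShell example that is not from the article or from Microsoft: it applies the prerequisite and the main MSU in the documented order, skips packages that Get-HotFix already reports, and stops with a reboot prompt when DISM returns 3010 so the second package is applied on a clean boot. The staging folder `C:\packages` and the use of `/NoRestart` are assumptions; the file names are the ones the article lists.

```powershell
# Added example (not the article's or Microsoft's own code). Installs the
# KB5061977 prerequisite and main package in order on Windows 11 24H2.
# Assumptions: both MSUs sit in $PackageDir; the script is rerun after each
# reboot and uses Get-HotFix to resume where it left off.
#Requires -RunAsAdministrator

$PackageDir = 'C:\packages'   # assumed staging folder; adjust to your layout
$Packages = @(
    @{ Kb = 'KB5043080'; File = 'windows11.0-kb5043080-x64_953449672073f8fb99badb4cc6d5d7849b9c83e8.msu' },
    @{ Kb = 'KB5061977'; File = 'windows11.0-kb5061977-x64_72be6406594d4df1d8d066263c13388c758dc69f.msu' }
)

function Test-KbInstalled {
    param([Parameter(Mandatory)][string]$Kb)
    # Get-HotFix reads the installed-update list; -Id expects the 'KB' prefix.
    return [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)
}

function Install-Msu {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Package not found: $Path"
    }
    # dism.exe returns 0 on success and 3010 when a restart is still pending.
    $proc = Start-Process -FilePath 'dism.exe' `
        -ArgumentList @('/Online', '/Add-Package', "/PackagePath:`"$Path`"", '/NoRestart') `
        -Wait -PassThru -NoNewWindow
    switch ($proc.ExitCode) {
        0       { return 'Installed' }
        3010    { return 'RebootRequired' }
        default { throw "DISM failed for $Path with exit code $($proc.ExitCode)" }
    }
}

# Refuse to run on anything other than Windows 11 24H2 (build 26100).
$ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
if ([int]$ver.CurrentBuildNumber -ne 26100) {
    throw "Expected build 26100 (24H2), found $($ver.CurrentBuildNumber)"
}

foreach ($entry in $Packages) {
    if (Test-KbInstalled $entry.Kb) {
        Write-Host "$($entry.Kb) already present, skipping"
        continue
    }
    $result = Install-Msu (Join-Path $PackageDir $entry.File)
    Write-Host "$($entry.Kb): $result"
    if ($result -eq 'RebootRequired') {
        # Stop here so the next package is applied after the pending restart;
        # rerunning the script after the reboot resumes at the next entry.
        Write-Host 'Restart now, then rerun this script to continue.'
        exit 3010
    }
}

Write-Host "All packages present. UBR is now $((Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR); 4066 is expected after KB5061977."
```

Run it once, reboot when it asks, and run it again; the Get-HotFix check makes it safe to repeat, which also makes it usable as a ConfigMgr or scheduled-task script where the install order cannot be expressed in a single package.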
That prerequisite, KB5043080, is not explained in the public documentation—it is not a previously released standalone update but appears to be a servicing stack update or a component specific to this fix. Its inclusion signals that the correction touches core platform components that must be updated in tandem. For IT pros managing large fleets via ConfigMgr or WSUS, this adds a layer of complexity: the update cannot be packaged as a single file without bundling both MSUs and scripting the install order.
Why Windows Hello for Business took the hardest hit
Windows Hello for Business is the enterprise-grade version of Windows Hello, supporting certificate-based or key-based authentication. In Key Trust deployments, the private key is protected by software and bound to the user’s PIN. After the April update, something in the authentication stack corrupted that binding, causing the key to become unusable. The only workaround was to either fall back to password (defeating the purpose of passwordless) or re-enroll Windows Hello, which often required a reset of the PIN container—an unspeakable hassle for end users.
The out-of-band fix does not require re-enrollment; once applied, the existing keys should work again. However, users who already re-enrolled during the outage might have duplicate or orphaned keys, so IT admins are advised to monitor help desk calls for any lingering anomalies.
It’s a stark reminder that even “mandatory” security updates can break foundational authentication features. Many organizations delay patches by up to 30 days specifically to catch such regressions, but April’s KB5055523 carried fixes for actively exploited vulnerabilities, forcing a quicker rollout. The stress is now on Microsoft’s testing pipelines: three high-impact regressions slipping through is a black eye for quality assurance.
Remote Desktop frozen: more than an inconvenience
The Remote Desktop freezing bug was especially insidious because it didn’t always manifest immediately. A session could function for a minute or two before seizing up. Input was dead, but the screen still updated—creating confusion. The issue affected all Remote Desktop clients connecting to a Windows 11 24H2 host, including the built-in Remote Desktop Connection app and the Windows App (formerly Microsoft Remote Desktop).
KB5061977 isolates the problem to a misbehaving graphics component that was inadvertently altered by the April servicing change. Once patched, sessions remain stable. For businesses that rely on RDP for daily operations—call centers, field support, remote development—this fix eliminates an unpredictable productivity killer.
The vanishing policy: AD auditing’s identity crisis
Active Directory administrators prize audit policies because they underpin security monitoring and compliance. When the local policy console flipped the “Audit logon events” setting to “Disabled” visually, many assumed that a malicious GPO or an update had turned off auditing. In reality, the events were still being captured; only the UI was wrong. But the visual cue prompted frantic troubleshooting, unnecessary policy changes, and in some cases, a rollback of the April update.
KB5061977 realigns the UI with the actual audit engine state, restoring confidence. Microsoft hasn’t explained the root cause, but it likely stems from a change in how policy values are retrieved from the Security Configuration Manager (SCM) after a subsystem update. Regardless, the fix is straightforward and requires no administrative reconfiguration.
What IT admins should do now
- Test the patch immediately in a sandbox environment that mirrors your production deployment, especially if you use Key Trust Windows Hello for Business or rely on RDP. The prerequisite KB5043080 may introduce its own dependencies; validate the install sequence.
- Plan a fast-follow deployment if your organization was affected. Because this is out-of-band, treat it as an emergency change, but don’t skip smoke tests.
- Check Windows Hello trust models. If you’ve been considering moving from Key Trust to Certificate Trust or TPM-backed keys, now is a good time to re-evaluate. Key Trust, while convenient, has historically been more fragile after servicing updates.
- Audit your RDP environments to confirm that client machines are updated. The host must receive the patch to stop freezing, but clients benefit from staying current as well.
- Correct any policy misconfigurations that may have occurred while the display bug was active. Ensure that audit policies are set as intended, now that the console reflects truth.
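The post-patch checks in the list above, as an added PowerShell example that is not from the article or from Microsoft. It confirms the host is on build 26100.4066, reads the audit policy the engine is actually enforcing through auditpol rather than the Local Security Policy console (the component the display bug affected), checks that logon events are still landing in the Security log, and reads the Windows Hello key state from dsregcmd. The build and UBR values come from the article; the regular expression used to parse the dsregcmd output is an assumption about its text format.

```powershell
# Added example (not the article's or Microsoft's own code). Verifies the
# KB5061977 fixes from the engine side rather than from the UI.
#Requires -RunAsAdministrator

function Get-OsBuildInfo {
    # CurrentBuildNumber/UBR together give the OS build shown in winver.
    $v = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        Build   = [int]$v.CurrentBuildNumber
        UBR     = [int]$v.UBR
        Patched = ([int]$v.CurrentBuildNumber -eq 26100 -and [int]$v.UBR -ge 4066)
    }
}

function Get-EffectiveLogonAudit {
    # auditpol /r emits CSV; 'Inclusion Setting' is the value the auditing
    # engine enforces, independent of what the policy console displays.
    auditpol /get /category:'Logon/Logoff' /r |
        ConvertFrom-Csv |
        Select-Object Subcategory, 'Inclusion Setting'
}

function Test-LogonEventsFlowing {
    param([int]$Hours = 1)
    # If auditing really is on, event 4624 (successful logon) keeps arriving.
    $ev = Get-WinEvent -FilterHashtable @{
            LogName   = 'Security'
            Id        = 4624
            StartTime = (Get-Date).AddHours(-$Hours)
        } -MaxEvents 1 -ErrorAction SilentlyContinue
    return [bool]$ev
}

function Get-HelloKeyState {
    # dsregcmd /status prints 'NgcSet : YES' under User State when a Windows
    # Hello for Business key exists for the user running the command
    # (under elevation that is the admin account, not the signed-in user).
    # The pattern below is an assumption about the output format.
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*NgcSet\s*:\s*(\S+)') { return $Matches[1] }
    }
    return 'Unknown'
}

$build = Get-OsBuildInfo
Write-Host ("Build {0}.{1} - KB5061977 applied: {2}" -f $build.Build, $build.UBR, $build.Patched)
Write-Host 'Effective Logon/Logoff audit settings (from auditpol, not the console):'
Get-EffectiveLogonAudit | Format-Table -AutoSize
Write-Host "Event 4624 seen in the last hour: $(Test-LogonEventsFlowing)"
Write-Host "Windows Hello key present for this user (NgcSet): $(Get-HelloKeyState)"
```

The value of this check during an incident like the April one is the second function: when a console shows a setting as disabled, the auditpol output and a fresh 4624 event tell you whether the engine agrees before anyone changes a policy or rolls back an update.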
For consumers and small businesses, Windows Update will offer KB5061977 automatically if you haven’t paused updates. Installing it resolves the Hello and RDP issues without additional steps.
The broader picture: out-of-band patches are a symptom of pressure
Out-of-band releases are not a sign of diligence alone; they’re a fire alarm. Microsoft rarely breaks its monthly cadence unless a security hole is being exploited in the wild or a reliability bug is so severe that customers are screaming. In this case, it’s the latter. The fact that the company waited two weeks after the May Patch Tuesday to deliver the fix suggests internal debate about whether the issues warranted the disruption of signing and distributing an emergency package. Ultimately, the volume of enterprise complaints forced the issue.
This incident also highlights the peril of cumulative updates. Because every patch rolls up all prior fixes, a single regression in one component can drag an entire system down. The Windows Hello fix, for example, may have required changes to the same binaries that handle user profile loading, making isolation difficult. It’s a design that simplifies maintenance but magnifies the blast radius of any bug.
Looking ahead
Microsoft has added KB5061977 to the Windows 11 24H2 update history and published a comprehensive support note, but the post-mortem will be watched closely. Enterprise customers expect a detailed root cause analysis and commitments to improve testing. For Windows Hello in particular, the Key Trust model has been a persistent source of post-update friction; some admins are calling for its deprecation.
The June 2025 Patch Tuesday will roll up all these fixes automatically, so even organizations that don’t install the out-of-band patch will eventually get the corrections. But for those still limping along with broken logins and frozen RDP sessions, KB5061977 is the light at the end of a very long tunnel. Grab it from Windows Update or the Microsoft Update Catalog, mind the prerequisite package, and restore your Windows 11 systems to stable ground.