Microsoft released a targeted security hotpatch, KB5066360, for Windows 11 Enterprise LTSC 2024 on September 9, 2025, addressing a critical vulnerability in PowerShell Direct (PSDirect) that could allow unauthorized non-administrator access between host and guest virtual machines. The update, which bumps the OS build to 26100.6569, takes effect without a system reboot—a capability reserved for devices enrolled in Microsoft’s hotpatch program. Administrators managing virtualized environments where PowerShell remoting into VMs is routine should prioritize testing and deployment.
The hotpatch model has been Microsoft’s increasingly relied-upon mechanism to deliver narrow security fixes that activate immediately, sidestepping the disruptive restart cycles of cumulative updates. For mission-critical LTSC endpoints—medical systems, industrial controllers, banking servers—that cannot tolerate downtime, a no-reboot fix is not a luxury; it’s a requirement. This article breaks down what KB5066360 delivers, who gets it, the exact vulnerability it closes, and how to roll it out safely while navigating the hotpatch program’s prerequisites and a looming Secure Boot certificate expiration.
The vulnerability: PSDirect connection failures
PowerShell Direct, or PSDirect, enables administrators to run PowerShell commands inside a virtual machine from the Hyper-V host without network connectivity. It’s a staple of local VM management and automation. The flaw patched by KB5066360 was introduced by the September 2025 hotpatch and September 2025 security updates. Microsoft describes it as “a vulnerability in the interaction between the host operating system and a guest virtual machine that could allow unauthorized, non-administrator access during a brief window.” In practice, an attacker or malicious process on a guest might exploit a timing weakness during PSDirect session establishment to gain privileges on the host—or vice versa—without proper authentication.
The fix also improves reliability for older sessions that “shut down unexpectedly,” suggesting that some environments may have seen PSDirect connections drop or fail without warning. Microsoft recommends applying this update to any host whose guest VMs have received the September 2025 security update, closing the exposure gap for mixed environments where guests are patched before hosts.
What KB5066360 actually installs
The hotpatch package updates core PowerShell assemblies: System.Management.Automation.dll, Microsoft.PowerShell.ConsoleHost.dll, and associated resource DLLs, all versioned at 10.0.26100.6569 and timestamped August 22, 2025. It is delivered exclusively through Windows Update for eligible devices; the Microsoft Update Catalog and WSUS are not listed as distribution channels for this specific hotpatch. The update also bundles the latest servicing stack update (SSU) to reduce installation failures on Windows Update–serviced devices.
Critically, because this is a hotpatch, no immediate restart is required on devices that meet all eligibility prerequisites. The fix takes effect in memory the moment it is applied, which slashes the exposure window from days or weeks (while waiting for a maintenance window) to near zero.
Hotpatch eligibility: not for every enterprise
Hotpatching comes with a stringent set of requirements. To receive KB5066360 automatically, a device must:
- Run Windows 11 Enterprise LTSC 2024 on a supported baseline build.
- Be enrolled in Microsoft Intune (or Windows Autopatch) with an appropriate license (Windows Enterprise E3/E5, Microsoft 365 Business Premium, Windows 365 Enterprise, etc.).
- Have Virtualization-Based Security (VBS) enabled.
- For Arm64 devices, disable Compiled Hybrid Portable Executable (CHPE) via DisableCHPE CSP or registry before enrollment; this requires a one-time reboot.
Devices that don’t meet these criteria—unmanaged machines, those on legacy licensing, or those with VBS turned off—will not see the hotpatch and must rely on the next cumulative update, which will include the fix but require a full restart cycle.
This split servicing model means that mixed estates will have devices on two different patching cadences. Inventory tools must distinguish between hotpatched builds (26100.6569) and baseline cumulative update builds to avoid false “unpatched” alerts. Compliance dashboards that map patch status solely by LCU KB numbers will need an update.
The Secure Boot certificate time bomb
KB5066360’s release notes carry an explicit advisory that is easy to miss but has operational consequences for 2026: Secure Boot certificates used by Windows devices will begin expiring in June 2026. Microsoft urges admins to start preparing now to avoid disruption to pre-boot trust and updateability. This is a separate, cross-domain program that requires coordination with OEMs, firmware teams, and Windows Update management. The advisory is a not‑so‑gentle reminder that while this hotpatch fixes a here‑and‑now PSDirect bug, the next big certificate rollover will demand months of planning and testing.
Rollout playbook for enterprise admins
Administrators who manage eligible LTSC 2024 fleets should follow a disciplined deployment sequence.
Step 1: Confirm eligibility and inventory
Verify that target devices are on a hotpatch‑compatible baseline build. Use Intune, SCCM, or winver to capture current OS builds. Check licensing and Intune enrollment; verify VBS is enabled in firmware and Hyper‑V configuration. For Arm64 devices, perform the one‑time CHPE disablement and reboot before expecting the hotpatch.
Step 2: Pilot ring testing
Create a pilot device group in Intune and enable a Windows quality update policy with Hotpatch set to “Allow.” Deploy KB5066360 and monitor for at least 7–14 days. Pay special attention to:
- PSDirect and PSRemoting functionality, since the patch alters PowerShell remoting surfaces.
- EDR and antivirus telemetry—hotpatches modify in‑memory code paths and can trigger false positives from security tools.
- Third‑party virtualization plugins, backup agents, or kernel drivers that interact with session subsystems.
Step 3: Staged rollout
Promote the update through early adopter rings (excluding critical services) before broad deployment. Keep rollback procedures tested: uninstalling a hotpatch requires a restart and may leave the device at a different servicing state that forces a follow‑on cumulative update.
Step 4: Post‑deployment verification
Confirm that winver or inventory queries report build 26100.6569. Update CMDB and compliance tooling to equate this build number with “patched.” Adjust any rules that expect traditional LCU KB identifiers.
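Steps 1 and 4 above (the baseline and VBS eligibility check, then confirming build 26100.6569 and the 10.0.26100.6569 PowerShell assemblies) can be reduced to a single inventory query. The script below is an added example written for this article, not Microsoft’s tooling; it assumes it runs in Windows PowerShell 5.1 on the Hyper‑V host (PowerShell 7 loads its own System.Management.Automation.dll, which this hotpatch does not touch), and the function name, output fields and the use of EditionID “EnterpriseS” to recognise LTSC are our assumptions.

```powershell
# Added example: compliance/eligibility probe for KB5066360 (not from Microsoft or the KB).
# Expected values (OS build 26100.6569, assembly 10.0.26100.6569) come from the KB description.
function Test-KB5066360Compliance {
    [CmdletBinding()]
    param(
        [version]$ExpectedOsBuild  = '10.0.26100.6569',
        [version]$ExpectedAssembly = '10.0.26100.6569'
    )

    # OS build as winver reports it: CurrentBuild (26100) plus the UBR revision (6569).
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $os = [version]('10.0.{0}.{1}' -f $cv.CurrentBuild, $cv.UBR)

    # The System.Management.Automation.dll actually loaded by this session
    # (Windows PowerShell 5.1 assumed); the hotpatch updates this assembly in place.
    $smaPath = [PSObject].Assembly.Location
    $fvi     = (Get-Item $smaPath).VersionInfo
    $sma     = [version]::new($fvi.FileMajorPart, $fvi.FileMinorPart,
                              $fvi.FileBuildPart, $fvi.FilePrivatePart)

    # VBS state from the Device Guard WMI class: 2 = running, 1 = enabled but not running, 0 = off.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $vbsRunning = ($null -ne $dg) -and ($dg.VirtualizationBasedSecurityStatus -eq 2)

    # Assumption: LTSC SKUs report EditionID 'EnterpriseS' (IoT variants end the same way).
    $isLtsc = $cv.EditionID -match 'EnterpriseS$'

    $osPatched  = $os  -ge $ExpectedOsBuild
    $smaPatched = $sma -ge $ExpectedAssembly

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        OsBuild          = $os.ToString()
        OsBuildPatched   = $osPatched
        SmaPath          = $smaPath
        SmaVersion       = $sma.ToString()
        SmaPatched       = $smaPatched
        VbsRunning       = $vbsRunning
        IsLtsc           = $isLtsc
        HotpatchEligible = $isLtsc -and $vbsRunning   # licensing/Intune enrollment checked elsewhere
        Compliant        = $osPatched -and $smaPatched
        # Not patched and not eligible: the fix will only arrive with the next LCU (reboot required).
        ExpectViaLcu     = -not ($osPatched -and $smaPatched) -and -not ($isLtsc -and $vbsRunning)
    }
}

Test-KB5066360Compliance | Format-List
```

Feed the object into your CMDB or compliance tool so that a device is marked patched when OsBuildPatched and SmaPatched are both true, rather than by the presence of an LCU KB number.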
Monitoring focus
After deployment, watch for PSDirect handshake errors in Hyper‑V logs, session teardown anomalies, and any spike in EDR alerts correlated with the hotpatch install event. Baseline telemetry prior to deployment will help distinguish legitimate alerts from noise.
Risks, caveats, and what’s missing
KB5066360 is a narrowly scoped fix, which reduces regression risk, but enterprises must weigh several caveats.
- Missing CVE identifiers: The public KB entry describes the vulnerability functionally but does not assign CVE numbers. Compliance and risk scoring teams that require CVE mapping will need to consult Microsoft’s Security Update Guide or open a support case. For audit‑heavy organizations, this is a documentation gap that must be resolved.
- Third‑party agent compatibility: EDR, backup, and virtualization products that hook into PowerShell or Hyper‑V sessions can exhibit unexpected behavior after a hotpatch because in‑memory structures change without a full process restart. Vendors rarely test against hotpatches as thoroughly as they do cumulative updates; plan for vendor‑specific testing.
- Rollback complexity: “No restart” does not mean “no rollback cost.” Uninstalling a hotpatch forces a reboot and may place the device in an intermediate servicing state. Exercise and document the rollback path in a lab.
- Mixed servicing estates: Devices that cannot meet hotpatch prerequisites will stay on a traditional LCU cadence. This creates a two‑track fleet where patch compliance metrics must track both build numbers and KB numbers simultaneously.
- Secure Boot certificate expiration: While unrelated to the PowerShell fix, the advisory included in the KB notes that Secure Boot certificates expire starting June 2026. This is a separate, high‑priority program that demands firmware updates and testing well before the deadline.
The bigger picture: hotpatching as the new normal
KB5066360 is not an isolated event. It represents Microsoft’s accelerating shift toward a “patch fast, reboot later” model for enterprise Windows. Hotpatches first appeared in Windows Server and have slowly migrated to Windows 11 Enterprise for heavily managed devices. For LTSC customers—often in tightly controlled, high‑availability environments—this update is a test case for broader hotpatch adoption. If your organization can successfully receive, deploy, and verify a hotpatch without operational hiccups, you’ll be well‑positioned for future security fixes that arrive the same way.
However, hotpatching does not replace baseline cumulative updates. Those quarterly LCUs reset the hotpatch baseline and include changes that cannot be applied in‑memory. Organizations must continue to schedule maintenance windows for LCU deployment, even as they take advantage of no‑reboot hotpatches for interim fixes.
Bottom line
Apply KB5066360 to eligible Windows 11 Enterprise LTSC 2024 hosts as a priority stage‑2 update (after pilot validation) if your environment meets the hotpatch prerequisites. The fix directly closes a host‑to‑guest PSDirect privilege gap that could be exploited rapidly, and it does so without a reboot—ideal for uptime‑sensitive workloads. If your devices cannot receive the hotpatch, ensure the next cumulative update is scheduled promptly. For compliance teams, escalate the missing CVE identifiers to Microsoft and adjust inventory tooling to recognize build 26100.6569 as patched. And let the Secure Boot certificate advisory in this KB serve as the catalyst for a formal project plan: June 2026 is closer than it seems, and certificate rollovers require months of preparation.
Hotpatching is no longer experimental. KB5066360 delivered a vital security fix through that channel, and how well your organization handles it will set the template for dozens of similar updates to come.