Microsoft shipped the September 2025 hotpatch—KB5065474—for Windows 11 Enterprise 24H2 and LTSC 2024 on September 9, updating eligible devices to OS Build 26100.6508. The release eliminates an unexpected User Account Control (UAC) prompt that plagued non-administrative users during certain MSI repair and configuration operations. But alongside this fix, the update carries a pair of operational alerts that demand immediate attention from IT and virtualization teams: a PowerShell Direct (PSDirect) interoperability gap when hotpatch states differ between Hyper-V hosts and guests, and a forward-looking warning about Secure Boot certificate expirations starting in mid-2026.

A Closer Look at the Update’s Contents

KB5065474 is delivered as a hotpatch, Microsoft’s low-disruption servicing model that patches in-memory code paths without forcing a restart on eligible endpoints. It bundles a servicing stack update (SSU)—KB5064531—to improve installation reliability. After successful installation, systems report build 26100.6508, a fingerprint administrators must teach their inventory tools to recognize.

The public KB page highlights one concrete fix: a correction for an issue where non-admin users encountered uninvited UAC elevation prompts when MSI installers performed certain custom actions, such as repair or configuration tasks that run in the foreground or background. The problem, introduced by the August 2025 Windows security update, affected applications ranging from Office Professional Plus 2010 to Autodesk’s AutoCAD and could block necessary app maintenance. Now, the scope of UAC prompts for MSI repairs is narrowed, and IT admins can optionally disable them for specific applications via an allowlist.

The KB text also references “quality and security improvements,” but Microsoft’s hotpatch entries intentionally avoid enumerating CVE identifiers. Organizations that require CVE-to-KB mapping for compliance must cross-reference the Security Update Guide or open a Microsoft support case.

What the UAC Change Means for End Users and IT

For everyday users at managed enterprises, the fix is a quiet but significant quality-of-life improvement. Repairs, configuration tweaks, and even background maintenance tasks that triggered disruptive UAC pop-ups will now proceed smoothly, reducing help-desk tickets and user frustration. IT pros get an additional lever: the ability to whitelist specific apps so that known‐safe repair operations never throw a UAC prompt, a useful option for tightly controlled line-of-business software.

Admins should note that the fix does not remove UAC entirely; it merely scales back the situations that demand elevation during MSI repairs and grants configuration control. It is wise to test the new behavior with a representative sample of your corporate apps before a broad deployment, especially those that bundle custom actions or older installer technologies.

When Hotpatching Meets PowerShell Direct: the PSDirect Puzzle

KB5065474 officially flags a known issue that can trip up virtualized environments: PowerShell Direct (PSDirect) connections may fail intermittently when a host and guest VM are running different hotpatch states. If one side has the September hotpatch and the other does not, the expected fallback to a legacy handshake can break, leaving behind socket cleanup problems and authentication failures. Security logs may record Event ID 4625, and automation scripts that depend on PSDirect—common in Hyper-V management, lab automation, and nested virtualization—can stall.

The vendor guidance is clear: apply the corrective hotpatch KB5066360 to both the host and guest where recommended, or ensure that hosts and guests are updated together during the same maintenance window. For environments where simultaneous patching isn’t possible, switch to network‐based PowerShell Remoting over secure channels as a workaround until parity is achieved. Pay special attention to monitoring; a sudden spike in Event ID 4625 or PSDirect failures after deploying KB5065474 is a strong signal that host-guest patching is out of sync.

The Secure Boot Countdown: Planning for Certificate Expiry

Tucked into the advisory is a reminder that some Secure Boot certificates used in device firmware will begin expiring in mid-2026. This is a firmware-layer concern, not something an OS update alone can remediate. Pre-boot trust, Secure Boot validation, and even the ability to install future updates or boot the device could be affected if firmware or certificate updates from OEMs aren’t applied in time.

IT operations and security teams must start cross-functional planning now. That means inventorying devices, identifying hardware that carries the expiring certificates, and engaging device manufacturers for firmware updates. Older or specialized hardware may require extra lead time, and testing firmware updates in a controlled lab before mass deployment is essential.

How We Got Here: A Timeline of Service and the MSI/UAC Regression

The hotpatching program itself is a response to enterprise demand for minimizing reboot disruptions on mission-critical systems. Under this model, Microsoft ships restart-requiring baseline cumulative updates (LCU plus SSU) periodically, then fills the gaps with restart-free hotpatches like KB5065474 to deliver urgent fixes and security hardening. The cadence allows financial trading floors, healthcare devices, and industrial controllers to stay protected without the downtime of a full update cycle.

The UAC/MSI regression surfaced after the August 2025 security update. At that time, Microsoft documented unexpected prompts and provided guidance for an interim workaround while engineering the proper fix that now ships in KB5065474. The hotpatch approach meant the correction could reach production systems quickly without imposing a reboot window.

KB5065474 itself builds on those lessons. By delivering a targeted code change in memory, it reduces exposure while buying time for the next full cumulative update to incorporate the same fix on disk. However, the no-reboot model also introduces the risk of patch-state fragmentation, which is exactly why the PSDirect edge case materialized.

Action Plan: Staged Rollout, Monitoring, and Hardening

A disciplined, phased deployment will minimize surprises. Here’s a practical sequence:

1. Inventory and eligibility check
- Confirm target OS: Windows 11 Enterprise 24H2 / LTSC 2024 and hotpatch prerequisites.
- Collect CurrentBuild and UBR across your estate to baseline patch levels and identify devices already at 26100.6508.
- Document all Hyper-V host-guest pairs that rely on PSDirect, mapping their relationships for coordinated updates.

2. Pilot ring
- Assemble a small group that includes Hyper-V hosts with their guest VMs, Arm64 endpoints (hotpatch behavior may differ), and systems running kernel-level integrations like EDR or VPN drivers.
- Validate functional and security telemetry for 7–14 days. Pay attention to MSI repair flows, PSDirect sessions between patched host and guest, and any unexpected UAC prompts.
- Monitor Security logs for Event ID 4625 and EDR alerts for unusual privilege patterns.

3. Early adopter expansion
- Extend the hotpatch to a larger ring while maintaining host-guest simultaneous update where PSDirect is used.
- Verify that compliance scanners and asset-management tools correctly interpret OS Build 26100.6508 as a patched state. Update those tools if they rely on KB numbers alone.

4. Broad deployment
- Roll out in waves, staggering ring sizes to keep support load manageable.
- Enforce host-guest parity for all virtualization hosts. Apply KB5066360 on both sides when Microsoft recommends it.

5. Post-deployment hardening
- Harden local accounts and reduce local administrator membership during the rollout window.
- Automate checks that correlate build numbers with hotpatch states to avoid false noncompliance flags.
- Launch Secure Boot remediation work: open tickets with OEMs, identify firmware update requirements, and prioritize legacy hardware for testing.

What’s Next: Baseline Months and Firmware Updates

KB5065474 is not a replacement for the regular cumulative update cadence; the next restart-requiring baseline will absorb the fixes permanently. In the meantime, organizations that depend on PSDirect must pay close attention to the corrective patch and maintain discipline around host-guest update coordination.

On the Secure Boot front, the clock is ticking. Firmware and certificate refreshes require OEM participation, and those conversations are best started before the calendar forces a crisis. As the 2026 expiry window nears, expect more specific guidance from Microsoft and hardware vendors.

For now, apply KB5065474 where hotpatching is supported, monitor your Hyper-V fabric, and add the Secure Boot planning item to your next change advisory board meeting. The no-reboot delivery is a real operational advantage, but it works best when paired with careful inventory and cross-team communication.