Microsoft’s September Patch Tuesday arrived with 81 security fixes, two actively exploited zero‑day vulnerabilities, and a clear message: Windows 11 is the future, while Windows 10 enters its final maintenance phase. The updates—KB5065429 for Windows 10 and KB5065426 for Windows 11—include urgent patches for SMB relay attacks and a denial‑of‑service flaw in a widely used .NET library. At the same time, Windows 11 received a significant feature boost centered on AI experiences, leaving Windows 10 users with only security and reliability improvements.
A Heavy Security Load: 81 Fixes, Two Zero‑Days
The cumulative updates address a sweeping range of vulnerabilities across Windows components, Hyper‑V, Microsoft Office, and SQL Server. Two flaws stand out because they were publicly disclosed and actively targeted before the patches shipped.
CVE‑2025‑55234 attacks the Server Message Block (SMB) protocol. Improper authentication in the SMB server can allow an attacker to relay credentials and gain elevated privileges. Microsoft’s fix adds new audit capabilities to help administrators evaluate whether SMB hardening—signing and Extended Protection for Authentication—will break existing clients before they enforce it. Organizations with legacy systems should move quickly; this flaw puts file shares, domain controllers, and any internet‑facing SMB service at risk.
CVE‑2024‑21907 is a denial‑of‑service bug in the Newtonsoft.Json library, a widely used open‑source JSON parser. An attacker can craft input that triggers a StackOverflow exception, crashing affected services. Microsoft patched the component inside SQL Server and other products that bundle the vulnerable library. This serves as a stark reminder that third‑party libraries remain a persistent supply‑chain vector, and organizations must track not just OS patches but also the dependencies inside their applications.
Beyond the zero‑days, fixes cover graphics and imaging components, Windows Hyper‑V, and Microsoft Office. The sheer number—81 CVEs—makes this one of the heavier Patch Tuesdays in 2025, underlining the importance of rapid deployment.
Windows 10: The Penultimate Update and a Countdown to October 14
The September update for Windows 10 is a maintenance‑only release. No new features, no UI changes—just security fixes and quality improvements. This marks the operating system’s penultimate scheduled Patch Tuesday before end of support on October 14, 2025. After that date, Microsoft will stop providing free security updates, leaving millions of PCs vulnerable unless their owners take action.
Organizations and consumers have three paths:
- Upgrade to Windows 11: The preferred route, but it requires TPM 2.0, Secure Boot, a compatible CPU, and at least 4 GB of RAM. Microsoft’s hardware requirements have not softened, so many older but perfectly functional PCs cannot migrate.
- Purchase Extended Security Updates (ESU): Microsoft now offers an ESU program for consumers and businesses. The first year of extended patches will cost a fee, and the price escalates each subsequent year. ESU is a temporary bridge, not a long‑term strategy.
- Accept the risk or switch to an alternative OS: Running an unsupported Windows 10 machine after October 14 invites malware and data breaches. Some organizations are considering Linux or isolated networks for legacy workloads, but those carry their own operational headaches.
Mike Walters, President and Co‑founder of Action1, noted, “Organizations with hardware compatible with Windows 11 should strongly consider upgrading before the October deadline to take advantage of ongoing feature improvements. ESU should be viewed as a temporary bridge rather than a long‑term strategy, as costs rise in subsequent years.”
For home users, the choice is even starker. Consumer ESU pricing, while not yet publicly detailed by Microsoft, will likely not be cheap. Upgrading to Windows 11—or buying a new PC—is the most secure path. Check your hardware compatibility now; if your device can’t run Windows 11, budget for a replacement before the October cutoff.
Windows 11: AI Takes Center Stage, Alongside Polished UX
While Windows 10 users received only security fixes, Windows 11 got a substantial feature injection. KB5065426 bundles the same 81 patches plus several user‑facing improvements, most geared toward Copilot+ PCs—devices with dedicated neural processing units (NPUs) from Qualcomm, Intel, or AMD.
Recall gets a personalized home page. On Copilot+ PCs, Recall now opens to a dashboard showing recent activity, frequently used apps, and snapshots filtered by time or application. Microsoft added granular controls: users can choose which apps and websites are captured, and all snapshots remain encrypted behind Windows Hello authentication. The feature remains completely opt‑in, a design choice meant to blunt earlier privacy criticisms.
Click to Do evolves. The Click to Do overlay—which lets you act on text or images with commands like “summarize” or “remove background”—now starts with an interactive tutorial the first time you use it. It also supports new actions that hand off selected content to Microsoft 365 Copilot. Processing happens locally on the Copilot+ device, reducing cloud exposure.
Taskbar and notification center get long‑requested tweaks. Power users can finally enable a larger taskbar clock with seconds in the notification center—a simple change that many have requested for years. Search on the taskbar now shows visual progress indications and grid image results. File Explorer’s context menu adds dividers between top‑level icons for clearer differentiation.
Windows Hello and passkeys look cleaner. The authentication screen sports a more modern design with a distinct emphasis on passkey setup and usage. Microsoft says the workflow for creating and using passkeys is now smoother, part of a broader push to eliminate passwords.
Settings surfaces AI usage and gets smarter. A new “Text and Image Generation” page under Privacy & security lets users see which third‑party apps have recently tapped Windows‑provided generative AI models. Additionally, the Settings agent—previously limited to Snapdragon‑powered Copilot+ PCs—now runs on Intel and AMD Copilot+ devices, letting users quickly find and change settings via natural language.
These features collectively show Microsoft’s roadmap: AI is no longer a side experiment but a core pillar of the Windows experience, and it will run increasingly on‑device to address privacy and latency concerns. However, the Copilot+ hardware requirement creates a sharp divide. Users on older Windows 11 PCs won’t see Recall, Click to Do, or the Settings agent, effectively leaving them out of the innovation curve.
Strengths, Trade‑offs, and the Fragmentation Reality
The September updates underscore Microsoft’s dual strategy of fixing the past while building the future, but that duality brings real tensions.
Strengths:
- Security‑first, innovation‑forward: By pairing critical patches with feature rollouts, Microsoft keeps enterprises protected today while giving consumers a reason to stay on Windows 11.
- Local AI execution: Recall and Click to Do rely on device‑side processing and Windows Hello gating, addressing earlier fears about cloud‑based surveillance. Opt‑in requirements and transparency controls help, though they don’t eliminate the fundamental concern of snapshot‑taking.
- Granular SMB hardening guidance: The audit tooling for CVE‑2025‑55234 lets admins test hardening incrementally, avoiding the blanket enforcement that can cripple legacy clients overnight.
Trade‑offs:
- Feature gating by hardware: The splashiest AI features are locked to Copilot+ PCs, which most businesses don’t yet own. This splits the Windows 11 user base into tiers and complicates internal communications: two employees running the same OS may have entirely different capabilities.
- Privacy remains sensitive: Even with local processing, Recall’s screen capture behavior will make compliance‑focused organizations uneasy. Many IT departments will disable it outright until they can complete formal risk assessments.
- Operational burden for admins: SMB hardening, ESU cost projections, and hardware refresh cycles all demand careful planning. A rushed migration to Windows 11 risks compatibility issues; a delayed one risks security gaps.
Walters captured the sentiment: “Windows 10 updates this cycle focus solely on security fixes and bug resolutions… In contrast, Windows 11 updates include the same security patches along with major feature enhancements. This contrast underscores Microsoft’s focus on Windows 11 as its platform for innovation, while Windows 10 shifts into maintenance mode.”
What to Do Now: A Practical Checklist
Whether you manage a corporate fleet or just your own PC, here’s how to respond:
For home users:
- Run Windows Update now. Install KB5065429 (Windows 10) or KB5065426 (Windows 11) and reboot.
- Check for updates inside any third‑party software that might embed Newtonsoft.Json (e.g., SQL Server Express, certain .NET applications) and apply vendor patches.
- Back up important files before any major system changes.
- If you’re on Windows 10, run Microsoft’s PC Health Check tool to see if your device can upgrade. If not, start planning for a new PC or budget for ESU.
For enterprise IT teams:
- Prioritize patching servers and any endpoint exposed to the internet. Use maintenance windows and have rollback plans ready.
- Deploy Microsoft’s new SMB audit tools to identify clients that would break under forced signing and extended protection. Plan a phased enforcement schedule.
- Evaluate Recall and Click to Do in a pilot ring. Decide whether to enable them fleet‑wide based on privacy and compliance needs. Update employee consent flows accordingly.
- Build a Windows 10 migration roadmap: inventory hardware against Windows 11 requirements, identify incompatible devices, and calculate ESU costs if migration cannot happen by October 14. Start hardware refreshes for high‑risk systems first.
The Road Ahead
September’s Patch Tuesday solidifies a trend that has been building all year: Windows 11 is the main stage for Microsoft’s ambitions, while Windows 10 quietly exits. With the October end‑of‑support date now only weeks away, the window for procrastination is closing. Install this month’s updates immediately—both zero‑days are serious and likely already being exploited—and make a concrete plan for your Windows 10 machines. ESU can buy time, but it’s not a substitute for a modern, actively supported operating system.
For Windows 11 users, the new AI features offer a glimpse of a more context‑aware, assistive PC. The hardware lock‑in is frustrating, but it also reflects a bet that local AI processing is the key to balancing capability with privacy. Whether that bet pays off will depend on how quickly Copilot+ hardware reaches the mainstream and how transparently Microsoft handles the data flowing through its on‑device models.
One thing is certain: the countdown to October 14 continues, and each Patch Tuesday will only sharpen the divide between those who have moved forward and those who are left behind.