KB5072753 is a late‑November hotpatch aimed at Windows 11 Enterprise and Windows Server 2025 devices on the 26200.x build line. It is an out‑of‑band security and quality update that rides on top of the current hotpatch cycle, bumps systems to OS Build 26200.7093, and comes bundled with the existing servicing stack update so you don’t have to stage components in a specific order.
What KB5072753 actually is
KB5072753 is part of the hotpatch stream for:
- Windows 11 Enterprise, version 25H2 and 24H2, when enrolled for Hotpatch.
- Windows Server 2025 Datacenter Azure Edition and other hotpatch‑enabled Server 2025 SKUs aligned to the 26200.x client build family.
Key properties:
| Property | Details |
|---|---|
| KB ID | KB5072753 |
| OS build after install | 26200.7093 |
| Release type | Hotpatch, out‑of‑band (OOB) |
| Release date | November 20, 2025 |
| Servicing stack | KB5067035, version 26100.7010 (bundled) |
| Restart behavior | Designed to apply without a reboot on hotpatch‑enrolled devices |
| Delivery | Windows Update, managed update services, and Microsoft Update Catalog |
| Vendor status | No known issues listed at release time |
Unlike the regular Patch Tuesday hotpatch (KB5068966, 26200.7092), this package is positioned as a quick follow‑up to correct behavior that surfaced immediately after that November hotpatch roll‑out.
Why KB5072753 exists: the November hotpatch reoffer bug
After the November 11 hotpatch (KB5068966) landed, some Windows 11 version 25H2 devices started to see the same hotpatch offered again on subsequent Windows Update scans. The reinstall did not break anything, but it cluttered update history and created confusion about compliance.
The symptoms were:
- KB5068966 appeared successfully installed.
- A later scan triggered another download and installation of KB5068966.
- Only the recorded install time changed; functionality remained intact.
KB5072753 is the corrective hotpatch that fixes this reoffer behavior. Once 26200.7093 is installed, Windows Update stops repeatedly reinstalling the November hotpatch on affected 25H2 devices.
The package also continues the usual pattern of “miscellaneous security improvements to internal OS functionality” with no additional user‑visible fixes documented. In practice that means it carries security and reliability hardening on top of the October baseline and the November hotpatch, but without feature changes.
How KB5072753 fits into the hotpatch cycle
Hotpatching is built around quarterly “baselines” that require a reboot, followed by two monthly hotpatches that apply without restarting. For Windows 11 Enterprise and Server 2025 in late 2025:
- October 14, 2025: baseline update for 25H2 / 24H2 and Server 2025; reboot required.
- November 11, 2025: first hotpatch on top of that baseline (KB5068966, 26200.7092).
- November 20, 2025: out‑of‑band hotpatch (KB5072753, 26200.7093) to fix the reoffer quirk.
The servicing stack remains KB5067035 (26100.7010) for this cycle. That stack update has already been used for several October and November Windows 11 / Server 2025 releases, and KB5072753 simply reuses it instead of introducing a new servicing stack.
Note: Hotpatching only applies when devices are correctly enrolled, meet prerequisites, and are on the supported builds. Devices outside that track continue to receive standard cumulative updates with reboots.
Prerequisites for client hotpatch (Windows 11 25H2 / 24H2)
Client hotpatch is not a consumer feature; it is limited to specific enterprise SKUs and configurations. Before expecting KB5072753 to show up on Windows 11 client devices, the environment has to meet these conditions:
| Requirement | Minimum |
|---|---|
| Edition | Windows 11 Enterprise, version 25H2 or 24H2 |
| Build | 26100.4929 or later before enrolling for hotpatch |
| Licensing | Windows 11 Enterprise E3/E5, Microsoft 365 F3, Windows 11 Education A3/A5, Microsoft 365 Business Premium, or Windows 365 Enterprise |
| Management | Microsoft Intune with a Windows quality update policy that has hotpatch enabled |
| Security baseline | Virtualization-based security (VBS) enabled |
| CHPE setting (ARM64 only) | Compiled Hybrid PE (CHPE) disabled |
CHPE must be turned off on ARM64 clients because the compatibility layer conflicts with the way hotpatch instruments binaries in memory. There are two supported ways to disable it:
- Using the `DisableCHPE` setting in System Policy CSP via Intune or another MDM, then reboot once.
- Setting the registry value `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\HotPatchRestrictions = 1` and restarting the device.
Once CHPE is disabled and the device is on a supported build with the hotpatch baseline, Intune can enroll it in a hotpatch‑enabled quality update policy. In that policy, the critical setting is allowing “apply without restarting the device” for hotpatch‑eligible updates.
The official “prerequisites” and enrollment flows for client hotpatch are documented in the Windows Autopatch Hotpatch updates section on Microsoft Learn, and hotpatch release notes for Windows 11 Enterprise version 25H2 link out to those requirements.
How KB5072753 is packaged and delivered
KB5072753 uses combined servicing stack + hotpatch packaging. That means:
- Windows Update automatically includes SSU KB5067035 when offering the hotpatch if it is not already present.
- Admin tools that pull the MSU package from the Microsoft Update Catalog can either take the single combined package or, where separate SSU and LCU components exist for a SKU, must install the SSU first.
Delivery channels look like this:
| Channel | Availability for KB5072753 | Typical use |
|---|---|---|
| Windows Update / Microsoft Update | Offered automatically to eligible hotpatch‑enrolled devices | Most cloud‑managed clients and Azure‑connected servers |
| Managed services (Intune, ConfigMgr, Autopatch) | Surfaced as a quality update that can be approved or scheduled | Enterprise desktops and Virtual Desktop Infrastructure (VDI) |
| Microsoft Update Catalog | Standalone MSU/CAB for manual deployment and offline media | Disconnected networks, gold image servicing |
| WSUS | Available where hotpatch streams are supported for the product | On‑premises server fleets, including Windows Server 2025 Datacenter Azure Edition |
For catalog downloads, admins search for “KB5072753” on the Microsoft Update Catalog site. When multiple MSU files appear for a given product, the recommended approach is to download all KB5072753 MSUs for that product into a single folder and let DISM discover and apply prerequisites automatically:
```
DISM /Online /Add-Package /PackagePath:C:\Packages\Windows11.0-KB5072753-x64.msu
```
On offline images, the same pattern applies with the /Image or -Path switch pointing to the mount directory. This approach lines up with how other recent out‑of‑band fixes such as KB5070773 are deployed to Windows 11 and Windows Server 2025 images.
Enterprise deployment checklist for KB5072753
Most organizations will treat KB5072753 as a targeted emergency fix with a fast but controlled ring‑based rollout. A straightforward sequence looks like this:
| Step | Action | Why it matters |
|---|---|---|
| 1. Inventory | List all hotpatch‑enrolled Windows 11 and Server 2025 devices on the 26200.x build family. | Defines the scope of systems that should see KB5072753. |
| 2. Confirm stack | Verify presence of SSU KB5067035 (26100.7010) or allow Windows Update to deliver it with the hotpatch. | Prevents servicing failures caused by outdated stack components. |
| 3. WSUS and update infrastructure | Update WSUS catalogs and confirm KB metadata and targeting groups before wide approval. | Avoids mis‑targeting problems that previously knocked some hosts off the hotpatch cadence. |
| 4. Pilot ring | Deploy KB5072753 to a small, representative set of devices (mix of hardware and workloads) and monitor for 24–72 hours. | Gives early warning of any app‑ or workload‑specific issues. |
| 5. Broad deployment | Roll out to the rest of the hotpatch fleet in phases, prioritizing critical infrastructure and high‑availability systems. | Closes the reoffer bug and brings all devices to a consistent 26200.7093 build. |
| 6. Validate state | Use winver or dism /online /get-packages to confirm OS build and KB5072753 presence. | Ensures that the update completed and the device remains on the hotpatch stream. |
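The prerequisite table earlier and the step 6 validation can be combined into one per-device check. The following is an added example, not Microsoft's tooling: the function name `Get-HotpatchState` is hypothetical, the build, KB ID and registry value are taken from this article, and it assumes the KB is visible to `Get-HotFix` (the build comparison is the primary signal).

```powershell
# Added example: per-device hotpatch readiness and KB5072753 validation.
# Run in an elevated PowerShell session on the device being checked.
function Get-HotpatchState {
    param(
        [version]$TargetBuild = '26200.7093',  # OS build after install (from the article)
        [string]$KbId = 'KB5072753'            # KB ID (from the article)
    )

    # Build and revision, the same pair winver displays as "OS Build".
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [version]('{0}.{1}' -f $cv.CurrentBuild, $cv.UBR)

    # VBS status from the Device Guard WMI class:
    # 0 = not enabled, 1 = enabled but not running, 2 = enabled and running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
              -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $vbsRunning = ($null -ne $dg) -and ($dg.VirtualizationBasedSecurityStatus -eq 2)

    # CHPE matters on ARM64 only. This reads the registry value named in the
    # article; it does not inspect MDM policy state directly.
    $isArm64 = $env:PROCESSOR_ARCHITECTURE -eq 'ARM64'
    $mmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $mm = Get-ItemProperty $mmKey -ErrorAction SilentlyContinue
    $chpeOk = (-not $isArm64) -or ($mm.HotPatchRestrictions -eq 1)

    # Secondary signal: the KB in the installed-updates list. Assumption: an
    # absent entry is not conclusive on its own, so the build check decides.
    $kb = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        EditionId       = $cv.EditionID
        OsBuild         = $build.ToString()
        AtOrAboveTarget = $build -ge $TargetBuild
        KbListed        = [bool]$kb
        VbsRunning      = $vbsRunning
        Arm64           = $isArm64
        ChpeDisabledOk  = $chpeOk
    }
}

Get-HotpatchState | Format-List
```

A device that reports `AtOrAboveTarget = False`, or `VbsRunning = False` while it is supposed to be hotpatch-enrolled, is a candidate for the mis-targeting and eligibility review discussed below.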
For Windows Server 2025 and WSUS specifically, recent history is relevant. An earlier WSUS out‑of‑band security fix (CVE‑2025‑59287) briefly shipped with incorrect targeting and caused a set of Server 2025 hosts to switch off the hotpatch track by installing the wrong package. The remediation then required pause/unpause steps and future baseline re‑enrollment to restore hotpatch eligibility. That incident turned WSUS into a “crown jewel” asset from a servicing perspective: it needs strict hardening, tight approval workflows, and careful metadata checks whenever an OOB cumulative or hotpatch appears.
KB5072753 does not itself change WSUS behavior, but its out‑of‑band nature means update administrators should treat targeting with the same caution they now apply to WSUS‑related hotpatches and OOB packages.
Risks and trade‑offs with out‑of‑band hotpatches
Hotpatching is attractive because it removes many reboots from the calendar, particularly for:
- High‑availability clusters and backend services.
- Remote Desktop Session Hosts and VDI farms.
- Critical on‑premises workloads where restart windows are expensive.
But the same mechanisms that enable restart‑free delivery also introduce fragility in a few ways:
- Servicing state stickiness. Hotpatch enrollment is tied to specific baselines and update identities. Installing the wrong cumulative at the wrong time can switch a device off the hotpatch track and back onto standard monthly LCUs with reboots.
- Channel complexity. Baselines, LCUs, SSUs, hotpatch streams, and out‑of‑band updates now all interact. Administrators have to decide not only what to deploy, but when and through which channel.
- Opaque impact statements. Vendor language such as “a very limited number of hosts” is not enough for large fleets; enterprises still need their own telemetry to know exactly which devices are affected by anomalies or mis‑targeted packages.
Within that context, KB5072753 is a relatively straightforward update: it fixes a specific annoyance in the hotpatch reoffer logic, carries additional internal security hardening, and retains the known servicing stack that has been used across multiple recent releases. The main operational challenge is less about the content of the patch and more about preserving hotpatch eligibility and avoiding mis‑targeting when deploying yet another out‑of‑band package.
For organizations already committed to hotpatch on Windows 11 and Windows Server 2025, KB5072753 is the clean‑up step that stabilizes the November wave. Once it is piloted and deployed through the normal rings, fleet operators regain a quiet update history, a consistent 26200.7093 build across hotpatch devices, and a smoother runway into the next quarterly baseline.
via: Microsoft