Microsoft’s September 2025 Patch Tuesday for Windows 11 version 24H2 is live. The cumulative update KB5065426 advances systems to OS Build 26100.6584 and folds in security fixes plus quality improvements from the late-August preview. It also refreshes on-device AI components for Copilot+ hardware.

Why this update matters

  • Security-first release. KB5065426 is a cumulative security update that also carries forward non-security fixes shipped in August’s optional preview.
  • Secure Boot deadlines are on the horizon. Certificates used by most Windows devices begin expiring in June 2026. Microsoft recommends preparing now; the guidance and steps are outlined in the company’s advisory.
  • AI components update (Copilot+ PCs only). Image Search, Content Extraction, Semantic Analysis, and the Settings Model are updated (v1.2508.906.0). These are included in the LCU but only apply on Copilot+ devices.

What KB5065426 changes

Microsoft calls out the following fixes and changes in the release notes:

  • MSI repairs and UAC prompts. Fixes unexpected User Account Control prompts seen by non-admin users during Windows Installer (MSI) repair scenarios that use custom actions. The change also enables IT to allowlist specific apps to suppress UAC during MSI repairs. Details and mitigation options are in Microsoft’s support article.
  • SMB readiness auditing. Adds auditing to assess SMB client compatibility for SMB Server signing and Extended Protection for Authentication (EPA) ahead of hardening. Guidance is tied to CVE‑2025‑55234.
  • Input reliability. Resolves app hangs in some input method scenarios.
  • IIS Manager modules. Fixes missing Internet Information Services modules in IIS Manager that blocked configuration through the UI.
  • NDI audio stutter. Addresses audio issues in apps using Network Device Interface (e.g., OBS Studio with Display Capture) introduced after the August update.

Under the hood, KB5065426 also includes the servicing stack update (SSU) KB5064531 (build 26100.5074) to keep the update engine reliable.

Features you may see rolling out

Alongside the fixes above, Microsoft is continuing a staged rollout of several Windows 11 24H2 features. Availability varies by region, hardware, and feature flighting:

  • A larger clock with seconds in the Notification Center.
  • Lock screen widget selection and reordering.
  • Image results in a grid view in Windows Search.
  • Widgets board updates with multiple dashboards.
  • Refreshed Windows Hello sign-in visuals.
  • A new Recall homepage on Copilot+ PCs, plus an in-app tutorial for Click to Do.

Tip: New experiences often arrive behind server-side controls. If you don’t see them immediately after installing the update, that’s expected.

Known issue: PSDirect fails on some hotpatched setups

Microsoft has an edge-case interaction for devices using Hotpatch: PowerShell Direct connections may intermittently fail when the host and guest VMs are not both fully updated, leaving sockets uncleared and logging Security Event ID 4625. The workaround is to install a follow-on security update on both host and guest. Microsoft directs impacted customers to KB5066360 and to update both sides before retrying PSDirect.

How to install KB5065426

The update is available through Windows Update, Windows Update for Business, and WSUS. If you need the offline package or must control install order on media or images, use the Update Catalog and DISM.

  • Windows Update: Settings > Windows Update > Check for updates (installs automatically).
  • Update Catalog: Download the package from the Microsoft Update Catalog.

Install on a running PC (elevated prompt):

DISM /Online /Add-Package /PackagePath:C:\Packages\Windows11.0-KB5065426-x64.msu

Add to an offline image:

DISM /Image:C:\mountdir /Add-Package /PackagePath:C:\Packages\Windows11.0-KB5065426-x64.msu

When multiple MSUs are required: if you are installing individually, Microsoft specifies the order on the release page. For this LCU, install the prerequisite then KB5065426:

windows11.0-kb5043080-x64_*.msu
windows11.0-kb5065426-x64_*.msu

If you prefer the Windows Update Standalone Installer, see Microsoft’s wusa documentation.

Can you uninstall it?

You can remove the latest cumulative update (LCU) using DISM by targeting the LCU package name, but you cannot remove the SSU once installed. Running wusa.exe /uninstall against the combined package won’t work because SSUs are non-removable. To enumerate package names:

DISM /Online /Get-Packages
DISM /Online /Remove-Package /PackageName:Package_for_RollupFix~31bf3856ad364e35~amd64~~26100.6584.1.x

If the update won’t install

Most devices will take the update normally. If you hit a generic installation error, these system repair steps are safe to try:

  • Ensure you have adequate free disk space and avoid interrupting the first reboot after install.
  • If repeated attempts fail, use Windows 11’s in-place repair with “Fix problems using Windows Update,” which keeps apps and files. Microsoft documents the process under “reinstalling the current version of Windows”.

Run component repair and file integrity checks:

DISM /Online /Cleanup-Image /RestoreHealth
sfc /scannow

Note: Some features arrive via controlled rollouts and may not appear immediately after a successful install.

Enterprise and Windows Server 2025 notes

The same KB number applies to Windows Server 2025, raising it to build 26100.6584. In addition to the security and SMB changes above, the server release includes admin‑facing updates—like a taskbar policy to prevent repinning specific apps, accessibility tweaks to mouse settings, and fixes for BitLocker on removable media, domain controller networking profiles, and a USB reconnect issue after sleep. Microsoft also reiterates that PowerShell 2.0 is no longer included. The full server changelog is in Microsoft’s support article.

Security release details

For CVE listings, severity, and exploitability notes, Microsoft publishes the monthly release at the Security Update Guide. KB5065426 also consolidates fixes from the 24H2 optional preview KB5064081.

Install KB5065426 promptly for its security content and targeted reliability fixes—from quieter MSI repair prompts to NDI audio behavior and IIS Manager visibility. If you manage SMB hardening or Hotpatch environments, use the new auditing to assess client readiness and apply the PSDirect workaround where applicable. And if you’re expecting UI flourishes or Recall updates, remember those features are on a staggered flighting schedule and may take time to reach your device.