KB5084597: Windows 11 25H2/24H2 March 13, 2026 Hotpatch Out-of-Band (OS Builds 26200.7982 and 26100.7982)

Summary

This is an out-of-band hotpatch security update for Windows 11, versions 25H2 and 24H2, released on March 13, 2026, resulting in OS Builds 26200.7982 and 26100.7982. It targets hotpatch-enabled devices and installs without requiring a restart. The update addresses security vulnerabilities in the Windows Routing and Remote Access Service (RRAS) management tool. See Microsoft Support for full details.

Improvements and fixes

• [Networking] Resolves a security vulnerability in the Windows Routing and Remote Access Service (RRAS) management tool. A connection to a malicious remote server could allow an attacker to crash the tool or execute arbitrary code on the affected device. The fix covers three CVEs: CVE-2026-25172, CVE-2026-25173, and CVE-2026-26111.

Note: This hotpatch update is offered only to hotpatch-enabled devices. Devices receiving standard Windows updates require no action. The update installs and takes effect without a device restart.

Known issues

Signing in with a Microsoft account might fail for Teams Free and other apps

Symptom: After installing this update, sign-in to apps that use a Microsoft account may fail. Even on devices with a working internet connection, an error message indicating no internet connection can appear, blocking access to services such as Microsoft Teams Free and OneDrive. Other affected applications include, but are not limited to, Microsoft Edge, Excel, Word, and Microsoft 365 Copilot - any time a feature in those apps requires signing in with a Microsoft account. Note: only Microsoft account sign-ins are affected; organizations using Microsoft Entra ID for app authentication are not impacted.

Workaround: This issue is addressed in KB5085518.

How to get this update

Before you install: Microsoft bundles the latest servicing stack update (SSU) with this hotpatch. If you are using Windows Update, the SSU installs automatically alongside this update. The SSU for this release is KB5083532, version 26100.8035.

Installation channels:

• Windows Update - The update downloads and installs automatically.
• Microsoft Update Catalog - Available for manual download.
• Server Update Services (WSUS) - Available through this channel as well.

Arm64-specific prerequisite steps: Hotpatch is now generally available for Windows 11, version 25H2 and 24H2 on Arm64 devices. To use it, devices must meet these requirements:

• Windows 11 Enterprise, version 25H2 or 24H2 (Build 26100.4929 or later) with the current baseline update installed.
• Microsoft Intune with a Hotpatch-enabled Windows quality update policy.
• An eligible license: Windows 11 Enterprise E3 or E5, Microsoft 365 F3, Windows 11 Education A3 or A5, Microsoft 365 Business Premium, or Windows 365 Enterprise.
• Virtualization-based security (VBS) enabled.
• Compiled Hybrid PE (CHPE) disabled.

To disable CHPE, apply the CSP setting ./Device/Vendor/MSFT/Policy/Config/Hotpatch/DisableCHPE = 1 via Intune or Group Policy, or set the registry key HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\HotPatchRestrictions = 1, then restart the device once. After that, enroll devices by creating or editing a Windows quality update policy in the Intune admin center and setting the automatic update deployment option "When available, apply without restarting the device" to Allow.

Frequently asked questions

Does this hotpatch require a restart to take effect?

No. This hotpatch installs and takes effect without requiring a device restart, which is the core benefit of the hotpatch mechanism. Standard update recipients - those not enrolled in a hotpatch policy - are unaffected by this release and do not need to take any action.

Which devices receive this hotpatch update?

Only hotpatch-enabled devices receive KB5084597. Eligibility requires Windows 11 Enterprise version 25H2 or 24H2, a supported license such as Windows 11 Enterprise E3 or E5, VBS enabled, CHPE disabled, and enrollment in a Hotpatch-enabled quality update policy through Microsoft Intune.

What security issues does this update fix?

The update fixes three security vulnerabilities in the Windows Routing and Remote Access Service (RRAS) management tool, tracked as CVE-2026-25172, CVE-2026-25173, and CVE-2026-26111. Exploitation requires a connection to a malicious remote server, after which an attacker could crash the tool or run code on the device.

How do I fix the Microsoft account sign-in failure introduced by this update?

Install KB5085518, which directly addresses the known sign-in issue. The problem affects Microsoft account-based authentication in apps such as Teams Free, OneDrive, Edge, Excel, Word, and Microsoft 365 Copilot. Organizations using Microsoft Entra ID for authentication are not affected by this issue.