KB5089466: Windows 11 May 2026 Hotpatch (OS Builds 26200.8390 and 26100.8390)

Summary

This is a hotpatch security update for Windows 11, versions 25H2 and 24H2, releasing on May 12, 2026 and producing OS builds 26200.8390 and 26100.8390. It applies to Windows 11 Enterprise LTSC 2024 and includes security and quality improvements. Full details are available from Microsoft Support.

Highlights

• A connectivity reliability fix for Simple Service Discovery Protocol (SSDP) notifications.
• A rendering fix for the Remote Desktop Connection security warning dialog in multi-monitor configurations with different display scaling.

Improvements and fixes

• Connectivity: The update improves the reliability of SSDP notifications to help prevent the SSDP service from becoming unresponsive.
• Remote Desktop: The update resolves a problem with the Remote Desktop Connection security warning dialog, which could display incorrectly in multi-monitor setups where the monitors used different scaling settings.

Note: Hotpatch is now generally available for Windows 11, version 25H2 and 24H2 on Arm64 devices. To get started, verify prerequisites, disable Compiled Hybrid PE (CHPE), and enroll devices in a quality update policy with Hotpatch enabled.

Known issues

Microsoft lists no known issues for this update at the time of writing.

How to get this update

Before installing

Microsoft bundles the latest servicing stack update (SSU) for your operating system together with this hotpatch update. If you are using Windows Update, the latest SSU installs automatically alongside this update. The associated SSU is KB5092762, version 26100.8456.

Installation channels

• Windows Update / Microsoft Update: The update downloads and installs automatically. No manual steps are required.
• Microsoft Update Catalog: Available for manual download. Select "See the other options" from the release channel table on the support page.
• Windows Server Update Services (WSUS): Available for manual deployment. Select "See the other options" from the release channel table on the support page.

Arm64 prerequisites

To use hotpatch updates on Arm64 devices, the following requirements must be met:

• Windows 11 Enterprise, version 25H2 or 24H2 (build 26100.4929 or later) with the current baseline update installed.
• Microsoft Intune with a Hotpatch-enabled Windows quality update policy.
• An eligible license: Windows 11 Enterprise E3 or E5, Microsoft 365 F3, Windows 11 Education A3 or A5, Microsoft 365 Business Premium, or Windows 365 Enterprise.
• Virtualization-based security (VBS) enabled.
• Compiled Hybrid PE (CHPE) disabled.

To disable CHPE, apply the CSP setting ./Device/Vendor/MSFT/Policy/Config/Hotpatch/DisableCHPE = 1 via Microsoft Intune or Group Policy, or set the registry value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\HotPatchRestrictions = 1, then restart the device once.

Secure Boot certificate notice

Secure Boot certificates used by most Windows devices are set to expire starting in June 2026. Microsoft has been updating these certificates on consumer and non-managed business devices. Devices that have not yet received the newer certificates will continue to start and operate normally, and standard Windows updates will continue to install. Microsoft will continue to push the newer certificates via Windows Update in the coming months. IT administrators should follow the guidance in the Secure Boot Playbook for Windows clients and Windows Server.

Frequently asked questions

What is a hotpatch update and how does it differ from a standard cumulative update?

A hotpatch update delivers security fixes without requiring an immediate device restart. The patches apply to in-memory code on a running system. Microsoft releases hotpatch updates on a defined cycle alongside standard baseline updates, which do require a restart and establish the code base that future hotpatches build on.

Do I need to install the servicing stack update separately before applying KB5089466?

No. Microsoft bundles the latest SSU (KB5092762, version 26100.8456) with this hotpatch update. If you install through Windows Update, the SSU applies automatically. For catalog or WSUS deployments, verify the file information listed on the support page to confirm SSU inclusion.

Which devices and license types are eligible to receive hotpatch updates on Arm64?

Arm64 devices must run Windows 11 Enterprise version 25H2 or 24H2 at build 26100.4929 or later, have VBS enabled, have CHPE disabled, and be enrolled via Microsoft Intune with a Hotpatch-enabled quality update policy. Eligible licenses include Windows 11 Enterprise E3 or E5, Microsoft 365 F3, Windows 11 Education A3 or A5, Microsoft 365 Business Premium, and Windows 365 Enterprise.

Should I be concerned about the upcoming Secure Boot certificate expiration in June 2026?

For most environments, Microsoft is handling certificate renewal automatically through Windows Update. Devices that have not yet received the updated certificates will still start and operate normally. IT administrators managing enterprise or server environments should consult the Secure Boot Playbook for Windows clients and Windows Server and check device status through the Windows Security app.