Microsoft has released a late-November fix that many enterprise administrators won’t want to ignore. The new KB5072753 hotpatch targets Windows 11 Enterprise and Windows Server 2025 systems using the 26200.x build branch, resolving a problematic reoffer bug while delivering additional security hardening.
Unlike routine Patch Tuesday updates, this release is out-of-band (OOB) and applies without requiring a reboot on hotpatch-enrolled devices. It also arrives bundled with the existing servicing stack update (SSU) KB5067035, streamlining deployment and avoiding dependency issues.
What Is KB5072753?
KB5072753 is a special hotpatch issued on November 20, 2025, designed specifically for:
- Windows 11 Enterprise 25H2 and 24H2 (hotpatch-enrolled)
- Windows Server 2025 Datacenter Azure Edition and other compatible SKUs aligned to the 26200.x client build family
Key Technical Details
| Property | Details |
|---|---|
| KB ID | KB5072753 |
| Post-Install Build | 26200.7093 |
| Type | Out-of-band hotpatch (no reboot required) |
| Release Date | November 20, 2025 |
| Bundled SSU | KB5067035, version 26100.7010 |
| Delivery Channels | Windows Update, Intune/managed services, Microsoft Update Catalog |
| Vendor Notes | No known issues at release |
This hotpatch follows KB5068966 (26200.7092) from November 11, acting as a corrective release rather than introducing new visible features.
Why KB5072753 Was Released
After deployment of the November 11 hotpatch (KB5068966), some Windows 11 Enterprise 25H2 systems began seeing the same update offered repeatedly via Windows Update, even though it had already been installed.
Symptoms of the Reoffer Bug
- KB5068966 showed as successfully installed
- Windows Update continued reinstalling it
- Only the timestamp changed—no system behavior changed
KB5072753 fixes this reoffer loop, ensuring Windows Update does not repeatedly reinstall last month’s hotpatch.
Although the update doesn’t advertise user-visible improvements, it also includes additional security and reliability hardening, building on the October baseline.
Where KB5072753 Fits in the Hotpatch Lifecycle
Hotpatching follows a predictable cycle: a quarterly baseline that requires a reboot, followed by monthly hotpatches that install silently without restarts.
Timeline for Late 2025
| Date | Update |
|---|---|
| October 14, 2025 | Mandatory baseline for Windows 11 & Server 2025 |
| November 11, 2025 | Monthly hotpatch KB5068966 |
| November 20, 2025 | OOB hotpatch KB5072753 (reoffer fix) |
The servicing stack remains unchanged at KB5067035, already widely deployed.
Requirements for Hotpatch on Windows 11 Clients
Hotpatching is an enterprise-only capability, not meant for consumer editions. Before KB5072753 can deploy to client devices, the following must be in place:
| Requirement | Minimum Condition |
|---|---|
| Windows Edition | Windows 11 Enterprise 25H2 / 24H2 |
| Minimum Build | 26100.4929 |
| Licensing | Enterprise E3/E5, Education A3/A5, Business Premium, F3, Windows 365 Enterprise |
| Management | Intune policy with hotpatch enabled |
| Security | Virtualization-based security (VBS) on |
| ARM64 Only | CHPE (Compiled Hybrid PE) disabled |
Disabling CHPE on ARM64 Devices
Hotpatching can’t function with CHPE enabled. IT teams can disable it by:
- Using the DisableCHPE setting in Intune or another MDM and then rebooting, or
- Setting the following registry value:
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\HotPatchRestrictions = 1
Once CHPE is disabled and devices meet the baseline, they can be enrolled into a hotpatch policy configured to apply updates without rebooting.
How KB5072753 Is Distributed
The hotpatch uses a combined SSU + hotpatch package, ensuring the correct servicing stack is applied automatically.
Delivery Options
| Channel | Availability |
|---|---|
| Windows Update | Auto-delivery for enrolled devices |
| Intune/ConfigMgr/Autopatch | Managed approval and scheduling |
| Microsoft Update Catalog | Manual download for offline environments |
| WSUS | Available for supported Server 2025 hotpatch SKUs |
For manual deployment, Microsoft recommends placing all KB5072753 MSUs in one folder and letting DISM handle dependencies:
DISM /Online /Add-Package /PackagePath:C:\Packages\Windows11.0-KB5072753-x64.msu
The same approach applies to offline images, using DISM's /Image option or the -Path parameter of the PowerShell Add-WindowsPackage cmdlet.
Enterprise Deployment Checklist
Most organizations will deploy KB5072753 urgently, but with staged validation. A recommended workflow:
| Step | Task | Purpose |
|---|---|---|
| 1 | Inventory hotpatch-enrolled devices | Define patch scope |
| 2 | Verify SSU KB5067035 | Prevent servicing issues |
| 3 | Review WSUS metadata and approvals | Avoid mis-targeting |
| 4 | Pilot deployment | Detect anomalies early |
| 5 | Roll out broadly | Stabilize build consistency |
| 6 | Confirm OS build | Ensure device remains on hotpatch track |
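
One way to script the client prerequisites and the final build check from the checklist above, as an added PowerShell example that is not Microsoft's or this article's own code. The function names, the match on EditionID "Enterprise" and the reading of VBS status 2 (running) as "on" are assumptions; the build thresholds are the values given in the tables on this page, and the sample device is constructed.

```powershell
# Added example. Function names are hypothetical; thresholds come from the article's tables.
function Get-HotpatchFacts {
    # Collect the facts the requirements table cares about from the local device.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $mm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Edition              = $cv.EditionID
        Build                = [version]('{0}.{1}' -f $cv.CurrentBuildNumber, $cv.UBR)
        VbsStatus            = [int]$dg.VirtualizationBasedSecurityStatus  # 0 off, 1 enabled, 2 running
        Arch                 = $env:PROCESSOR_ARCHITECTURE
        HotPatchRestrictions = $mm.HotPatchRestrictions                    # $null when the value is absent
    }
}

function Test-HotpatchReadiness {
    param(
        [Parameter(Mandatory)] $Facts,
        [version] $MinBuild      = '26100.4929',   # minimum build from the requirements table
        [version] $ExpectedBuild = '26200.7093'    # post-install build listed for KB5072753
    )
    $checks = [ordered]@{
        'Enterprise edition (assumed EditionID)' = ($Facts.Edition -eq 'Enterprise')
        "Build >= $MinBuild"                     = ($Facts.Build -ge $MinBuild)
        'VBS running'                            = ($Facts.VbsStatus -eq 2)
        # CHPE only matters on ARM64; other architectures pass this check.
        'CHPE disabled (ARM64 only)'             = (($Facts.Arch -ne 'ARM64') -or ($Facts.HotPatchRestrictions -eq 1))
        "Build >= $ExpectedBuild"                = ($Facts.Build -ge $ExpectedBuild)
    }
    foreach ($c in $checks.GetEnumerator()) {
        [pscustomobject]@{ Check = $c.Key; Pass = [bool]$c.Value }
    }
}

# Constructed sample: an ARM64 device still on the November 11 hotpatch with CHPE enabled.
$sample = [pscustomobject]@{
    Edition = 'Enterprise'; Build = [version]'26200.7092'; VbsStatus = 2
    Arch = 'ARM64'; HotPatchRestrictions = $null
}
Test-HotpatchReadiness -Facts $sample | Format-Table -AutoSize

# On a real device, run: Test-HotpatchReadiness -Facts (Get-HotpatchFacts)
```

The sample device fails the CHPE check and the final build check and passes the other three. The expected build is a parameter because this page lists only the 26200.x value.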
Why Caution Matters
An earlier WSUS incident (CVE-2025-59287) caused Server 2025 systems to unintentionally leave the hotpatch track due to mis-targeted packages. Because of this history, KB5072753 should be approved with heightened scrutiny, even though it does not alter WSUS behavior directly.
Risks and Trade-Offs With Out-of-Band Hotpatching
Hotpatches save organizations time and reduce disruptive reboots, especially for:
- High-availability server clusters
- RDS/VDI environments
- Critical on-prem workloads
However, they introduce some challenges:
- Tight dependency on baselines
- Higher servicing complexity across channels
- Limited vendor transparency about impact scopes
KB5072753 is relatively clean in this regard—its primary function is to fix the update reoffer problem and reinforce security without changing servicing stacks or introducing a new baseline.
Final Thoughts
For organizations committed to Microsoft’s hotpatch model, KB5072753 is essential. It not only eliminates the November reoffer annoyance but also ensures a consistent 26200.7093 build across fleets, paving the way for a smooth transition to the next quarterly baseline.
By deploying this OOB hotpatch through controlled rings, enterprises can maintain uptime, reduce patch uncertainty, and keep update histories clean heading into 2026.