Microsoft has pushed out a new Windows 11 update called KB5084597, and it’s a little different from the typical monthly Patch Tuesday bundle. This is an out-of-band hotpatch aimed at closing a specific security hole, and it’s designed to install quietly in the background without forcing a reboot. The update was published on March 13, 2026, and it moves eligible devices to Windows 11 OS Build 26200.7982 (version 25H2) and 26100.7982 (version 24H2).
What KB5084597 fixes: an RRAS security vulnerability
KB5084597 targets a security issue in the Windows Routing and Remote Access Service (RRAS) management tool. Microsoft warns that if a user connects to a malicious remote server, an attacker could potentially disrupt the RRAS management tool or execute code on the affected device.
The hotpatch addresses vulnerabilities tracked as CVE-2026-25172, CVE-2026-25173, and CVE-2026-26111. Because Microsoft’s changelog focuses only on this networking-related security fix, it’s clear this release is meant to shut down the RRAS issue quickly rather than introduce additional non-security changes.
This Windows 11 hotpatch won’t appear on most home PCs
Even though it’s an important security fix, KB5084597 isn’t being delivered as a universal consumer update. Microsoft says it’s offered only to hotpatch-enabled devices. If your PC receives Windows updates the standard way, you don’t need to do anything—this hotpatch isn’t intended for that path.
On qualifying systems, the update installs automatically through Windows Update and, importantly, it applies without requiring a restart. That’s one of the key reasons hotpatch exists: it reduces downtime and helps organizations roll out security fixes with less disruption.
Hotpatch is built for managed enterprise environments
Microsoft positions hotpatch as a monthly security update approach that avoids reboots to improve update compliance while minimizing interruptions. However, it comes with requirements. Hotpatch requires Windows Autopatch and is intended for managed devices enrolled under the right quality update policy—so it’s mainly designed for enterprise and organizational IT environments.
Hotpatch expansion: more support for Arm64 Windows 11 devices
In the same update notes, Microsoft also states that hotpatch is now generally available for Windows 11 25H2 and 24H2 on Arm64 devices, but only for systems that meet specific prerequisites. For Arm64 hardware, Microsoft lists requirements that include Windows 11 Enterprise, Intune with a hotpatch-enabled policy, an eligible license, virtualization-based security enabled, and compiled hybrid PE disabled.
In practical terms, that means this update matters most to IT administrators managing fleets of Windows 11 devices—especially those prioritizing fast security response without interrupting employees with reboots.
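For administrators checking a hotpatch-enabled fleet against the builds named above, the following PowerShell is an added example, not Microsoft's or the article's own tooling. It compares build strings with the 26200.7982 and 26100.7982 baselines from the article; the function names, device names and inventory rows are constructed for illustration, and it assumes the inventory lists only hotpatch-enabled devices.

```powershell
# Patched hotpatch builds from the article: build number -> minimum revision (UBR).
$Kb5084597Baseline = @{ 26200 = 7982; 26100 = 7982 }

# Hypothetical helper: classify one "build.revision" string against the baseline.
function Test-Kb5084597Build {
    param([Parameter(Mandatory)][string]$Build)   # e.g. "26100.7982"
    if ($Build -notmatch '^(\d+)\.(\d+)$') {
        # Inventory exports often contain blanks or free text; flag, do not guess.
        return [pscustomobject]@{ Build = $Build; Status = 'Unparseable' }
    }
    $major = [int]$Matches[1]
    $ubr   = [int]$Matches[2]
    if (-not $Kb5084597Baseline.ContainsKey($major)) {
        $status = 'NotApplicable'            # not a 24H2/25H2 build covered by this KB
    } elseif ($ubr -ge $Kb5084597Baseline[$major]) {
        $status = 'AtOrAbovePatchedBuild'
    } else {
        $status = 'BelowPatchedBuild'
    }
    [pscustomobject]@{ Build = $Build; Status = $status }
}

# Hypothetical helper: read the running build of the local device from the registry.
function Get-LocalBuild {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    '{0}.{1}' -f $cv.CurrentBuild, $cv.UBR
}

# Constructed inventory rows (not real devices); only 7982 comes from the article.
$inventory = @(
    [pscustomobject]@{ Device = 'LAB-01'; Build = '26200.7982' }
    [pscustomobject]@{ Device = 'LAB-02'; Build = '26100.7840' }
    [pscustomobject]@{ Device = 'LAB-03'; Build = '22631.5000' }
    [pscustomobject]@{ Device = 'LAB-04'; Build = 'unknown' }
)

# Fleet view: one row per device with its classification.
$inventory | ForEach-Object {
    $result = Test-Kb5084597Build -Build $_.Build
    [pscustomobject]@{ Device = $_.Device; Build = $_.Build; Status = $result.Status }
} | Format-Table -AutoSize

# Single-device view, run locally on the machine being checked.
Test-Kb5084597Build -Build (Get-LocalBuild)
```

Devices reported as BelowPatchedBuild are the ones to follow up on in the hotpatch policy; Unparseable rows point to gaps in the inventory data rather than to patch state.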
No known issues reported so far
At the time of release, Microsoft reports no known issues with KB5084597. That’s notable for an out-of-band Windows security update, particularly one that touches networking and remote access components—areas where organizations are often cautious about unexpected side effects.
If problems do show up during deployment, Microsoft notes that issues can be reported through the Windows Feedback Hub.






