Microsoft has taken the proactive step of issuing an unscheduled update for Windows 11, designated as KB5068221. This update primarily addresses complications users have encountered with Microsoft Office applications operating in virtualized environments. For those affected, the resolution offered by this update serves as a compelling reason to proceed with its installation.
Details of the Update
Beyond rectifying the Office-related issues, Microsoft has used this update to describe a workaround for a problem associated with the Server Message Block (SMB) v1 protocol. The KB5068221 update is cumulative, incorporating all security fixes and enhancements from the KB5065426 update released earlier this month. In the release notes, Microsoft describes this out-of-band update as encompassing “quality improvements.”
Delving deeper into the specifics, Microsoft outlines the particular issue addressed by the update:
[Virtualization and platform compatibility] Fixed: This update addresses an issue that affects Microsoft Office applications running in Microsoft Application Virtualization (App-V) environments. The failure occurred due to a double handle closure in the AppVEntSubsystems32 or AppVEntSubsystems64 system component.
While the Office complications are significant, they are not the sole challenges introduced by the September updates for Windows 11. Another notable issue pertains to the SMB v1 protocol on NetBIOS over TCP/IP. Although this protocol is considered deprecated, it continues to be utilized by many, and the resulting disruptions have not gone unnoticed. Although a definitive fix is still forthcoming, Microsoft has shared valuable guidance in the release notes for the KB5068221 update.
The company elaborates on the connectivity issues with the SMBv1 protocol:
Symptoms
After installing this Windows update released on or after September 9, 2025, you might fail to connect to shared files and folders using the Server Message Block (SMB) v1 protocol on NetBIOS over TCP/IP (NetBT). This issue can occur if either the SMB client or the SMB server has the September 2025 security update installed.
Note: The SMBv1 protocol is deprecated and no longer installed by default in modern versions of Windows and Windows Server. Deployments that use newer versions of the protocol, SMBv2 or SMBv3, are not affected by this problem.
To mitigate the connectivity issues, Microsoft suggests a workaround:
You can work around this issue by allowing network traffic on TCP port 445. By doing so, the Windows SMB connection will automatically switch to using TCP instead of NetBT, allowing the connection to resume successfully.
While a timeline for a comprehensive fix remains unspecified, Microsoft assures users that a resolution is in development. The company states, “We are working on a resolution in a future Windows update and will provide more information when it is available.”
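To confirm that a machine matches the condition described above before changing firewall rules, the following added example (not part of Microsoft's release notes) checks which SMB transports are reachable and whether the SMBv1 feature is enabled. The server name `fileserver01`, the function name and the `LikelyAffected` heuristic are assumptions made for illustration.

```powershell
# Added example, not from Microsoft's release notes. Run from an elevated prompt.
# Assumption: 'fileserver01' is a placeholder for the SMB server that became unreachable.
function Get-SmbTransportStatus {
    param([Parameter(Mandatory)][string]$ComputerName)

    # 445 = SMB directly over TCP; 139 = NetBIOS session service used by NetBT.
    $tcp445 = (Test-NetConnection -ComputerName $ComputerName -Port 445 `
        -WarningAction SilentlyContinue).TcpTestSucceeded
    $tcp139 = (Test-NetConnection -ComputerName $ComputerName -Port 139 `
        -WarningAction SilentlyContinue).TcpTestSucceeded

    # Dialect negotiated on any session currently open to the server.
    $dialects = @(Get-SmbConnection -ServerName $ComputerName -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Dialect -Unique)

    # Whether the deprecated SMBv1 optional feature is enabled on this machine.
    $smb1 = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State

    [pscustomobject]@{
        Server         = $ComputerName
        Tcp445Open     = $tcp445
        Tcp139Open     = $tcp139
        OpenDialects   = $dialects -join ', '
        Smb1Feature    = "$smb1"
        # Heuristic (assumption): SMBv1 enabled and only the NetBT port reachable.
        LikelyAffected = ("$smb1" -eq 'Enabled') -and $tcp139 -and (-not $tcp445)
    }
}

Get-SmbTransportStatus -ComputerName 'fileserver01' | Format-List
```

If `LikelyAffected` is true, the workaround applies to the path between this client and that server; scoping the TCP 445 allow rule to those two hosts keeps the exposure limited to the connection that needs it.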
For those looking to obtain the KB5068221 update, it is available for download from the Microsoft Update Catalog. It is important to note that the update comprises one or more MSU files that require installation in a specific sequence. Microsoft has provided the following instructions:
Method 1: Install all MSU files together
Download all MSU files for KB5068221 from Microsoft Update Catalog and place them in the same folder (for example, C:/Packages). Use Deployment Image Servicing and Management (DISM.exe) to install the target update. DISM will use the folder specified in PackagePath to discover and install one or more prerequisite MSU files as needed.
Updating Windows PC
To apply this update to a running Windows PC, run the following command from an elevated Command Prompt:
DISM /Online /Add-Package /PackagePath:c:\packages\Windows11.0-KB5068221-x64.msu
Or, run the following command from an elevated Windows PowerShell prompt:
Add-WindowsPackage -Online -PackagePath "c:\packages\Windows11.0-KB5068221-x64.msu"
Updating Windows Installation media
To apply this update to Windows Installation media, see Update Windows installation media with Dynamic Update.
Note: When downloading other Dynamic Update packages, ensure they match the same month as this KB. If the SafeOS Dynamic Update or Setup Dynamic Update is not available for the same month as this KB, use the most recently published version of each.
To add this update to a mounted image, run the following command from an elevated Command Prompt:
DISM /Image:mountdir /Add-Package /PackagePath:Windows11.0-KB5068221-x64.msu
Or, run the following command from an elevated Windows PowerShell prompt:
Add-WindowsPackage -Path "c:\offline" -PackagePath "Windows11.0-KB5068221-x64.msu" -PreventPending
Method 2: Install each MSU file individually in order
Download and install each MSU file individually using DISM or Windows Update Standalone Installer in the following order:
- windows11.0-kb5043080-x64_953449672073f8fb99badb4cc6d5d7849b9c83e8.msu
- windows11.0-kb5068221-x64_6640d1a7a2a393bd2db6f97b7eb4fe3907806902.msu
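Method 2 can be scripted so that each download is checked before anything is installed. This is an added example, not part of Microsoft's instructions; it assumes both files were saved to C:\Packages and that the 40-hex-digit suffix in each catalog file name is the SHA-1 hash of the file. The function name `Test-CatalogHash` is hypothetical.

```powershell
# Added example, not from Microsoft's release notes. Run from an elevated PowerShell prompt.
# Assumption: both MSU files were downloaded to C:\Packages.
# Assumption: the 40-hex-digit suffix in each catalog file name is the file's SHA-1 hash.
$ErrorActionPreference = 'Stop'
$packageDir = 'C:\Packages'

# Install order from Method 2: prerequisite first, then the target update.
$ordered = @(
    'windows11.0-kb5043080-x64_953449672073f8fb99badb4cc6d5d7849b9c83e8.msu',
    'windows11.0-kb5068221-x64_6640d1a7a2a393bd2db6f97b7eb4fe3907806902.msu'
)

function Test-CatalogHash {
    param([Parameter(Mandatory)][string]$Path)

    # Pull the expected hash out of the file name.
    $name = [IO.Path]::GetFileNameWithoutExtension($Path)
    $m = [regex]::Match($name, '_([0-9a-fA-F]{40})$')
    if (-not $m.Success) { throw "No SHA-1 suffix in file name: $Path" }

    # Compare it with the hash of the bytes actually on disk (case-insensitive).
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA1).Hash
    return $actual -ieq $m.Groups[1].Value
}

# Verify every package before changing the system, so a truncated or
# tampered download stops the run with nothing half-installed.
$paths = foreach ($file in $ordered) {
    $p = Join-Path $packageDir $file
    if (-not (Test-Path -LiteralPath $p)) { throw "Missing package: $p" }
    if (-not (Test-CatalogHash -Path $p)) { throw "Hash mismatch: $p" }
    $p
}

foreach ($p in $paths) {
    Write-Host "Installing $p"
    Add-WindowsPackage -Online -PackagePath $p -NoRestart | Out-Null
}
Write-Host 'All packages installed. Restart to complete the update.'
```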