This May 2025 Patch Tuesday, Windows administrators, particularly those managing Windows 11 environments with Intune, face another round of critical updates and security advisories. This month sees a continued focus on enhancing Windows 11 security and functionality, with notable KBs addressing a range of issues, including the expanding hotpatch capability. We’ll break down the key updates from this month’s KB releases and the pressing vulnerabilities from recent security reports to help you prioritize your patching strategy, especially when leveraging Intune for deployment.

Key Concerns for May 2025:

  • Windows 11 & Server Hotpatching: The rollout of eligible Windows 11 Enterprise and Windows Server systems has been continued, emphasizing hotpatch updates to minimize reboots.
  • Actively Exploited Vulnerabilities: Multiple CVEs are reported as actively exploited, requiring immediate attention for your Windows 11 deployments.
  • Intune Management: Ensuring your Intune policies are optimized for efficient and timely deployment of these critical patches across your Windows 11 fleet.

KB Report Highlights: Focus on Windows 11 Stability, Hotpatch, and Intune Considerations

This month’s Knowledge Base updates include several important fixes and a few notable feature enhancements, emphasizing Windows 11 and the hot patch mechanism.

  • KB5058411 (OS Build 26100.4061) – Windows 11, version 24H2: 
    • Focus: This is a significant cumulative update for the latest Windows 11 version.
    • Details: This update addresses multiple security vulnerabilities (detailed in the Security Report below) and includes non-security improvements aimed at enhancing OS stability and performance on Windows 11. Intune admins must test and deploy this broadly.
    • Note: This build likely incorporates fixes from the April 2025 preview (KB5055627, OS Build 26100.3915).
  • KB5058405 (OS Builds 22621.5335 and 22631.5335) – Windows 11, versions 22H2/23H2: 
    • Focus: Cumulative update for older, but still widely used, versions of Windows 11.
    • Details: Includes security updates and quality improvements. Organizations managing mixed Windows 11 environments via Intune must ensure these versions are patched promptly.
    • Note: This build likely incorporates fixes from the April 2025 preview (KB5055629, OS 22621.5262 and 22631.5262).
  • KB5058497 (OS Build 26100.3981) – Hotpatch for Windows 11, version 24H2 Enterprise clients: 
    • Focus: This hotpatch update is critical for Windows 11 Enterprise 24H2 users.
    • Details: This delivers security improvements to internal OS functionality without requiring an immediate reboot for many systems. This is a key benefit for systems managed by Intune, where minimizing disruption is paramount. Admins should ensure devices are enrolled for hot patch updates via Intune policies.
    • Prerequisites: Requires the April 2025 baseline update and specific licensing (e.g., Windows 11 Enterprise E3/E5, Microsoft 365 F3/Business Premium, Windows 365 Enterprise). Intune admins can create a “Windows quality update policy” and enable the “Allow” option for “When available, apply without restarting the device (‘hotpatch’).”
  • KB5061096 – Security Update for Windows PowerShell: 
    • Focus: Addresses security vulnerabilities in Windows PowerShell.
    • Details: While the specific CVEs are not detailed in the provided snippets, PowerShell is a core component for administration and automation, often used in conjunction with Intune scripting. Patching this is vital across all supported Windows versions, including Windows 11.
  • KB5058500 (OS Build 20348.3630) – Hotpatch for Windows Server 2022 (Azure Edition mentioned, applicable to general hotpatching context): 
    • Focus: While specific to the server, it highlights Microsoft’s ongoing hotpatch initiative.
    • Details: This includes security improvements to internal OS functionality delivered as a hot patch. This reinforces the reboot-less patching strategy that also benefits Windows 11 Enterprise.

Intune Admin Considerations from KBs for Windows 11:

  • Windows 11 Feature Update Management: Be aware of potential issues where Windows 11 upgrades might be offered despite Intune policies. Microsoft has been working on fixes for such “latent code issues.” Consider pausing feature updates if necessary until the issue is resolved.
  • Hotpatch Policy in Intune: For eligible Windows 11 24H2 Enterprise devices, ensure you have configured quality update policies in Intune to “Allow” hotpatching. This will significantly reduce reboots for interim security updates.
  • Update Rings and Expedited Updates: Leverage Intune update rings for staged rollouts of these May KBs for all your Windows 11 devices. For critical vulnerabilities, use Intune‘s “expedite Windows quality updates” feature to override deferrals, particularly for the actively exploited CVEs.
  • New Intune Settings for Windows LAPS & Recall (AI Features): Note new settings available in Intune for Windows LAPS policy and managing upcoming AI features like Recall on Windows 11, such as disabling AI data analysis or denying specific apps/URIs for Recall.

Security Report Highlights: Actively Exploited Flaws Threaten Windows 11

This month’s security landscape is particularly concerning due to several actively exploited zero-day vulnerabilities impacting Windows 11. Intune administrators must prioritize these patches.

Actively Exploited Zero-Day Vulnerabilities (All require Windows OS update deployment):

  • CVE-2025-30400 – Microsoft DWM Core Library Elevation of Privilege Vulnerability: 
    • Impact: Allows an authorized attacker to elevate privileges locally to SYSTEM.
    • Affected: Windows 10, Server 2016 and later, including Windows 11.
    • Action: Critical to patch immediately using Intune.
  • CVE-2025-32701 & CVE-2025-32706 – Windows Common Log File System Driver Elevation of Privilege Vulnerability: 
    • Impact: Allows an authorized attacker to elevate privileges locally to SYSTEM.
    • Affected: All Windows OS versions, including Windows 11.
    • Action: Critical to patch immediately across all Windows 11 devices via Intune.
  • CVE-2025-32709 – Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability: 
    • Impact: Allows an attacker to elevate privileges locally to gain administrator privileges.
    • Affected: Windows Server 2012 and later, impacting Windows 11 as well.
    • Action: Urgent patching is required for Windows 11 through Intune.
  • CVE-2025-30397 – Scripting Engine Memory Corruption Vulnerability: 
    • Impact: Allows an unauthenticated attacker to execute code over a network, typically by tricking a user into clicking a specially crafted link in Edge or Internet Explorer.
    • Affected: All Windows OS versions, a significant threat to Windows 11 users.
    • Action: Prioritize patching for all Windows 11 systems using Intune.

Other Critical/Important Vulnerabilities:

  • CVE-2025-26685 – Microsoft Defender for Identity Spoofing Vulnerability (Publicly Disclosed):
    • Impact: Allows an unauthenticated attacker with LAN access to perform spoofing.
    • Action: Review and apply updates, relevant for environments utilizing Defender for Identity with their Windows 11 endpoints.
  • Remote Code Execution in Visual Studio (CVE-2025-30397 – Note: same CVE as Scripting Engine, but listed separately for Visual Studio context in one source):
    • Impact: Local code execution.
    • Action: If Visual Studio is present on any Windows 11 developer machines managed by Intune, ensure this is addressed.

Intune Admin Patching Strategy for Windows 11 Security:

  1. Prioritize Zero-Days: The five actively exploited vulnerabilities (CVE-2025-30400, CVE-2025-32701, CVE-2025-32706, CVE-2025-32709, CVE-2025-30397) are your absolute top priority for all Windows 11 devices. Utilize Intune to expedite these updates.
  2. Windows OS Updates are Key: Deploying the latest Windows OS updates (KB5058411 for 24H2, KB5058405 for 22H2/23H2) resolves all five zero-days.
  3. Consider Windows Autopatch: For organizations struggling with the operational overhead of patching Windows 11, Windows Autopatch (managed via Intune) can shift the responsibility of update deployment to Microsoft, ensuring devices are kept up-to-date.
  4. Test and Stage: Even with critical updates, use Intune‘s deployment rings to test on a pilot group of Windows 11 devices before broad deployment to mitigate unforeseen issues.
  5. Monitor Compliance: After deployment, closely monitor update compliance through the Intune portal to ensure all targeted Windows 11 devices have successfully installed the patches.

Conclusion: Proactive Patching of Windows 11 with Intune is Non-Negotiable

The May 2025 Patch Tuesday brings many critical fixes, especially for Windows 11, with several actively exploited vulnerabilities demanding immediate attention. The increasing prevalence of hotpatch technology for Windows 11 Enterprise offers a welcome reduction in reboots, but diligent management through Intune is key to leveraging this benefit.

Windows administrators must leverage Intune to its full potential for swiftly assessing, prioritizing, testing, and deploying these updates across their Windows 11 estates. Stay vigilant, test thoroughly, and patch promptly to protect your organization.

More Information: The Full Reports

View the KB report for the latest articles and patches for Windows 10 and 11:
PortalFuse Weekly KB Update Report – 2025-05-13 23:59:59.254000+00:00

Check out the full CVE report for details on vulnerabilities:
PortalFuse Weekly Security Update Report – (Windows and Edge Edition)