March 13, 2026 — Microsoft issues KB5084597 hotpatch for RRAS RCEs: no-restart fix only for hotpatch‑enrolled Windows 11 Enterprise
Microsoft released out-of-band hotpatch KB5084597 on March 13, 2026, to fix three critical RRAS remote‑code‑execution flaws. The patch can install without rebooting, but only on enterprise devices that meet specific hotpatch enrollment and configuration requirements.
Details of the March 13 hotpatch and the vulnerabilities it fixes
KB5084597 addresses CVE-2026-25172, CVE-2026-25173, and CVE-2026-26111—integer overflow and heap buffer issues in the Windows Routing and Remote Access Service (RRAS) management tool that could allow an authenticated domain user to execute code by connecting the RRAS Snap‑in to a malicious server. Microsoft released the hotpatch as an out‑of‑band update to reduce operational disruption in environments that cannot tolerate restarts.
The hotpatch advances affected devices to OS Build 26200.7982 for 25H2 and 26100.7982 for 24H2, and it includes the fixes shipped in the March 2026 Patch Tuesday. Microsoft has not confirmed active exploitation or published proof‑of‑concept code, but the networked management surface and the high severity ratings make rapid remediation sensible for exposed RRAS installations.
Exactly which machines qualify for the no‑restart hotpatch
KB5084597 applies only to Windows 11 Enterprise 25H2, 24H2, and Enterprise LTSC 2024 devices that are enrolled in a hotpatch‑enabled Windows quality update policy. Enrollment is typically managed through Microsoft Intune or Windows Autopatch; simply running Windows 11 is not enough. Devices must also already have the baseline cumulative update installed before the hotpatch will apply.
Arm64 systems face an additional prerequisite: administrators must disable the Compiled Hybrid PE (CHPE) compatibility layer and enable virtualization‑based security (VBS) for the device to be eligible for hotpatching. Machines that do not meet enrollment or configuration requirements will receive the same fixes via the regular cumulative update channel, which does require a reboot.
How this release signals the hotpatch rollout and what to monitor
This release shows Microsoft moving hotpatching from a niche capability toward routine emergency delivery for managed fleets. The company has been smoothing the pipeline—most recently resolving a hotpatch install loop in November 2025 with KB5072753—so enterprises enabling hotpatch now are joining a growing early adopter cohort rather than an experimental pilot.
Operationally, expect a dual‑track reality for some months: hotpatch‑enrolled fleets get urgent, no‑restart fixes; all other managed devices get the cumulative update and a required restart. Track adoption by checking Intune or Windows Autopatch enrollment, monitor for Microsoft telemetry or advisory updates about exploitation attempts, and look for patch deployment metrics (build numbers advancing to 26200.7982 / 26100.7982) as signals of hotpatch acceptance across your estate.
Administration checklist and comparison table for decision points
Below is a compact comparison that helps decide whether and how devices in your environment will receive KB5084597, and what preparatory actions are required.
| Condition | Hotpatch (KB5084597) | Regular cumulative update |
|---|---|---|
| Eligible OS builds | Windows 11 Enterprise 25H2, 24H2, Enterprise LTSC 2024 | Same OS versions + broader SKUs via standard channels |
| Enrollment required | Yes — hotpatch‑enabled Windows quality update policy (Intune/Windows Autopatch) | No — delivered through normal Windows Update / WSUS |
| Restart required | No | Yes |
| Arm64 extra steps | Disable CHPE and enable VBS | No CHPE/VBS change required for applicability |
| Build advancement after install | 25H2 → 26200.7982; 24H2 → 26100.7982 | Patch Tuesday cumulative will apply same fixes, then require restart |
Action items for administrators: verify which devices are in hotpatch‑enabled policies in Intune/Windows Autopatch, confirm that the baseline cumulative updates are installed, and, for any Arm64 hardware, plan CHPE disablement and VBS deployment before expecting the hotpatch. If rapid, no‑restart remediation is required but a device is not eligible, schedule the cumulative update with a minimal maintenance window.
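The device-side checks from the monitoring and checklist sections above, as an added PowerShell example that is not Microsoft's or the article's own tooling: it reports whether the build has advanced to 26200.7982 / 26100.7982, whether the SKU is Enterprise or Enterprise LTSC, and on Arm64 whether VBS is running and CHPE is disabled. It assumes the Win32_DeviceGuard WMI class for VBS status and the HotPatchRestrictions registry value as the CHPE‑disabled indicator (an assumption to verify against Microsoft's Arm64 hotpatch documentation); policy enrollment itself is only visible in Intune or Windows Autopatch, not on the device.

```powershell
# Added example, not Microsoft tooling: per-device readiness report for KB5084597.
# Target update build revisions from the advisory: 25H2 -> 26200.7982, 24H2 -> 26100.7982
$TargetUbr = @{ '26200' = 7982; '26100' = 7982 }

function Get-HotpatchReadiness {
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = $cv.CurrentBuildNumber            # e.g. '26200'
    $ubr   = [int]$cv.UBR                      # update build revision, e.g. 7982
    $arch  = $env:PROCESSOR_ARCHITECTURE       # 'AMD64' or 'ARM64'

    # Build-level check: the article's signal that the RRAS fixes are present.
    $eligibleBuild = $TargetUbr.ContainsKey($build)
    $patched       = $eligibleBuild -and ($ubr -ge $TargetUbr[$build])

    # Hotpatch is limited to Enterprise / Enterprise LTSC ('EnterpriseS') editions.
    $enterpriseSku = $cv.EditionID -in @('Enterprise', 'EnterpriseS')

    # VBS status from the DeviceGuard class: 2 = running, 1 = enabled not running, 0 = off.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)

    # Arm64 only: CHPE-disabled indicator (ASSUMED registry value, see lead-in).
    $chpeDisabled = $null
    if ($arch -eq 'ARM64') {
        $mm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management' `
                -ErrorAction SilentlyContinue
        $chpeDisabled = ($mm.HotPatchRestrictions -eq 1)
    }
    # Non-Arm64 devices have no extra prerequisite; Arm64 needs both VBS and CHPE disabled.
    $arm64Ready = ($arch -ne 'ARM64') -or ($vbsRunning -and $chpeDisabled)

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        DisplayVersion     = $cv.DisplayVersion   # '25H2' / '24H2'
        EditionID          = $cv.EditionID
        EnterpriseSku      = $enterpriseSku
        Build              = "$build.$ubr"
        EligibleBuildLine  = $eligibleBuild
        AtOrAboveKB5084597 = $patched
        Architecture       = $arch
        VbsRunning         = $vbsRunning
        ChpeDisabled       = $chpeDisabled
        Arm64PrereqsMet    = $arm64Ready
    }
}

Get-HotpatchReadiness | Format-List
```

Run it through Invoke-Command across the fleet and filter on AtOrAboveKB5084597 to separate patched devices from those still waiting on the cumulative update and a restart.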
Short Q&A
How do I confirm a device will receive the hotpatch? Check enrollment in a hotpatch‑enabled Windows quality update policy in Intune or Windows Autopatch and verify the device has the required baseline cumulative update installed.
What if my Arm64 device still needs RRAS protection? If you cannot or will not disable CHPE and enable VBS, the device will get the cumulative update route and will require a restart; plan the reboot accordingly.
When should I expect telemetry about exploitation? Microsoft has not reported active exploitation as of the March 13 advisory; watch Microsoft Security Advisories and your own detection logs for any post‑patch indicators and monitor deployment metrics (build numbers) to know when your estate is protected.