Microsoft has released KB5064010, a hotpatch for Windows 11 Enterprise LTSC 2024 that delivers critical security fixes without requiring a system restart. The update, issued on August 12, 2025, brings the OS build to 26100.4851 and marks another step in the company’s drive to minimize downtime for enterprise customers who depend on the Long-Term Servicing Channel (LTSC). Unlike traditional cumulative updates that demand a reboot to replace on-disk binaries, this hotpatch applies fixes in-memory, shrinking the window between patch publication and active protection.

How Hotpatching Rewrites the Patch Cycle

Hotpatching isn’t a new idea—Microsoft has used it for years on Windows Server Azure Edition—but extending it to Windows 11 Enterprise LTSC fundamentally changes how IT admins handle security updates. The model splits the year into quarters. Each quarter begins with a baseline cumulative update (an LCU plus servicing stack update) that requires a restart. The two following months then bring hotpatches: lightweight, reboot-free, security-only updates. That means eligible devices that used to reboot twelve times a year for patches now do so only four times.

KB5064010 is the hotpatch for August 2025, falling between a June baseline and the next baseline due in September. It contains no feature changes or cumulative reliability improvements—those remain the job of the baseline. Hotpatches are a pragmatic compromise: get security fixes onto machines immediately, and let the larger code and feature rollups wait for a scheduled window. For an LTSC system running a factory floor automation controller or a 24/7 healthcare monitoring station, skipping a reboot can prevent costly interruptions.

KB5064010 at a Glance

  • KB number: KB5064010 (hotpatch release)
  • Target platform: Windows 11 Enterprise LTSC 2024 (24H2 lineage)
  • Post-install build: 26100.4851
  • What it does: Applies security fixes that take effect without a restart, provided the device meets hotpatch prerequisites
  • Release date: August 12, 2025

The official Microsoft support article lists no known issues, but community forums and past cumulative update troubles remind admins that any code change, especially one touching kernel-mode paths, deserves scrutiny. Several Windows 11 24H2 baseline updates have triggered boot loops on specific hardware configurations, according to anecdotal Reddit threads. While those reports aren’t directly tied to hotpatching, they underscore why even a reboot-free patch needs a careful pilot.

Who Can Use It? Strict Eligibility Rules

Hotpatching isn’t available to every Windows 11 device. Microsoft ties it to enterprise-grade licensing and cloud-based management.

Licensing
- Windows 11 Enterprise E3 or E5
- Windows 11 Education A3 or A5
- Microsoft 365 Business Premium
- Windows 365 Enterprise

Consumer, Pro, and standard Enterprise LTSC (non-24H2) editions aren’t on the list. LTSC 2024 is the first LTSC release to receive hotpatch support, and even then, only the Enterprise SKU.

Operating System Baseline
Devices must be on Windows 11 Enterprise, version 24H2, build 26100.2033 or later. KB5064010 itself updates the build to 26100.4851, but the initial hotpatch enrollment generally demands that earlier 2033 baseline. If your devices are stuck on an older cumulative update, you’ll first need to apply a baseline CU—with a restart—before hotpatches flow.

Management
Hotpatch delivery relies on Microsoft Intune and a hotpatch-enabled Windows quality update policy. Windows Autopatch can simplify setup; organizations without Intune or Autopatch won’t see the hotpatch option in Windows Update for Business or WSUS. The policy must explicitly allow “When available, apply without restarting the device.”

Virtualization-Based Security (VBS)
VBS is a documented prerequisite. Systems without VBS enabled may not be offered hotpatches. Microsoft hasn’t detailed every technical reason, but VBS isolates key security components that hotpatching likely manipulates.

Arm64 Adds a CHPE Twist

Arm64 devices get hotpatch support, but with an asterisk. The CHPE (Compiled Hybrid Portable Executable) compatibility layer, which enables x86 emulation on Arm64 Windows, must be disabled. This requires setting the DisableCHPE CSP or tweaking the HotPatchRestrictions registry key, followed by a one-time reboot. After that change, hotpatches can install without restarts. IT teams must weigh the impact on x86 workloads—if a critical line-of-business app depends on CHPE for emulation, disabling it could degrade performance or break compatibility. Test this thoroughly in a pilot before rolling out.

How It Feels on the Desktop: Instant Protection, Same Look

When a hotpatch arrives, the Windows Update UI may still show “pending restart” for a brief moment, but the underlying code change is active. The system doesn’t actually need a reboot; the prompt disappears once the servicing stack recalibrates. Security software that hooks into kernel APIs will see the patched state immediately. That immediacy is the hotpatch’s power: from the moment the update installs, the vulnerability is closed. Compare that to a standard CU, where the vulnerable binary sits on disk (replaced but not yet loaded) until the next restart, leaving a gap of minutes to days.

Hotpatches don’t touch files that require a restart to be loaded, such as firmware updates, bootloaders, or certain critical system DLLs. If a security flaw resides in those components, Microsoft will issue a baseline update that still requires a restart. Admins should not assume that a hotpatch covers every vulnerability—check the monthly security release notes for gaps.

Deploying KB5064010: A Six-Step Battle Plan

A methodical rollout prevents surprises. Here’s a pragmatic approach tailored to the LTSC 2024 hotpatch.

1. Inventory and Baseline Check

Run winver or query via Intune/SCCM to confirm every target is Windows 11 Enterprise LTSC 2024, build 26100.2033 or higher. Devices on older builds must take a cumulative update first—schedule that maintenance window.

2. Licensing and Management Audit

Ensure you have the right subscription (E3/E5 or equivalent) and that devices are enrolled in Intune. If using Autopatch, verify that the tenant is onboarded for hotpatch. Check the Windows quality update policy; the “apply without restarting” setting must be enabled.

3. Prepare Arm64 Devices

For any Arm64 fleet, disable CHPE via policy once you’ve tested x86 emulation impact. Reboot once. Document this change in CMDB—future hotpatches won’t require a restart, but forgetting the CHPE disablement means you’ll never get them.

4. Pilot Group Testing

Create a ring of 1–2% of devices that mirror production variety: different hardware vendors, disk encryption methods, EDR agents, and virtualization platforms. Deploy KB5064010 to this pilot. Monitor for application crashes, driver failures, and anomalous behavior. Check event logs for hotpatch installation events. Let the pilot run for at least 48 hours.

5. Gradual Broadening

Move to an early adopter ring (10–15%) and then broad deployment. Watch telemetry for any uptick in bugs. If a showstopper appears, Microsoft’s guidance suggests uninstalling the hotpatch or falling back to the baseline CU. Uninstall behavior isn’t guaranteed for every hotpatch, so verify uninstallability in the pilot.

6. Compliance and Post-Deployment Verification

After the rollout, validate that devices report build 26100.4851. Update vulnerability scanners and CMDB records; otherwise, dashboards may flag these devices as unpatched because they don’t recognize the hotpatch build number. Coordinate with your SOC to ensure EDR products reflect the patched state.

Operational Advantages That Matter

The business case for hotpatching goes beyond fewer reboots.

  • Shorter exposure: Vulnerabilities are neutralized the moment the update installs, not the next time someone restarts. For a zero-day under active exploit, that speed matters.
  • Uptime gains: Critical systems—ATMs, industrial control PCs, medical devices—stay online. Even for knowledge workers, avoiding a forced restart can preserve open work and reduce helpdesk calls.
  • Smaller payloads: Hotpatches are typically a few hundred megabytes, not the multi-gigabyte CUs. For branch offices with constrained WAN links, the download and installation overhead is lower.

The Risks and Unknowns You Can’t Ignore

No patch mechanism is flawless. Hotpatching swaps running code; that inherently interacts with anything that has its hooks in the kernel.

Third-Party Driver and EDR Friction

Kernel-mode drivers and endpoint detection and response (EDR) agents routinely intercept system calls. A hotpatch can alter code paths that a driver or EDR expects to find in a particular state. History shows that such conflicts can lead to blue screens or degraded detection. Vendors like CrowdStrike, SentinelOne, and others have had to release compatibility updates after past Windows servicing changes. While no specific issues are tied to KB5064010 yet, the prudent move is to confirm your security vendor supports hotpatching on Windows 11 LTSC 2024 and to include those agents in your pilot.

Gap Between Hotpatch and Full Protection

Some vulnerabilities require on-disk binary replacement because the flawed code is loaded so early that hotpatching can’t intercept it. These remain reliant on baseline CUs. Don’t let the hotpatch cadence lull you into skipping quarterly baselines—they’re still mandatory for full coverage and for servicing stack updates.

Audit and Visibility Blind Spots

Patch compliance tools often scan for specific KBs or build numbers. A hotpatch’s unique KB and build may confuse scanners accustomed to the regular cumulative update pattern. Without updating your scanning logic, you could see false positives, with machines flagged as vulnerable even though hotpatched. Work with your security team to update SIEM rules and reporting before deployment.

Arm64 Side Effects

Disabling CHPE is not a trivial switch. Many Arm64 Windows devices rely on CHPE for x86 application compatibility. Testing must confirm that no business-critical application breaks or slows unacceptably. The one-time reboot is minor, but the decision to disable a core emulation component should involve application owners.

Monitoring Checklist for IT Teams

Use this quick reference to audit your hotpatch readiness and KB5064010 deployment:

  • [x] Target device runs Windows 11 Enterprise LTSC 2024
  • [x] Baseline is at least build 26100.2033
  • [x] Subscription licensing confirmed (E3/E5, Business Premium, etc.)
  • [x] Device enrolled in Intune with a hotpatch-enabled policy
  • [x] VBS enabled
  • [x] For Arm64: CHPE disabled, reboot applied once, and x86 workloads tested
  • [x] Pilot completed with EDR and driver compatibility validated
  • [x] Post-install build reports as 26100.4851
  • [x] Compliance tools updated to recognize hotpatch state

Best Practices to Get It Right

  • Preserve quarterly baselines: Treat hotpatches as a complement, not a replacement. Schedule baseline months for deep maintenance that can include firmware updates.
  • Test drivers and firmware separately: Hotpatching won’t fix firmware flaws. Maintain a separate, reboot-based cadence for those updates.
  • Document the build number shift: Operational runbooks should note that hotpatch months have distinct build numbers. This avoids confusion when comparing devices.
  • Automate eligibility checks: Use Intune proactive remediations or a script to validate VBS, baseline version, licensing status, and Arm64 CHPE settings before hotpatch day.
  • Watch community feedback: While anecdotal, forums like r/WindowsLTSC and sysadmin communities can surface early warning signs. Cross-reference any reported issues with your pilot telemetry.

Microsoft’s official KB article for KB5064010, the Windows IT Pro blog on hotpatch for client, and BleepingComputer’s analysis all confirm the technical details and prerequisites outlined here. These sources, together with the company’s licensing documentation, form the backbone of the guidance.

Hotpatching on Windows 11 Enterprise LTSC 2024 isn’t just a convenience; it’s a structural shift in how security reaches endpoints. KB5064010 proves the model works for LTSC—a channel historically slow to adopt new servicing innovations. By cutting reboots from monthly to quarterly, organizations can keep critical systems safer and more available. That payoff, however, requires upfront work: verifying licensing, enabling VBS, testing third-party compatibility, and adjusting compliance tooling. Ignore those steps, and the promise of reboot-free security becomes a source of chaos. Done right, hotpatches like KB5064010 help enterprises walk the tightrope between airtight security and nonstop operations.