On June 9, 2026, Microsoft broke its silence—and its routine. Instead of delivering the usual reboot-free hotpatch for Windows 11 Enterprise LTSC 2024, the company pushed a full baseline update that forces a restart. The reason: CVE-2026-45585, a publicly disclosed security feature bypass that left BitLocker-protected devices exposed. The update, tracked as KB5094126, arrived with a blunt message: install it now, reboot your machines, and don’t expect the rhythm to continue unbroken.
This is the first time Microsoft has swapped a scheduled hotpatch month for an unplanned baseline since hotpatching debuted for LTSC. For administrators who had grown comfortable with the promise of fewer reboots, June 9 became a cold lesson in the limits of reboot-free patching.
What just changed: a hotpatch month turned baseline
Hotpatching on Windows 11 Enterprise LTSC follows a strict quarterly cycle. Every three months, devices download a comprehensive baseline update that requires a restart. In the two months between baselines, Microsoft ships smaller, targeted security updates that install without rebooting. June was supposed to be that second hotpatch month—a quiet, no-reboot patch drop after April’s baseline. Instead, Microsoft rescheduled it as a baseline month.
The official support document is terse: “The June 2026 Windows security update is delivered as a baseline update instead of a hotpatch update to help protect devices as quickly as possible after the public disclosure of a security vulnerability outside the typical coordinated disclosure best practices (CVE-2026-45585).” Translation: the risk escalated too fast for a narrow hotpatch. A full cumulative reset was deemed the only safe vehicle.
CVE-2026-45585, publicly nicknamed YellowKey, has been described in external reports as a Windows BitLocker security feature bypass. BitLocker is the encryption bedrock for enterprise laptops and workstations. A flaw that undermines it—especially after details became public—triggered a decision to override the calendar. Devices must now restart to reach a protected state.
What this means for you (and why you probably need to reboot)
If you’re running Windows 11 Home or Pro, this doesn’t affect you. Hotpatching is exclusive to Windows 11 Enterprise LTSC 2024, a specialized edition used in manufacturing, healthcare, digital signage, and other fixed-function systems. So unless your IT department has specifically deployed LTSC with hotpatch enrollment, you can stop reading—or keep reading to understand what your colleagues are dealing with.
For enterprise administrators, the impact is immediate. Any fleet that relies on LTSC hotpatching must now plan, communicate, and execute a restart cycle that wasn’t on the Q2 calendar. Worse, this June baseline doesn’t cancel July’s. The hotpatch cadence dictates that July is already a baseline month. That means many organizations face two consecutive months of forced reboots—a double hit that can erode user trust and strain maintenance windows.
Devices that don’t reboot remain vulnerable, even if the update appears “downloaded” in management consoles. Patch compliance dashboards must measure success after the restart, not just after installation. A device with a pending restart is a device with an open door.
For IT leaders, this event is a stress test for how the organization has communicated hotpatching. If you promised users “no more reboots for security updates,” you now have a broken promise. If you pitched hotpatching as “reboot reduction with occasional exceptions,” you can salvage the narrative. The difference might determine how many help-desk tickets you field this week.
How we got here: the promise and the fine print
Hotpatching arrived in Windows 11 Enterprise LTSC 2024 as a headline feature: fewer maintenance windows, lower user disruption, faster compliance checks. Microsoft’s documentation carefully outlined a quarterly baseline cadence with two hotpatch months in between. It also included escape clauses. The company reserved the right to ship extra baseline updates “for security reasons.”
That fine print became reality when researchers publicly disclosed CVE-2026-45585. According to Microsoft, the vulnerability was made public “outside typical coordinated disclosure best practices.” Security researchers often debate the ethics of immediate disclosure versus giving vendors time to patch. YellowKey appears to have emerged in that gray zone—publicly detailed while Microsoft was still working on a fix.
The timeline remains murky. External reporting has linked YellowKey to a BitLocker bypass, potentially allowing attackers with physical access to extract encryption keys. While no active attacks have been confirmed at scale, the risk calculus shifted the moment exploit concepts began circulating. Microsoft decided it couldn’t wait for the next planned baseline in July.
This isn’t the first time a disclosure dispute has forced a vendor’s hand, but it’s the first to break Windows hotpatching’s rhythm. It reveals a tension between the disciplined cadence of modern servicing and the messy reality of public vulnerability disclosure.
What to do now: an immediate checklist
For administrators managing LTSC fleets, here’s a pragmatic six-step response plan:
-
Inventory your eligible devices. Confirm which machines run Windows 11 Enterprise LTSC 2024 with hotpatch enrollment. The update only applies to that specific configuration.
-
Push the June baseline immediately. Use Microsoft Intune, Windows Autopatch, or your management tool of choice to deploy KB5094126. Prioritize devices in high-risk roles or those with physical access exposure.
-
Schedule and communicate the restart. Don’t assume devices will reboot automatically overnight. For critical systems, negotiate a maintenance window. For users, explain that this is a rare security exception, not a new normal.
-
Verify compliance post-reboot. Check update reports for “pending restart” status. A device that hasn’t rebooted isn’t protected.
-
Prepare for July’s baseline. July remains a planned restart-required update under the normal cadence. Warn stakeholders now that another reboot may be coming in a few weeks.
-
Review your internal messaging about hotpatching. Update documentation, communication templates, and user training to reflect that hotpatching reduces—but does not eliminate—security restarts. Include language about exceptional baselines.
Beyond these steps, audit your endpoint monitoring tools. Do they distinguish between “update installed” and “update activated by restart”? The gap matters. In healthcare or manufacturing, a device showing as “compliant” before reboot could create a false sense of security.
Outlook: hotpatching survives, but trust needs rebuilding
The long-term verdict on hotpatching hasn’t changed. For most months, it will still spare enterprises from dozens of routines reboots. June 2026 is an exception, not a repeal. Microsoft has engineered a model that balances convenience with security—and when security screamed louder, the model bent.
What will matter next is reliability. If the June baseline installs smoothly, if devices reboot without incident, and if hotpatching resumes in August as expected, the event becomes a historical footnote. If confusion, failed installs, or compliance drift follow, trust will erode.
Watch for Microsoft’s post-mortem communication. Will they clarify how the disclosure timeline forced their hand? Will they update their hotpatch documentation to better set expectations? The more transparent they are, the faster administrators can rebuild confidence in the cadence.
For now, the lesson is clear: hotpatching is a powerful tool, but it’s not a magic wand. The threat landscape doesn’t care about your quarterly schedule. And sometimes, the only answer is to reboot and move on.