Microsoft pushed out a routine-looking but strategically pivotal hotpatch on August 12, 2025, for Windows 11 Enterprise LTSC 2024. KB5064010 bumps the operating system build to 26100.4851, bundles the latest servicing stack update (SSU) to harden installation reliability, and—for the first time—extends the reboot-reducing hotpatch model to eligible Arm64 devices. The catch: organizations that want their Arm64 endpoints to receive security fixes without a restart must first disable the Compiled Hybrid PE (CHPE) emulation optimization, a change that can alter x86 application performance and demands careful testing.
Hotpatching itself isn’t new, but its arrival on Arm64 marks a significant milestone for enterprises with heterogeneous fleets. The cadence is designed to slash forced monthly restarts from twelve to just four per year, with baseline updates falling in January, April, July, and October and hotpatch security updates shipping in the months between. With KB5064010, the August update slots neatly into that rhythm, delivering what Microsoft characterizes as “miscellaneous security improvements to internal OS functionality” without requiring users to stop work and reboot immediately.
What’s Inside KB5064010
The update is a combined package that includes the security hotpatch and the servicing stack update (KB5065381, SSU version 26100.4933). By marrying the SSU to the hotpatch, Microsoft reduces the risk of installation failures that can occur when an outdated servicing stack tries to process a new cumulative update. Devices that already have earlier updates will download only the delta, keeping network payloads light.
The official support document lists no new non-security fixes and no additional documented issues, signaling that this release is strictly a security refresh. For administrators, that means fewer regression variables to chase, but also no new functional changes to validate.
Arm64 Hotpatching Arrives—with a Critical Requirement
The expansion to 64-bit Arm architecture, announced in a separate Tech Community post, is the headline change. Until now, hotpatching was limited to x64/AMD64 endpoints. KB5064010 can now be deployed to Windows 11 Enterprise LTSC 2024 devices running on Arm64 hardware, provided the organization has the correct licensing (Windows 11 E3/E5, Microsoft 365 F3, Windows 11 Education A3/A5, Microsoft 365 Business Premium, or Windows 365 Enterprise) and is enrolled in Microsoft Intune or Windows Autopatch.
But there’s a technical gate: Compiled Hybrid PE (CHPE), a mechanism that accelerates x86 emulation on Arm devices, must be disabled. Microsoft explains that CHPE and hotpatching are incompatible, likely because the compiled hybrid binaries complicate in-memory patching of kernel code. Turning off CHPE enforces pure software emulation for x86 binaries, which can slow some legacy applications. The trade-off is not trivial—enterprises that rely on x86-only business apps on Arm64 hardware (such as the Surface Pro X, Surface Pro 11, or Snapdragon-powered Copilot+ PCs) may see a performance regression.
Administrators have two paths to disable CHPE. The first is a registry tweak:
- Set HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\HotPatchRestrictions = 1 (DWORD) and reboot the device.
The second is via an upcoming Intune configuration service provider (CSP) called DisableCHPE, which will allow IT to push the setting through a device configuration profile once it becomes available. Either way, a restart is required after the change, and Microsoft strongly recommends piloting the configuration on a subset of devices before broad rollout. Teams should measure application load times and general responsiveness, particularly for x86 tools like older versions of Office, ERP clients, or vertical-market LOB apps.
Prerequisites and Enrollment Steps
Hotpatching isn’t a universal feature—it demands a curated estate. The full checklist:
- OS baseline: Devices must run Windows 11 Enterprise LTSC 2024 and have the latest quarterly baseline update installed. If a machine isn’t on the baseline, it won’t receive hotpatches.
- Licensing: An eligible Enterprise or Education subscription is mandatory. Pro or Pro for Workstations editions are not supported.
- Management: Intune or Windows Autopatch enrollment is required. The hotpatch toggle is controlled through a Windows quality update policy in Intune.
- Virtualization-based Security (VBS): VBS must be enabled. This hardware-assisted security feature relies on CPU virtualization extensions and may be unavailable on older PCs, certain VMs, or systems with incompatible firmware. Turning on VBS can also cause compatibility issues with some third-party drivers or security tools, so it’s another pilot-worthy step.
- Arm64 CHPE disable: As detailed above.
Once those boxes are checked, IT creates a Windows quality update policy in Intune, sets the hotpatch option to “Allow,” and assigns the policy to device groups. Windows Autopatch can handle this orchestration automatically for organizations already using it.
Rollback and Recovery Considerations
The “no restart” promise has limits. While hotpatches don’t force an immediate reboot upon installation—they patch running code in memory—uninstalling a hotpatch does require a restart. That’s a critical operational note: if a hotpatch causes an unforeseen issue, remediation comes with user disruption. Microsoft’s guidance: uninstall the hotpatch, then manually install the standard Latest Cumulative Update (LCU) and restart again to return to a known state. That’s a two-restart process, so testing rollback procedures in a lab before production is non-negotiable.
Automated rollback is not supported for hotpatch updates. In the event of a failure, the device simply won’t apply the hotpatch, and IT will need to diagnose. Reports in Intune/Autopatch can flag these failures for proactive response.
Secure Boot Certificate Expiration: A Separate but Urgent Advisory
KB5064010’s public page includes a notable warning: Secure Boot certificates will begin expiring in June 2026. This firmware-level issue isn’t directly caused by the hotpatch, but Microsoft is using the release notes to remind enterprises that they must update certificate trust stores (KEK, DB, and DBX) to avoid devices failing to boot or losing the ability to apply future updates. The timeline may seem distant, but the operational lift—inventorying affected devices, coordinating firmware updates with OEMs, and testing—can take months. It’s a parallel workstream that IT teams should slot into their patch calendar now, not later.
Where Hotpatching Still Falls Short
Despite the aggressive push, hotpatching has clear boundaries. It’s designed exclusively for security fixes. Non-security fixes, .NET updates, driver updates, and firmware updates are outside its scope and will continue to require baseline or out-of-band restarts. Some kernel-level changes are simply too invasive to patch in memory; those will always ship as baseline updates. Enterprises should not expect a completely restart-free future—just a much quieter one.
Additionally, not every environment will qualify. VBS requirements and Arm64 CHPE disablement will leave some devices stranded on the standard LCU cycle. Those devices still get all security fixes, just with the usual restart cadence. The hotpatch fast lane is a privilege of a modern, well-managed estate, not a universal entitlement.
Community and Industry Reaction
Early adopters and IT community threads have been buzzing with validation exercises. Windows Forum discussions highlight active testing around CHPE impacts on file-system operations and backup software interoperability. Backup vendors, in particular, often sit close to the kernel via volume snapshot drivers or VSS, and community members are recommending that organizations coordinate with ISVs before disabling CHPE on production Arm64 devices.
One forum comment noted that “pre-release fixes [from backup vendors] are rolling out” in response to hotpatch compatibility concerns. Administrators planning to adopt KB5064010 should cross-reference vendor support matrices and, if possible, test in a dedicated ring that mirrors production workloads.
Practical Rollout Plan for KB5064010
For teams ready to move, here’s a distilled execution plan:
- Inventory and eligibility sweep – Confirm Windows 11 Enterprise LTSC 2024 with latest baseline. Validate licenses and Intune/Autopatch enrollment. Check VBS status and hardware/firmware support.
- Arm64 pilot prep – For Arm64 devices, configure the HotPatchRestrictions registry value or wait for the DisableCHPE CSP. Restart and run representative workloads to gauge performance. Flag any applications that degrade beyond acceptable thresholds.
- Pilot ring – Create an Intune quality update policy with hotpatch enabled, assigned to a small, non-critical group. Monitor installation success, error reports, and user feedback. Validate uninstall/rollback procedures on test devices—remember, uninstall needs a restart.
- Staged rollout – After a successful pilot, expand the policy to broader rings. Keep an eye on Secure Boot certificate readiness as a separate project.
- Monitor and adjust – Use Intune reports to track hotpatch compliance. If application compatibility issues surface, especially from CHPE disablement on Arm64, consider holding devices on the standard LCU cycle until ISV fixes arrive.
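As an added example, not Microsoft's tooling or the article's own, here is a PowerShell readiness check that covers the locally verifiable parts of the eligibility sweep above and the Arm64 HotPatchRestrictions registry step from the CHPE section. The function name and its -SetHotPatchRestrictions switch are this example's own; it assumes the documented 'EnterpriseS' edition ID for Enterprise LTSC and the Win32_DeviceGuard status codes, while licensing and Intune/Autopatch enrollment cannot be read from the device and are left to the administrator.

```powershell
# Added example (not Microsoft's or the article's code): hotpatch eligibility
# sweep plus the Arm64 CHPE step. Run in an elevated Windows PowerShell session.
function Get-HotpatchReadiness {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Example-only switch: when set, writes HotPatchRestrictions = 1 on Arm64 devices.
        [switch]$SetHotPatchRestrictions
    )

    $ver  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    # .NET reports the OS architecture even from an emulated (x86) shell.
    $arch = "$([System.Runtime.InteropServices.RuntimeInformation]::OSArchitecture)"
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    $dg   = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $mmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $hpr  = (Get-ItemProperty -Path $mmKey -Name HotPatchRestrictions -ErrorAction SilentlyContinue).HotPatchRestrictions

    $report = [ordered]@{
        Edition              = $ver.EditionID                 # 'EnterpriseS' = Enterprise LTSC
        Build                = "$($ver.CurrentBuild).$($ver.UBR)"
        IsBuild26100         = ($ver.CurrentBuild -eq '26100') # LTSC 2024 / 24H2 code base
        Architecture         = $arch
        VbsRunning           = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        HotPatchRestrictions = $hpr
        ChpeDisabled         = ($hpr -eq 1)                    # Arm64 gate from the article
        RebootRequired       = $false
    }
    # Arm64 devices additionally need CHPE disabled; x64 devices do not.
    $report.LocalChecksPass = $report.IsBuild26100 -and ($report.Edition -eq 'EnterpriseS') -and
                              $report.VbsRunning -and ($arch -ne 'Arm64' -or $report.ChpeDisabled)

    if ($SetHotPatchRestrictions -and $arch -eq 'Arm64' -and -not $report.ChpeDisabled) {
        # -WhatIf previews the write; the change only takes effect after a restart.
        if ($PSCmdlet.ShouldProcess($mmKey, 'Set HotPatchRestrictions = 1 (DWORD); restart required')) {
            New-ItemProperty -Path $mmKey -Name HotPatchRestrictions -PropertyType DWord -Value 1 -Force | Out-Null
            $report.HotPatchRestrictions = 1
            $report.ChpeDisabled         = $true
            $report.RebootRequired       = $true
        }
    }
    [pscustomobject]$report
}

# Inventory pass:  Get-HotpatchReadiness | Format-List
# Arm64 pilot:     Get-HotpatchReadiness -SetHotPatchRestrictions -WhatIf   (then rerun without -WhatIf)
```

Export the objects from a pilot ring with Export-Csv to compare before/after performance notes per device, and treat RebootRequired = True as the cue to schedule the restart the article says the CHPE change needs.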
The Bottom Line
KB5064010 is more than a routine security update; it’s a proof point that Microsoft’s hotpatching vision is scaling to new architectures and deeper into the enterprise. For organizations with a modern Windows 11 footprint and the required management stack, it promises real operational gains: fewer disruptions, faster security posture improvement, and smaller update payloads. The SSU bundling is a quiet but welcome reliability boost.
The Arm64 expansion, however, comes with a trade-off that will force IT shops to weigh reboot reduction against x86 emulation performance. Disabling CHPE is a blunt instrument, and until Microsoft and ISVs refine the compatibility story, Arm64 hotpatching will be a deliberate choice, not an automatic win. Coupled with enduring prerequisites like VBS and baseline alignment, the hotpatch model remains a “managed estate” feature—demanding the discipline of a well-governed endpoint fleet.
For enterprises that can meet those demands, KB5064010 is the next step in a journey toward fewer reboots and faster security response. For everyone else, it’s a clear signal that the standard cumulative update cadence isn’t going away, and that the path to hotpatching runs through a modern, Intune-managed architecture.