Microsoft shipped a targeted no‑restart security patch for Windows 11 Enterprise LTSC 2024 on August 12, 2025, advancing the operating system to OS Build 26100.4851 and plugging vulnerabilities without the mandatory reboot that enterprise administrators dread. KB5064010 is a hotpatch—a live patching mechanism that modifies in‑memory code paths—bundled with the latest Servicing Stack Update (SSU) KB5065381 to keep the servicing pipeline healthy. For organizations running Long‑Term Servicing Channel (LTSC) on mission‑critical endpoints, this release marks a significant evolution: stable, feature‑static Windows can now absorb urgent security fixes while industrial machines, medical devices, and ATMs stay online.
Hotpatching isn’t new to Microsoft’s datacenter platforms, but its arrival on the LTSC client signals a broader commitment to reducing operational friction across the entire Windows fleet. The model works on a quarterly baseline rhythm—one cumulative update that demands a restart, followed by two or three hotpatch months that apply only security‑hardening code changes live. When a device receives KB5064010, the update installs silently, protection takes effect immediately, and no restart prompt appears. For IT teams managing thousands of endpoints in 24/7 environments, that schedule eliminates the scramble to coordinate downtime windows for low‑risk patch months.
What’s inside KB5064010
Microsoft describes the payload with characteristic restraint: “miscellaneous security improvements to internal OS functionality.” No new features, no driver fixes, no documented quality‑of‑life changes outside the security scope. That wording is deliberate—it protects the specifics of kernel‑level hardening while signaling that the update matters. The SSU bundled alongside the hotpatch (KB5065381, version 26100.4933) improves the reliability of future updates, reducing the chance of servicing stack failures during rollouts. For Arm64 managed environments, the release continues the public preview path, with the same prerequisite steps required to keep hotpatch eligibility.
After installation, devices report OS Build 26100.4851. The package flows through Windows Update for automatic deployment, the Microsoft Update Catalog for manual download, and WSUS for managed fleets. No other functional fixes are listed, which aligns with the hotpatch philosophy: narrow, surgical security improvements that don’t perturb the user experience or application compatibility surface.
Why LTSC hotpatching matters to enterprise IT
LTSC editions are purpose‑built for stability. Manufacturers and healthcare providers rely on them to run unaided for years, often without internet connectivity. But that architectural conservatism also creates a security debt: endpoints that can’t take feature updates may still be exposed to privilege‑escalation or remote‑code‑execution bugs. KB5064010 closes that gap by delivering immediate fixes without altering the feature set, preserving LTSC’s value proposition.
The operational savings are concrete. A hospital with 5,000 nursing‑station PCs can avoid scheduling overnight restarts during a hotpatch month. A factory floor running SCADA on Windows 11 LTSC can stay fully productive while a kernel flaw is neutralized. Faster protection means the window between a CVE publication and full fleet coverage shrinks from days to hours, assuming eligibility and management are properly configured.
Prerequisites: what administrators must validate
Hotpatching doesn’t magically appear on every LTSC device. Microsoft gates it behind a strict set of requirements:
- Build and baseline: Devices must run Windows 11 Enterprise, version 24H2, build 26100.4929 or later, and already be on the current baseline cumulative update. Without that foundation, the hotpatch engine won’t engage.
- Management authority: Intune or Windows Autopatch is required. The hotpatch toggle lives inside a Windows quality update policy in Intune, where administrators set “When available, apply without restarting the device” to Allow. Devices managed by standalone Windows Update or Configuration Manager won’t receive hotpatches.
- Licensing: Eligible SKUs include Windows 11 Enterprise E3/E5, Microsoft 365 F3, Windows 11 Education A3/A5, Microsoft 365 Business Premium, and Windows 365 Enterprise. The licensing check is enforced client‑side.
- Virtualization‑based security (VBS): VBS must be enabled. This underpins the hypervisor‑protected code integrity that hotpatching uses to modify kernel structures safely.
- Arm64 special steps: Arm64 hotpatching remains in public preview and requires disabling Compiled Hybrid PE (CHPE). Administrators can push a CSP policy via Intune or set the registry key
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\HotPatchRestrictions = 1, followed by a one‑time restart. After that, the device stays eligible for successive hotpatches.
Enrollment and rollout best practices
Enrolling a device in the hotpatch program follows a few deliberate steps. First, create or edit a Windows quality update policy in Intune and enable hotpatch. Assign the policy to a pilot group of representative devices—ones that mirror the production mix of applications, drivers, and peripherals. Let the pilot soak for 7–14 days while monitoring Intune’s update health telemetry. Look for application crashes, driver resets, or unusual processor usage that might indicate a compatibility interaction with the in‑memory patch.
Once the pilot succeeds, roll out KB5064010 in phased rings, increasing scope each day. Because the SSU is bundled, installation failures should be rare, but firmware incompatibilities can still surface. Coordinate with OEMs to ensure the device firmware is current before relying on hotpatch‑only cycles. Maintain a documented rollback plan: know how to uninstall cumulative updates or apply a recovery image if a device becomes unstable. Administrators should also verify Secure Boot certificate readiness—a separate but urgent task Microsoft highlights in the KB.
The opaque security payload: what Microsoft doesn’t say
“Miscellaneous security improvements” is a phrase that frustrates auditors and breeds uncertainty. But it’s standard for hotpatch releases that bundle multiple low‑profile fixes without tying them to public CVEs. The intent is to minimize attacker awareness while delivering protection rapidly. For compliance teams, that means cross‑referencing with the monthly Security Update Guide for CVE‑level mapping. If a specific fix must be documented for regulatory reasons, open a case with Microsoft support to request detailed information.
That opaqueness doesn’t signal insignificance. Past hotpatches have closed privilege‑escalation paths in the kernel, patched flaws in cryptographic subsystems, and mitigated side‑channel attacks. Administrators should treat KB5064010 as operationally important and prioritize deployment to internet‑facing or sensitive endpoints.
The Secure Boot clock is ticking
KB5064010’s release notes carry a stark advisory: Secure Boot certificates used by most Windows devices begin expiring in June 2026. When the 2011 CA family lapses, endpoints still presenting those certificates will lose the ability to install certain pre‑boot security updates and, in extreme cases, may fail to boot under current policies. The remedy is to update the KEK and DB certificates with the 2023 CA family before the expiration date.
Microsoft recommends allowing Windows Update to handle the certificate refresh for connected devices. For air‑gapped or firmware‑locked systems, administrators must follow manual procedures—often in coordination with OEMs—to push the new certificates. The work crosses organizational silos: OS admins, security teams, and hardware vendors must align on deployment staging. Even hotpatch‑ready endpoints aren’t exempt; the KB explicitly reminds everyone to include them in the readiness assessment.
Risks and pitfalls to watch
No update is risk‑free, and KB5064010 carries its own set of cautions:
- Kernel‑mode driver conflicts: Third‑party endpoint detection and response (EDR) tools, antivirus filters, and custom drivers that hook kernel code may behave unpredictably when a hotpatch alters the same code paths. Require vendor validation before broad deployment.
- Arm64 preview maturity: Arm64 hotpatching remains in public preview. The requirement to disable CHPE adds a configuration step that can be missed, and the overall reliability is less proven than on x64. Conservative organizations should hold Arm64 devices to a longer pilot phase.
- Complacency about restarts: Hotpatch months reduce reboots significantly, but they don’t eliminate them forever. Feature updates, firmware, and some cumulative fixes still require a restart. Maintain regular maintenance windows and avoid indefinite deferral.
- Secure Boot oversight: The 2026 certificate expiry is an organizational imperative. Ignore it, and devices could lose pre‑boot updateability and boot trust. The remediation lead time is long, but the coordination effort is considerable; start now.
Verification and cross‑checks
Microsoft’s KB page for KB5064010 is the authoritative source for build numbers, SSU linkage, and distribution channels. The TechCommunity hotpatch blog and independent outlets like BleepingComputer confirm the operational mechanics and enrollment prerequisites. Cross‑referencing these sources provides confidence in the release model and helps administrators validate their Intune configuration. For precise CVE mapping, consult the Security Update Guide.
If compliance or audit requirements demand identifiable CVE associations, escalate to Microsoft support. The hotpatch documentation intentionally abstracts those details, but support can provide them under NDA where necessary.
Conclusion
KB5064010 is a milestone for Windows servicing: a security‑hardening update that lands silently on LTSC and keeps critical systems running without a restart. For enterprises that chose LTSC precisely to avoid change, this patch proves that security and stability aren’t in opposition. IT teams should treat the release as high‑priority—validate prerequisites, pilot carefully, and use Intune policies to orchestrate the rollout. Simultaneously, accelerate Secure Boot certificate readiness planning. The hotpatch model shifts operational responsibility: administrators must ensure their fleet is eligible, compatible, and firmware‑ready before trusting no‑reboot updates at scale. Done right, KB5064010 reduces downtime, tightens security, and sets a new baseline for what Windows servicing can achieve.