Microsoft released KB5064010 on August 12, 2025 — a hotpatch that updates eligible Windows 11 Enterprise LTSC 2024 and certain Windows Server Azure Edition builds to OS Build 26100.4851, delivering narrowly scoped security hardening without the usual restart required by cumulative updates. (support.microsoft.com)

Background

Hotpatching is Microsoft’s servicing innovation to reduce operational disruption while maintaining a rapid security posture for enterprise endpoints. Instead of a full Latest Cumulative Update (LCU) that replaces on-disk binaries and requires a restart, hotpatches deliver security-only fixes that can take effect immediately by patching running code paths when possible. Microsoft schedules baseline cumulative updates in the first month of each quarter and provides hotpatches in the two following months, limiting forced restarts to the quarterly baseline cadence. (learn.microsoft.com) (microsoft.com)
KB5064010 fits squarely into that model: it’s the August 2025 hotpatch release for the LTSC 2024 channel and is distributed as a combined package that includes the latest Servicing Stack Update (SSU) for the platform to improve installation reliability. Microsoft’s public KB describes the release as delivering “miscellaneous security improvements to internal OS functionality,” with no other documented issues on the KB page. (support.microsoft.com)

What KB5064010 actually is

Key facts at a glance

  • Release date: August 12, 2025. (support.microsoft.com)
  • KB number: KB5064010 (hotpatch). (support.microsoft.com)
  • Target platform: Windows 11 Enterprise LTSC 2024 (and Windows Server 2025 Datacenter: Azure Edition in hotpatch-enabled configurations). (support.microsoft.com)
  • Post-install OS build: 26100.4851. (support.microsoft.com)
  • Public description: “miscellaneous security improvements to internal OS functionality.” Microsoft does not list discrete CVEs or granular fixes on the KB itself. This means the KB is security‑focused but intentionally terse in its public summary. (support.microsoft.com)

How this release relates to the August 2025 Patch Tuesday

Microsoft’s hotpatches contain the security-only payload for eligible enterprise devices; for non-hotpatch channels Microsoft published the August 2025 LCUs (for example, KB5063878 for Windows 11 24H2). Independent coverage confirms that the hotpatch payload aligns with the broader August security release, while the LCU remains the baseline, restart-required package for general-purpose devices. (bleepingcomputer.com) (app.cloudscout.one)

Why this matters: benefits for enterprises

Hotpatching changes the operational calculus for large fleets and appliances that need high availability.
  • Reduced restarts: Hotpatch months can eliminate a forced restart for security fixes, which benefits productivity-sensitive and mission-critical systems. Microsoft’s calendar targets four restart-required baseline months per year (January, April, July, October) and hotpatch months in the intervening windows. (learn.microsoft.com)
  • Faster effective protection: Hotpatches are designed to activate protection immediately on installation (in-memory patching), closing the window between publication and mitigation faster than restart-bound LCUs. (learn.microsoft.com)
  • Smaller payloads and quicker installs: Hotpatch payloads are scoped to security fixes only, which generally reduces download sizes and deployment time. (microsoft.com)
  • Bundled SSU reduces install failures: KB5064010 includes the latest SSU as part of the package to reduce servicing stack related errors during future updates. Microsoft explicitly notes the hotpatch is packaged with an SSU to improve reliability. (support.microsoft.com)
These benefits are particularly relevant to organizations that run LTSC images for stability (healthcare, industrial systems, ATMs, certain regulated environments) and also to managed cloud-connected server instances subscribed to hotpatching via Azure Arc/Azure Update Manager.

What Microsoft documents (and what it doesn’t)

Microsoft’s KB entry is deliberately concise: it confirms the OS build change and states that the update “makes miscellaneous security improvements to internal OS functionality,” but it does not enumerate individual CVEs or affected components in the public-facing KB. When administrators need the mapping between hotpatch KBs and cumulative LCUs, Microsoft’s hotpatch release notes and the broader security update guidance fill in scheduling and eligibility details. (support.microsoft.com) (support.microsoft.com)
Unverifiable claim flag: Because the KB does not list granular CVE or component-level details, specific exploit mitigations or precise attack surface changes must be inferred from the broader August security advisories and the cumulative updates that contain the full patch notes. Administrators who must track CVEs for compliance should consult the Microsoft Security Update Guide or the MSRC advisory pages for CVE-level mapping instead of relying solely on a short hotpatch KB. (app.cloudscout.one)

Eligibility and prerequisites — what admins must verify

Hotpatches are gated: devices must meet licensing, configuration and management requirements to receive hotpatch updates like KB5064010.
  • Licensing and enrollment: Eligible SKUs typically include enterprise and certain education subscriptions (Windows 11 Enterprise SKUs, Microsoft 365 licensing tiers, etc.) and require device enrollment in Microsoft management services such as Intune or Windows Autopatch (or Azure Update Manager/Azure Arc for the server Azure Edition). (learn.microsoft.com)
  • Baseline alignment: Devices must be on supported baselines aligned to Microsoft’s hotpatch calendar. A baseline cumulative update is still required every quarter — hotpatches are designed to complement, not replace, those baseline LCUs. (support.microsoft.com)
  • Virtualization‑based Security (VBS): Microsoft’s hotpatch eligibility often requires certain security features like VBS to be enabled; older hardware and some virtual machine configurations may not meet that requirement without configuration changes. Verify VBS status before expecting hotpatch delivery.
  • Arm64-specific constraints: Hotpatching support for Arm64 devices has been delivered under public preview and requires a one-time configuration change: disabling CHPE (Compiled Hybrid PE) to enroll for hotpatch acceptance. This change is executed via a registry key or an Intune CSP and requires a one-time restart; after that, future hotpatches can install without restarts. Administrators must weigh CHPE impacts on x86 emulation workloads before making this change.
  • Servicing stack: KB5064010 is packaged with an SSU. Administrators should ensure systems are ready to accept the packaged SSU; including it reduces the chance of servicing stack related failures. (support.microsoft.com)

Deployment guidance and practical steps

For teams planning a staged rollout of KB5064010, follow a measured approach that balances speed (hotpatch benefit) with safety.
  • Inventory and baseline verification: Confirm devices run Windows 11 Enterprise LTSC 2024 and identify those already on the required baseline cumulative update. Devices off the baseline may not be eligible to receive hotpatches. (support.microsoft.com)
  • Management enrollment: Verify enrollment in Intune/Windows Autopatch or Azure Update Manager. Devices managed via Windows Update for Business without the necessary enrollment may not receive hotpatches. (learn.microsoft.com)
  • Configure prerequisites: Ensure VBS is enabled where required, and for Arm64 fleets consider the CHPE change plan (test x86 emulation workloads after disabling CHPE).
  • Pilot ring: Deploy KB5064010 to a small pilot ring (representative hardware and software combinations) and monitor for issues for 24–72 hours. Because hotpatches are applied live, close monitoring of application compatibility and driver behavior is essential.
  • Phased rollout: Move from pilot to broader rings using Intune rollouts or standard deployment tools, leveraging the bundled SSU to minimize servicing stack related failures. (support.microsoft.com)
  • Verification: After installation, verify OS Build 26100.4851 on devices that received the hotpatch (use winver, systeminfo, or Windows Update history) to confirm successful application. (support.microsoft.com)
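The prerequisite and verification steps above can be collected in one pass per device. The following PowerShell is an added example, not from the Microsoft KB or this post: it reads the build and UBR from the registry, the VBS state from the DeviceGuard WMI class, and searches Windows Update history for the KB. It assumes the LTSC edition reports an EditionID beginning with "EnterpriseS" and that the history entry's title contains the KB number; the target values 26100 and 4851 come from the KB.

```powershell
# Added example: device readiness/verification check for hotpatch KB5064010.
# Target values from the KB: OS Build 26100.4851.
$ExpectedBuild = 26100
$ExpectedUbr   = 4851
$Kb            = 'KB5064010'

$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [int]$cv.CurrentBuildNumber
$ubr   = [int]$cv.UBR

# Edition check: assumption that LTSC reports EditionID 'EnterpriseS*'.
$isLtsc = $cv.EditionID -like 'EnterpriseS*'

# VBS status from Win32_DeviceGuard: 0 = not enabled, 1 = enabled, not running, 2 = running.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)

# Windows Update history via the Update Agent COM API. Hotpatches can carry different
# metadata than LCUs, so match the KB string in the title instead of relying on Get-HotFix.
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$count    = $searcher.GetTotalHistoryCount()
$entries  = if ($count -gt 0) { $searcher.QueryHistory(0, $count) } else { @() }
$kbEntry  = $entries | Where-Object { $_.Title -match $Kb } | Select-Object -First 1
# ResultCode 2 = Succeeded, 3 = SucceededWithErrors
$kbInstalled = ($null -ne $kbEntry -and $kbEntry.ResultCode -in 2, 3)

[pscustomobject]@{
    ComputerName        = $env:COMPUTERNAME
    EditionID           = $cv.EditionID
    IsEnterpriseLTSC    = $isLtsc
    OSBuild             = "$build.$ubr"
    AtOrAboveTarget     = ($build -eq $ExpectedBuild -and $ubr -ge $ExpectedUbr)
    VbsRunning          = $vbsRunning
    HotpatchInHistory   = $kbInstalled
    HotpatchInstalledOn = $kbEntry.Date
}
```

Run it through Intune, a remote session, or your inventory tool and export the objects to CSV to build the fleet-wide build/eligibility view the Inventory step calls for.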

Troubleshooting: what to watch for

  • Update visibility and history: Hotpatches may show different KB metadata than LCUs in update histories; use Windows Update logs and inventory tools (Intune reports, Windows Update for Business reporting) to verify deployment status.
  • Servicing stack issues: If installation fails, the bundled SSU reduces but does not eliminate servicing stack related errors. Collect WindowsUpdate.log, CBS logs, and SSU error codes to troubleshoot. (support.microsoft.com)
  • Arm64 and CHPE side effects: After disabling CHPE, validate performance and compatibility of x86-emulated workloads on Arm64; some applications that relied on CHPE optimizations may behave differently.
  • Rollback and remediation: Hotpatches are designed to be minimally invasive, but if a hotpatch causes a critical issue, plan for a rollback path (uninstall via Windows Update history or targeted management tools). Test rollback procedures in pilot before broad rollout.

Detection and validation (security operations)

Because hotpatching changes how fixes are applied, SOC and endpoint teams must update detection and validation processes.
  • Detection of applied hotpatches: Check OS build metadata (OS Build 26100.4851) and Windows Update history for KB5064010 entries on endpoints. Use centralized inventory tools to collect build numbers across fleets. (support.microsoft.com)
  • Event logging to monitor for anomalies: Monitor standard Windows Update events in the Event Viewer, and watch for unexpected driver faults or application crashes after hotpatch application. Correlate with EDR signals to detect regressions or exploit attempts.
  • Validate mitigation of specific CVEs: Because the KB summary is terse, map the hotpatch to the equivalent LCU CVE list (Patch Tuesday advisories) if your compliance program requires per‑CVE validation. Third-party advisories and the MSRC Security Update Guide can help reconcile CVEs. (bleepingcomputer.com)
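For the event-log monitoring point, this added PowerShell (not from the post or from Microsoft) pulls the Windows Update client install events and the application crashes recorded after the KB5064010 install on a pilot device, giving a first-pass regression list to correlate with EDR telemetry. It relies on the standard Windows Update client events in the System log (ID 19 install succeeded, ID 20 install failed) and Application Error event ID 1000; it assumes the update event message contains the KB number.

```powershell
# Added example: post-hotpatch anomaly triage for KB5064010 on a single device.
param([string]$Kb = 'KB5064010', [int]$LookbackHours = 72)

$since = (Get-Date).AddHours(-$LookbackHours)

# Windows Update client: 19 = installation succeeded, 20 = installation failed.
# -ErrorAction SilentlyContinue because Get-WinEvent errors when nothing matches.
$wuEvents = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-WindowsUpdateClient'
    Id           = 19, 20
    StartTime    = $since
} -ErrorAction SilentlyContinue

$kbEvents  = $wuEvents | Where-Object { $_.Message -match $Kb }   # assumes KB in message
$installed = $kbEvents | Where-Object Id -eq 19 | Sort-Object TimeCreated | Select-Object -First 1
$failed    = @($kbEvents | Where-Object Id -eq 20)

if (-not $installed) {
    Write-Warning "No successful install event for $Kb in the last $LookbackHours h; $($failed.Count) failure event(s)."
    return
}
Write-Host "$Kb installed at $($installed.TimeCreated); scanning crashes since then."

# Application Error 1000 = user-mode application crash, after the install timestamp.
$crashes = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Application Error'
    Id           = 1000
    StartTime    = $installed.TimeCreated
} -ErrorAction SilentlyContinue

# Summarise by faulting executable so a regression shows up as a spike for one app.
$crashes |
    ForEach-Object {
        $app = if ($_.Message -match 'Faulting application name:\s*([^,]+)') { $Matches[1] } else { 'unknown' }
        [pscustomobject]@{ Time = $_.TimeCreated; App = $app }
    } |
    Group-Object App | Sort-Object Count -Descending |
    Select-Object @{ n = 'App'; e = { $_.Name } }, Count,
                  @{ n = 'FirstSeen'; e = { ($_.Group.Time | Measure-Object -Minimum).Minimum } }
```

Compare the per-app counts against the same window before the install; a new or sharply higher entry is the signal to pull the EDR timeline for that process.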

Comparison: hotpatch vs. baseline cumulative update (what you gain and what you don’t)

  • What hotpatches provide: Immediate, security-only protection with no restart in hotpatch months for eligible devices. Reduced downtime and smaller, faster installs. (learn.microsoft.com)
  • What hotpatches do not provide: Feature updates, non-security bug fixes, and comprehensive rollups remain part of baseline cumulative updates and still require restarts. Hotpatches are not a full substitute for quarterly LCUs. (microsoft.com)

Risks, limitations and open questions

  • Limited public detail: Microsoft’s public KB entry for KB5064010 is intentionally brief. The absence of granular CVE listings on the hotpatch KB makes exact forensic verification of individual mitigations more laborious — security teams should cross-reference Patch Tuesday advisories and MSRC feeds for CVE mapping. Flagged as unverifiable from the KB alone. (support.microsoft.com) (app.cloudscout.one)
  • Eligibility complexity: Hotpatch eligibility depends on licensing, management, baseline status, VBS settings and (for Arm64) CHPE configuration. Large, heterogeneous fleets can require significant work to bring devices into an eligible state. (learn.microsoft.com)
  • Preview features on Arm64: Arm64 hotpatch support carried a public preview designation; the one-time CHPE change to enroll devices introduces operational risk and compatibility testing requirements for emulated workloads.
  • Secure Boot certificate expiration: Microsoft’s hotpatch KB also highlights a separate but important operational timeline: Secure Boot certificate updates are required before the certificate expiration window beginning June 2026, and administrators must review guidance to avoid startup disruption. This is an independent operational task that must be considered during servicing planning. (support.microsoft.com)

Cross‑checks and independent corroboration

  • Microsoft’s KB page confirms the release and the OS build target for KB5064010 and notes the inclusion of the latest SSU in the package. Administrators should treat the KB as the official distribution notice. (support.microsoft.com)
  • Microsoft Learn and Hotpatch release notes document the hotpatch cadence and eligibility model, which explains why KB5064010 appears as a hotpatch rather than a standard LCU for eligible enterprise endpoints. (learn.microsoft.com)
  • Independent reporting on the August 2025 security updates verifies that the hotpatch payload corresponds to the broader Patch Tuesday fixes for eligible channels — for example, coverage indicates that non-hotpatch channels received LCUs like KB5063878 while hotpatch-enabled Enterprise LTSC systems saw KB5064010 as the restart‑free equivalent. This corroboration is useful when reconciling CVE lists and LCU content. (bleepingcomputer.com) (app.cloudscout.one)

Recommendations — an action checklist for IT teams

  • Audit and inventory: Confirm which devices are Windows 11 Enterprise LTSC 2024 and note their current OS builds. (support.microsoft.com)
  • Confirm management enrollment: Ensure devices are enrolled in Intune/Windows Autopatch or Azure Update Manager as required. (learn.microsoft.com)
  • Validate prerequisites: Check VBS status and plan CHPE adjustments for Arm64 devices only after compatibility testing.
  • Pilot first: Deploy KB5064010 to a small, representative pilot ring and validate application compatibility, performance, and telemetry.
  • Map CVEs: Use the MSRC Security Update Guide and Patch Tuesday LCU notes to reconcile which CVEs the hotpatch addresses for compliance and reporting. (app.cloudscout.one)
  • Monitor and verify: After installation, confirm OS Build 26100.4851 on updated endpoints and monitor logs, EDR telemetry, and user reports for anomalies. (support.microsoft.com)

Conclusion

KB5064010 is a practical example of Microsoft’s hotpatch model applied to Windows 11 Enterprise LTSC 2024 and Azure‑connected server variants: targeted, security-only, and restart-free for eligible systems, while being intentionally compact in public documentation. For organizations that can meet the eligibility requirements, hotpatching delivers real operational benefits — fewer forced reboots, faster exposure closure, and smaller payloads — but it also requires careful prerequisite work, coordination with management tooling, and validation against compliance requirements that depend on CVE-level detail.
Administrators should treat KB5064010 as a rapid-response security layer and continue to plan for baseline LCUs in the quarterly restart windows. Where detailed CVE mapping is required, use the MSRC advisory and Patch Tuesday LCU notes to reconcile the hotpatch content, and run controlled pilots before wide deployment. (support.microsoft.com) (learn.microsoft.com) (bleepingcomputer.com)


Source: Microsoft Support August 12, 2025—Hotpatch KB5064010 (OS Build 26100.4851) - Microsoft Support
 
