Microsoft releases emergency fix for Azure Virtual Machines issue caused by Windows 11 update


When Microsoft released the KB5062553 update for Windows earlier this month, it addressed a number of issues in the operating system. However, it also caused problems with Azure Virtual Machines.
As such, Microsoft has been forced to publish another emergency patch to fix a problem caused by one of its own software updates. This time around, the out-of-band fix is the KB5064489 update, and it is available for both Windows 11 and Windows Server 2025.
The KB5062553 update was released on Patch Tuesday earlier this month, on July 8. The release notes for the mandatory security update list the VM problems as a known issue:
Azure VM with Trusted Launch disabled
Symptoms
A small subset of Generation 2 Azure Virtual Machines (VMs) with Trusted Launch disabled, and Virtualization-Based Security (VBS) enforced via registry key might be unable to boot after installing this update.
To check if your virtual machine might be impacted:
- Check if your VM is created as “Standard”.
- Check if VBS is enabled. Open System Information (msinfo32.exe) and confirm that Virtualization-based security is running and that the Hyper-V role is not installed in the VM.
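The in-guest part of that check can be scripted. The following PowerShell is an added example, not code from Microsoft's release notes: the function name and the NeedsAttention rule are assumptions made for illustration, and whether the VM was created as "Standard" rather than Trusted Launch still has to be confirmed on the Azure side.

```powershell
# Added example: report the in-guest conditions named in the KB5062553 known issue.
# Run from an elevated PowerShell session inside the VM.
function Test-Kb5062553BootRisk {   # hypothetical name, not a Microsoft cmdlet
    [CmdletBinding()]
    param()

    # Win32_DeviceGuard.VirtualizationBasedSecurityStatus:
    #   0 = not enabled, 1 = enabled but not running, 2 = enabled and running
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction Stop
    $vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)

    # Hyper-V role: Windows Server exposes Get-WindowsFeature,
    # Windows 11 exposes the role as an optional feature instead.
    if (Get-Command -Name Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $hyperV = [bool](Get-WindowsFeature -Name 'Hyper-V').Installed
    } else {
        $feature = Get-WindowsOptionalFeature -Online -FeatureName 'Microsoft-Hyper-V' `
                                              -ErrorAction SilentlyContinue
        $hyperV = ($feature.State -eq 'Enabled')
    }

    # Update state as reported by Get-HotFix (Win32_QuickFixEngineering).
    $hasJulyUpdate = [bool](Get-HotFix -Id 'KB5062553' -ErrorAction SilentlyContinue)
    $hasOobFix     = [bool](Get-HotFix -Id 'KB5064489' -ErrorAction SilentlyContinue)

    # The known issue applies when VBS is running and the Hyper-V role is absent.
    $matches = ($vbsRunning -and -not $hyperV)

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        VbsRunning             = $vbsRunning
        HyperVRoleInstalled    = $hyperV
        KB5062553Installed     = $hasJulyUpdate
        KB5064489Installed     = $hasOobFix
        MatchesGuestConditions = $matches
        # Assumed triage rule: conditions match and the out-of-band fix is missing.
        NeedsAttention         = ($matches -and -not $hasOobFix)
    }
}

Test-Kb5062553BootRisk | Format-List
```

A VM that reports KB5062553Installed as True and NeedsAttention as True, and has not yet restarted, is the case to deal with before the next reboot.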
Although Microsoft tries to downplay the significance of the problem by pointing out the various conditions that must be met to trigger it, the impact on those affected remains. Azure Virtual Machines are widely used in business, development and enterprise environments, and any downtime or other issue that arises can have serious ramifications.
Releasing the KB5064489 update as a fix, Microsoft says:
This Out-of-band (OOB) update includes quality improvements. This update is cumulative and includes security fixes and improvements from the July 8, 2025, security update (KB5062553), in addition to the following:
- [Fix for Azure Virtual Machines with Trusted Launch disabled] This update addresses an issue that prevented some virtual machines (VMs) from starting when Virtualization-Based Security (VBS) was enabled. It affected VMs using version 8.0 (a non-default version) where VBS was offered by the host. In Azure, this applies to standard (non–Trusted Launch) General Enterprise (GE) VMs running on older VM SKUs. The problem was caused by a secure kernel initialization issue.
Despite fixing a serious issue, this is not an update that is rolling out automatically to affected systems. Instead, anyone who has encountered issues with Azure Virtual Machines is invited to manually download the KB5064489 update.
The update can be downloaded from the Microsoft Update catalog, but Microsoft warns that “this KB contains one or more MSU files that require installation in a specific order”. The company provides details of two methods to follow:
Method 1: Install all MSU files together
Download all MSU files for KB5064489 from Microsoft Update Catalog and place them in the same folder (for example, C:/Packages). Use Deployment Image Servicing and Management (DISM.exe) to install the target update. DISM will use the folder specified in PackagePath to discover and install one or more prerequisite MSU files as needed.
Updating Windows PC
To apply this update to a running Windows PC, run the following command from an elevated Command Prompt:
DISM /Online /Add-Package /PackagePath:c:\packages\Windows11.0-KB5064489-x64.msu
Or, run the following command from an elevated Windows PowerShell prompt:
Add-WindowsPackage -Online -PackagePath "c:\packages\Windows11.0-KB5064489-x64.msu"
Updating Windows Installation media
To apply this update to Windows Installation media, see Update Windows installation media with Dynamic Update.
Note: When downloading other Dynamic Update packages, ensure they match the same month as this KB. If the SafeOS Dynamic Update or Setup Dynamic Update is not available for the same month as this KB, use the most recently published version of each.
To add this update to a mounted image, run the following command from an elevated Command Prompt:
DISM /Image:mountdir /Add-Package /PackagePath:Windows11.0-KB5064489-x64.msu
Or, run the following command from an elevated Windows PowerShell prompt:
Add-WindowsPackage -Path "c:\offline" -PackagePath "Windows11.0-KB5064489-x64.msu" -PreventPending
Method 2: Install each MSU file individually in order
Download and install each MSU file individually using DISM or Windows Update Standalone Installer in the following order:
- windows11.0-kb5043080-x64_953449672073f8fb99badb4cc6d5d7849b9c83e8.msu
- windows11.0-kb5064489-x64_6640d1a7a2a393bd2db6f97b7eb4fe3907806902.msu
Image credit: Davide Bonaldo / Dreamstime.com