Windows KB5064489 emergency update fixes Azure VM launch issues

Microsoft has released an emergency update to fix a bug that prevents Azure virtual machines from launching when the Trusted Launch setting is disabled and Virtualization-Based Security (VBS) is enabled.

The bug impacted Windows Server 2025 and Windows 11 24H2 and was introduced during the July Patch Tuesday security updates.

“This update addresses an issue that prevented some virtual machines (VMs) from starting when Virtualization-Based Security (VBS) was enabled,” explains Microsoft.

“It affected VMs using version 8.0 (a non-default version) where VBS was offered by the host. In Azure, this applies to standard (non–Trusted Launch) General Enterprise (GE) VMs running on older VM SKUs.”

“The problem was caused by a secure kernel initialization issue.”

Trusted Launch is an Azure feature that uses Secure Boot and a virtual Trusted Platform Module (vTPM) to protect virtual machines against bootkits and other low-level threats.

On Sunday, Microsoft released the KB5064489 out-of-band update for Windows 11 24H2 and Windows Server 2025, which fixes the kernel initialization issue that prevented the VMs from launching.

Microsoft says that admins can determine if this bug would impact their VMs by performing these steps:

• ​Check if your VM is created as “Standard”.
• ​Check if VBS is enabled. Open System Information (msinfo32.exe) and confirm that Virtualization-based security is running and that the Hyper-V role is not installed in the VM.

If you are impacted, Microsoft recommends installing this out-of-band update instead of the July 8th KB5062553 Patch Tuesday update. The company also says you can prevent this issue by using the Trusted Launch security feature.

Microsoft has also updated the Windows Server 2025 VM images to include the newer cumulative update that fixes this bug.