Microsoft issues an out-of-band security update to fix a critical issue affecting Azure VMs running Windows 11.

Microsoft has issued an out-of-band update, KB5064489, to address a critical issue affecting specific Azure Virtual Machines (VMs) running Windows 11 version 24H2. This emergency patch resolves startup failures impacting VMs with certain configuration parameters and integrates previous security updates released earlier this month.

Background: VM Startup Failures After July Patch

Following the release of the July 2025 Patch Tuesday update (KB5062553), Microsoft received reports of Azure VMs failing to boot. The issue was traced to environments where:

  • Trusted Launch was disabled,
  • the host offered Virtualization-Based Security (VBS), and
  • the VM was configured to use VBS version 8.0, which is not the default setting.

These circumstances, typically found in legacy or non-standard enterprise environments, led to a failure during secure kernel initialization, preventing affected VMs from launching properly in Azure.

About the KB5064489 Update

Released on July 13, 2025, KB5064489 is a non-security out-of-band update designed specifically to resolve this Azure VM startup issue. Microsoft recommends this update for organizations running affected configurations, particularly in enterprise and cloud environments that rely heavily on virtual infrastructure uptime.

Key Fixes and Improvements:

  • Resolves boot failures in Azure VMs with Trusted Launch disabled and VBS version 8.0 enabled.
  • Includes all security and quality updates originally provided in KB5062553 (July 8, 2025).
  • Ships with the Servicing Stack Update (SSU) KB5063666, improving reliability during the update process.
  • Brings the system to OS Build 26100.4656 following installation.

Availability and Installation

As an out-of-band release, KB5064489 is not delivered automatically via Windows Update. It must be downloaded manually from the Microsoft Update Catalog and installed by hand, which applies especially to environments where Azure VMs are managed manually or sit on an isolated network.

Microsoft has provided guidance for offline installation using DISM or the Windows Update Standalone Installer (.msu), enabling IT administrators to deploy the patch in controlled enterprise settings.
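After a manual install it is worth confirming that the guest actually reached the fixed build. The script below is an added example, not Microsoft's guidance or code from the update itself; it compares the running build against 26100.4656 and reports VBS state as seen inside the guest. It does not check the Azure-side Trusted Launch setting or the VBS version configured for the VM.

```powershell
# Added example: run inside a Windows 11 24H2 guest after installing the update.
# Build numbers and the KB id are the ones given in the article.
$FixedBuild = 26100        # Windows 11 version 24H2
$FixedUbr   = 4656         # update build revision installed by KB5064489
$KbId       = 'KB5064489'

function Test-BuildHasFix {
    param([int]$Build, [int]$Ubr)
    # The update applies only to 24H2; return $null for anything else.
    if ($Build -ne $FixedBuild) { return $null }
    # Cumulative updates are additive, so any later revision also carries the fix.
    return ($Ubr -ge $FixedUbr)
}

# The registry holds the build and revision that make up "OS Build 26100.xxxx".
$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [int]$cv.CurrentBuildNumber
$ubr   = [int]$cv.UBR

# Get-HotFix may not list the KB once a later cumulative update supersedes it,
# so treat the build comparison as authoritative and this as supporting evidence.
$hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue

# VBS status from inside the guest: 0 = off, 1 = enabled but not running, 2 = running.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue

[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    OSBuild      = "$build.$ubr"
    InScope      = ($build -eq $FixedBuild)
    HasFixBuild  = Test-BuildHasFix -Build $build -Ubr $ubr
    KbListed     = [bool]$hotfix
    VbsStatus    = if ($dg) { $dg.VirtualizationBasedSecurityStatus } else { 'unknown' }
}
```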

No Known Issues

At the time of publication, Microsoft has not reported any known issues associated with KB5064489. However, organizations are advised to follow standard best practices, including system backups and testing in non-production environments prior to widespread deployment.

Implications for IT Administrators

This update underscores Microsoft’s commitment to maintaining service availability for enterprise cloud environments, particularly those relying on Azure-based infrastructure. IT teams managing legacy or customized VMs in Azure should prioritize patching affected instances to restore full VM operability.

Administrators who have not yet deployed KB5062553, or who are unaffected by the VBS configuration described, may not need this update. However, those encountering unexplained VM failures after the July patch should review configurations immediately and apply KB5064489 as appropriate.

Summary of KB5064489

Feature | Details
Release Date | July 13, 2025
Applies To | Windows 11 Version 24H2
OS Build | 26100.4656
Main Fix | Resolves Azure VM boot issues with Trusted Launch disabled and VBS 8.0
Includes | July Patch Tuesday (KB5062553) and SSU KB5063666
Distribution | Manual installation via Update Catalog
Known Issues | None reported

For more information and to download the update, visit the official Microsoft Update Catalog.
