Microsoft releases emergency fix for Azure Virtual Machines issue caused by Windows 11 update

Earlier this month, Microsoft rolled out the KB5062553 update for Windows, aimed at resolving various issues within the operating system. However, this update inadvertently introduced complications for Azure Virtual Machines, prompting the tech giant to issue an emergency patch.

Emergency Patch Released

The newly released KB5064489 update serves as an out-of-band fix, applicable to both Windows 11 and Windows Server 2025. Following the initial update on July 8, Microsoft acknowledged the challenges faced by a subset of Generation 2 Azure Virtual Machines (VMs) with Trusted Launch disabled. The release notes highlighted that these VMs might experience boot failures due to the update.

Azure VM with Trusted Launch disabled

Symptoms

A small subset of Generation 2 Azure Virtual Machines (VMs) with Trusted Launch disabled, and Virtualization-Based Security (VBS) enforced via registry key might be unable to boot after installing this update.

To check if your virtual machine might be impacted:

  1. Check if your VM is created as “Standard”.
  2. Check if VBS is enabled. Open System Information (msinfo32.exe) and confirm that Virtualization-based security is running and that the Hyper-V role is not installed in the VM.

Despite Microsoft’s efforts to mitigate concerns by outlining specific conditions that lead to these issues, the repercussions for affected users remain significant. Azure Virtual Machines are integral to various business, development, and enterprise operations, and any disruption can lead to substantial consequences.

In its announcement regarding the KB5064489 update, Microsoft stated:

This Out-of-band (OOB) update includes quality improvements. This update is cumulative and includes security fixes and improvements from the July 8, 2025, security update (KB5062553), in addition to the following:

  • [Fix for Azure Virtual Machines with Trusted Launch disabled] This update addresses an issue that prevented some virtual machines (VMs) from starting when Virtualization-Based Security (VBS) was enabled. It affected VMs using version 8.0 (a non-default version) where VBS was offered by the host. In Azure, this applies to standard (non–Trusted Launch) General Enterprise (GE) VMs running on older VM SKUs. The problem was caused by a secure kernel initialization issue.

While this update rectifies a critical issue, it will not be automatically deployed to affected systems. Users experiencing difficulties with Azure Virtual Machines are encouraged to manually download the KB5064489 update.

The update is accessible via the Microsoft Update Catalog, though Microsoft cautions that it contains multiple MSU files that must be installed in a specific sequence. The company has outlined two methods for installation:

Method 1: Install all MSU files together

Download all MSU files for KB5064489 from the Microsoft Update Catalog and place them in a single folder (e.g., C:/Packages). Utilize Deployment Image Servicing and Management (DISM.exe) to install the target update. DISM will reference the specified folder to discover and install any prerequisite MSU files as necessary.

Updating Windows PC

To apply this update to a running Windows PC, execute the following command from an elevated Command Prompt:

DISM /Online /Add-Package /PackagePath:c:\packages\Windows11.0-KB5064489-x64.msu

Alternatively, run the following command from an elevated Windows PowerShell prompt:

Add-WindowsPackage -Online -PackagePath "c:\packages\Windows11.0-KB5064489-x64.msu"

Updating Windows Installation media

To apply this update to Windows Installation media, refer to Update Windows installation media with Dynamic Update.

Note: When downloading other Dynamic Update packages, ensure they correspond to the same month as this KB. If the SafeOS Dynamic Update or Setup Dynamic Update is unavailable for the same month as this KB, utilize the most recently published version of each.

To incorporate this update into a mounted image, execute the following command from an elevated Command Prompt:

DISM /Image:mountdir /Add-Package /PackagePath:Windows11.0-KB5064489-x64.msu

Or, run the following command from an elevated Windows PowerShell prompt:

Add-WindowsPackage -Path "c:\offline" -PackagePath "Windows11.0-KB5064489-x64.msu" -PreventPending

Method 2: Install each MSU file individually in order

Download and install each MSU file individually using DISM or Windows Update Standalone Installer in the following order:

  1. windows11.0-kb5043080-x64_953449672073f8fb99badb4cc6d5d7849b9c83e8.msu
  2. windows11.0-kb5064489-x64_6640d1a7a2a393bd2db6f97b7eb4fe3907806902.msu
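Because this fix is downloaded and installed by hand, it is worth checking each MSU file before it is applied. The script below is an added example, not code from Microsoft or from the original article: it verifies both files and then installs them in the Method 2 order. It assumes the files sit in C:\Packages, that the 40-character hex suffix in each Update Catalog file name is the file's SHA-1 digest, and that Get-AuthenticodeSignature can validate .msu files; Test-MsuIntegrity is a hypothetical helper name.

```powershell
#Requires -RunAsAdministrator
# Added example: verify, then install, the KB5064489 MSU files in the documented order.
# Assumptions: files are in C:\Packages; the hex suffix in each file name is its SHA-1.

$PackageDir = 'C:\Packages'
# Order matters: prerequisite first, then the target update (from Method 2).
$Ordered = @(
    'windows11.0-kb5043080-x64_953449672073f8fb99badb4cc6d5d7849b9c83e8.msu',
    'windows11.0-kb5064489-x64_6640d1a7a2a393bd2db6f97b7eb4fe3907806902.msu'
)

function Test-MsuIntegrity {   # hypothetical helper; throws on any failed check
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Missing package: $Path"
    }
    # Compare the digest embedded in the file name with the bytes on disk.
    $name = [IO.Path]::GetFileNameWithoutExtension($Path)
    if ($name -notmatch '_([0-9a-f]{40})$') {
        throw "No 40-hex digest suffix in file name: $name"
    }
    $expected = $Matches[1]
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA1).Hash
    if ($actual -ne $expected) {   # -ne compares strings case-insensitively
        throw "Digest mismatch for $Path (expected $expected, got $actual)"
    }
    # A name-embedded digest only catches a corrupted or swapped download;
    # the signature check is what ties the file to its publisher.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') {
        throw "Authenticode status for $Path is $($sig.Status)"
    }
    if ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
    }
}

# Verify every file before changing the system, so a bad second file
# does not leave the prerequisite installed on its own.
$paths = $Ordered | ForEach-Object { Join-Path $PackageDir $_ }
$paths | ForEach-Object { Test-MsuIntegrity -Path $_ }

foreach ($p in $paths) {
    Write-Host "Installing $p"
    Add-WindowsPackage -Online -PackagePath $p -NoRestart | Out-Null
}
Write-Host 'Both packages installed; restart the VM to finish servicing.'
```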
