[German]The security updates for the July 2025 patchday lead to problems in virtual machines. Virtualized instances of Windows Server 2025 and Windows 11 24H2 may no longer start under Hyper-V or VMware ESXi. The same applies to Windows 11 24H or Windows Server 2025 on Azure VMs – where there is now an out-of-band update KB5064489.
Advertising
Hyper-V: Windows Server 2025 VMs hangs
In the context of the July 2025 Patchday (July 8, 2025), I received reports from blog readers about isseus with Windows Server 2025 in virtual machines that no longer started under Hyper-V.
Reader reports about the VM problems
Shortly after the release of the security updates for July 2025, there was initial feedback on the German blog post Patchday: Windows Server-Updates (8. Juli 2025) that Windows Server 2025 could no longer boot as a VM under Hyper-V.
In this German comment, Carsten referred to a German forum thread Windows Server 2025 VM startet nicht nach Patchday CU20250 (says Windows Server 2025 VM does not start after Patchday CU20250), where a user complains that a virtual machine with Windows Server 2025 can no longer boot after installing the July 2025 security updates. Hyper-V under Windows Server 2016 is presumably used there.
A second forum thread linked by Carsten can be found on reddit.com. There, several users report that the virtual machines with Windows Server 2025 under Hyper-V no longer boots after the installation of the July 2025 update following the reboot.
German blog reader Thomas also reports in this German comment that on of his VMs with Windows Server no longer boots. German blog reader it_hamburg says in this comment : "A Windows Server 2025 VM got stuck after starting" and he had to restore it from the recovery console with the command:
Advertising
dism.exe /image:C:\ /cleanup-image /revertpendingactions
The July 2025 update was removed with the above command. The reason for this behaviour is Virtualization-Based Security (VBS), which leads to boot problems with some VMs.
Workaround for the VM boot problem with Server 2025
German blog reader it_hamburg provides the explanation in this comment: His VMs are still in Hyper-V configuration 8.0, as they were set up under Windows Server 2016 and then updated to Windows Server 2025. With a current version of 12.0, the 2025-07 update runs through with the same VHDX and boots up again.
Microsoft describes the different Hyper-V configuration versions in this support article.
Windows Server 2025 hangs on ESXi 7.0
The other day I came across the post Windows Server 2025 Standard VM Freezing on ESXi 7 with Consistent 21% CPU Usage After Updates [KB5062553] on 10 July 2025 [Temporary FIX] at Microsoft Answers, where a similar behavior is described. On a virtual machine (VM) running Windows Server 2025 Standard Edition on VMware ESXi 7, the VM frequently freezes and becomes unresponsive once the Windows updates are installed on July 10, 2025.
Fix through out-of-band update KB5064489
Microsoft has now acknowledged the problem for both Windows 11 24H2 and Windows Server 2025 and provided an out-of-band update KB5064489 on July 13, 2025 (Bolko mentioned it here). The description of the fix states:
- [Fix for Azure Virtual Machines with Trusted Launch disabled] This update addresses an issue that prevented some virtual machines (VMs) from starting when Virtualization-Based Security (VBS) was enabled. It affected VMs using version 8.0 (a non-default version) where VBS was offered by the host. In Azure, this applies to standard (non–Trusted Launch) General Enterprise (GE) VMs running on older VM SKUs. The problem was caused by a secure kernel initialization issue.
Microsoft has noticed that with the July 2025 updates, virtual machines in Azure no longer boot when Virtualization-Based Security (VBS) is enabled (or Trusted Launch is disabled) and the machine is used with Hyper-V configuration 8.0. Although the description refers to Azure VMs, the error pattern corresponds to what I have outlined above for Hyper-V. The problem is caused by a change in the secure kernel initialization. The support article or out-of-band update in question was published for Windows 11 24H2 and Windows Server 2025 (24H2).
To resolve these boot problems, Microsoft has released the out-of-band update KB5064489 for both Windows 11 24H2 (clients) and Windows Server 2025. The update is currently only available in the Microsoft Update Catalog for the relevant Windows versions and must be downloaded manually by administrators and then installed on the affected VMs.
Similar articles:
Microsoft Security Update Summary (July 8, 2025)
Patchday: Windows 10/11 Updates (July 8, 2025)
Patchday: Windows Server-Updates (July 8, 2025)
Windows 10/11: Preview Updates June 2025
Windows 11 24H2: Azure Virtual Desktop (AVD) App Attach fails
Windows 11 24H2 June 2025 update issues: KB5060842 with wrong timestamp and Print to PDF
Windows 11 24H2: June 2025 Preview Update KB5060829 triggers Firewall Events
WSUS hat Synchronisationsprobleme (9. Juli 2025)
Advertising
Joking here but…it's almost as if the only articles about Windows Updates should be "Windows Update KB9804127 didn't break or brick anything".