Full Report
Microsoft has released an emergency update to fix a bug that prevents Azure virtual machines from launching when the Trusted Launch setting is disabled and Virtualization-Based Security (VBS) is enabled. [...]
Analysis Summary
# Vulnerability: Azure VM Launch Failure Due to Kernel Initialization Issue
## CVE Details
- CVE ID: N/A (This article describes a bug fixed by an out-of-band update, not a publicly assigned CVE.)
- CVSS Score: N/A
- CWE: N/A
## Affected Systems
- Products: Windows 11 (Version 24H2), Windows Server 2025
- Versions: Specific patch levels are not stated; affected systems are those without KB5064489 installed.
- Configurations: Virtual Machines (VMs) created as "Standard" where Virtualization-based security (VBS) is enabled (and the Hyper-V role is *not* installed within the VM).
## Vulnerability Description
An undisclosed kernel initialization issue caused certain newly created Azure Virtual Machines (VMs) to fail to launch. This issue specifically affects deployments using standard VMs configured with Virtualization-based security (VBS).
## Exploitation
- Status: Not mentioned as exploited. The focus is on a service disruption/launch failure.
- Complexity: Not specified, as it relates to VM configuration/provisioning failure rather than traditional exploitation.
- Attack Vector: N/A (Service disruption)
## Impact
- Confidentiality: Not explicitly mentioned, but operational impact is high.
- Integrity: Not explicitly mentioned.
- Availability: High impact on the availability of newly provisioned Azure VMs under specific configurations.
## Remediation
### Patches
- **KB5064489 (Out-of-Band Update):** This update fixes the kernel initialization issue preventing the VMs from launching.
  - For Windows 11 24H2 and Windows Server 2025.
  - Existing Windows Server 2025 VM images have been updated to include this fix.
### Workarounds
- Install KB5064489 instead of the July 8th KB5062553 Patch Tuesday update if impacted.
- **Prevention:** Use the Trusted Launch security feature when creating VMs to prevent this issue.
## Detection
- **Symptoms:** VMs created under the affected configuration fail to launch.
- **Detection Method (to confirm whether the bug impacts an environment):**
  1. Check if the VM is created as "Standard".
  2. Check if VBS is enabled (open `msinfo32.exe` and confirm Virtualization-based security is running).
  3. Confirm the Hyper-V role is *not* installed inside the VM.
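The three checks above, scripted for an elevated PowerShell session inside a guest (an added example, not code from Microsoft or the original article). `Test-VbsLaunchBugExposure` and its `-SecurityType` parameter are hypothetical names; the security type is supplied by the operator from the VM's Azure properties, and the 26100.4656 build threshold is taken from the KB5064489 link under References.

```powershell
# Added example; Test-VbsLaunchBugExposure is a hypothetical helper name.
# Run elevated inside the guest (Get-WindowsOptionalFeature requires it).
function Test-VbsLaunchBugExposure {
    param(
        # Step 1: security type from the VM's Azure properties, operator-supplied.
        [Parameter(Mandatory)][string]$SecurityType
    )

    # Step 2: Win32_DeviceGuard status 0 = VBS not enabled,
    # 1 = enabled but not running, 2 = enabled and running (as msinfo32 shows).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName 'Win32_DeviceGuard' -ErrorAction Stop
    $vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)

    # Step 3: Hyper-V role state inside the guest.
    $hv = Get-WindowsOptionalFeature -Online -FeatureName 'Microsoft-Hyper-V' `
        -ErrorAction SilentlyContinue
    $hyperVInstalled = ($null -ne $hv -and $hv.State -eq 'Enabled')

    # Patch level: Windows 11 24H2 and Windows Server 2025 share build 26100.
    # Updates are cumulative, so revision >= 4656 (the KB5064489 build)
    # already carries the fix even if a later update superseded that KB.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $affectedOs = ([int]$cv.CurrentBuildNumber -eq 26100)
    $hasFix = $affectedOs -and ([int]$cv.UBR -ge 4656)

    # All three configuration conditions from the detection steps must hold.
    $matchesConfig = ($SecurityType -eq 'Standard') -and $vbsRunning -and
                     (-not $hyperVInstalled)

    [pscustomobject]@{
        SecurityType    = $SecurityType
        VbsRunning      = $vbsRunning
        HyperVInstalled = $hyperVInstalled
        OsBuild         = '{0}.{1}' -f $cv.CurrentBuildNumber, $cv.UBR
        AffectedOsBuild = $affectedOs
        HasFix          = $hasFix
        MatchesConfig   = $matchesConfig
        Exposed         = $affectedOs -and $matchesConfig -and (-not $hasFix)
    }
}

# Example call for a VM shown as "Standard" in its Azure properties.
Test-VbsLaunchBugExposure -SecurityType 'Standard' | Format-List
```

Because affected VMs never boot, run this on an existing VM or image built from the same configuration you plan to deploy; `Exposed = True` means new VMs from that configuration should get KB5064489 or be created with Trusted Launch.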
## References
- Vendor Advisories:
  - KB5064489 Support Link: support.microsoft.com/en-us/topic/july-13-2025-kb5064489-os-build-26100-4656-out-of-band-14a82ab2-100f-4dd4-8141-f490ec90c8f4
  - Windows Server 2025 VM Images Update: support.microsoft.com/en-us/topic/windows-server-images-for-july-2025-82d24d8c-7932-4886-876d-79c962b8f345#id0ebbbbd=2025
  - Trusted Launch Documentation: learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch-portal?tabs=portal%2Cportal3%2Cportal2