Microsoft has released an urgent out-of-band (OOB) update KB5064489, for Windows 11, bringing the operating system to OS Build 26100.4656 as of July 13, 2025.
This cumulative update addresses critical virtualization issues and includes security improvements from the previous July 8, 2025, security update (KB5062553), while also delivering an important warning about upcoming Secure Boot certificate expiration.
Critical Azure VM Fix Addresses Boot Issues
The primary focus of this OOB update centers on resolving a significant issue affecting Azure Virtual Machines with Trusted Launch disabled.
The problem prevented certain virtual machines from starting when Virtualization-Based Security (VBS) was enabled, specifically impacting VMs using the non-default version 8.0 configuration where VBS was offered by the host environment.
This critical fix particularly affects standard (non-Trusted Launch) General Enterprise (GE) VMs running on older VM SKUs within Microsoft’s Azure cloud platform.
The root cause was identified as a secure kernel initialization issue that disrupted the boot process for affected virtual machines.
System administrators managing Azure deployments should prioritize this update to ensure continued VM functionality and prevent potential service disruptions.
Secure Boot Certificate Expiration Warning
Microsoft has issued a crucial advisory regarding Windows Secure Boot certificates used by most Windows devices, which are scheduled to expire starting in June 2026.
This expiration could significantly impact the ability of both personal and business devices to boot securely if certificates are not updated in advance.
The company strongly recommends that IT administrators and users review the guidance documentation titled “Windows Secure Boot certificate expiration and CA updates” to understand the preparation steps required.
Proactive certificate management will be essential to avoid widespread boot failures across Windows deployments when the expiration date approaches.
Installation and Servicing Stack Updates
The update package combines the latest Servicing Stack Update (SSU) KB5063666 with version 26100.4651, ensuring robust and reliable servicing stack functionality for future Windows updates.
This combined approach streamlines the update process while maintaining system stability.
Installation is available through multiple channels, including Windows Update, Business Catalog, and Server Update Services.
For enterprise environments requiring update removal, administrators can use the DISM/Remove-Package command line option with the LCU package name as the argument.
However, the Windows Update Standalone Installer (wusa.exe) with the /uninstall switch will not work on the combined package due to SSU integration.
Microsoft reports no known issues with this update, making it a safe deployment for production environments.
The cumulative nature ensures that all previous security fixes and improvements remain intact while addressing the critical virtualization problems identified in Azure environments.
Find this Story Interesting! Follow us on Google News, LinkedIn, and X to Get More Instant updates
%20(1).webp?resize=1600,900&ssl=1&description=This cumulative update addresses critical virtualization issues and includes security improvements from the previous July 8, 2025, security update (KB5062553),){kind=link}