azure-local/security-update/security-update.md
Lines changed: 29 additions & 5 deletions
@@ -3,7 +3,7 @@ title: Security updates for Azure Local
3
3
description: Security updates for Azure Local.
4
4
author: alkohli
5
5
ms.topic: conceptual
6
-
ms.date: 07/08/2025
6
+
ms.date: 07/11/2025
7
7
ms.author: alkohli
8
8
ms.reviewer: alkohli
9
9
---
@@ -42,7 +42,9 @@ This security update includes quality improvements. Below is a summary of the ke
42
42
43
43
-**[Performance]** Fixed: This update addresses an issue that prevented the complete removal of unused language packs and Feature on Demand packages, which previously led to unnecessary storage use and longer Windows Update installation times.
44
44
45
-
-**[Security]** Fixed: This update upgrades the curl tool in Windows to version 8.13.0 to help protect against potential security risks, including unauthorized access to data or service disruptions.
45
+
-**[Security]** Fixed: This update upgrades the curl tool in Windows to version 8.13.0 to help protect against potential security risks, including unauthorized access to data or service disruptions.
46
+
47
+
-**[Microsoft RPC Netlogon protocol]** Fixed: This update includes a security hardening change to the Microsoft RPC Netlogon protocol. This change improves security by tightening access checks for a set of remote procedure call (RPC) requests. After this update is installed, Active Directory domain controllers will no longer allow anonymous clients to invoke some RPC requests through the Netlogon RPC server. These requests are typically related to domain controller location. Certain file and print service software can be affected, including Samba. If your organization uses Samba, please refer to the [Samba release notes](https://www.samba.org/samba/history/samba-4.22.3.html).
46
48
47
49
For more information about security vulnerabilities, see the [Security Update Guide](https://portal.msrc.microsoft.com/security-guidance) and the [July 2025 Security Updates](https://msrc.microsoft.com/update-guide/releaseNote/2025-July).
48
50
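Review bot: The new Netlogon bullet says domain controllers will no longer allow anonymous clients to invoke "some RPC requests", but it gives an administrator nothing to act on beyond the Samba link: it does not say what failure an affected file or print service would show, or which Samba versions are affected. Consider adding one sentence on the expected symptom and on the Samba version that carries the fix, or stating that the linked 4.22.3 release notes cover both. The label "[Microsoft RPC Netlogon protocol]" also departs from the category-style labels on the neighbouring bullets ("[Performance]", "[Security]"), and "Fixed:" reads oddly for a hardening change that alters behaviour rather than repairing a defect. Separately, the curl bullet at line 45 is removed and re-added with identical visible text, so please confirm the whitespace-only change is intended.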
@@ -79,13 +81,35 @@ For more information about security vulnerabilities, see the [Security Update Gu
79
81
80
82
## Known issues
81
83
82
-
The following is a known issue with this update.
84
+
The following are known issues with this update:
85
+
86
+
### Azure Local VM with Trusted Launch disabled
87
+
88
+
**Symptom**
89
+
90
+
A small subset of Generation 2 Azure Virtual Machines (VMs) with Trusted Launch disabled and Virtualization-Based Security (VBS) enforced via registry key might be unable to boot after installing this update.
91
+
92
+
To check if your virtual machine might be impacted:
93
+
94
+
1. Check if your VM is created as "Standard".
95
+
96
+
1. Check the VM version by checking the registry key **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization**, and confirming the **CurrentVmVersion** value is listed as **8.0**.
83
97
84
-
### Symptom
98
+
1. Check if VBS is enabled. Open **System Information** (msinfo32.exe) and confirm that Virtualization-based security is running and that the Hyper-V role is not installed in the VM.
99
+
100
+
**Workaround**
101
+
102
+
To mitigate this issue, enable Trusted Launch. Trusted Launch is [required for VMs running Windows 11](/windows/whats-new/windows-11-requirements).
103
+
104
+
Microsoft is working to release an out-of-band update via the [Microsoft Update Catalog](https://catalog.update.microsoft.com/home.aspx) to resolve this issue in the coming days. If your VM configuration is impacted by this issue, we recommend installing the upcoming out-of-band update instead of this update. More information will be provided when it is available.
105
+
106
+
### Windows Secure Boot certificate expiration and CA updates
107
+
108
+
**Symptom**
85
109
86
110
Secure Boot certificates used by most Windows devices are set to expire starting in June 2026. This might affect the ability of certain personal and business devices to boot securely if not updated in time.
87
111
88
-
### Workaround
112
+
**Workaround**
89
113
90
114
To avoid disruption, we recommend reviewing the guidance and taking action to update certificates in advance. For details and preparation steps, see [Windows Secure Boot certificate expiration and CA updates](https://support.microsoft.com/en-us/topic/windows-secure-boot-certificate-expiration-and-ca-updates-7ff40d33-95dc-4c3c-8725-a9b95457578e).
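Review bot: In the new "Azure Local VM with Trusted Launch disabled" section, the three numbered checks do not say whether a VM is affected only when all three hold, and step 1 ('Check if your VM is created as "Standard"') does not say where that value is shown. Suggest introducing the list with wording such as "A VM might be impacted if all of the following are true" and naming the tool or view used for step 1. Step 3 is titled "Check if VBS is enabled" but also requires that the Hyper-V role is not installed, which is a separate condition and would be clearer as its own step. The symptom text says "Generation 2 Azure Virtual Machines" while the heading says "Azure Local VM", so pick one term. The workaround says to enable Trusted Launch but links only to the Windows 11 requirements page; a link to the enablement procedure would make it actionable. "In the coming days" will go stale once published, so consider a dated statement, and add the out-of-band update identifier when it is available.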