Hyper-V Guest VMs Freezing or Restarting Unexpectedly — 2025 Emergency Update Required

Indicators

• Hyper-V guest VM freezes without any user action, administrator-initiated maintenance, or scheduled event
• Hyper-V guest VM restarts unexpectedly — no shutdown event in guest System log initiated by user or admin
• Event ID 41 (Kernel-Power) — unexpected/dirty shutdown — appears in guest VM System event log
• Event ID 1074 — unexpected restart — visible in guest VM System event log around the time of the incident
• BugCheck events visible in guest VM System event log around the time of freeze or restart
• Hyper-V Manager shows guest VMs in 'Saved', 'Paused', or error/unknown state with no operator action
• Hyper-V-Worker or Hyper-V-VMMS logs on the host contain error or critical events coinciding with guest freeze/restart timestamps
• Issue is reproducible or more frequent in Azure confidential VM configurations

Likely causes

• A defect introduced in Hyper-V or its guest integration components prior to the 2025 emergency update causes VM instability — particularly under confidential VM configurations — leading to freeze or unexpected restart conditions
• Interaction between the Hyper-V hypervisor and Windows 10/11 or Windows Server guest OS components in confidential compute environments triggers abnormal termination or hang states in affected guest VMs

Diagnostic steps

1. On the affected guest VM, open Event Viewer and navigate to Windows Logs > System. Filter for Event ID 41 (Kernel-Power), Event ID 1074, and BugCheck events. Note the timestamps of each occurrence and correlate with reported freeze or restart times.
   Confirms the VM is experiencing unplanned restarts or freeze-induced crashes and establishes timestamps for correlation with host-side logs. BugCheck entries may indicate crash-induced restarts distinct from a clean reboot.
2. On the Hyper-V host, open Hyper-V Manager or run the following in an elevated PowerShell session: `Get-VM | Select Name, State, Status` — identify any VMs listed in a Saved, Paused, or error/unknown state that were not placed there by an operator.
   Determines which guest VMs are currently affected and whether the host is reporting error conditions against them.
3. On the Hyper-V host, open Event Viewer and navigate to Applications and Services Logs > Microsoft > Windows > Hyper-V-Worker and Hyper-V-VMMS. Filter for Error and Critical level events. Cross-reference timestamps with the guest VM freeze/restart events identified in Step 1.
   Provides host-side evidence of Hyper-V component failures causing guest instability and confirms the root cause is hypervisor-layer rather than guest OS-layer.
4. Check whether the 2025 Microsoft emergency update for the Hyper-V VM freeze/restart issue has been applied on both the host and each affected guest VM. Run on each system: `Get-HotFix | Sort-Object InstalledOn -Descending | Select -First 20` — cross-reference the KB number from the Microsoft advisory against Windows Update history or the Microsoft Update Catalog.
   Confirms whether the emergency patch is missing — this is the known and documented remediation for this issue.
5. Determine whether any affected guest VMs are configured as Azure confidential VMs. Check the VM configuration in Hyper-V Manager (Security tab for shielded/confidential settings) or the Azure portal under the VM's configuration blade for confidential compute settings.
   Assesses risk level — Microsoft's advisory specifically identifies confidential VM configurations as elevated-impact and these must be prioritised for immediate patching.
6. If the emergency update has been applied and issues persist, attempt uninstall via Settings > Windows Update > Update History > Uninstall Updates, or run from an elevated prompt: `wusa /uninstall /kb:<KB_NUMBER>` — then reboot. Re-engage Microsoft support or monitor for a superseding update if the freeze/restart issue returns post-rollback.
   Provides a structured rollback path if the emergency update itself causes instability, minimising downtime while awaiting a superseding fix.
7. After patching, confirm the emergency update shows status 'Successfully installed' in Windows Update history on each guest VM (Settings > Windows Update > Update History or `Get-HotFix`).
   Verifies patch installation completed successfully before closing the incident.

Resolution path

• 1. If any guest VMs are currently frozen or unresponsive: force-reset them from the Hyper-V host using PowerShell — `Stop-VM -Name '<VMName>' -Force; Start-VM -Name '<VMName>'` — or via Hyper-V Manager (right-click VM > Reset) to restore immediate availability. This is a temporary measure only.
• 2. Obtain the 2025 Microsoft emergency update via Windows Update, Microsoft Update Catalog, or WSUS. Apply the patch to the Hyper-V host first, then to all affected Windows 10/11 and Windows Server guest VMs.
• 3. Schedule a maintenance window and restart all patched guest VMs to ensure the fix takes full effect. Prioritise Azure confidential VMs as the highest-risk group per Microsoft's advisory.
• 4. For Azure confidential VM configurations, review the specific Microsoft security advisory for any additional remediation steps or configuration changes required beyond applying the base emergency update.
• 5. After all hosts and guests are patched and restarted, monitor the Hyper-V-Worker and Hyper-V-VMMS event logs on the host and the System event log on guests for a minimum of 24–48 hours to confirm resolution.

Prevention

• Maintain a consistent and prompt Windows Update patching cadence for both Hyper-V hosts and all guest VMs — emergency updates for Hyper-V components must not be deferred, as deferral directly prolongs exposure to this class of instability.
• Enable automatic Windows Updates on all Hyper-V guest VMs to ensure emergency and critical patches are applied promptly without manual intervention.
• Configure proactive alerting on Hyper-V-Worker and Hyper-V-VMMS event logs (Error and Critical level) using Windows Admin Center, SCOM, or a SIEM — early detection of host-side Hyper-V errors allows intervention before guest VMs experience full freeze or restart.
• Subscribe to Microsoft Security Update Guide notifications and Azure Service Health alerts for Hyper-V and confidential compute to receive early warning of known VM stability issues before they impact production workloads.
• Before deploying Azure confidential VM configurations, verify that all relevant host and guest patches are fully current — Microsoft has identified confidential compute environments as an elevated-risk scenario for this class of Hyper-V defect.

Tools

• Hyper-V Manager (GUI management of Hyper-V hosts and VMs — checking VM state, forcing reset)
• Windows Update / Microsoft Update Catalog / WSUS (obtaining and applying the 2025 emergency patch)
• PowerShell Get-VM (listing current state of all guest VMs on host)
• PowerShell Get-HotFix (verifying which hotfixes are installed on host and guests)
• PowerShell Stop-VM / Start-VM (forcing a reset of a frozen guest VM)
• Windows Event Viewer — Hyper-V-Worker and Hyper-V-VMMS logs (host-side diagnostics)
• Windows Event Viewer — System log on guest VM (Event ID 41 / 1074 / BugCheck — guest-side freeze/restart diagnostics)
• wusa.exe (Windows Update Standalone Installer — manual KB install and rollback via /uninstall /kb:<KB_NUMBER>)
• wmic qfe (enumerate installed hotfixes/patches as an alternative to Get-HotFix)

References

• BleepingComputer: Microsoft releases emergency update for Hyper-V VM freeze and restart issues (2025)