Dear Ritesh Sharma,
Based on your observations, the discrepancy appears to be linked to the Virtualization-Based Security (VBS) status. While VBS is marked as "enabled" on all devices, only those where VBS is actively running are successfully receiving and applying Hotpatch updates. This behavior is expected, as Hotpatching relies on VBS to maintain memory integrity and isolate patch operations without requiring a reboot.
Here are a few steps to help ensure VBS is fully operational and Hotpatch services are correctly initialized:
1. Verify VBS Runtime Status: Use System Information or PowerShell (Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard) to confirm that VBS is not only enabled but actively running. Devices upgraded from earlier Windows versions may retain legacy configurations that prevent VBS from initializing properly.
2. Review Group Policy and Registry Settings: Ensure that VBS is explicitly enabled via Group Policy (Turn on Virtualization Based Security) and that the required registry keys (e.g., EnableVirtualizationBasedSecurity) are correctly set. You can find configuration guidance in this technical guide.
3. Check Hardware Compatibility and BIOS Settings: Confirm that virtualization features (e.g., Intel VT-x or AMD-V) are enabled in BIOS/UEFI and that Secure Boot is active. These are prerequisites for VBS to run.
4. Validate Hotpatch Service Configuration: The Hotpatch service (HotpatchManager) should be running and set to Automatic. If it is not present or is inactive, ensure the device meets the licensing and edition requirements (e.g., Windows 11 Enterprise E3/E5).
5. Apply the Latest Updates: Microsoft has released updates such as KB5059442 to address VBS-related issues in Windows 11 24H2. Installing these may resolve underlying compatibility problems.
I hope this helps. Please tick Accept Answer so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.
Best regards,
Domic Vo
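The following PowerShell script is an added example and is not part of the answer above; it collects, in one read-only pass, the prerequisites the answer lists (VBS runtime state versus policy, registry value, hypervisor and Secure Boot, the Hotpatch service, edition, and the named KB) so that "enabled" and "running" devices can be told apart. The service name HotpatchManager and the KB number are taken from the answer as given; if the service does not exist on a particular build, the script reports that instead of failing. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original answer): read-only check of VBS/Hotpatch prerequisites.
# Assumption: the service name 'HotpatchManager' and KB5059442 come from the answer above;
# an absent service or KB is reported as a finding rather than treated as an error.

$report = [ordered]@{}

# 1. VBS runtime state. Win32_DeviceGuard lives in its own CIM namespace, not root\cimv2.
#    VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running.
#    SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity).
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$vbsText = @{ 0 = 'not enabled'; 1 = 'enabled but NOT running'; 2 = 'running' }
$report['VBS status']              = $vbsText[[int]$dg.VirtualizationBasedSecurityStatus]
$report['VBS configured services'] = ($dg.SecurityServicesConfigured -join ',')
$report['VBS running services']    = ($dg.SecurityServicesRunning -join ',')
$report['HVCI running']            = [bool](2 -in $dg.SecurityServicesRunning)

# 2. The registry value the answer names (1 = VBS enabled by policy).
$dgKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$reg   = Get-ItemProperty -Path $dgKey -ErrorAction SilentlyContinue
$report['EnableVirtualizationBasedSecurity'] = if ($null -ne $reg.EnableVirtualizationBasedSecurity) {
    $reg.EnableVirtualizationBasedSecurity
} else { '(not set)' }

# 3. Firmware prerequisites: a hypervisor must be loaded (VT-x/AMD-V exposed) and Secure Boot on.
$ci = Get-ComputerInfo -Property HyperVisorPresent, HyperVRequirementVirtualizationFirmwareEnabled, OsBuildNumber
$report['Hypervisor present'] = [bool]$ci.HyperVisorPresent
# The HyperVRequirement* fields are null once a hypervisor is running; only read them when it is not.
if (-not $ci.HyperVisorPresent) {
    $report['Virtualization enabled in firmware'] = $ci.HyperVRequirementVirtualizationFirmwareEnabled
}
try   { $report['Secure Boot'] = Confirm-SecureBootUEFI }
catch { $report['Secure Boot'] = 'unavailable (legacy BIOS boot or not elevated)' }

# 4. Hotpatch service and edition/licensing prerequisites.
$svc = Get-Service -Name 'HotpatchManager' -ErrorAction SilentlyContinue
$report['HotpatchManager service'] = if ($svc) {
    "$($svc.Status), start type $($svc.StartType)"
} else { '(service not present on this build)' }
$ver = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$report['Edition / version'] = "$($ver.EditionID) $($ver.DisplayVersion) build $($ci.OsBuildNumber)"

# 5. Is the VBS fix the answer mentions installed? Get-HotFix returns nothing if it is not.
$report['KB5059442 installed'] = [bool](Get-HotFix -Id KB5059442 -ErrorAction SilentlyContinue)

# A device showing 'enabled but NOT running' here is the failure mode the answer describes:
# policy is set, but the hypervisor never started VBS, so hotpatch updates are not applied.
$report.GetEnumerator() | Format-Table -AutoSize
```

The useful comparison is between "EnableVirtualizationBasedSecurity" (what policy asks for) and "VBS status" (what the hypervisor actually started); a fleet query can wrap this in Invoke-Command and filter on devices where the first is 1 but the second is not "running".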