With the security update KB5022842 released on February 14, 2023 for Windows Server 2022, a problem can occur during the second restart. Machines can subsequently no longer start after a reboot and either can no longer find their system drives, or they trigger a Secure Boot error. I had already described this effect for virtual machines running on VMware ESXi. Now I have a report that concerns a Windows Server 2022 system running directly on hardware (bare metal). A search revealed that other users are affected. Disabling Secure Boot helps – Microsoft and VMware have now partially confirmed this bug (for VMware ESXi).
Confirmed: Secure Boot error on ESXi
After the release of the February 14, 2023 security update KB5022842 for Windows Server 2022, a number of administrators came forward complaining of boot issues with virtual machines. I had already addressed the issue in the blog post Windows Server 2022: February 2023 Patchday and the ESXi VM Secure Boot Issue.
User #1: My template Win 2022 VM does not boot up after the update once you turn it off.
User #2: Windows Server 2022 with Secure Boot / VBS enabled in VMware is having problems after the Feb. update and will not boot.
Windows Boot Manager reported a "Security Violation" or Secure Boot error as shown in the following screenshot. Only with Secure Boot turned off can the virtual machine boot again.
Microsoft has confirmed this bug in the support article Windows Server 2022 might not start up in the Windows Server 2022 Health Status section under Known Issues. VMware has also published a support article Virtual Machine with Windows Server 2022 KB5022842 (OS Build 20348.1547) configured with secure boot enabled not booting up (90947). The support article was last updated on Feb 19, 2022.
The cause is said to be an outdated ESXi version (vSphere ESXi 6.7 U2/U3 or vSphere ESXi 7.0.x), and VMware provides updated builds of the respective ESXi versions as updates. I gather from VMware's support post that there is a bug in the DBX files for Secure Boot, which reminds me of the 2022 DBX update (see Confirmed: Secure Boot DBX Update KB5012170 causes installation trouble (Error 0x800F0922)).
Secure Boot error on bare metal machines
I had actually considered the topic closed with the article above. But over the weekend Lutz S. contacted me in a private message on Facebook and reported his particular experience with a Windows server running without virtualization.
Hello Günter,
a small piece of information for Sunday noon. It is about your blog post "Windows Server 2022: Februar 2023-Patchday und das ESXi VM-Secure Boot-Problem" from Feb 16.
I am running a Server 2022, version 21H2, on bare metal, a DELL Precision WorkStation 5810 – so not virtualized.
I had applied the February updates on the evening of Feb. 16, 2023. The necessary reboot of the server went without a hitch. Earlier I had upgraded SSMS (SQL Server Management Studio) on the server to the latest version, which required a reboot of the server.
And now I also stepped into the "Secure Boot trap" (see screenshot). Again, disabling Secure Boot in the BIOS helped temporarily.
Maybe you can ask the readers if others on "pure metal" also have the problem?
Then MS would have a much bigger issue than only with the VMs.
Many greetings
Lutz
Thanks to Lutz for the information – and with this blog post, I'm passing the question along to the readership: are there any others affected who ran into Secure Boot issues after installing the Feb. 2023 security update KB5022842, following the second or a later restart?
More reports
I found at least one thread on reddit.com titled Careful! Server 2022 Secure Boot problems NOT restricted to just VMware. An administrator wrote:
Just a heads-up: Contrary to chatter on the Internet and Microsoft's own patch notes, I have now confirmed the Secure Boot problem caused by KB5022842 (the February 2023 update for Windows Server 2022) also affects installations other than on VMware.
I have two machines that are running Server 2022 on bare metal, and that are now refusing to boot due to Secure Boot failure. Other machines appear to be unaffected. The two in question boot after Secure Boot is disabled. Both happen to be older desktop-class computers used for software testing purposes, but I wouldn't put money on this problem only affecting non-server class hardware. (HP EliteDesk 800 G2 Mini, Lenovo M93p Tiny; confirmed that both have the latest firmware available.)
As others have noted, the problem only shows itself on the second reboot after KB5022842 is installed.
Be careful! I'd be willing to bet that this problem affects a lot more machines than is currently being reported. Might be worth pre-emptive testing to ensure a panic doesn't ensue if Server 2022 machines need to be restarted in the course of business before this problem is fixed.
So Lutz is not an isolated case, and the problem can affect every Windows Server 2022 installation, as several posters on reddit.com also confirm.
The boundary conditions are still unclear – my guess is a problem with DBX entries, where a signature is no longer correct (compare also the articles about DBX problems in the following link list).
The thread starter wrote that older server hardware used for tests (HP EliteDesk 800 G2 Mini, Lenovo M93p Tiny), albeit with the current firmware version, is affected. I also saw a report about an HPE DL580 Gen9 that is out of support. One of the affected users writes that one of three Dell servers, but all HPE servers, were affected.
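A pre-emptive check of the kind the reddit poster recommends, as an added PowerShell example that is not from the original post, from Microsoft or from the reddit thread: it reports whether a Windows Server 2022 host has KB5022842 installed with Secure Boot enabled, and fingerprints the firmware DBX variable so administrators can compare affected and unaffected machines. The KB number and OS build 20348.1547 are taken from the post; the function name is my own, and the DBX hash is only a comparison fingerprint (no known-good value is implied).

```powershell
# Added example, not from the blog post: report whether this host is in the
# state described as at risk (KB5022842 installed, Secure Boot on) and
# fingerprint the DBX (forbidden-signatures database). Run elevated.
function Get-SecureBootRiskReport {
    [CmdletBinding()]
    param(
        [string]$KbId = 'KB5022842',        # update named in the post
        [string]$AffectedBuild = '20348.1547' # OS build from the VMware KB title
    )

    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $ubr = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR
    $build = "$($os.BuildNumber).$ubr"

    # Confirm-SecureBootUEFI throws on legacy BIOS systems; treat that as "not UEFI".
    try   { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $null }

    # Caveat: Get-HotFix reads Win32_QuickFixEngineering, which may omit a
    # cumulative update once a later one has superseded it.
    $kbInstalled = [bool](Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)

    # SHA-256 of the raw DBX bytes: equal hashes mean identical DBX content,
    # which lets you compare a booting host with one that failed Secure Boot.
    $dbxHash = $null
    if ($null -ne $secureBoot) {
        try {
            $dbx = Get-SecureBootUEFI -Name dbx
            $sha = [System.Security.Cryptography.SHA256]::Create()
            $dbxHash = ($sha.ComputeHash($dbx.Bytes) |
                        ForEach-Object { $_.ToString('x2') }) -join ''
        } catch { $dbxHash = 'unreadable' }
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        OSBuild      = $build
        BuildMatches = ($build -eq $AffectedBuild)
        KBInstalled  = $kbInstalled
        SecureBootOn = $secureBoot
        DbxSha256    = $dbxHash
        # At risk = patched with KB5022842 and Secure Boot still enforced.
        AtRisk       = ($kbInstalled -and ($secureBoot -eq $true))
    }
}

Get-SecureBootRiskReport | Format-List
```

Run it before the next scheduled restart of each Server 2022 host; a host reporting AtRisk = True is one where the second reboot described above has not yet been tested.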
Similar articles:
Microsoft Security Update Summary (February 14, 2023)
Patchday: Windows 10 Updates (February 14, 2023)
Patchday: Windows 11/Server 2022 Updates (February 14, 2023)
Windows 7/Server 2008 R2; Server 2012 R2: Updates (February 14, 2023)
Patchday: Microsoft Office Updates (February 14, 2023)
Exchange Server Security Updates (February 14, 2023)
Windows Server 2022: February 2023 Patchday and the ESXi VM Secure Boot Issue
Windows Server 2022: VMware ESXi 7.0 U3k Patch for Secure Boot Issue (Update KB5022842, Feb. 2023)
Confirmed: Secure Boot DBX Update KB5012170 causes installation trouble (Error 0x800F0922)
I have also encountered the issue – PowerEdge T430. Turning off Secure Boot in the BIOS, as with the VMs, seems to resolve it.
Our other PowerEdge with 2022 installed on bare metal isn't affected, so it's clearly not all machines.
HPE DL20 Gen9 bare metal, had to disable Secure Boot.
We have also encountered this issue with multiple Lenovo systems, and disabling Secure Boot appears to be a valid solution. This is a mild annoyance, and hopefully Microsoft and the OEMs will come up with a fix.
Also hit this on bare metal Dell R430. Super.
T630 also affected… The March update that fixes the issue was the second reboot after the Feb update that caused the issue… and it didn't "fix" until after the reboot… so the Feb update rebooted fine but put in the time bomb so that the next reboot wouldn't work; the March update rebooted and blew up 9 servers. I disabled Secure Boot and Windows booted and finished the install of the March patch, rebooted and re-enabled Secure Boot… now all is good. What a mess.
R730 affected