[German]VMware released VMware ESXi 7.0 U3k on Feb. 21, 2023, to address the Secure Boot issue of VMs. The background was that with the Feb. 14, 2023 patchday, an installed security update (KB5022842) for Windows Server 2022 prevented virtual machines under certain ESXi versions from Secure Boot. The workaround was to disable Secure Boot. A fix is now available for VMware ESXi 7.x – other scenarios with this flaw continue to wait for a patch and must continue to operate without Secure Boot.
Review: The ESXi Feb. 2023 Patchday Bug
Security update KB5022842 released on February 14, 2023 for Windows Server 2022 resulted in virtual machines under various ESXi versions subsequently failing to boot after a reboot. Either the system drives were no longer found or the VMs triggered a Secure Boot error when booting.
Disabling Secure Boot helps – Microsoft and VMware have confirmed this error. In the VMware support article Virtual Machine with Windows Server 2022 KB5022842 (OS Build 20348.1547) configured with secure boot enabled not booting up (90947) the error is confirmed:
Currently there is no resolution for virtual machines running on vSphere ESXi 6.7 U2/U3 and vSphere ESXi 7.0.x.
However the issue doesn't exist with virtual machines running on vSphere ESXi 8.0.x. vSphere ESXi 6.7 is End of general Support.
Uninstalling the KB5022842 update no longer helps because a DBX entry is corrupted. If the virtual machine has been updated, the only option is to move to vSphere ESXi 8.0.x. or disable Secure Boot. I had addressed the issue in the blog post Windows Server 2022: February 2023 Patchday and the ESXi VM Secure Boot Issue.
Fix by VMware ESXi 7.0 U3k
As of February 21, 2023, VMware has released ESXi 7.0 U3k to fix the issue on this platform. There is nothing on Microsoft yet, but in the VMware support article Virtual Machine with Windows Server 2022 KB5022842 (OS Build 20348.1547) configured with secure boot enabled not booting up (90947) there is the entry:
This issue is resolved in VMware ESXi 7.0 U3k, released on February 21st 2023.
At this point many thanks to blog readers Christoph von Wittich for this comment, to Simon for the link in the comment and to Roman W. for his mail "ESXi 7 Patch for Windows Server 2022 UEFI Secure Boot Problem KB5022842" – would have slipped through my fingers otherwise. The release notes for VMware ESXi 7.0 U3k state:
This patch updates the following issue:
After you install Windows update KB5022842 in Windows Server 2022 virtual machines that use UEFI Secure Boot, such VMs might fail to boot. The Windows update package delivers a new form of digital signature on the EFI bootloader, which UEFI Secure Boot incorrectly rejects. As a result, virtual machines might fail to locate a bootable operating system and not boot.
This issue is resolved in this release. If you already face the issue, after patching the host to ESXi 7.0 Update 3k, just power on the affected Windows Server 2022 VMs. After you patch a host to ESXi 7.0 Update 3k, you can migrate a running Windows Server 2022 VM from a host of version earlier than ESXi 7.0 Update 3k, install KB5022842, and the VM boots properly without any additional steps required.
So at least some affected people are out of trouble with a patch and can enable Secure Boot again in the VMs after the patch.
Where the fix does not help
At this point, a brief side note that the fix by VMware unfortunately only brings some of those affected "back to the start". As VMware says:
vSphere ESXi 6.7 is End of general Support
In addition, I pointed out cases in the blog post Windows Server 2022 Feb. 2023 Patchday: Secure Boot issues also on bare metal systems! where the Secure Boot error caused by the security update KB5022842 also occurs. Secure Boot must remain disabled here.
Microsoft Security Update Summary (February 14, 2023)
Patchday: Windows 10 Updates (February 14, 2023)
Patchday: Windows 11/Server 2022 Updates (February 14, 2023)
Windows 7/Server 2008 R2; Server 2012 R2: Updates (February 14, 2023)
Exchange Server Security Updates (February 14, 2023)
Confirmed: Secure Boot DBX Update KB5012170 causes installation trouble (Error 0x800F0922)
Microsoft's February 2023 Patchday: Incorrect updates in WSUS, Exchange and Windows
Windows Server 2022: February 2023 Patchday and the ESXi VM Secure Boot Issue
Windows Server 2022 Feb. 2023 Patchday: Secure Boot issues also on bare metal systems!
Cookies helps to fund this blog: Cookie settings