VMware released the VMware ESXi 7.0 U3k patch on 21 February 2023 to address the Secure Boot issue affecting VMs.
The Impact:
The real-world impact of this issue is that a scheduled (or unscheduled) reboot of a Windows Server 2022 VM goes from a brief disruption to a full-blown outage requiring human troubleshooting and resolution before systems can be brought back online.
Background:
Feb. 14, 2023 Patch day: after installing Windows Server 2022 update KB5022842 (OS Build 20348.1547), the guest OS cannot boot when the virtual machine is configured with Secure Boot enabled and runs on vSphere ESXi 6.7 U2/U3 or vSphere ESXi 7.0.x.
See the vmware.log excerpt below:
- 2023-02-15T05:34:31.379Z In(05) vcpu-0 - SECUREBOOT: Signature: 0 in db, 0 in dbx, 1 unrecognized, 0 unsupported alg.
- 2023-02-15T05:34:31.379Z In(05) vcpu-0 - Hash: 0 in db, 0 in dbx.
- 2023-02-15T05:34:31.379Z In(05) vcpu-0 - SECUREBOOT: Image DENIED.
To identify the location of the vmware.log file:
- Establish an SSH session to your ESXi host.
- Log in to the ESXi host CLI using the root account.
- To list the locations of the configuration files for the virtual machines registered on the host, run the command below:
# vim-cmd vmsvc/getallvms | grep -i "VM_Name"
- The vmware.log file is located in the virtual machine's folder alongside the .vmx file.
- Record the location of the .vmx configuration file for the virtual machine you are troubleshooting. For example:
/vmfs/volumes/xxxxxxxx-xxxxxxx-c1d2-111122223333/vm1/vm1.vmx
/vmfs/volumes/xxxxxxxx-xxxxxxx-c1d2-111122223333/vm1/vmware.log
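The steps above are manual and per-VM. The script below is an added example (not from the original post and not VMware's own tooling) that automates the same check on an ESXi host: it turns each "[datastore] folder/name.vmx" entry from vim-cmd vmsvc/getallvms into the vmware.log and .vmx paths, classifies the log by the SECUREBOOT lines quoted above (distinguishing "unrecognized" from "in dbx"), and reports whether the .vmx still has Secure Boot switched on. It assumes datastores are reachable under /vmfs/volumes/<datastore name> (a symlink to the UUID directory shown above), that vmware.log sits beside the .vmx, and that the .vmx stores Secure Boot as uefi.secureBoot.enabled = "TRUE". The function names and the sample inventory text are constructed for this example; the sample log lines are the ones quoted in the post.

```shell
#!/bin/sh
# Added example (not from the original post or from VMware): walk the VMs that
# `vim-cmd vmsvc/getallvms` lists on an ESXi host, derive each one's vmware.log
# and .vmx path, and classify the Secure Boot outcome from the quoted log lines.
# Assumptions: /vmfs/volumes/<datastore name> resolves to the datastore (it is a
# symlink to the UUID directory), vmware.log sits beside the .vmx, and the .vmx
# records Secure Boot as uefi.secureBoot.enabled = "TRUE".

# "[datastore1] vm1/vm1.vmx" -> /vmfs/volumes/datastore1/vm1/vm1.vmx
# Datastore and folder names may contain spaces, so only the first "] " splits.
ds_to_abs() {
    case $1 in "["*"] "*) ;; *) return 1 ;; esac
    ds=${1#"["}; ds=${ds%%"]"*}
    printf '/vmfs/volumes/%s/%s\n' "$ds" "${1#*"] "}"
}

# Same input -> path of the vmware.log next to that .vmx
vmx_to_log() {
    abs=$(ds_to_abs "$1") || return 1
    printf '%s/vmware.log\n' "$(dirname "$abs")"
}

# Exit 0 when the .vmx has Secure Boot switched on (the flag the workaround unchecks)
vmx_secureboot_enabled() {
    grep -iq '^uefi\.secureBoot\.enabled *= *"TRUE"' "$1"
}

# Classify a vmware.log: ok | denied-revoked | denied-unrecognized | denied
#   denied-revoked      -> signature is in dbx (forbidden); not what the post shows
#   denied-unrecognized -> signature in neither db nor dbx; matches the post's lines
secureboot_verdict() {
    log=$1
    grep -q 'SECUREBOOT: Image DENIED' "$log" || { echo ok; return 0; }
    if grep -q 'SECUREBOOT: Signature:.* [1-9][0-9]* in dbx' "$log"; then
        echo denied-revoked
    elif grep -q 'SECUREBOOT: Signature:.* [1-9][0-9]* unrecognized' "$log"; then
        echo denied-unrecognized
    else
        echo denied
    fi
}

# Read getallvms output on stdin; print "<verdict> secureboot=<on|off|unknown> <log>"
# per VM. Usage on a host:  vim-cmd vmsvc/getallvms | check_all_vms
check_all_vms() {
    while IFS= read -r line; do
        # File column looks like "[ds] folder/name.vmx"; the header row has no "["
        ref=$(printf '%s\n' "$line" | sed -n 's/^[^[]*\(\[[^]]*] .*\.vmx\).*$/\1/p')
        [ -n "$ref" ] || continue
        vmx=$(ds_to_abs "$ref") || continue
        log=$(vmx_to_log "$ref") || continue
        if [ -r "$vmx" ] && vmx_secureboot_enabled "$vmx"; then sb=on
        elif [ -r "$vmx" ]; then sb=off
        else sb=unknown
        fi
        if [ -r "$log" ]; then verdict=$(secureboot_verdict "$log"); else verdict=no-log; fi
        printf '%s secureboot=%s %s\n' "$verdict" "$sb" "$log"
    done
}

# Constructed inventory sample (not captured from a real host)
SAMPLE_GETALLVMS='Vmid   Name   File                          Guest OS                 Version   Annotation
1      vm1    [datastore1] vm1/vm1.vmx      windows2019srv_64Guest   vmx-19
2      web2   [ssd ds] web 02/web 02.vmx    windows2019srv_64Guest   vmx-19'
# The three log lines quoted in the post
SAMPLE_LOG='2023-02-15T05:34:31.379Z In(05) vcpu-0 - SECUREBOOT: Signature: 0 in db, 0 in dbx, 1 unrecognized, 0 unsupported alg.
2023-02-15T05:34:31.379Z In(05) vcpu-0 - Hash: 0 in db, 0 in dbx.
2023-02-15T05:34:31.379Z In(05) vcpu-0 - SECUREBOOT: Image DENIED.'

# Offline demonstration: classify the quoted log excerpt
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_LOG" > "$tmp"
    verdict=$(secureboot_verdict "$tmp")
    rm -f "$tmp"
    printf '%s\n' "$verdict"
}

demo
printf '%s\n' "$SAMPLE_GETALLVMS" | check_all_vms
```

On a host the useful invocation is `vim-cmd vmsvc/getallvms | check_all_vms`; a line reading `denied-unrecognized secureboot=on ...` is the exact condition described in this post, while `denied-revoked` would point at a dbx (forbidden signature) entry, which is a different situation from the one the patch addresses.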
The Fix: VMware ESXi 7.0 U3k
This issue is resolved in VMware ESXi 7.0 U3k, released on February 21st 2023.
Notes:
- Virtual machines running on any version of vSphere ESXi 8.0.x are not impacted by this issue.
- vSphere ESXi 6.7 has reached End of General Support. For more information, see "The End of General Support for vSphere 6.5 and vSphere 6.7 is October 15, 2022".
VMware Workaround:
As noted above, this issue is resolved in VMware ESXi 7.0 U3k, and VMware ESXi 8.x is not impacted. VMware recommends upgrading to resolve or avoid this issue.
If upgrading is not possible at this time, there are two ways to avoid this issue:
- Disable "Secure Boot" on the VMs.
- Do not install the KB5022842 patch on any Windows Server 2022 virtual machine until the issue is resolved.
To disable the virtual machine "Secure Boot" option, follow the steps below:
- Power off the VM.
- Right-click the virtual machine and click Edit Settings.
- Click the VM Options tab.
- Under Boot Options, uncheck "Secure Boot enabled".