2 min read

VMware ESXi 7.0 U3k Patch for Secure Boot Issue (KB5022842, Feb. 2023 update)

ait-admin : Mar 1, 2023 1:33:23 PM

IT vmware virtualization machine boot windows server virtual secure

VMware ESXi 7.0 U3k Patch for Secure Boot Issue (KB5022842, Feb. 2023 update)

VMware has released VMware ESXi 7.0 U3k patch on 21 February 2023 to address the Secure Boot issue of VMs.

The Impact:

The real world impact of this issue is that a scheduled (or unscheduled) rebooted of a Windows 2022 VM goes from a brief disruption to a full blown outage requiring human trouble shooting and resolution before systems can be brought back online.

Background:

Feb. 14, 2023 Patch day - after installing Windows Server 2022 update KB5022842 (OS Build 20348.1547), guest OS can not boot up when virtual machine(s) configured with secure boot enabled running on vSphere ESXi 6.7 U2/U3 or vSphere ESXi 7.0.x.

See VMware log below:

2023-02-15T05:34:31.379Z In(05) vcpu-0 - SECUREBOOT: Signature: 0 in db, 0 in dbx, 1 unrecognized, 0 unsupported alg.
2023-02-15T05:34:31.379Z In(05) vcpu-0 - Hash: 0 in db, 0 in dbx.
2023-02-15T05:34:31.379Z In(05) vcpu-0 - SECUREBOOT: Image DENIED.

To identify the location of vmware.log files:

Establish an SSH session to your host. For ESXi hosts
Log in to the ESXi Host CLI using root account.
To list the locations of the configuration files for the virtual machines registered on the host, run the below command:

#vim-cmd vmsvc/getallvms | grep -i "VM_Name"

The vmware.log file is located in virtual machine folder along with the vmx file.
Record the location of the .vmx configuration file for the virtual machine you are troubleshooting. For example:

/vmfs/volumes/xxxxxxxx-xxxxxxx-c1d2-111122223333/vm1/vm1.vmx
/vmfs/volumes/xxxxxxxx-xxxxxxx-c1d2-111122223333/vm1/vmware.log

The Fix: VMware ESXi 7.0 U3k

This issue is resolved in VMware ESXi 7.0 U3k, released on February 21st 2023.

Notes:

Virtual machines running on any version of vSphere ESXi 8.0.x are not impacted by this issue
vSphere ESXi 6.7 is End of general Support. For more information, see The End of General Support for vSphere 6.5 and vSphere 6.7 is October 15, 2022.

If you already face the issue, after patching the host to ESXi 7.0 Update 3k, just power on the affected Windows Server 2022 VMs. After you patch a host to ESXi 7.0 Update 3k, you can migrate a running Windows Server 2022 VM from a host of version earlier than ESXi 7.0 Update 3k, install KB5022842, and the VM boots properly without any additional steps required

VMware Workaround:

As per the information above, this is resolved in VMware ESXi 7.0U3k and VMware ESXi 8.x is not impacted. VMware recommends upgrading to resolve or avoid this issue.

If upgrading is not possible at this time, there are two methods to avoid this issue

Disable "Secure Boot" on the VMs.
Do not install the KB5022842 patch on any Windows 2022 Server virtual machine until the issue is resolved.

See the Microsoft article for details on the updates within the patch release

To disable virtual machine "Secure Boot "option, please follow the below steps:

Power off the VM.
Right-click the virtual machine and click Edit Settings.
Click the VM Options tab.
Under Boot Option, uncheck the "Secure Boot enabled"

Additional Support:

If you are having problems fixing this issue or other VMware issues, the first 5 responders who fill out the form below will receive their first hour of consultation free. andersenIT, a certified VMware Partner, helps organisations in managing their VMware environment and addressing critical issues like the one cited above.

Source: https://kb.vmware.com/s/article/90947