More Patch Tuesday troubles ensue as Secure Boot breaks on VMware leading to boot fails

While Patch Tuesdays are meant to provide security updates for various Windows SKUs, they often bring trouble with them. Hot on the heels of of the WSUS upgrade botch that has led to failed Patch Tuesday update delivery on Windows 11 22H2 devices, a new issue has hit Windows Server 2022 wherein virtual machines with the KB5022842 Patch Tuesday update are failing to boot up. The issue has been identified to be associated with Secure Boot.

In an advisory published earlier today, VMware has explained the symptoms of the issue so you can identify it.

Symptoms

After installing Windows Server 2022 update KB5022842 (OS Build 20348.1547), guest OS can not boot up when virtual machine(s) configured with secure boot enabled running on vSphere ESXi 6.7 U2/U3 or vSphere ESXi 7.0.x.

In VM vmware.log, there is ‘Image DENIED’ info like the below:

 2023-02-15T05:34:31.379Z In(05) vcpu-0 - SECUREBOOT: Signature: 0 in db, 0 in dbx, 1 unrecognized, 0 unsupported alg. 2023-02-15T05:34:31.379Z In(05) vcpu-0 - Hash: 0 in db, 0 in dbx. 2023-02-15T05:34:31.379Z In(05) vcpu-0 - SECUREBOOT: Image DENIED.

To identify the location of vmware.log files:

  1. Establish an SSH session to your host. For ESXi hosts
  2. Log in to the ESXi Host CLI using root account.
  3. To list the locations of the configuration files for the virtual machines registered on the host, run the below command:
     #vim-cmd vmsvc/getallvms | grep -i "VM_Name"

  4. The vmware.log file is located in virtual machine folder along with the vmx file.
  5. Record the location of the .vmx configuration file for the virtual machine you are troubleshooting. For example:
     /vmfs/volumes/xxxxxxxx-xxxxxxx-c1d2-111122223333/vm1/vm1.vmx /vmfs/volumes/xxxxxxxx-xxxxxxx-c1d2-111122223333/vm1/vmware.log

Unfortunately, the issue has no fix at the moment though a workaround does exist which involves upgrading to the vSphere ESXi version 8.0:

Resolution

Currently there is no resolution for virtual machines running on vSphere ESXi 6.7 U2/U3 and vSphere ESXi 7.0.x. However the issue doesn"t exist with virtual machines running on vSphere ESXi 8.0.x.

Workaround

There are three methods to avoid this issue

  1. Upgrade the ESXi Host where the virtual machine in question is running to vSphere ESXi 8.0
  2. Disable "Secure Boot" on the VMs.
  3. Do not install the KB5022842 patch on any Windows 2022 Server virtual machine until the issue is resolved.

You may find more details about the issue on the VMware"s support article here.


Many thanks for the tip Squuiid!

Report a problem with article
Next Article

WindowsBlinds 11 can give Windows a classic XP or macOS look, now available on Steam

Previous Article

71% users upvoted AI-powered responses by the new Bing in its first week, here's what's next