February 2023 Windows 2022 update prevents Secure Boot enabled VMs from booting on ESXi 7 and below

UPDATE: VMware has issued a patch for ESX 7.0. This will address the issue and the MS patch can be safely deployed to VMs on updated hosts.

I’ve kept the information below to help you assess impact to your environment and provide mitigation information if upgrading hosts is not immediately possible.

Solution:

Install ESXi 7.0U3k on hosts – https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-70u3k-release-notes.html

If you already have VMs that will not boot you can migrate them to a host running 7.0 U3k and then boot them up.

Conditions where this will impact you (all must be true):

  1. VM OS is Windows 2022
  2. Secure Boot is enabled
  3. ESXi host is running a version prior to 7.0U3k
    1. Note: ESX v6.x and prior versions are no longer supported. v6.7 is now listed in the VMware KB as being impacted by this. I do not expect a patch for 6.x.

Current workarounds (choose one):

  1. Disable Secure Boot on impacted VMs
  2. Upgrade ESXi host to v8 or v7.0U3k
  3. Prevent the installation of February 14 2023 Patch (MS KB5022842).
    1. This is not recommended long term. Only a temporary delay is prudent.

NOTE: Uninstalling KB5022842 will NOT resolve the boot issue. You must disable Secure Boot or upgrade the host to return the VM to an operational state.

Links:

MS KB (KB5022842): https://support.microsoft.com/en-gb/topic/february-14-2023-kb5022842-os-build-20348-1547-be155955-29f7-47c4-855c-34bd43895940

VMware KB (90947): https://kb.vmware.com/s/article/90947

VMware 7.0 U3k release notes: https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-70u3k-release-notes.html

Code Samples:

William Lam – Get & Set SecureBoot functions: https://github.com/vmware/PowerCLI-Example-Scripts/blob/master/Scripts/SecureBoot.ps1

As shown in William Lam’s code, Secure Boot is exposed on a PowerCLI VM object within the ExtensionData property:

$testVM = Get-VM <VMNAME>

$testVM.ExtensionData.Config.BootOptions.EfiSecureBootEnabled

This will return True if Secure Boot is enabled. Use this as a starting point if you would like to scan your environment with PowerShell. You can further limit your search using the Guest.OSFullName property of the VM for 2022. Note that if the VM has hardware version <18, the OS value for Windows 2022 may read “…2016 or later…”, so refine your search terms as necessary.
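The following PowerCLI script is an added example (not code from the original post or from William Lam's script) that puts the conditions above together: it lists VMs that have Secure Boot enabled, report a Windows 2022 guest (or the "2016 or later" label seen on older hardware versions), and sit on a host below 7.0 U3k, and it provides a function for workaround 1. It assumes an existing Connect-VIServer session, and the $FixedBuild value is a placeholder you must take from the linked 7.0 U3k release notes.

```powershell
# Added example, not from the original post or William Lam's script.
# Assumes PowerCLI is loaded and Connect-VIServer has already been run.

# PLACEHOLDER: set this to the ESXi 7.0 U3k build number from the release notes.
$FixedBuild = 0

# HW version 18+ reports "Windows Server 2022"; older VMs may show "...2016 or later".
$GuestPattern = 'Windows Server 2022|2016 or later'

function Test-HostFixed {
    param($VMHost)
    # 8.x hosts are not affected; 7.x hosts need the U3k build; 6.x gets no patch.
    $major = [int]$VMHost.Version.Split('.')[0]
    if ($major -ge 8) { return $true }
    if ($major -eq 7 -and [int]$VMHost.Build -ge $FixedBuild) { return $true }
    return $false
}

function Get-ImpactedVM {
    if ($FixedBuild -le 0) { throw 'Set $FixedBuild from the 7.0 U3k release notes first.' }
    Get-VM | Where-Object {
        $_.ExtensionData.Config.BootOptions.EfiSecureBootEnabled -eq $true -and
        # Guest.OSFullName needs VMware Tools data; a VM that never booted may lack it,
        # so also check the configured guest type.
        ($_.Guest.OSFullName -match $GuestPattern -or
         $_.ExtensionData.Config.GuestFullName -match $GuestPattern) -and
        -not (Test-HostFixed $_.VMHost)
    } | ForEach-Object {
        [pscustomobject]@{
            VM          = $_.Name
            PowerState  = $_.PowerState
            GuestOS     = $_.ExtensionData.Config.GuestFullName
            HWVersion   = $_.ExtensionData.Config.Version
            Host        = $_.VMHost.Name
            HostVersion = "$($_.VMHost.Version) build $($_.VMHost.Build)"
        }
    }
}

function Disable-VMSecureBoot {
    # Workaround 1: turn Secure Boot off. The VM must be powered off to reconfigure.
    param([Parameter(Mandatory)]$VM)
    if ($VM.PowerState -ne 'PoweredOff') { throw "$($VM.Name) must be powered off first." }
    $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
    $spec.BootOptions = New-Object VMware.Vim.VirtualMachineBootOptions
    $spec.BootOptions.EfiSecureBootEnabled = $false
    $VM.ExtensionData.ReconfigVM($spec)
}

# Report first; apply the workaround only to VMs you have chosen not to move to a fixed host:
Get-ImpactedVM | Format-Table -AutoSize
# Get-VM -Name (Get-ImpactedVM).VM | Where-Object PowerState -eq 'PoweredOff' | ForEach-Object { Disable-VMSecureBoot $_ }
```

Re-enable Secure Boot once the host is on 7.0 U3k or later, since the workaround only removes the boot failure, not the reason Secure Boot was on.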

Changelog:

2/21/23

  • Added Solution section.
  • Updated header synopsis.
  • Updated conditions and workarounds to include 7.0U3k and 6.7 information.
  • Added 7.0 U3k release notes to links section
