Windows Server 2022: VM crash with KB5022842 (solutions)

A wave of panic among system administrators: the February 2023 update KB5022842 crashes Windows Server 2022 virtual machines running on VMware ESXi. These virtual machines simply no longer start correctly.

According to the feedback, this concerns the following environments:

  • VMware ESXi 6.7 U2, ESXi 6.7 U3 and ESXi 7.0.x virtualization server (all sub-versions)
  • VM OS: Windows Server 2022 (Standard and Datacenter)
  • Secure Boot enabled in the VM

This does not seem to affect VMs running on Hyper-V, other versions of Windows Server (2019, 2016), or WS22 VMs where Secure Boot is not enabled in the VM's BIOS.

A common problem between VMware and Microsoft

From VMware:

After installing Windows Server 2022 update KB5022842 (OS Build 20348.1547), guest OS can not boot up when virtual machine(s) configured with secure boot enabled running on vSphere ESXi 6.7 U2/U3 or vSphere ESXi 7.0.x.

Currently there is no resolution for virtual machines running on vSphere ESXi 6.7 U2/U3 and vSphere ESXi 7.0.x. However the issue doesn’t exist with virtual machines running on vSphere ESXi 8.0.x.

From Microsoft:

After installing this update on guest virtual machines (VMs) running Windows Server 2022 on some versions of VMware ESXi, Windows Server 2022 might not start up. Only Windows Server 2022 VMs with Secure Boot enabled are affected by this issue. Affected versions of VMware ESXi are versions vSphere ESXi 7.0.x and below.

Solutions for KB5022842 and Windows Server 2022

Although there is currently no fix for this update, VMware and Microsoft recommend one of the following actions.

1. Disable Secure Boot on the VMs in question.

2. Migrate to VMware ESXi 8.0 (provided your hardware is compatible and you have a license).

3. Restore the operating system / uninstall KB5022842 / do not install KB5022842. Unfortunately, this does not seem sufficient if the update has already been installed.

Now is also not the time to upgrade from Windows Server 2019 or 2016 to 2022 in view of current issues on Microsoft’s newest server OS.

VMware patch

The virtualization solution vendor has released a patch for its ESXi 7.0 hypervisor. This “Update 3k” should correct the problem encountered with Microsoft’s fix.

The Windows update package delivers a new form of digital signature on the EFI bootloader, which UEFI Secure Boot incorrectly rejects. As a result, virtual machines might fail to locate a bootable operating system and not boot.

The solution proposed by VMware is as follows:

  1. Patch the host to VMware ESXi 7.0 Update 3k ESXi70U3k – 21313628 (or migrate to 8.0).
  2. Install KB5022842.

Windows Server 2022 VMs should boot correctly without any changes to the UEFI BIOS and Secure Boot.

There is still no patch for ESXi 6.7, which will surely never receive one since its life cycle is over.
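
Before rolling out KB5022842, the conditions described above (Windows Server guest, Secure Boot enabled, ESXi host older than 7.0 Update 3k build 21313628) can be checked across a whole inventory. The PowerCLI script below is an added example, not code from VMware, Microsoft or the original article; it assumes VMware PowerCLI with an active Connect-VIServer session, and the function name Test-EsxiAffected and the "Server 2022" name match are illustrative assumptions.

```powershell
# Added example (not from the article). Requires VMware PowerCLI and an
# active Connect-VIServer session. Read-only: it changes no VM or host setting.
$FixedBuild70 = 21313628   # ESXi 7.0 Update 3k build number, as cited in the article

# Hypothetical helper: is this ESXi release exposed to the boot failure?
function Test-EsxiAffected {
    param([string]$Version, [string]$Build)
    $major = ([version]$Version).Major
    if ($major -ge 8) { return $false }                          # 8.0.x: issue does not exist
    if ($major -eq 7) { return ([int]$Build -lt $FixedBuild70) } # 7.0.x older than Update 3k
    return $true                                                 # 6.7 and below: no patch available
}

Get-VM | ForEach-Object {
    $cfg = $_.ExtensionData.Config
    $esx = $_.VMHost
    # Assumption: Server 2022 is recognised by the configured guest OS name or
    # the name reported by VMware Tools; older hosts may label it differently
    # (for example "Windows Server 2016 or later"), so both names are shown.
    $osName = @($cfg.GuestFullName, $_.Guest.OSFullName) -join ' | '
    [pscustomobject]@{
        VM           = $_.Name
        GuestOS      = $osName
        Looks2022    = $osName -match 'Server 2022'
        SecureBoot   = ($cfg.Firmware -eq 'efi') -and [bool]$cfg.BootOptions.EfiSecureBootEnabled
        Host         = $esx.Name
        EsxiVersion  = $esx.Version
        EsxiBuild    = $esx.Build
        HostAffected = Test-EsxiAffected -Version $esx.Version -Build $esx.Build
    }
} |
    # Keep only Windows Server guests with Secure Boot on a host that is still exposed
    Where-Object { $_.SecureBoot -and $_.HostAffected -and $_.GuestOS -match 'Windows Server' } |
    Sort-Object Host, VM |
    Format-Table -AutoSize
```

VMs listed with Looks2022 set to True are the ones to hold back from KB5022842 until their host is patched or one of the workarounds above is applied; rows where it is False should be checked by hand, since the guest OS label may simply be out of date.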

Disable Secure Boot on an ESXi VM

1. Open the VMware console and shut down the virtual machine in question.

2. Right-click the VM and choose "Modify the parameters" / "Edit Settings":

3. Go to "Options VM" / "VM Options":

4. In "Boot Option", uncheck "Secure Boot enabled" and confirm with "OK".
