runtimeterror/content/posts/psa-microsoft-kb5022842-breaks-ws2022-secure-boot/index.md

---
title: "PSA: Microsoft's KB5022842 breaks Windows Server 2022 VMs with Secure Boot"
date: 2023-02-17T12:24:48-06:00
lastmod: 2023-02-21
description: "Quick warning about a problematic patch from Microsoft, and a PowerCLI script to expose the potential impact in your vSphere environment."
featured: false
draft: false
toc: true
usePageBundles: true
codeLineNumbers: false
series: Tips
tags:
  - vmware
  - powershell
  - windows
  - powercli
comments: true
---

{{% notice note "Fix available" %}}
VMware has released a fix for this problem in the form of ESXi 7.0 Update 3k:

> If you already face the issue, after patching the host to ESXi 7.0 Update 3k, just power on the affected Windows Server 2022 VMs. After you patch a host to ESXi 7.0 Update 3k, you can migrate a running Windows Server 2022 VM from a host of version earlier than ESXi 7.0 Update 3k, install KB5022842, and the VM boots properly without any additional steps required.
{{% /notice %}}

Microsoft released a patch this week for Windows Server 2022 that might cause some big problems in VMware environments. Per VMware's KB90947:

> After installing Windows Server 2022 update KB5022842 (OS Build 20348.1547), guest OS can not boot up when virtual machine(s) configured with secure boot enabled running on vSphere ESXi 6.7 U2/U3 or vSphere ESXi 7.0.x.
>
> Currently there is no resolution for virtual machines running on vSphere ESXi 6.7 U2/U3 and vSphere ESXi 7.0.x. However the issue doesn't exist with virtual machines running on vSphere ESXi 8.0.x.

So yeah. That's, uh, not great.

If you've got any Windows Server 2022 VMs with Secure Boot enabled on ESXi 6.7/7.x, you'll want to make sure they do not get KB5022842 until this problem is resolved.

I put together a quick PowerCLI query to help identify impacted VMs in my environment:

```powershell
# torchlight! {"lineNumbers": true}
# Walk every datacenter in the connected vCenter and keep only VMs whose guest
# reports Windows Server 2022 AND whose EFI Secure Boot option is enabled.
$secureBoot2022VMs = foreach($datacenter in (Get-Datacenter)) {
  $datacenter | Get-VM |
    Where-Object {$_.Guest.OsFullName -Match 'Microsoft Windows Server 2022' -And $_.ExtensionData.Config.BootOptions.EfiSecureBootEnabled} |
      Select-Object @{N="Datacenter";E={$datacenter.Name}},
        Name,
        @{N="Running OS";E={$_.Guest.OsFullName}},
        @{N="Secure Boot";E={$_.ExtensionData.Config.BootOptions.EfiSecureBootEnabled}},
        PowerState
}
# Dump the list to CSV so it can be handed to whoever manages Windows patching.
$secureBoot2022VMs | Export-Csv -NoTypeInformation -Path ./secureBoot2022VMs.csv
```
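The query above tells you which VMs *could* be hit. The following extension, added here as an example and not part of the original post or VMware's own tooling, also records the ESXi host version and build for each VM (per KB90947, hosts on 8.0.x are unaffected, and 7.0 Update 3k carries the fix, so those can be ruled out by comparing the build against the release notes) and optionally asks each running guest through VMware Tools whether KB5022842 is already installed. It assumes an active `Connect-VIServer` session; the `$guestCred` variable and the `Host At Risk` / `KB5022842 Installed` column names are my own assumptions.

```powershell
# Added example, not from the original post. Assumes Connect-VIServer has
# already been run. $guestCred is a hypothetical variable: set it with
# Get-Credential (a local admin on the guests) to enable the in-guest check,
# leave it $null to skip that step and just report host/VM details.
$kb        = 'KB5022842'
$guestCred = $null

$report = foreach ($datacenter in (Get-Datacenter)) {
  $vms = $datacenter | Get-VM |
    Where-Object {
      $_.Guest.OsFullName -match 'Microsoft Windows Server 2022' -and
      $_.ExtensionData.Config.BootOptions.EfiSecureBootEnabled
    }

  foreach ($vm in $vms) {
    # Note: $host is a reserved automatic variable in PowerShell, so use $esxHost.
    $esxHost = $vm.VMHost

    # KB90947 scopes the problem to ESXi 6.7 U2/U3 and 7.0.x. A 7.0 host that is
    # already on Update 3k still reports version 7.0.x, so compare the
    # 'ESXi Build' column against the 7.0 Update 3k build from VMware's release
    # notes before treating a 7.0 host as at risk.
    $atRisk = ($esxHost.Version -like '6.7*') -or ($esxHost.Version -like '7.0*')

    # Optional in-guest check via VMware Tools: has the update landed already?
    $kbInstalled = 'not checked'
    if ($guestCred -and $vm.PowerState -eq 'PoweredOn' -and $vm.Guest.State -eq 'Running') {
      try {
        $result = Invoke-VMScript -VM $vm -GuestCredential $guestCred -ScriptType PowerShell `
          -ScriptText "if (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) { 'yes' } else { 'no' }"
        $kbInstalled = $result.ScriptOutput.Trim()
      } catch {
        $kbInstalled = "error: $($_.Exception.Message)"
      }
    }

    [PSCustomObject]@{
      Datacenter        = $datacenter.Name
      Name              = $vm.Name
      'Running OS'      = $vm.Guest.OsFullName
      'Secure Boot'     = $vm.ExtensionData.Config.BootOptions.EfiSecureBootEnabled
      PowerState        = $vm.PowerState
      Host              = $esxHost.Name
      'ESXi Version'    = $esxHost.Version
      'ESXi Build'      = $esxHost.Build
      'Host At Risk'    = $atRisk
      "$kb Installed"   = $kbInstalled
    }
  }
}

# At-risk hosts first, so the VMs that need a patch hold (or an urgent host
# upgrade) are at the top of the list.
$report | Sort-Object @{E='Host At Risk'; Descending=$true}, Datacenter, Name | Format-Table -AutoSize
$report | Export-Csv -NoTypeInformation -Path ./secureBoot2022VMs-detail.csv
```

A VM that shows `Host At Risk = True` with `KB5022842 Installed = no` is the one to put on a patch hold; one that already shows `yes` and is still powered on should not be rebooted until its host is moved to 8.0.x or patched to 7.0 Update 3k.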

Be careful out there!