virtuallypotato/content/posts/psa-microsoft-kb5022842-breaks-ws2022-secure-boot/index.md

2.8 KiB

title date description featured draft toc usePageBundles codeLineNumbers series tags comment
PSA: Microsoft's KB5022842 breaks Windows Server 2022 VMs with Secure Boot 2023-02-17T12:24:48-06:00 Quick warning about a problematic patch from Microsoft, and a PowerCLI script to expose the potential impact in your vSphere environment. false false true true false Tips
vmware
powershell
windows
powercli
true

Microsoft released a patch this week for Windows Server 2022 that might cause some big problems in VMware environments. Per VMware's KB90947:

After installing Windows Server 2022 update KB5022842 (OS Build 20348.1547), guest OS can not boot up when virtual machine(s) configured with secure boot enabled running on vSphere ESXi 6.7 U2/U3 or vSphere ESXi 7.0.x.

Currently there is no resolution for virtual machines running on vSphere ESXi 6.7 U2/U3 and vSphere ESXi 7.0.x. However the issue doesn't exist with virtual machines running on vSphere ESXi 8.0.x.

So yeah. That's, uh, not great.

If you've got any Windows Server 2022 VMs with Secure Boot enabled on ESXi 6.7/7.x, you'll want to make sure they do not get KB5022842 until this problem is resolved.

I put together a quick PowerCLI query to help identify impacted VMs in my environment:

$secureBoot2022VMs = foreach($datacenter in (Get-Datacenter)) {
  $datacenter | Get-VM |
    Where {$_.Guest.OsFullName -Match 'Microsoft Windows Server 2022' -And $_.ExtensionData.Config.BootOptions.EfiSecureBootEnabled} |
      Select @{N="Datacenter";E={$datacenter.Name}},
        Name, @{N="Running OS";E={$_.Guest.OsFullName}},
        @{N="Secure Boot";E={$_.ExtensionData.Config.BootOptions.EfiSecureBootEnabled}},
        PowerState
}
$secureBoot2022VMs | Export-Csv -NoTypeInformation -Path ./secureBoot2022VMs.csv

Be careful out there!