  • More Patch Tuesday troubles ensue as Secure Boot breaks on VMware leading to boot fails


    Karlston

    • 817 views
    • 3 minutes

    While Patch Tuesdays are meant to provide security updates for various Windows SKUs, they often bring trouble with them. Hot on the heels of the WSUS upgrade botch that has led to failed Patch Tuesday update delivery on Windows 11 22H2 devices, a new issue has hit Windows Server 2022 wherein virtual machines with the KB5022842 Patch Tuesday update are failing to boot up. The issue has been identified as being associated with Secure Boot.

     

    In an advisory published earlier today, VMware has explained the symptoms of the issue so you can identify it.

     

    Symptoms

     

    After installing Windows Server 2022 update KB5022842 (OS Build 20348.1547), the guest OS cannot boot up when the virtual machine(s) are configured with Secure Boot enabled and running on vSphere ESXi 6.7 U2/U3 or vSphere ESXi 7.0.x.

    In VM vmware.log, there is ‘Image DENIED’ info like the below:

    2023-02-15T05:34:31.379Z In(05) vcpu-0 - SECUREBOOT: Signature: 0 in db, 0 in dbx, 1 unrecognized, 0 unsupported alg.
    2023-02-15T05:34:31.379Z In(05) vcpu-0 - Hash: 0 in db, 0 in dbx.
    2023-02-15T05:34:31.379Z In(05) vcpu-0 - SECUREBOOT: Image DENIED.

    To identify the location of vmware.log files:

     

    1. Establish an SSH session to your host. For ESXi hosts
    2. Log in to the ESXi Host CLI using the root account.
    3. To list the locations of the configuration files for the virtual machines registered on the host, run the below command:
      #vim-cmd vmsvc/getallvms | grep -i "VM_Name"

       

    4. The vmware.log file is located in the virtual machine folder along with the .vmx file.
    5. Record the location of the .vmx configuration file for the virtual machine you are troubleshooting. For example:
      /vmfs/volumes/xxxxxxxx-xxxxxxx-c1d2-111122223333/vm1/vm1.vmx
      /vmfs/volumes/xxxxxxxx-xxxxxxx-c1d2-111122223333/vm1/vmware.log
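
To check a vmware.log for the symptom above without reading it by hand, the following added example (not part of VMware's advisory or the original article) pairs each `SECUREBOOT: Image DENIED` line with the signature counts logged just before it. The function names, output format and verdict labels are assumptions made for this example, and it assumes a POSIX `awk` is available where it runs.

```shell
#!/bin/sh
# Added example, not from VMware's advisory or the article.
# secureboot_denials [vmware.log ...]  (reads stdin when no file is given)
# Prints one line per "SECUREBOOT: Image DENIED" event with the counts from the
# preceding "SECUREBOOT: Signature:" line. Returns 0 if any denial was found.
# The verdict labels are hypothetical names chosen for this example.
secureboot_denials() {
    awk '
    # Pull the integer in front of a phrase such as "in dbx"; -1 if absent.
    function count(line, re,    s) {
        if (match(line, re)) {
            s = substr(line, RSTART, RLENGTH)
            sub(/ .*/, "", s)
            return s + 0
        }
        return -1
    }
    BEGIN { db = dbx = unrec = -1 }
    /SECUREBOOT: Signature:/ {
        db    = count($0, "[0-9]+ in db,")
        dbx   = count($0, "[0-9]+ in dbx")
        unrec = count($0, "[0-9]+ unrecognized")
        next
    }
    /SECUREBOOT: Image DENIED/ {
        # Pattern from the advisory: nothing in db or dbx, signature unrecognized.
        verdict = (db == 0 && dbx == 0 && unrec > 0) ? "unrecognized-signature" : "other"
        printf "%s db=%d dbx=%d unrecognized=%d %s\n", $1, db, dbx, unrec, verdict
        denied++
        db = dbx = unrec = -1   # do not reuse counts for a later event
    }
    END { exit (denied ? 0 : 1) }
    ' "$@"
}

# Sample input: the first line is constructed; the other three are the excerpt
# quoted on this page.
sample_log() {
    cat <<'EOF'
2023-02-15T05:34:30.102Z In(05) vcpu-0 - constructed filler line for this example
2023-02-15T05:34:31.379Z In(05) vcpu-0 - SECUREBOOT: Signature: 0 in db, 0 in dbx, 1 unrecognized, 0 unsupported alg.
2023-02-15T05:34:31.379Z In(05) vcpu-0 - Hash: 0 in db, 0 in dbx.
2023-02-15T05:34:31.379Z In(05) vcpu-0 - SECUREBOOT: Image DENIED.
EOF
}

sample_log | secureboot_denials
```

To check a real virtual machine, pass the vmware.log path recorded in step 5 as the argument; the exit status is 0 only when at least one denial is present, so the function can be used in a loop over several VM folders.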

     

    Unfortunately, the issue has no fix at the moment, though a workaround does exist, which involves upgrading to vSphere ESXi version 8.0:

     

    Resolution

     

    Currently, there is no resolution for virtual machines running on vSphere ESXi 6.7 U2/U3 and vSphere ESXi 7.0.x. However, the issue doesn't exist with virtual machines running on vSphere ESXi 8.0.x.

     

    Workaround

     

    There are three methods to avoid this issue

     

    1. Upgrade the ESXi Host where the virtual machine in question is running to vSphere ESXi 8.0
    2. Disable "Secure Boot" on the VMs.
    3. Do not install the KB5022842 patch on any Windows 2022 Server virtual machine until the issue is resolved.

     

    You may find more details about the issue in VMware's support article here.

     


     

    Many thanks for the tip Squuiid!

     

     
