VMware has released a vSphere ESXi update to address a known issue causing some Windows Server 2022 virtual machines to no longer boot after installing this month’s KB5022842 update.
Microsoft first acknowledged the issue on Thursday when the company said it only impacts VMs with Secure Boot enabled and running on vSphere ESXi 6.7 U2/U3 or vSphere ESXi 7.0.x.
Although Redmond says that only VMware ESXi VMs are affected, some Windows admin reports hint at other hypervisor platforms (including bare metal) being impacted by similar boot problems after deploying this month’s updates.
“The Windows update package delivers a new form of digital signature on the EFI bootloader, which UEFI Secure Boot incorrectly rejects. As a result, virtual machines might fail to locate a bootable operating system and not boot,” VMware explained today.
VMware released ESXi 7.0 Update 3к, which resolves this known issue and will allow admins to revive affected VMs that were no longer booting.
“If you already face the issue, after patching the host to ESXi 7.0 Update 3k, just power on the affected Windows Server 2022 VMs,” VMware says.
“After you patch a host to ESXi 7.0 Update 3k, you can migrate a running Windows Server 2022 VM from a host of version earlier than ESXi 7.0 Update 3k, install KB5022842, and the VM boots properly without any additional steps required.”
Workaround also available
VMware also provides multiple temporary workarounds for admins with affected hosts who can’t immediately deploy today’s update.
To do that, admins can take one of the following measures:
- Upgrade the ESXi Host where the virtual machine in question is running to vSphere ESXi 8.0
- Disable “Secure Boot” on the VMs.
- Do not install the KB5022842 patch on any Windows 2022 Server virtual machine until the issue is resolved.
The Secure Boot option can also be disabled for each VM as a temporary fix using the following procedure:
- Power off the VM.
- Right-click the virtual machine and click Edit Settings.
- Click the VM Options tab.
- Under Boot Option, uncheck the “Secure Boot enabled“
Unfortunately, if you’ve already installed the KB5022842 Windows Server 2022 cumulative update, uninstalling it will not resolve the issue. The only solution is to upgrade to ESXi 7.0 Update 3k or disable Secure Boot.
Microsoft is also working on addressing a known issue causing WSUS servers upgraded to Windows Server 2022 to fail to push February 2022 Windows 11 22H2 updates to clients.