Virtual Machine with Windows Server 2022 KB5022842 (OS Build 20348.1547) configured with secure boot enabled not booting up

Article ID: 318609

Products

VMware vSphere ESXi

Issue/Introduction

Symptoms:

After the Windows Server 2022 update KB5022842 (OS Build 20348.1547) has been installed, virtual machines running on vSphere ESXi 6.7 U2/U3 or vSphere ESXi 7.0.x that have secure boot enabled may experience difficulty in booting up the guest operating system.

The vmware.log of the virtual machine contains the following errors:

2023-02-15T05:34:31.379Z In(05) vcpu-0 - SECUREBOOT: Signature: 0 in db, 0 in dbx, 1 unrecognized, 0 unsupported alg.
2023-02-15T05:34:31.379Z In(05) vcpu-0 - Hash: 0 in db, 0 in dbx.
2023-02-15T05:34:31.379Z In(05) vcpu-0 - SECUREBOOT: Image DENIED.

 

To identify the location of vmware.log files, begin by establishing an SSH session to your host, then:

  1. Log in to the ESXi Host CLI using the root account.

  2. Then, run the following command to list the locations of the configuration files for the virtual machines registered on the host:

    # vim-cmd vmsvc/getallvms | grep -i "VM_Name"

  3. The vmware.log file can be found in the virtual machine folder along with the vmx file.

  4. Record the location of the .vmx configuration file for the virtual machine you are troubleshooting. For example:

    /vmfs/volumes/xxxxxxxx-xxxxxxx-c1d2-111122223333/vm1/vm1.vmx
    /vmfs/volumes/xxxxxxxx-xxxxxxx-c1d2-111122223333/vm1/vmware.log
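
Once the vmware.log is located, the check for the errors quoted above can be scripted. The following is an added example, not part of the original article or VMware tooling: a shell function that reports every Secure Boot denial in a log and separates the pattern shown here (nothing in db or dbx, at least one unrecognized signature) from other denials. The function name, the verdict labels and the second sample event are constructed for illustration, and the script assumes a nonzero "in dbx" count means the image matched the UEFI forbidden-signature database.

```shell
#!/bin/sh
# Added example: classify Secure Boot denials found in a vmware.log.
# Usage: classify_secureboot_denials /vmfs/volumes/<datastore>/<vm>/vmware.log
# Reads stdin when no file is given. Returns 0 if at least one denial matches
# the pattern quoted in this article, 1 otherwise.
classify_secureboot_denials() {
    awk '
    /SECUREBOOT: Signature:/ {
        # Field layout: "0 in db, 0 in dbx, 1 unrecognized, 0 unsupported alg."
        s = $0; sub(/.*Signature: */, "", s)
        n = split(s, part, /, */)
        db = 0; dbx = 0; unrec = 0; unsup = 0
        for (i = 1; i <= n; i++) {
            v = part[i] + 0                       # leading number of the field
            if      (part[i] ~ /in dbx/)       dbx = v    # test dbx before db
            else if (part[i] ~ /in db/)        db = v
            else if (part[i] ~ /unrecognized/) unrec = v
            else if (part[i] ~ /unsupported/)  unsup = v
        }
        have_sig = 1
    }
    /SECUREBOOT: Image DENIED/ {
        if (!have_sig)                 verdict = "NO_SIGNATURE_LINE"
        else if (dbx > 0)              verdict = "DBX_MATCH"
        else if (db == 0 && unrec > 0) verdict = "KB_PATTERN"
        else                           verdict = "OTHER"
        if (verdict == "KB_PATTERN") hits++
        printf "%s %s db=%d dbx=%d unrecognized=%d unsupported=%d\n", $1, verdict, db, dbx, unrec, unsup
        have_sig = 0; db = 0; dbx = 0; unrec = 0; unsup = 0
    }
    END { exit (hits > 0 ? 0 : 1) }
    ' "$@"
}

# Constructed sample: the first event is the three lines quoted in this article;
# the second is a constructed variation in the same format with a dbx match.
sample_log() {
    cat <<'EOF'
2023-02-15T05:34:31.379Z In(05) vcpu-0 - SECUREBOOT: Signature: 0 in db, 0 in dbx, 1 unrecognized, 0 unsupported alg.
2023-02-15T05:34:31.379Z In(05) vcpu-0 - Hash: 0 in db, 0 in dbx.
2023-02-15T05:34:31.379Z In(05) vcpu-0 - SECUREBOOT: Image DENIED.
2023-02-15T06:10:02.114Z In(05) vcpu-0 - SECUREBOOT: Signature: 0 in db, 1 in dbx, 0 unrecognized, 0 unsupported alg.
2023-02-15T06:10:02.114Z In(05) vcpu-0 - SECUREBOOT: Image DENIED.
EOF
}

sample_log | classify_secureboot_denials
```

A KB_PATTERN verdict on a Windows Server 2022 VM points to the issue described in this article; a DBX_MATCH or OTHER verdict indicates a different cause and should be investigated separately before Secure Boot is disabled.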


Environment

VMware vSphere ESXi 6.7
VMware vSphere ESXi 7.0.x

Resolution

Microsoft released an update, KB5023705, on March 14, 2023 that resolves this issue. Alternatively, to fix this issue, upgrade to VMware ESXi 7.0 U3k, which was released on February 21, 2023.
 

Notes:

  • Virtual machines running on any version of vSphere ESXi 8.0.x are not affected by this issue.

  • vSphere ESXi 6.7 has reached End of General Support. For more information, refer to The End of General Support for vSphere 6.5 and vSphere 6.7, which is set for October 15, 2022.

  • If you are already facing the issue, you can power on the affected Windows Server 2022 VMs after patching the host to ESXi 7.0 Update 3k. After patching the host to ESXi 7.0 Update 3k, you can migrate a running Windows Server 2022 VM from a host of version earlier than ESXi 7.0 Update 3k and install KB5022842. The VM will boot properly without any additional steps being required.

  • If your Windows Server 2022 VM has Secure Boot disabled after installing the update as per KB5022842, you can re-enable Secure Boot after applying the March Windows update KB5023705.



Workaround:

This issue has been resolved in VMware ESXi 7.0U3k and is not present in VMware ESXi 8.x. To ensure this issue does not occur, it is recommended that you upgrade to the latest version of VMware ESXi.

If it is not feasible to upgrade at the moment, there are two ways to prevent this problem.

  1. Disable Secure Boot for the affected virtual machines.

  2. Refrain from installing the KB5022842 patch on any Windows Server 2022 virtual machine until the issue has been resolved.

For more information on the patch release updates, refer to the Microsoft article.

To disable Secure Boot on Virtual Machines (VMs), follow the steps below:

  1. Open the VM Settings window.

  2. Select the "Security" tab.

  3. Uncheck the box labeled "Enable Secure Boot".

  4. Click "OK" to save the changes.



Additional Information

Uninstalling the KB5022842 patch will not fix the issue. If the virtual machine has already been updated, the only options that remain are:

  1. Upgrade the ESXi Host on which the virtual machine is located to vSphere ESXi 8.0 or the most recent version of ESXi 7.0 U3k.

  2. Disable Secure Boot for the affected VMs.


If you are using VMware Workstation versions earlier than 16.2.0 or VMware Fusion versions earlier than 12.2.0, you could be affected by this issue. To prevent any problems, we recommend that you upgrade to the latest versions of these programs, 16.2.0 and 12.2.0 respectively.

It is essential to upgrade to the latest version, or to a version above the one listed, in order to prevent this issue from occurring.