VMware VM Issue with February Microsoft Patch Updates
More information: https://www.techzine.eu/news/infrastructure/102100/problems-with-windows-server-vms-on-vmware-after-patch-tuesday-updates/
VMware is now aware of an issue with ESXi <= 7 and Microsoft’s latest Server 2022 patch (released February 14th) that prevents VMs with Secure Boot enabled from booting. Once the OS has been updated, you only have two choices to get the VM to boot again – you can either update the host to ESXi 8 or you can disable Secure Boot on the VM. Uninstalling the Microsoft patch *does not* resolve the problem. This does not impact ESXi 8 or VMs with Secure Boot disabled. A public KB is available here – please take a moment to read it and familiarize yourself with the situation. The appropriate VMware engineering team is actively investigating the issue and working towards a resolution.
Below is a PowerCLI one-liner that you can use to determine if you are at risk. Please note that this code does not check the exact Windows build called out in the KB, but it gets as close as possible with the data easily exposed.
Get-VM | ?{$_.ExtensionData.Config.BootOptions.EfiSecureBootEnabled -and $_.Guest.OSFullName -match '2022' -and $_.PowerState -eq 'PoweredOn'} | Sort-Object Name
This is an example output – any VMs listed have the potential to be impacted.
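The one-liner above does not look at the host version, although only ESXi 7 and lower are affected. The following added example (not VMware's or the original author's code) also checks the ESXi version of each VM's host and reports the power state instead of filtering on it. The function name Get-SecureBootPatchRisk, the helper New-SampleVM and the sample VMs are constructed for illustration, so the block runs without a vCenter connection.

```powershell
# Added example; function, helper and sample data are hypothetical.
function Get-SecureBootPatchRisk {
    [CmdletBinding()]
    param(
        # VM objects from Get-VM, or objects with the same property shape
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$VM
    )
    process {
        $secureBoot = [bool]$VM.ExtensionData.Config.BootOptions.EfiSecureBootEnabled
        # Guest.OSFullName comes from VMware Tools; fall back to the configured guest OS name
        $guestOs = $VM.Guest.OSFullName
        if (-not $guestOs) { $guestOs = $VM.ExtensionData.Config.GuestFullName }
        # VMHost.Version is a string such as "7.0.3"; ESXi 8 hosts are not impacted
        $hostVersion = [version]$VM.VMHost.Version
        if ($secureBoot -and $guestOs -match '2022' -and $hostVersion.Major -lt 8) {
            [pscustomobject]@{
                Name        = $VM.Name
                PowerState  = "$($VM.PowerState)"
                GuestOS     = $guestOs
                VMHost      = $VM.VMHost.Name
                EsxiVersion = $VM.VMHost.Version
            }
        }
    }
}

# Constructed stand-ins for Get-VM output, so the filter can be tried offline
function New-SampleVM($Name, $SecureBoot, $Os, $EsxiVersion, $Power = 'PoweredOn') {
    [pscustomobject]@{
        Name = $Name; PowerState = $Power
        Guest = [pscustomobject]@{ OSFullName = $Os }
        VMHost = [pscustomobject]@{ Name = "esx-$EsxiVersion.example"; Version = $EsxiVersion }
        ExtensionData = [pscustomobject]@{ Config = [pscustomobject]@{
            GuestFullName = $Os
            BootOptions = [pscustomobject]@{ EfiSecureBootEnabled = $SecureBoot } } }
    }
}
$sample = @(
    New-SampleVM 'app01' $true  'Microsoft Windows Server 2022 (64-bit)' '7.0.3'
    New-SampleVM 'app02' $true  'Microsoft Windows Server 2022 (64-bit)' '8.0.0'
    New-SampleVM 'app03' $false 'Microsoft Windows Server 2022 (64-bit)' '7.0.3'
    New-SampleVM 'app04' $true  'Microsoft Windows Server 2019 (64-bit)' '6.7.0'
)
$sample | Get-SecureBootPatchRisk | Sort-Object Name | Format-Table -AutoSize
# With a live session (Connect-VIServer): Get-VM | Get-SecureBootPatchRisk | Sort-Object Name
```

Like the one-liner, this matches on the guest OS name only and does not check the exact Windows build called out in the KB.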
What do you need to do?
If you are running Server 2022 with Secure Boot on ESXi 7 or lower:
· Please review all the publicly-available resources, so you can make an informed decision about your security posture.
· Until VMware releases a patch (or Microsoft re-releases the update), you will need to decide if the Secure Boot configuration setting is more important than being on the latest Server 2022 patch.
· VMware Engineering is actively working on a resolution but there is no ETA on a patch at this time.
· If you intend to disable Secure Boot across a significant number of workloads, you may be interested in William Lam’s script, available on GitHub, to help automate the process.
· Subscribe to the VMware KB Article so you can be immediately notified of any changes, as this is a developing issue.