Virtual Machine with Windows Server 2022 KB5022842 (OS Build 20348.1547) configured with secure boot enabled not booting up (90947)

Feb 24 2023

Symptoms

After installing Windows Server 2022 update KB5022842 (OS Build 20348.1547), the guest OS cannot boot when the virtual machine is configured with secure boot enabled and is running on vSphere ESXi 6.7 U2/U3 or vSphere ESXi 7.0.x.

The VM's vmware.log contains "Image DENIED" entries like the following:
2023-02-15T05:34:31.379Z In(05) vcpu-0 - SECUREBOOT: Signature: 0 in db, 0 in dbx, 1 unrecognized, 0 unsupported alg.
2023-02-15T05:34:31.379Z In(05) vcpu-0 - Hash: 0 in db, 0 in dbx.
2023-02-15T05:34:31.379Z In(05) vcpu-0 - SECUREBOOT: Image DENIED.

To identify the location of vmware.log files:

  1. Establish an SSH session to your host. For ESXi hosts
  2. Log in to the ESXi Host CLI using root account.
  3. To list the locations of the configuration files for the virtual machines registered on the host, run the below command:

#vim-cmd vmsvc/getallvms | grep -i "VM_Name"

  4. The vmware.log file is located in the virtual machine folder along with the .vmx file.
  5. Record the location of the .vmx configuration file for the virtual machine you are troubleshooting. For example:

/vmfs/volumes/xxxxxxxx-xxxxxxx-c1d2-111122223333/vm1/vm1.vmx
/vmfs/volumes/xxxxxxxx-xxxxxxx-c1d2-111122223333/vm1/vmware.log
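
Once the log is located, the SECUREBOOT records can be summarised per denial event. The script below is an added example, not part of the original article or of VMware's tooling; the function names, the kb_pattern label and the second sample event are assumptions made for illustration, and it assumes awk is available in the shell where it runs.

```shell
#!/bin/sh
# Added example: summarise Secure Boot denials recorded in vmware.log files.
# Assumes the SECUREBOOT record layout shown in the log excerpt above.

# For each "Image DENIED" event print:
#   <file> <timestamp> db=<n> dbx=<n> unrecognized=<n> unsupported=<n> kb_pattern=<yes|no>
# kb_pattern=yes means the counts look like the excerpt: no db or dbx hit and at
# least one unrecognized signature (this labelling rule is the example's assumption).
secureboot_denials() {
    for log in "$@"; do
        [ -r "$log" ] || { echo "cannot read $log" >&2; continue; }
        awk '
        /SECUREBOOT: Signature:/ {
            s = $0
            sub(/^.*SECUREBOOT: Signature: /, "", s)
            split(s, f, ", ")   # "0 in db", "0 in dbx", "1 unrecognized", ...
            # Adding 0 keeps only the leading number of each field.
            db = f[1] + 0; dbx = f[2] + 0; unrec = f[3] + 0; unsup = f[4] + 0
            have = 1
        }
        /SECUREBOOT: Image DENIED/ {
            # A denial with no preceding signature summary is still reported.
            if (!have) { print FILENAME, $1, "counts=unknown"; next }
            kb = (db == 0 && dbx == 0 && unrec > 0) ? "yes" : "no"
            printf "%s %s db=%d dbx=%d unrecognized=%d unsupported=%d kb_pattern=%s\n", FILENAME, $1, db, dbx, unrec, unsup, kb
            have = 0
        }' "$log"
    done
}

# Constructed sample log: the first event is the excerpt above, the second
# (dbx match) is made up to show a denial that does not fit the KB pattern.
write_sample_log() {
    cat > "$1" <<'EOF'
2023-02-15T05:34:31.379Z In(05) vcpu-0 - SECUREBOOT: Signature: 0 in db, 0 in dbx, 1 unrecognized, 0 unsupported alg.
2023-02-15T05:34:31.379Z In(05) vcpu-0 - Hash: 0 in db, 0 in dbx.
2023-02-15T05:34:31.379Z In(05) vcpu-0 - SECUREBOOT: Image DENIED.
2023-02-15T06:00:00.000Z In(05) vcpu-0 - SECUREBOOT: Signature: 0 in db, 1 in dbx, 0 unrecognized, 0 unsupported alg.
2023-02-15T06:00:00.000Z In(05) vcpu-0 - SECUREBOOT: Image DENIED.
EOF
}

# Run as a script with one or more vmware.log paths as arguments.
if [ "$#" -gt 0 ]; then secureboot_denials "$@"; fi
```

A denial reported with kb_pattern=no has different signature counts from the excerpt above and should be investigated separately rather than attributed to this issue.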

 


Resolution

This issue is resolved in VMware ESXi 7.0 U3k, released on February 21st 2023.

Notes:

  • Virtual machines running on any version of vSphere ESXi 8.0.x are not impacted by this issue.
  • vSphere ESXi 6.7 has reached End of General Support. For more information, see "The End of General Support for vSphere 6.5 and vSphere 6.7 is October 15, 2022".
  • If you already face the issue, after patching the host to ESXi 7.0 Update 3k, just power on the affected Windows Server 2022 VMs. After you patch a host to ESXi 7.0 Update 3k, you can migrate a running Windows Server 2022 VM from a host of version earlier than ESXi 7.0 Update 3k, install KB5022842, and the VM boots properly without any additional steps required.


Workaround

As per the information above, this issue is resolved in VMware ESXi 7.0 U3k, and VMware ESXi 8.x is not impacted.
VMware recommends upgrading to resolve or avoid this issue.

If upgrading is not possible at this time, there are two methods to avoid this issue:

  1. Disable "Secure Boot" on the VMs.
  2. Do not install the KB5022842 patch on any Windows 2022 Server virtual machine until the issue is resolved.

See the Microsoft article for details on the updates within the patch release.


To disable the virtual machine "Secure Boot" option, follow the steps below:

  1. Power off the VM.
  2. Right-click the virtual machine and click Edit Settings.
  3. Click the VM Options tab.
  4. Under Boot Option, uncheck "Secure Boot enabled".


Related Information

Uninstalling the KB5022842 patch will not resolve the issue. If the virtual machine has already been updated, then the only available options are:

  1. Upgrade the ESXi host where the virtual machine in question is running to vSphere ESXi 8.0 or ESXi 7.0 U3k.
  2. Disable "Secure Boot" on the VMs.

VMware Workstation versions older than 16.2.0 and VMware Fusion versions earlier than 12.2.0 are impacted by this. Please ensure that you upgrade to the version listed above or later to avoid this problem.

