Patch Tuesday Issues with Server 2022 on VMware

vmware Feb 17, 2023

VMware and Microsoft are investigating the issue and will provide more information as soon as it's available.

There is currently no fix for impacted VMs, but VMware has given admins of affected hosts multiple temporary workarounds to use until a permanent solution is available.

To work around the boot issues, you can take one of the following measures:

  1. Disable "Secure Boot" on the VMs.
  2. Do not install the KB5022842 patch on any Windows Server 2022 virtual machine until the issue is resolved.

The Secure Boot option can be disabled for each VM using the following procedure:

  1. Power off the VM.
  2. Right-click the virtual machine and click Edit Settings.
  3. Click the VM Options tab.
  4. Under Boot Option, uncheck the "Secure Boot enabled" option.

We recommend that you do not install patch KB5022842 until an updated version has been released.

Unfortunately, if you have already installed this month's KB5022842 Windows Server 2022 cumulative update, uninstalling it will not resolve the issue.

This does not appear to stop every Server 2022 VM with Secure Boot enabled from booting, but a reasonable percentage of the servers we have tried this on are certainly impacted.

VMware KB article: Virtual Machine with Windows Server 2022 KB5022842 (OS Build 20348.1547) configured with secure boot enabled not booting up (90947)

You can find potentially impacted VMs on your VMware platform with PowerCLI:

# $vc is the name of your vCenter
Connect-VIServer -Server $vc | Out-Null

$vms = Get-VM

foreach ($vm in $vms) {
    $name = $vm.Name
    # Guest OS name as reported for the VM
    $win = $vm.Guest.OSFullName
    # EFI Secure Boot flag from the VM's boot options
    $secureBootSetting = if ($vm.ExtensionData.Config.BootOptions.EfiSecureBootEnabled) { "enabled" } else { "disabled" }
    # Report only Server 2022 guests that have Secure Boot enabled
    if ($win -match '2022' -and $secureBootSetting -eq 'enabled') {
        Write-Host ("VM: " + $name + ". Win: " + $win + ". SecureBoot: " + $secureBootSetting + ".")
    }
}
Disconnect-VIServer -Server $vc -Confirm:$false
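
A scripted form of the per-VM procedure above, as an added example that is not part of the original post: it disables Secure Boot only on VMs that are already powered off and writes each action to a CSV, so the setting can be turned back on once a fix is released. It assumes an active Connect-VIServer session; the function name, the -Apply switch and the CSV path are hypothetical.

```powershell
# Added example, not from the original post. Assumes you are still connected
# to vCenter. Function name, -Apply switch and log path are hypothetical.
function Disable-SecureBootWorkaround {
    param(
        [Parameter(Mandatory)] [string[]] $VMName,
        [string] $LogPath = '.\secureboot-workaround.csv',
        [switch] $Apply   # without -Apply the function only reports
    )
    foreach ($vm in Get-VM -Name $VMName) {
        $boot = $vm.ExtensionData.Config.BootOptions
        if (-not $boot.EfiSecureBootEnabled) {
            $action = 'skipped: Secure Boot already disabled'
        }
        elseif ($vm.PowerState -ne 'PoweredOff') {
            # Step 1 of the procedure: the VM has to be powered off first.
            # Powering off is left to the admin, not done by this script.
            $action = 'skipped: VM is not powered off'
        }
        elseif ($Apply) {
            # Only the Secure Boot flag is set in the spec; fields left
            # unset in a reconfigure spec are not changed on the VM.
            $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
            $spec.BootOptions = New-Object VMware.Vim.VirtualMachineBootOptions
            $spec.BootOptions.EfiSecureBootEnabled = $false
            $vm.ExtensionData.ReconfigVM($spec)
            $action = 'Secure Boot disabled'
        }
        else {
            $action = 'would disable Secure Boot (re-run with -Apply)'
        }
        # One row per VM, so the workaround can be reverted later.
        $row = [pscustomobject]@{
            Time       = (Get-Date).ToString('s')
            VM         = $vm.Name
            PowerState = $vm.PowerState
            Action     = $action
        }
        $row | Export-Csv -Path $LogPath -Append -NoTypeInformation
        $row
    }
}
```

Run it first without -Apply to review what would change; the rows whose Action is "Secure Boot disabled" are the VMs to re-enable Secure Boot on when the workaround is no longer needed.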

Phil Snowdon

Phil is the Technical Operations Manager at vBridge. Loves all things infrastructure. Network/Security/Storage/Compute and Virtualization.