
DavidYorkshire
Steel Contributor
Mar 03, 2023

Windows Server 2022 - devices not booting when Secure Boot enabled (KB5022842)

The most recent patch Tuesday update for Server 2022 - KB5022842 - causes some devices with Secure Boot enabled to fail to boot - it reboots after the update, then fails at the next reboot. The Microsoft documentation claims that it's only causing issues with VMs running on ESXi 7.0 and below:

https://support.microsoft.com/en-gb/topic/february-14-2023-kb5022842-os-build-20348-1547-be155955-29f7-47c4-855c-34bd43895940

https://learn.microsoft.com/en-us/windows/release-health/status-windows-server-2022#3017msgdesc

The second of the articles linked above states:

Resolution: This issue is resolved in VMware ESXi 7.0 U3k, released on February 21st 2023. No update from Microsoft is needed for this issue.

The VMWare patch (https://kb.vmware.com/s/article/90947) does resolve the issue in VMWare VMs, but what Microsoft appears to be ignoring is that a number of bare-metal installs of Server 2022 are also affected. See here, including comments at the bottom.

https://borncity.com/win/2023/02/20/windows-server-2022-feb-2023-patchday-secure-boot-issues-also-on-bare-metal-systems/

From my own testing and corresponding with others, it appears that most (possibly all) Poweredge 13G servers are affected - certainly aware that the Poweredge T430, R530 and R730 are, with the latest firmware installed. I have a support case open with Dell but it is unclear whether they will fix it as Server 2022 is not officially supported on 13G servers (although it has given no issues up until now).

Given that Microsoft caused the issue with a poorly-tested update, I would hope that they would issue a patch to fix it - but given that they don't appear to be acknowledging that the issue even exists on bare-metal installs that's not currently looking hopeful.

Have others experienced this issue? Might be useful to post the make/model of server here if so. Perhaps a thread with a list of affected machines might bring this to Microsoft's attention! The comments in the article above indicate that other brands are affected as well as Dell.

  • McThePro
    Copper Contributor
    Same issue with a HP ProLiant DL380 Gen9. Disabling Secure Boot in the BIOS allows the server to boot.
      • McThePro
        Copper Contributor
        Yes. After the update I got "no boot device found" on the HP ProLiant DL380 Gen9 server. Then I disabled Secure Boot and the server works again.
  • Kenji McXntosh
    Copper Contributor
    As always, I am a little late to the party, but here goes nothing. Running into the boot failure issue with Server 22 STD bare metal and Hyper-V installation boot failure when KB5022842 is present at the time Hyper-V is loaded or when the KB is loaded after Hyper-V is already present. Yes, I understand that Server OSs are not meant to run on certain hardware platforms. In my case the ASUS Prime B760M-A D4 (BIOS 0807) and Prime B660M-A D4 (BIOS 2212). Both with (2) 2TB SATA III HDD in a RAID 1 using Intel VMD. These are for small businesses that want server class functionality on a budget. I have a long history of building "servers" with Hyper-V on non-server platforms without significant problems. I have done the dance with Intel and ASUS and they have both come back with, we don't test things that are not in the recommended build parameters. OK, I get that. I am not blaming MS for floating a bad update - yet. So, Alban1998, you can kindly leave your unhelpful comments at your keyboard. For the rest of us who live and work in the real world of servicing budget-minded clients, we need these non-standard builds, that have worked in the past, to continue to work going forward. That is why we have these discussions. When I started experiencing this issue, I thought it had something to do with the new Intel VMD RAID (sub-set of Intel Virtual RAID on Chip - VRoC) for non-Xeon systems because I saw it first on the B760 chipset. Then, I saw it on the B660 chipset and have heard others comment about it on the 500 series chipset. Further testing and reading led me to MS updates, specifically KB5022842. I still have a lingering suspicion that something in KB5022842 is glitchy with the IRSTe and VMD drivers as they relate to Hyper-V, but I cannot put my finger on anything. I suspect that because of where the boot failure happens. My system will POST, hand off to the OS and then hang at the blue window splash screen like it is hanging on a driver.

    From the article I have read though, it seems that secure boot and this KB are the oil and water we are dealing with. I suspect that MS is waiting to see how much neg press is generated by this issue and the technical feedback from various event logs being posted before they do anything. This is going to affect a lot of small business operations that recently dropped thousands of $s to upgrade their 12R2 systems only to have their "server" crash due to an MS update. The March updates are out, so I will see if there is a fix in the mix.
    • DavidYorkshire
      Steel Contributor

      Kenji McXntosh

      Update

      Patch Tuesday today. I checked the Microsoft report on the issue (M365 console, Health, Windows Release Health, Server 2022). It appears that Microsoft is still claiming that this issue only affects VMs on VMware 7.x and below, and that as VMWare have patched it Microsoft doesn't need to do anything:

      "Resolution: This issue is resolved in VMware ESXi 7.0 U3k, released on February 21st 2023 [link]. No update from Microsoft is needed for this issue."

      However, I decided to actually check in case they had quietly resolved the issue. I have two affected PowerEdge servers - a T430 and an R730. I patched them both with the latest Windows updates, rebooted, then rebooted again and went into the BIOS settings and tried turning Secure Boot back on.

      And they work again! Boot fine, with Secure Boot turned on. So it would appear that Microsoft has done something with today's update to fix the problem.

      • Kenji McXntosh
        Copper Contributor

        DavidYorkshire I concur. My B660 system with Hyper-V already loaded that failed to boot when KB5022842 was applied, now boots fine with that KB rolled back and KB5023705 loaded. In addition, my B760 system that would not boot if I attempted to install Hyper-V because KB5022842 had already been applied, booted fine once KB5023705 was applied and then Hyper-V installed.
        For those that want to really geek out, I compiled a short list of what I think are the relevant changes between the Feb and Mar CU:
        "stornvme.sys","10.0.20348.1547","03-Feb-2023","02:17","233,504"
        "stornvme.sys","10.0.20348.1607","08-Mar-2023","23:58","230,768"
        "VmComputeAgent.exe","10.0.20348.1366","03-Feb-2023","13:53","1,492,352"
        "VmComputeAgent.exe","10.0.20348.1607","09-Mar-2023","07:23","1,492,352"
        "vmcompute.exe","10.0.20348.1547","03-Feb-2023","07:41","4,026,384"
        "vmcompute.exe","10.0.20348.1607","09-Mar-2023","05:03","4,023,664"
        "vmchipset.dll","10.0.20348.1547","03-Feb-2023","07:41","1,025,360"
        "vmchipset.dll","10.0.20348.1607","09-Mar-2023","05:03","1,025,408"
        "hvservice.sys","10.0.20348.1311","03-Feb-2023","13:53","136,536"
        "hvservice.sys","10.0.20348.1607","09-Mar-2023","05:03","136,576"
        "hvloader.dll","10.0.20348.1311","03-Feb-2023","13:53","148,832"
        "hvloader.dll","10.0.20348.1607","09-Mar-2023","05:03","148,864"
        "hvax64.exe","10.0.20348.1547","03-Feb-2023","07:42","1,630,232"
        "hvax64.exe","10.0.20348.1607","09-Mar-2023","05:03","1,627,472"
        "hvix64.exe","10.0.20348.1547","03-Feb-2023","07:42","1,732,624"
        "hvix64.exe","10.0.20348.1607","09-Mar-2023","05:03","1,729,864"
        "kdhvcom.dll","10.0.20348.1311","03-Feb-2023","13:53","58,704"
        "kdhvcom.dll","10.0.20348.1607","09-Mar-2023","05:03","58,704"
        "vmms.exe","10.0.20348.1547","03-Feb-2023","07:41","14,792,064"
        "vmms.exe","10.0.20348.1607","09-Mar-2023","05:03","14,787,920"
        Hope this helps. 🙂
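The two posts above describe a specific combination (February CU KB5022842 installed, March CU KB5023705 not yet installed, Secure Boot enabled) and a list of binaries whose versions changed between the two CUs. The following PowerShell script is an added example, not code from the thread or from Microsoft: it reports which of the two KBs a host has, its Secure Boot state and OS build, and the file versions of the binaries Kenji listed, so an administrator can check a machine before re-enabling Secure Boot as DavidYorkshire did. The KB numbers and file names come from the thread; the `System32` locations of those files and the verdict wording are assumptions of this example.

```powershell
# Added example, not from the thread. Reports whether this Server 2022 host
# matches the combination the posts describe (KB5022842 present, KB5023705
# absent, Secure Boot on) and lists the versions of the binaries Kenji compared.
# Run in an elevated PowerShell session; Confirm-SecureBootUEFI needs UEFI + admin.

$FebCu = 'KB5022842'   # February 2023 CU, OS build 20348.1547 (from the thread)
$MarCu = 'KB5023705'   # March 2023 CU, OS build 20348.1607 (from the thread)

# Installed updates as Windows reports them (Win32_QuickFixEngineering).
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$hasFeb = $installed -contains $FebCu
$hasMar = $installed -contains $MarCu

# Secure Boot state. The cmdlet throws on legacy BIOS systems, so record that as $null.
try   { $secureBoot = Confirm-SecureBootUEFI }
catch { $secureBoot = $null }

# Current OS build (build.UBR), to compare with the builds named in the KB articles.
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$osBuild = '{0}.{1}' -f $cv.CurrentBuildNumber, $cv.UBR

# Files from Kenji's Feb/Mar comparison. Only the file names come from the thread;
# the System32 locations are an assumption. Hyper-V binaries are absent when the
# role is not installed, hence the Test-Path check.
$sys32 = "$env:SystemRoot\System32"
$files = @(
    "$sys32\drivers\stornvme.sys", "$sys32\VmComputeAgent.exe", "$sys32\vmcompute.exe",
    "$sys32\vmchipset.dll", "$sys32\drivers\hvservice.sys", "$sys32\hvloader.dll",
    "$sys32\hvax64.exe", "$sys32\hvix64.exe", "$sys32\kdhvcom.dll", "$sys32\vmms.exe"
)
$versions = foreach ($f in $files) {
    $ver = if (Test-Path $f) { (Get-Item $f).VersionInfo.FileVersion } else { 'not present' }
    [pscustomobject]@{ File = Split-Path $f -Leaf; Version = $ver }
}

# Verdict: the posters only saw the failure with Secure Boot on and the Feb CU in place.
$verdict = if ($secureBoot -eq $true -and $hasFeb -and -not $hasMar) {
    'KB5022842 present, KB5023705 absent, Secure Boot on: matches the failing combination reported'
} elseif ($hasMar) {
    'KB5023705 present: posters report Secure Boot booting again after this update'
} else {
    'Does not match the combination reported in the thread'
}

[pscustomobject]@{
    OSBuild      = $osBuild
    KB5022842    = $hasFeb
    KB5023705    = $hasMar
    SecureBootOn = $secureBoot
    Verdict      = $verdict
} | Format-List
$versions | Format-Table -AutoSize
```

Run the check while Secure Boot is still disabled, after the March CU has been installed and the host rebooted twice, before turning Secure Boot back on in firmware; that mirrors the order DavidYorkshire used on the T430 and R730 and avoids testing the change on a host that may then fail to boot.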

  • Kasper Elsborg
    Copper Contributor
    I had the same problem. On my lab Dell R730 with ESXi 7.0.3 I applied patch VMware-ESXi-7.0U3k-21313628-depot.zip and then I was able to boot Win 2022 with KB5022842.
    • DavidYorkshire
      Steel Contributor
      Yeah, that works for VMWare - seems to affect all VMWare 7.x (and potentially below) on any hardware - I've got ESXi 7.0.3 running on a couple of R650s and the patch did fix the issue on them.

      The issue with bare-metal installs of 2022 on 13G servers is not resolved, though.
      • Wes808
        Brass Contributor

        We just installed a TPM on an r530 running win2022 and while we were at it we enabled secure boot. But it won't boot, throwing error uefi0073. I assume this has to do with the feb CU which was also just installed. What timing lol. Will disable secure boot for now and follow for updates.

  • Alban1998
    Iron Contributor
    Well, if the issue comes from a driver/firmware bug, Microsoft can't do much to begin with - it's up to the OEM to fix it.
    And if you install Windows Server 2022 on unsupported hardware, it's likely the OEM won't help you about it - that's why you should avoid unsupported configurations at all costs: if something goes wrong, you're on your own.
    Not sure why you're blaming Microsoft about this - it's not like Microsoft forced you to install Windows Server 2022 on those servers...
    • DavidYorkshire
      Steel Contributor

      The point is that Microsoft broke it with the last Patch Tuesday update - it worked fine up until that point. It's quite normal to run server OSs on older hardware on which it's technically not supported, and it rarely gives any issues at all. And indeed the same applied with client versions up until W11.

       

      And just to note - the servers I have tested it on only don't support it in the sense that Dell don't support running Server 2022 on them - they do meet the Microsoft requirements for Server 2022 as set out here: https://learn.microsoft.com/en-us/windows-server/get-started/hardware-requirements.

      • Alban1998
        Iron Contributor
        It broke because there is something wrong with those specific drivers/firmware, not because of Microsoft (otherwise, Microsoft would have provided a fix).
        And no it's not normal to run OS on unsupported hardware in a production environment. It doesn't matter if there are not many issues - one is enough. And if you cannot rely on OEM support to fix it, you're toasted.
        It's called risk management. Gambling is not a way to manage a production environment.

        Maybe Dell will be kind enough to update those drivers/firmware for free. If not, you can replace Windows Server 2022 by an older, supported OS on this hardware, or you can upgrade your hardware, one supported by Dell for WS 2022.
