Editor's note 1.14.2026: We've clarified that any non-zero value works for the MicrosoftUpdateManagedOptIn registry key. Please consult the Secure Boot playbook for certificates expiring in 2026 an...
Just tested on a Windows Server 2022 VM created before ESXi was at 8.0.2 (old certs). Currently on ESXi 8.0.3 (25067014).
The certificates are from 2011. Added an additional 64 MB vmdk disk and placed “microsoft corporation kek 2k ca 2023” and “WindowsOEMDevicesPK” on it. Set the VM option “Force EFI setup: During the next boot, force entry into the EFI setup screen” and under Advanced Parameters added the new value “uefi.allowAuthBypass” set to TRUE. After this boot, changed the KEK and PK in the BIOS Secure Boot menu using the files from the 64 MB disk.
Rebooted the VM and set the regkey “Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot” AvailableUpdates to 0x5944; rebooted twice.
Under “Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing”, UefiCA2023Status => Updated.
Checked with mountvol S: /S: S:\EFI\Microsoft\Boot\bootmgfw.efi and S:\EFI\Microsoft\Boot\bootmgfw.efi. I copied these to C:\temp because they are not displayed in Explorer, as they are hidden. Both here with the following certs / cert chains:
Also added the old cert to DBX, rebooted 2 times, no problem so far. I think this is OK now.
Problem with customers which are unfortunately still on ESXi 7; no solution so far:
We tested it on one customer who unfortunately still has ESXi 7; we could add the KEK and PK like this:
A) ESXi 7.x to < 8.0 – Manual Update via UEFI Menu (Auth Bypass)
This method uses the UEFI Setup Screen and allows enrolling PK/KEK files directly from the firmware. It’s ideal when using Set-SecureBootUEFI inside the guest OS is not possible.
Step A1 – Prepare FAT32 Disk for PK/KEK
Create an additional virtual disk (e.g., 64 MB) and attach it to the target VM.
Format the disk as FAT32 and label it (e.g., UEFIKEYS).
Copy the required PK and KEK files to this disk, for example:
PK\WindowsOEMDevicesPK.der
KEK\microsoft corporation kek 2k ca 2023.der
Step A2 – Configure vSphere for Auth Bypass and Setup Mode
Power off the VM.
In VM Options → Advanced → Edit Configuration, add: uefi.allowAuthBypass = "TRUE"
In VM Options → Boot Options, enable Force BIOS/UEFI Setup.
Power on the VM. It will boot into the UEFI firmware setup screen.
Step A3 – Enroll PK and KEK in UEFI Setup
Navigate to Secure Boot Configuration in the UEFI menu.
Under PK Options, select Enroll PK and choose the PK file from the FAT32 disk. Confirm and save.
(Optional) Under KEK Options, select Enroll/Append KEK and choose the KEK file.
Exit the setup and shut down the VM.
Step A4 – Remove Auth Bypass
In VM Options → Advanced → Edit Configuration, remove the entry: uefi.allowAuthBypass = "TRUE"
Step A5 – Validate in Windows
Boot the VM and check that the Secure Boot certificates (PK and KEK) are correctly enrolled.
Ensure the output shows the current certificates with valid issuer and expiration details.
But Windows cannot change all parameters; I think the problem is there with the KEK.
With mountvol S: /S we see under S:\EFI\Microsoft\Boot\bootmgfw.efi the 2023 cert, but under S:\EFI\Boot\bootx64.efi we see the old PCA 2011.
In the registry UEFICA2023Status is “In Progress” but will not finish.
Event log:
Secure Boot certificates have been updated but are not yet applied to the device firmware. Review the published guidance to complete the update and ensure full protection. This device signature information is included here. DeviceAttributes: BaseBoardManufacturer:Intel Corporation;FirmwareManufacturer:VMware, Inc.;FirmwareVersion:OEMModelNumber:VMware7,1;OEMModelBaseBoard:440BX Desktop Reference Platform;OEMModelSystemFamily:;OEMManufacturerName:VMware, Inc.;OEMModelSKU:;OSArchitecture:amd64; BucketId: 780863cfxxxxx
I don't know if this is a problem because ESXi 7 is EOL and the KEK cannot be updated. There was a new link from Broadcom from 02.01.2026: https://knowledge.broadcom.com/external/article/423919/manual-update-of-secure-boot-variables-i.html
I would be interested to know how other administrators do this in a VMware ESXi environment. BR Johannes
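Step A5 ("Validate in Windows") in the post does not say what to actually run. The PowerShell script below is an added example, not code from Johannes's post or from Broadcom's KB article. It assumes the drive letter S: is free for mounting the EFI system partition and that the boot files sit at the standard paths the post names (EFI\Microsoft\Boot\bootmgfw.efi and EFI\Boot\bootx64.efi). It parses the EFI_SIGNATURE_LIST structures that Get-SecureBootUEFI returns for PK, KEK, db and dbx and lists the X.509 certificates in them (so you can see whether the 2023 KEK and the PK actually landed), reads UEFICA2023Status and AvailableUpdates from the registry, and reports signer and issuer of both boot files in place, so the PCA 2011 versus Windows UEFI CA 2023 difference described in the post is visible without copying hidden files to C:\temp.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Assumes S: is free for the ESP.
$EfiCertX509Guid = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID

function Get-SecureBootVariableCerts {
    # Walk the EFI_SIGNATURE_LIST chain in a Secure Boot variable and return the
    # X.509 certificates it contains. SHA-256 hash entries (common in dbx) are skipped.
    param([Parameter(Mandatory)][ValidateSet('PK','KEK','db','dbx')][string]$Name)
    $bytes  = (Get-SecureBootUEFI -Name $Name).Bytes
    $offset = 0
    while ($offset + 28 -le $bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID (16), ListSize, HeaderSize, SignatureSize (UINT32 each)
        $sigType    = [Guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize   = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28) { break }            # malformed list: stop instead of looping forever
        if ($sigType -eq $EfiCertX509Guid) {
            $pos = $offset + 28 + $headerSize
            $end = $offset + $listSize
            while ($pos + $sigSize -le $end) {
                # EFI_SIGNATURE_DATA = SignatureOwner GUID (16 bytes) + DER-encoded certificate
                $der  = [byte[]]$bytes[($pos + 16)..($pos + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Variable   = $Name
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
                $pos += $sigSize
            }
        }
        $offset += $listSize
    }
}

function Get-SecureBootServicingState {
    # Registry values the post refers to: AvailableUpdates (the 0x5944 trigger) and UEFICA2023Status.
    $sb  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
    $au  = (Get-ItemProperty -Path $sb -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates
    $svc = Get-ItemProperty -Path "$sb\Servicing" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SecureBootEnabled = Confirm-SecureBootUEFI
        AvailableUpdates  = if ($null -ne $au) { '0x{0:X}' -f $au } else { '(not set)' }
        UEFICA2023Status  = if ($svc) { $svc.UEFICA2023Status } else { '(no Servicing key)' }
    }
}

function Get-BootManagerSigners {
    # Mount the ESP, read the Authenticode signer of both boot files, unmount again.
    # Issuer "Microsoft Windows Production PCA 2011" = old chain; "Windows UEFI CA 2023" = new chain.
    param([string]$Drive = 'S')
    mountvol "${Drive}:" /S | Out-Null
    try {
        foreach ($rel in 'EFI\Microsoft\Boot\bootmgfw.efi', 'EFI\Boot\bootx64.efi') {
            $path = "${Drive}:\$rel"
            if (-not (Test-Path -LiteralPath $path)) { continue }   # hidden files are still found
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            [pscustomobject]@{
                File   = $rel
                Status = $sig.Status
                Signer = $sig.SignerCertificate.Subject
                Issuer = $sig.SignerCertificate.Issuer
            }
        }
    } finally {
        mountvol "${Drive}:" /D | Out-Null
    }
}

Get-SecureBootServicingState | Format-List
foreach ($v in 'PK', 'KEK', 'db') { Get-SecureBootVariableCerts -Name $v } | Format-Table -AutoSize
Get-BootManagerSigners | Format-Table -AutoSize
```

Run it from an elevated PowerShell inside the guest after each reboot in the procedure. For the state the post describes as "In Progress" you would expect the KEK list to already show "Microsoft Corporation KEK 2K CA 2023", bootmgfw.efi with an issuer of "Windows UEFI CA 2023", and bootx64.efi still issued by "Microsoft Windows Production PCA 2011"; if dbx should carry the old certificate, run the same function with -Name dbx and look for a PCA 2011 entry.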