MicrosoftFor VMware ESXi 8.0.2 or newer, we also encounter the same issue, we cannot update KEK under VM OS.
We have tested the following parameter to update the KEK outside the VM OS. After booting into the VM OS, we can confirm that the KEK updated. But we are not sure whether it will has any other impact on the OS.
By adding custom advanced VM option:
"uefi.allowAuthBypass"=TRUE
it will make a special menu available in BIOS/UEFI. You can manage KEK / DB / DBX and you can add certificate from files on boot drive.
Hi RayC15: at vms which are newley created in Version ESXi 8.0.2 Microsoft can make all Updates because they have already the 2023 Certs and with registry we could Update the VM and Status Uefi is completed.
We testes it on one customer which have unfortunately still esxi7 we could added the KEK and PK like this a
This method uses the UEFI Setup Screen and allows enrolling PK/KEK files directly from the firmware. It’s ideal when using Set-SecureBootUEFI inside the guest OS is not possible.
But Windows cannot change all parameter think problem is there the KEK.
With mountvol S: /S we see under S:\EFI\Microsoft\Boot bootmgfw.efi the 2023 cert but under S:\Efi\Boot bootx64.efi we see the old PCA2011. In registry UEFICA2023Staus is in Progress but will not finished. eventlog: Secure Boot certificates have been updated but are not yet applied to the device firmware. Review the published guidance to complete the update and ensure full protection. This device signature information is included here.
DeviceAttributes: BaseBoardManufacturer:Intel Corporation;FirmwareManufacturer:VMware, Inc.;FirmwareVersion:OEMModelNumber:VMware7,1;OEMModelBaseBoard:440BX Desktop Reference Platform;OEMModelSystemFamily:;OEMManufacturerName:VMware, Inc.;OEMModelSKU:;OSArchitecture:amd64;
BucketId: 780863cf2dd4d4a9144cd3e14efeda4c02b8542acf606ed4b2eba0d7215edd56
Dont know if this is a Problem that esxi7 is EOL and KEK cannot be updated. Next try will be at other cusomters where VMs are created longer which have old Certs but ESXi host is already on 8.0.3. Hope there it will work. There was a new Link from Broadcom from 02.01.2026 https://knowledge.broadcom.com/external/article/423919/manual-update-of-secure-boot-variables-i.html I would be interested to know how other administrators do this in a VMWARE ESXi environment. 🙃 BR Johannes
Just tested on VM Windows Server 2022 created before ESXi was 8.0.2. (Old Certs) Currently on ESXi 8.0.3, 25067014.
The certificates are from 2011. Additional vmdk disk 64MB. Placed the “microsoft corporation kek 2k ca 2023” and ‘WindowsOEMDevicesPK’ Set on vm Vm Options "Force EFI setup
During the next boot, force entry into the EFI setup screen“ and under Advanced Parameters new Value ”uefi.allowAuthBypass" Set to TRUE. After this boot and change in BIOS Secureboot menu KEK and PK file from the 64MB Disk. Reboot vm and set regkey “Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot” AvailableUpdates to 0x5944 Reboot Twice. Under “Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing,” UefiCA2023Status => Updated. Check with mountvol S: /S S:\EFI\Microsoft\Boot\bootmgfw.efi and S:\EFI\Microsoft\Boot\bootmgfw.efi I have copied this to C:\temp because it is not displayed in Explorer as it is hidden. Both here with the following certs / cert chains
Also old Cert to DBX Reboot 2 times no Problem so far.
In my testing, enroll PK does not help, you must enroll KEK also.
Error message will be found in event viewer when no PK and no KEK is enrolled. Error will also be found when only PK is enrolled. But the message is different.
Hi RayC15 2 Blogs :-) see my tests here
https://techcommunity.microsoft.com/blog/windows-itpro-blog/act-now-secure-boot-certificates-expire-in-june-2026/4426856/replies/4485343
