Blog Post

Explore Secure Boot certificate update guidance for Windows client devices

Windows IT Pro Blog

9 MIN READ

Secure Boot playbook for certificates expiring in 2026

Ashis_Chatterjee

Microsoft

Nov 13, 2025

Save the date: 📅 March 12 - Ask Microsoft Anything (AMA) about Secure Boot The first set of tools and steps are now available to help you proactively update your Secure Boot certificates befo...

Updated Mar 02, 2026

Version 18.0

Secure Boot AMA - February 5 2026.ics4 KB

security

servicing and updates

Ashis_Chatterjee

Microsoft

Joined June 20, 2025

View Profile

Windows IT Pro Blog

Follow this blog board to get notified when there's new activity

IT_SystemEngineer

Brass Contributor

Mar 09, 2026

Will Microsoft and/or Broadcom provide a solution to automatically update ESXi VMs with missing KEK/PK?

The solution from the article https://knowledge.broadcom.com/external/article/421593/missing-microsoft-corporation-kek-ca-202.html is unfortunately no longer available (upgrading the hardware version and deleting/renaming the .nvram file).

This article https://knowledge.broadcom.com/external/article?articleNumber=423893 states:
"There is no automated resolution available at this time. In coordination with Microsoft, Broadcom Engineering Team is actively working towards implementing an automated solution in a future release to update the Platform Key (PK) on the affected VMs, which will facilitate the certificate rollout as outlined in the Microsoft Guideline."