Event details
It's time for our fourth Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. If you've already bookmarked Secure Boot play...
Pearl-Angeles
Updated Apr 15, 2026
iokdeda
Apr 23, 2026 Occasional Reader
In a VMware 8.x environment we can see null PKs and empty DBX from guest VMs with Secure Boot enabled. KEK and DB contain 2011 MS CA certificates.
What should I expect in this scenario?
Is the empty DBX correct?
Will these VMs automatically update the certificates?
- mihi Apr 23, 2026 Brass Contributor
With a null PK, the certificates cannot be automatically updated by the guest OS. If TPM is used, the certificates cannot be automatically updated by the firmware / virtualization solution.
For the empty DBX, you can push the DBX update via AvailableUpdates 0x0002 and check the event log to see if it sticks.
In general, ask VMware, not Microsoft :)
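
To see from inside a guest what the question describes (which of PK, KEK, db and dbx are populated, and with which certificates), the following added example, which is not from any poster in this thread, reads each variable with `Get-SecureBootUEFI` and walks the EFI_SIGNATURE_LIST structures it returns. The helper name `Get-SignatureListEntry` is made up for this example, and it assumes an elevated Windows PowerShell session on a UEFI guest.

```powershell
# Added example: list what PK, KEK, db and dbx contain, as seen from the guest OS.
# Assumes an elevated Windows PowerShell session on a UEFI machine.
$X509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID

function Get-SignatureListEntry {   # hypothetical helper name
    param([byte[]]$Bytes)
    $pos = 0
    while ($pos + 28 -le $Bytes.Length) {
        # EFI_SIGNATURE_LIST header: type GUID (16 bytes), then list size,
        # header size and per-signature size (4 bytes each, little-endian)
        $type     = [guid]::new([byte[]]$Bytes[$pos..($pos + 15)])
        $listSize = [BitConverter]::ToInt32($Bytes, $pos + 16)
        $hdrSize  = [BitConverter]::ToInt32($Bytes, $pos + 20)
        $sigSize  = [BitConverter]::ToInt32($Bytes, $pos + 24)
        # Stop on a malformed list instead of reading past the buffer
        if ($listSize -lt 28 -or $hdrSize -lt 0 -or $sigSize -le 16) { break }
        $end = $pos + $listSize
        if ($end -gt $Bytes.Length) { break }
        for ($s = $pos + 28 + $hdrSize; $s + $sigSize -le $end; $s += $sigSize) {
            # EFI_SIGNATURE_DATA: 16-byte owner GUID, then the payload
            $data = [byte[]]$Bytes[($s + 16)..($s + $sigSize - 1)]
            if ($type -eq $X509Guid) {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                [pscustomobject]@{ Kind = 'X509'; Detail = $cert.Subject; NotAfter = $cert.NotAfter }
            } else {
                # Typically hash entries (for example in dbx); report type and size only
                [pscustomobject]@{ Kind = "$type"; Detail = "$($data.Length)-byte entry"; NotAfter = $null }
            }
        }
        $pos = $end
    }
}

$report = foreach ($name in 'PK', 'KEK', 'db', 'dbx') {
    $entries = @(); $err = ''
    try {
        $var = Get-SecureBootUEFI -Name $name -ErrorAction Stop
        $entries = @(Get-SignatureListEntry -Bytes $var.Bytes)
    } catch {
        # An undefined variable (or unparsable content) surfaces as an error
        $err = $_.Exception.Message
    }
    if ($entries.Count -eq 0) {
        [pscustomobject]@{ Variable = $name; Kind = '(no entries)'; Detail = $err; NotAfter = $null }
    } else {
        $entries | Select-Object @{ n = 'Variable'; e = { $name } }, Kind, Detail, NotAfter
    }
}
$report | Format-Table -AutoSize
```

Running it before and after a DBX update attempt shows whether the `dbx` row changed from "(no entries)" to a populated list.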