Event details
Hello.
For Virtual Machines running with Windows Server 2012 R2, 2016, 2019, 2022 with all the Windows updates applied until April 2026, this VMs are in Vmware 8.0.3.0, if the update process for the CA2023 certificate is not executing automatically, do I need to update some kind of Bios in Vmware or in the VM itself to get enough confidence and get the updates of CA2023 run automatically? Or if I force the process with the key in registry, schedule the update and restart several times the server, do I need some kind of update in Vmware or in the VM itself?
Thanks.
Yesterday I had a test in a similar scenario. Windows 2025 fully up to date and VMware 8.0.2.
Setting the AvailableUpdates registry value to 0x5944 and running manually the Secure-Boot-Update scheduled task, after two run and two reboots I could see the DB updated with the new 2023 certificates. After these reboots I had AvailableUpdates=0x4004 and running the scheduled task again and rebooting the VM again did not change it anymore, the KEK could not be updated (I can see only event id 1801 in the registry, no other errors).
So I guess that if the VM finds the PK null, as is common in VMware environments today, the automatic process could not be completed (https://knowledge.broadcom.com/external/article/423893/secure-boot-certificate-expirations-and.html). PK and KEK must be updated manually as described in the Broadcom KB https://knowledge.broadcom.com/external/article/423919. Only after PK and KEK are up to date the automatic process can be completed and DB and Bootloader can be updated by the Microsoft scheduled task.
Prabhakar_MSFTMicrosoft
Hello iokdeda We are coordinating with Broadcom to introduce support in Windows for updating the PK if the Windows OEM Devices PK is missing on Secure Boot- and vTPM-enabled vSphere VMs, thereby facilitating KEK updates.
For VMs created on ESX 9.x hosts, the Windows OEM Devices PK is already present. However, for VMs created on earlier ESX versions, this PK is missing. We are actively working with Broadcom on a solution, which will be enabled through future Windows updates and corresponding Broadcom patches.
This is really good news!
Do you have any idea when we'll be able to get this support? It absolutely must arrive before the 2011 certificates expire, otherwise the automatic update process will fail, right?
- Prabhakar_MSFT
Hello iokdeda We are coordinating with Broadcom to introduce support in Windows for updating the PK if the Windows OEM Devices PK is missing on Secure Boot- and vTPM-enabled vSphere VMs, thereby facilitating KEK updates.
For VMs created on ESX 9.x hosts, the Windows OEM Devices PK is already present. However, for VMs created on earlier ESX versions, this PK is missing. We are actively working with Broadcom on a solution, which will be enabled through future Windows updates and corresponding Broadcom patches.
Hello Prabhakar_MSFT,
In Broadcom documentation, it stated that it is possible to manually replace the PK with Windows OEM Devices PK in UEFI menu. Is it supported to update KEK and DB in Windows for the VMs with Windows OEM Devices PK?
I have the exact same scenario with Parallels VMs. KEK can't update, then I find the PK isn't valid. Parallels have made changes so that newly minted VMs get the new PK and KEK, but no information about fixing up existing VMs.
