Hello.
For Virtual Machines running Windows Server 2012 R2, 2016, 2019 or 2022 with all Windows updates applied up to April 2026 (these VMs run on VMware 8.0.3.0): if the update process for the CA 2023 certificate is not executing automatically, do I need to update some kind of BIOS in VMware or in the VM itself to get enough confidence that the CA 2023 updates run automatically? Or if I force the process with the registry key, schedule the update and restart the server several times, do I still need some kind of update in VMware or in the VM itself?
Thanks.
Yesterday I had a test in a similar scenario. Windows 2025 fully up to date and VMware 8.0.2.
Setting the AvailableUpdates registry value to 0x5944 and manually running the Secure-Boot-Update scheduled task, after two runs and two reboots I could see the DB updated with the new 2023 certificates. After these reboots I had AvailableUpdates=0x4004, and running the scheduled task again and rebooting the VM again did not change it anymore; the KEK could not be updated (I can see only Event ID 1801 in the registry, no other errors).
So I guess that if the VM finds the PK null, as is common in VMware environments today, the automatic process cannot be completed (https://knowledge.broadcom.com/external/article/423893/secure-boot-certificate-expirations-and.html). PK and KEK must be updated manually as described in the Broadcom KB https://knowledge.broadcom.com/external/article/423919. Only after PK and KEK are up to date can the automatic process be completed and the DB and bootloader be updated by the Microsoft scheduled task.
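Before forcing the process the answer above describes, it helps to see where a VM actually stands: the servicing state, which certificates the Secure Boot variables hold, and the recent TPM-WMI events, in one read-only report. The PowerShell check below is an added example and not code from either poster; it assumes the `SecureBoot\Servicing` registry key, the `Secure-Boot-Update` task, the `Microsoft-Windows-TPM-WMI` provider and the certificate subject names that Microsoft documents for this update, and it must run in an elevated session.

```powershell
# Added check script (not from the original thread). Reports the current state of the
# CA 2023 Secure Boot servicing on a Windows VM so the operator can tell whether the
# automatic process is stalled on a null PK before forcing it again.
# Assumed: registry key, task path, event provider and certificate names are the ones
# Microsoft documents for this update; run from an elevated PowerShell session.

function Get-CertPresence {
    param([string]$Variable, [string]$Pattern)
    # Secure Boot variables are raw EFI_SIGNATURE_LISTs; certificate subject names are
    # readable as ASCII inside the embedded DER blobs, which is enough for a presence check.
    try {
        $bytes = (Get-SecureBootUEFI -Name $Variable).Bytes
        return ([System.Text.Encoding]::ASCII.GetString($bytes) -match $Pattern)
    } catch {
        return $null   # variable absent or unreadable (a null PK behaves like this)
    }
}

$servicing = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
$available = (Get-ItemProperty -Path $servicing -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates

$report = [ordered]@{
    SecureBootEnabled = Confirm-SecureBootUEFI
    AvailableUpdates  = if ($null -ne $available) { '0x{0:X4}' -f $available } else { 'not set' }
    PKPresent         = ((Get-CertPresence -Variable PK -Pattern '.') -eq $true)
    KEK2023           = Get-CertPresence -Variable KEK -Pattern 'Microsoft Corporation KEK 2K CA 2023'
    DB_WindowsCA2023  = Get-CertPresence -Variable db  -Pattern 'Windows UEFI CA 2023'
    DB_OldPCA2011     = Get-CertPresence -Variable db  -Pattern 'Microsoft Windows Production PCA 2011'
}

# TPM-WMI events from the last 7 days, grouped by ID (1801 is the one the answer mentions).
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'; StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue
$report.RecentTPMWMIEvents = ($events | Group-Object Id | ForEach-Object { "$($_.Name) x$($_.Count)" }) -join ', '

[pscustomobject]$report | Format-List

if (-not $report.PKPresent) {
    Write-Warning 'PK is null or unreadable: the scheduled task cannot update KEK. Update PK/KEK per the Broadcom KB first.'
}
# To re-run the Microsoft task after PK/KEK are fixed (the step the answer describes):
#   Start-ScheduledTask -TaskPath '\Microsoft\Windows\PI\' -TaskName 'Secure-Boot-Update'
```

Run the report before and after each reboot of the procedure; a VM that is healthy shows PKPresent, KEK2023 and DB_WindowsCA2023 all True, while a stalled VMware guest typically shows PKPresent False with KEK2023 still False even though the DB has already been updated.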