In a vmware 8.x environment we can see null PKs and empty DBX from guest VMs with secure boot enabled. KEK and DB contain 2011 MS CA certificates. 

What should I expect in this scenario?

Is the empty DBX correct?

Will this VMs automatically update the certificates?

When does Windows Boot Manager get swapped from 2011‑signed to 2023‑signed

We have very large Windows server environment and most of them are VM's running on vmWare platform. does this applicable to vm's also?

Are there any updates regarding ESXi VMs failing to install the KEK certificate? From research Broadcom and Microsoft were looking into this

Would there be any changes required in the WDAC policies since we have policy updated with anything to be allowed signed by the cert Microsoft Windows Production PCA 2011. So when this is going to be replaced with new PCA 2023 cert, should we update our WDAC policy with the new cert?

If the devices don't have updated certificates after June 2026, will there be need to disable secure boot, so they to be able to boot?

Our devices are shipped with OEM Windows Pro and are later upgraded to Windows Enterprise via Intune policy. On a large subset of these devices, the Intune configuration profile used to opt devices into Microsoft‑managed Secure Boot certificate updates is failing with Intune error 65000, and corresponding event logs indicate the policy is being rejected by licensing rather than by Secure Boot or firmware state.

My question is:

• Is this a known and acknowledged issue when Secure Boot certificate updates are applied to devices that have undergone OEM Pro → Enterprise conversion via Intune? and what what is the workaround?

To kick off Secure Boot cert updates, do we have to set the registry value (or Intune policy that sets it)?

If the Boot Cert is not updated, and an attempt to install a CU that contains updates to the Secure Boot - will the entire CU KB fail to install?

Any particular attention point or difference on the process for Azure Confidential Compute virtual machines?