Are there any updates regarding my question: "Will Microsoft and/or Broadcom provide a solution to automatically update ESXi VMs with missing KEK/PK?"
The last answer from PrabhakarMSFT was: "...we are coordinating with Broadcom to bring support in Windows to update KEK on the ESXI VMs. If new VMs are created on latest versions on ESXI, VMs get created with new certificates. For pre-existing VMs, Microsoft is coordinating with Broadcom and will be enabled in the future update."
- wingmanerik, Jun 04, 2026, Copper Contributor
I posted a question about this as well before seeing this. Definitely interested in everyone's stance on this. Time is running out and I don't want to have to import PK/KEK certificates manually into thousands of VMware VMs.
- ClientAdmin, Jun 01, 2026, Brass Contributor
I'm also very interested in the answer to this question.
We absolutely need to know when the solution created by Microsoft & Broadcom will be released. Time is running... And if it will maybe require a newer ESXi release (newer than 8.0 U3j (P09)) to be installed beforehand, we'll for sure not be able to do the work before June 24th, when the Microsoft Corporation KEK CA 2011 certificate expires.
Broadcom documents that for Windows VMs with vTPM it's recommended to wait for an automated solution to become available in a future release. But how long do we need to wait...?
https://knowledge.broadcom.com/external/article/423893/secure-boot-certificate-expirations-and.html