Hello there!
What is the supported and scalable way to update Secure Boot keys across hundreds of VMware-based virtual machines?
Is there a simple standardized process or tooling from Microsoft?
Hello Jan2,
Broadcom is working with Microsoft to bring support to update VM Platform Key via Capsule update mechanism as documented by Broadcom at Secure Boot Certificate Expirations and Update Failures in VMware Virtual Machines. This will unlock automated deployment of KEK 2023 certificate.
Pasting the Broadcom documentation below
- Capsule PK update for vTPM-enabled Windows VMs: This method depends on planned Microsoft Windows patches. For supported Windows versions with the required patch installed, the missing Windows OEM Devices PK certificate will be automatically added to the PK database upon a guest reboot following a reboot prompt. This capability will be added to ESXi 8.x and 9.x in future patches. Additionally, a PK update driver is required to trigger the update. This driver will be delivered via Windows Update and also included in a planned VMware Tools release.
VMware VMs can update Windows UEFI CA 2023, Microsoft UEFI CA 2023 (if VM trusts Microsoft Corporation UEFI CA 2011) to DB today by leveraging one of the deployment methods documented at https://aka.ms/getsecureboot.
Windows Configuration System (WinCS) APIs for Secure Boot - Microsoft Support
Once you have configured one of the above policies, the device will automatically install the required KEK 2023 cert as soon as deployment is unblocked, automatically across all virtual machines.
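Before and after rolling the DB/KEK 2023 updates out to a fleet of VMs, it helps to inventory which certificates each guest actually has enrolled. The following is an added PowerShell example, not code from this thread or from Microsoft/Broadcom; it assumes the built-in SecureBoot module (Get-SecureBootUEFI / Confirm-SecureBootUEFI), an elevated session with WinRM reachable on the VMs, and uses Microsoft's published certificate subject names plus the "Windows OEM Devices PK" name from the Broadcom text above. The VM names are constructed placeholders.

```powershell
# Added example: report Secure Boot 2011/2023 certificate enrollment per VM.
# Requires an elevated session; Get-SecureBootUEFI reads the UEFI variables directly.
function Get-SecureBoot2023Status {
    [CmdletBinding()]
    param()

    if (-not (Confirm-SecureBootUEFI)) {
        # Legacy BIOS or Secure Boot disabled: nothing to inventory.
        return [pscustomobject]@{ Computer = $env:COMPUTERNAME; SecureBoot = $false }
    }

    # PK/KEK/db are raw EFI_SIGNATURE_LIST blobs. The DER certificates inside
    # carry their subject names as printable ASCII, so a substring match on the
    # decoded bytes is enough to tell which CAs are enrolled.
    $pk  = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name pk).Bytes)
    $kek = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name kek).Bytes)
    $db  = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)

    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        SecureBoot          = $true
        # PK name as quoted from the Broadcom documentation above (assumed subject string)
        PK_WindowsOEMDevices = $pk  -match 'Windows OEM Devices PK'
        KEK_2011            = $kek -match 'Microsoft Corporation KEK CA 2011'
        KEK_2023            = $kek -match 'Microsoft Corporation KEK 2K CA 2023'
        DB_WindowsCA2011    = $db  -match 'Microsoft Windows Production PCA 2011'
        DB_WindowsCA2023    = $db  -match 'Windows UEFI CA 2023'
        DB_ThirdPartyCA2011 = $db  -match 'Microsoft Corporation UEFI CA 2011'
        DB_ThirdPartyCA2023 = $db  -match 'Microsoft UEFI CA 2023'
    }
}

# Fan the check out over the fleet with WinRM. $vmNames is a constructed list.
$vmNames = 'vm-app-01', 'vm-app-02', 'vm-db-01'
Invoke-Command -ComputerName $vmNames -ScriptBlock ${function:Get-SecureBoot2023Status} |
    Format-Table Computer, SecureBoot, KEK_2023, DB_WindowsCA2023, DB_ThirdPartyCA2023 -AutoSize
```

A VM that still shows KEK_2023 = False after the policy has been applied is one where the KEK update is still blocked (for example, the PK the guest trusts cannot yet authorize it), which is exactly the case the capsule PK update described above is meant to unblock.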