IMO your question (and it's a good one) is not unique to vSphere. There's no good way (that I'm aware of) via registry or TPM-WMI event IDs to tell whether a machine already installed the latest UEFI/SB keys successfully xor always had the 2023 keys and hence never needed to take any action.
To not risk getting shadowed for posting a link, you may want to look up Broadcom knowledge base article 421593.
We have taken exactly that approach (deleting the .nvram file and rebooting), which in vCenters with version 8.0.2 or higher has provided us with the "true" results mentioned. The registry key and its associated scheduled task is somewhat doubtful if it is needed at all in the case of our VMs.
- JamesEpp, Feb 26, 2026, Iron Contributor
"The registry key and its associated scheduled task is somewhat doubtful if it is needed at all in the case of our VMs."
I think this just reinforces the same point MS keeps making. Keep your firmware up to date. In the case of virtualization, keep your hypervisor up to date (and in this context, the VM hardware version/take manual steps where required).
Firmware with all the keys built in (though I admit Broadcom's guidance leaves a bit to be desired in specificity) is the best option if available.