Event details
275 Comments
So we have 2500 VMware VMs, where we have checked with this code:
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'
We also have a similar line of code that checks the KEK, they both are returning true.
But we have NOT flipped the registry key specified by Microsoft to 0x5944 and hence the status says NotStarted. In our case above, with the VMware VMs, do we need to actually flip that registry key, that iniates the process or are we good to go as it is?
/Patrick
Prabhakar_MSFTMicrosoft
If devices have both Windows UEFI CA 2023 and KEK CA 2023, then certificates are already updated. Likely the VM was created on latest version of VSphere software that creates VMs with updated certificates. UEFICAStatus shows Not Started because Boot manager is not yet updated. To update Windows Boot manager to new 2023 certificate signed version, Set AvailableUpdtes registry key to 0x5944 and execute "Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update". This should change the status to either updated or In Progress. If status shows "InProgress", reboot the server and rerun the task to get the update completed.
IMO your question (and it's a good one) is not unique to vSphere. There's no good way (that I'm aware of) via registry or TPM-WMI event IDs to tell whether a machine already installed the latest UEFI/SB keys successfully xor always had the 2023 keys and hence never needed to take any action.
To not risk getting shadowed for posting a link, you may want to look up Broadcom knowledge base article 421593.
We have taken exactly that approach (deleting the .nvram file and rebooting, which in Vcenters with version 8.0.2 or higher has provided us with the "true" results mentioned. The registry key and it's associated scheduled task is somewhat doubtful if it is needed at all in the case of our VMs.
