Event details
Thanks for hosting, this is really useful. My question was regarding VMware and issues seen where NVRAM files seem to have a NULL or empty value - is there a strategy for getting the 2023 PK and KEK into the key provider?
When attempting to switch bootloaders I get non-booting machines, so I am following the process as best I can but drawing a blank...
For VMware virtual machines, you can use a method similar to what is currently proposed in the official VMware guidelines, but without the need for external disks or manual UEFI UI interaction. The approach involves adding the Microsoft-provided Windows OEM Devices PK certificate directly to the UEFI variable store from within the guest OS, which unblocks the automatic certificate update process and allows it to complete successfully.
The process, in brief, involves shutting down the VM, adding a vSphere advanced parameter that puts the machine into UEFI SetupMode on next power-on, then, once booted, verifying that SetupMode is active and enrolling the Windows OEM Devices PK certificate using the built-in PowerShell cmdlets. After enrollment, setting the AvailableUpdates registry key to trigger the Windows certificate update task and rebooting is all that is needed for the automated process to complete.
For the detailed commands, a Google search for "Secure Boot 2023 Certificate Remediation - Manual Procedure (No Scripts)" will lead you to a community-published article on GitHub that covers this. You only need Step 12 from that guide and nothing else. The preceding steps handle NVRAM regeneration and manual KEK enrollment, which are not necessary here: once the PK is corrected, the Windows automated update process takes care of the KEK, DB and boot manager updates by itself.
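The in-guest part of the procedure described in the answer above, written out as an added example; this is not code from the thread or from the GitHub guide it references. It assumes the VM has already been powered on with the vSphere advanced parameter that forces UEFI SetupMode (the parameter name is not given on this page; take it from the referenced guide), that the Windows OEM Devices PK certificate has been downloaded in DER form to the assumed path in `$PkCertPath`, that `Get-SecureBootUEFI -Name SetupMode` is readable on the firmware, and that `0x5944` is the `AvailableUpdates` value and `\Microsoft\Windows\PI\Secure-Boot-Update` the task name from Microsoft's current guidance; confirm all three before use. Beyond the steps in the answer, it also parses the PK/KEK/db signature lists so you can see what is actually enrolled before and after.

```powershell
#Requires -RunAsAdministrator
# Added example, not the thread's or the referenced guide's own code.
# Assumed: VM already booted with the setup-mode vSphere parameter set; PK cert at $PkCertPath.
param(
    [string]$PkCertPath = 'C:\SecureBoot\WindowsOEMDevicesPK.der',  # assumed download location
    [string]$WorkDir    = 'C:\SecureBoot',
    # Assumed: value Microsoft documents for applying the 2023 certificate set; verify before use.
    [uint32]$AvailableUpdates = 0x5944
)
$ErrorActionPreference = 'Stop'
$EfiCertX509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID

# Walk the EFI_SIGNATURE_LIST chain stored in a Secure Boot variable and return
# the X.509 certificates it holds, so enrollment can be checked rather than assumed.
function Get-UefiVariableCerts {
    param([Parameter(Mandatory)][string]$Name)
    $bytes = [byte[]](Get-SecureBootUEFI -Name $Name).Bytes
    $certs = @()
    $pos = 0
    while ($pos + 28 -le $bytes.Length) {
        $sigType    = [guid]::new([byte[]]$bytes[$pos..($pos + 15)])          # SignatureType
        $listSize   = [BitConverter]::ToUInt32($bytes, $pos + 16)             # SignatureListSize
        $headerSize = [BitConverter]::ToUInt32($bytes, $pos + 20)             # SignatureHeaderSize
        $sigSize    = [BitConverter]::ToUInt32($bytes, $pos + 24)             # SignatureSize
        if ($listSize -lt 28 -or $sigSize -le 16 -or $pos + $listSize -gt $bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST in $Name at offset $pos"
        }
        $entry = $pos + 28 + $headerSize
        $end   = $pos + $listSize
        while ($entry + $sigSize -le $end) {
            if ($sigType -eq $EfiCertX509Guid) {
                # EFI_SIGNATURE_DATA = SignatureOwner GUID (16 bytes) + DER-encoded certificate
                $der = [byte[]]$bytes[($entry + 16)..($entry + $sigSize - 1)]
                $certs += [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
            }
            $entry += $sigSize
        }
        $pos = $end
    }
    return $certs
}

# 1. Refuse to continue unless the firmware really is in SetupMode (variable value 1).
$setupMode = (Get-SecureBootUEFI -Name SetupMode).Bytes[0]
if ($setupMode -ne 1) {
    throw "Firmware is not in SetupMode (SetupMode=$setupMode); power the VM on with the setup-mode parameter first."
}
Write-Host 'PK before enrollment:'
try   { Get-UefiVariableCerts -Name PK | ForEach-Object { "  $($_.Subject)  $($_.Thumbprint)" } }
catch { "  (PK empty or unreadable: $($_.Exception.Message))" }

# 2. Wrap the certificate in an EFI_SIGNATURE_LIST and write it as the new PK.
#    In SetupMode the firmware accepts the write without a PKCS#7 signature.
New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null
$pkList = Join-Path $WorkDir 'PK.bin'
$time   = (Get-Date).ToUniversalTime()
Format-SecureBootUEFI -Name PK -SignatureOwner ([guid]::NewGuid()) -Time $time `
    -ContentFilePath $pkList -FormatWithCert -CertificateFilePath $PkCertPath | Out-Null
Set-SecureBootUEFI -Name PK -Time $time -ContentFilePath $pkList | Out-Null

# 3. Verify the PK now carries the expected certificate. Writing a PK moves the
#    firmware from SetupMode to UserMode, so SetupMode should now read 0.
$expected = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PkCertPath)
$enrolled = Get-UefiVariableCerts -Name PK
if (-not ($enrolled | Where-Object Thumbprint -eq $expected.Thumbprint)) {
    throw "PK enrollment did not take; PK now holds: $($enrolled.Subject -join '; ')"
}
"PK now: $($enrolled.Subject)"
"SetupMode after PK write: $((Get-SecureBootUEFI -Name SetupMode).Bytes[0]) (expect 0)"

# 4. Hand the rest (KEK, DB, boot manager) to the Windows servicing task and reboot.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
New-ItemProperty -Path $key -Name AvailableUpdates -PropertyType DWord -Value $AvailableUpdates -Force | Out-Null
Start-ScheduledTask -TaskName '\Microsoft\Windows\PI\Secure-Boot-Update'   # assumed task name
Restart-Computer -Confirm
```

After the reboot, run `Get-UefiVariableCerts -Name KEK` and `Get-UefiVariableCerts -Name db` again from the same script's function; the automated task is working if the 2023 Microsoft KEK and CA certificates appear alongside the 2011 ones. Keep the script's SetupMode guard: if the enrollment is attempted in UserMode the unsigned PK write is rejected by the firmware, and if it is attempted on a VM whose NVRAM was never regenerated the parser will report an empty or malformed PK rather than silently continuing.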