Event details
We have Windows Server VMs running on ESXi that are stuck in progress; the available updates registry value is 4004.
VMs are fully patched, we've run through the Broadcom documented process to update the Platform Key which allows the KEK db to be updated, and the Dell host server has had the latest BIOS applied, which specifically references the secure boot certificate firmware update.
The VM event logs state Updated Secure Boot certificates are available on this device but have not yet been applied to the firmware; we've confirmed the hosts are running the latest BIOS/firmware version.
2023 certificates are showing in the active DB but not in the default DB. How do we get this process to complete?
- mihi, Feb 02, 2026, Copper Contributor
The default DB will not change at all by actions done by the Secure Boot updates. If there is a firmware update, it may include them (or provide an option to enable them). If not, live with the fact you will need to run securebootrecovery whenever you reset your firmware variables.
With "Broadcom documented process" do you refer to article 423919 in their knowledge base, specifically to using UEFI setup to manually change the PK to the one with thumbprint 3d86...48b5? There should be a signed update available for that one (according to secureboot_objects), but when you went that far and took precautions like those about the TPM before, why not just repeat the process and enroll the KEK available in the same way?
https://github.com/microsoft/secureboot_objects/blob/main/PreSignedObjects/KEK/Certificates/microsoft%20corporation%20kek%202k%20ca%202023.der
- RayC15, Feb 02, 2026, Brass Contributor
Yes, although the Broadcom documentation indicates the KEK update as an optional step, it is recommended to enroll the KEK also. At least two VMs encountered a similar Secure Boot update failure when the KEK update was not enrolled. And the registry key may need to be reset to the original 0x5944 to restart the entire process if it is still stuck at 0x4004 after the KEK update.
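To see the state both replies are talking about (which 2023 certificates are in the active db versus dbDefault, what the servicing value currently holds, and whether the "not yet been applied" event is still being logged), the following PowerShell script can be run elevated inside the VM. It is an added example, not code from the thread or from Microsoft or Broadcom; it parses the EFI_SIGNATURE_LIST structures returned by `Get-SecureBootUEFI` and assumes the poster's "available updates registry value" is the `AvailableUpdates` value under `HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing`, the location used in Microsoft's Secure Boot servicing guidance.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the VM.
# Parses Secure Boot variables into certificate lists, compares db with dbDefault,
# reads the servicing value and looks for the "not yet been applied" event.

# EFI_CERT_X509_GUID: signature lists of this type carry DER-encoded X.509 certificates
$EfiCertX509Guid = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-SecureBootCertificates {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('PK', 'KEK', 'KEKDefault', 'db', 'dbDefault')]
        [string]$Name
    )
    $bytes = [byte[]](Get-SecureBootUEFI -Name $Name).Bytes
    $offset = 0
    $certs = New-Object System.Collections.Generic.List[object]
    while ($offset + 28 -le $bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID(16), SignatureListSize(4),
        # SignatureHeaderSize(4), SignatureSize(4)
        $type     = [Guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $hdrSize  = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize  = [BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28) { break }   # guard against a malformed variable
        if ($type -eq $EfiCertX509Guid) {
            $pos = $offset + 28 + $hdrSize
            $end = $offset + $listSize
            while ($pos + $sigSize -le $end) {
                # EFI_SIGNATURE_DATA: SignatureOwner GUID(16) followed by the DER certificate
                $der  = [byte[]]$bytes[($pos + 16)..($pos + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                $certs.Add([pscustomobject]@{
                    Variable   = $Name
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                })
                $pos += $sigSize
            }
        }
        $offset += $listSize
    }
    return $certs
}

# 1. Which 2023 certificates are in the active db, and which in the firmware's dbDefault
$activeDb  = Get-SecureBootCertificates -Name db
$defaultDb = Get-SecureBootCertificates -Name dbDefault
$kek       = Get-SecureBootCertificates -Name KEK

"--- 2023 certificates in active db ---"
$activeDb  | Where-Object Subject -like '*2023*' | Format-Table Subject, NotAfter, Thumbprint -AutoSize
"--- 2023 certificates in dbDefault ---"
$defaultDb | Where-Object Subject -like '*2023*' | Format-Table Subject, NotAfter, Thumbprint -AutoSize
"--- 2023 certificates in KEK ---"
$kek       | Where-Object Subject -like '*2023*' | Format-Table Subject, NotAfter, Thumbprint -AutoSize

# Certificates present in the active db that dbDefault does not contain: these are the
# ones that would be lost if firmware variables were reset (the securebootrecovery case)
"--- in db but not in dbDefault ---"
Compare-Object -ReferenceObject $activeDb -DifferenceObject $defaultDb -Property Thumbprint |
    Where-Object SideIndicator -eq '<=' |
    ForEach-Object { $t = $_.Thumbprint; $activeDb | Where-Object Thumbprint -eq $t } |
    Format-Table Subject, Thumbprint -AutoSize

# 2. Current servicing state (assumed path; 0x4004 and 0x5944 are the values named in the thread)
$servicingKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
$state = (Get-ItemProperty -Path $servicingKey -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates
if ($null -ne $state) { 'AvailableUpdates = 0x{0:X}' -f $state } else { 'AvailableUpdates value not found' }

# 3. Most recent event matching the message quoted in the question
Get-WinEvent -LogName System -MaxEvents 20000 -ErrorAction SilentlyContinue |
    Where-Object Message -like '*Updated Secure Boot certificates are available*' |
    Select-Object -First 1 TimeCreated, Id, ProviderName, Message |
    Format-List
```

Reading the output against the thread: the 2023 entries showing in the db section but not the dbDefault section is the situation mihi describes as normal, since servicing updates never rewrite dbDefault. If the KEK section shows no 2023 entry at all, that is the missing KEK enrollment RayC15 points to, and the servicing value printed in step 2 is the one the reply says may need to go back to 0x5944 once the KEK is in place.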