Event details
Hello!
We are currently testing the cert update in our VMware ESXi 8 environment for server OS. Testing 2016, 2019, 2022, and 2025. All VMs are fully patched and have the latest VMware Tools installed.
After setting the GPO "Enable Secure Boot Certificate Deployment":
2016 updates all certs; Event ID 1808 is written.
2019 and 2022: most certs are updated, however the KEK is not, giving the Event error 1796.
2025 does not update any certs, nor does it start the update process at all.
- Anyone else having issues with VMware guests and KEK update for 2019 and 2022?
- Any clue as to why 2025 is not even starting the update process?
Thanks!
I am not sure why on my Server 2022 testing, but you can just update the KEK the same way you did the PK via EFI and Broadcom instructions. They had it on their KB before, then it was removed.
You just select enroll PK, then enroll KEK, and select the cert on the drive you added to the VM.
Now the PK and KEK are updated; start the reg key and updating process, and it goes to Updated status. You can verify the certs are there after.
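
A read-only check for the state discussed in this thread, as an added example that is not part of either post: it reports whether the 2023 certificates are present in the guest's KEK and db variables and lists recent events 1796 and 1808. The certificate subject names, the System log location and the `UEFICA2023Status` registry value are assumptions taken from Microsoft's Secure Boot certificate guidance, not from the thread.

```powershell
# Added example. Run in an elevated PowerShell session inside the Windows guest.
# Assumption: subject names of the 2023 Secure Boot certificates (not quoted in the thread).
$expected = [ordered]@{
    KEK = @('Microsoft Corporation KEK 2K CA 2023')
    db  = @('Windows UEFI CA 2023', 'Microsoft UEFI CA 2023', 'Microsoft Option ROM UEFI CA 2023')
}

function Test-SecureBootCert {
    param([string]$Variable, [string]$Subject)
    try {
        $bytes = (Get-SecureBootUEFI -Name $Variable -ErrorAction Stop).Bytes
    } catch {
        return $null   # variable unreadable: legacy BIOS guest or session not elevated
    }
    # The variable holds DER certificates; the subject appears as plain ASCII text.
    $text = [System.Text.Encoding]::ASCII.GetString($bytes)
    return [bool]($text -match [regex]::Escape($Subject))
}

# Confirm-SecureBootUEFI throws on non-UEFI systems, so guard it.
$enabled = try { Confirm-SecureBootUEFI -ErrorAction Stop } catch { $null }
"Secure Boot enabled: $enabled"

foreach ($variable in $expected.Keys) {
    foreach ($subject in $expected[$variable]) {
        [pscustomobject]@{
            Variable = $variable
            Subject  = $subject
            Present  = Test-SecureBootCert -Variable $variable -Subject $subject
        }
    }
}

# Assumption: servicing status value; absent on hosts where the update never started.
$servicing = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
(Get-ItemProperty -Path $servicing -ErrorAction SilentlyContinue).UEFICA2023Status

# Events named in the thread: 1808 (all certs updated) and 1796 (error).
# ProviderName is shown so unrelated events that share an ID can be discarded.
$filter = @{ LogName = 'System'; Id = 1796, 1808; StartTime = (Get-Date).AddDays(-14) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, ProviderName, Message
```

A guest that shows the db entries as present but the KEK entry as `False` together with event 1796 matches the 2019/2022 behaviour described in the question.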