So we have 2500 VMware VMs, where we have checked with this code:
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'
We also have a similar line of code that checks the KEK, they both are returning true.
But we have NOT flipped the registry key specified by Microsoft to 0x5944 and hence the status says NotStarted. In our case above, with the VMware VMs, do we need to actually flip that registry key, which initiates the process, or are we good to go as it is?
/Patrick
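A read-only way to gather the three pieces of state the question turns on (db contents, KEK contents, and the KB5025885 registry values) from one VM. This is an added example, not code from the thread; it assumes the registry path `HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot` with the `AvailableUpdates` and `UEFICA2023Status` values as documented by Microsoft in KB5025885, and the KEK subject string `Microsoft Corporation KEK 2K CA 2023` from the same article. It changes nothing on the machine.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread). Reports Secure Boot db/KEK contents and the
# KB5025885 registry state on the local machine; read-only.

function Get-SecureBootCa2023Report {
    # Assumption: registry location and value names per Microsoft KB5025885.
    $sbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'

    # The variable payload is a list of DER-encoded certificates. Subject names are
    # stored as PrintableString, so decoding the raw bytes as ASCII and doing a
    # substring match finds the CA name without an ASN.1 parser. This is the same
    # technique as the one-liner in the thread.
    $dbText  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $kekText = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)

    # Confirm-SecureBootUEFI throws on hardware/firmware that does not support it.
    $sbEnabled = try { Confirm-SecureBootUEFI } catch { $null }

    $reg = Get-ItemProperty -Path $sbKey -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        SecureBootEnabled = $sbEnabled
        DbHas2023CA       = [bool]($dbText  -match 'Windows UEFI CA 2023')
        DbHas2011PCA      = [bool]($dbText  -match 'Microsoft Windows Production PCA 2011')
        # Assumption: KEK subject string taken from KB5025885.
        KekHas2023KEK     = [bool]($kekText -match 'Microsoft Corporation KEK 2K CA 2023')
        AvailableUpdates  = if ($null -ne $reg.AvailableUpdates) { '0x{0:X}' -f [int]$reg.AvailableUpdates } else { '<not set>' }
        UEFICA2023Status  = if ($reg.UEFICA2023Status) { $reg.UEFICA2023Status } else { '<not set>' }
    }
}

# Usage: run locally and format as a table; over a fleet, wrap in Invoke-Command
# and export to CSV so the "db/KEK already contain the 2023 keys but status is
# NotStarted" population can be counted instead of inferred.
Get-SecureBootCa2023Report | Format-List
```

The point of reporting the db and KEK match results next to `UEFICA2023Status` is exactly the ambiguity raised in the thread: the status value only reflects whether Windows' own update task ran, not whether the firmware already shipped with the 2023 keys, so the two have to be read together.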
- JamesEpp, Feb 25, 2026, Iron Contributor
IMO your question (and it's a good one) is not unique to vSphere. There's no good way (that I'm aware of) via registry or TPM-WMI event IDs to tell whether a machine already installed the latest UEFI/SB keys successfully xor always had the 2023 keys and hence never needed to take any action.
To not risk getting shadowed for posting a link, you may want to look up Broadcom knowledge base article 421593.
- Sugmuffen, Feb 25, 2026, Copper Contributor
We have taken exactly that approach (deleting the .nvram file and rebooting), which in vCenter with version 8.0.2 or higher has provided us with the "true" results mentioned. It is somewhat doubtful whether the registry key and its associated scheduled task are needed at all in the case of our VMs.
- JamesEpp, Feb 26, 2026, Iron Contributor
"It is somewhat doubtful whether the registry key and its associated scheduled task are needed at all in the case of our VMs."
I think this just reinforces the same point MS keeps making. Keep your firmware up to date. In the case of virtualization, keep your hypervisor up to date (and in this context, the VM hardware version/take manual steps where required).
Firmware with all the keys built in (though I admit Broadcom's guidance leaves a bit to be desired in specificity) is the best option if available.