Event details

It's time for our third Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. If you've already bookmarked Secure Boot playb...
Pearl-Angeles
Updated Mar 11, 2026
AMA
IT_SystemEngineer's avatar
IT_SystemEngineer
Brass Contributor
Mar 09, 2026

Will Microsoft and/or Broadcom provide a solution to automatically update ESXi VMs with missing KEK/PK?

The solution from the article https://knowledge.broadcom.com/external/article/421593/missing-microsoft-corporation-kek-ca-202.html is unfortunately no longer available (upgrading the hardware version and deleting/renaming the .nvram file).

This article https://knowledge.broadcom.com/external/article?articleNumber=423893 states:
"There is no automated resolution available at this time. In coordination with Microsoft, Broadcom Engineering Team is actively working towards implementing an automated solution in a future release to update the Platform Key (PK) on the affected VMs, which will facilitate the certificate rollout as outlined in the Microsoft Guideline."

  • Prabhakar_MSFT's avatar
    Prabhakar_MSFT
    Icon for Microsoft rankMicrosoft
    Mar 12, 2026

    Hello IT_SystemEngineer​ , As you mentioned, we are coordinating with Broadcom to bring support in Windows to update KEK on the ESXI VMs.   If new VMs are created on latest versions on ESXI, VMs get created with new certificates. For pre-existing VMs, Microsoft is coordinating with Broadcom and will be enabled in the future update.