We have a WinServer 21H2, build 20348.4773, VMware virtual servers on VMX21, BIOS Date 2025-01-17.

Ran the CheckCA2023 script and stepped through the check, SET and Start task, rebooted twice, only to find this error in the logs for Event ID 1796:

"The Secure Boot update failed to update KEK 2023 with error Invalid access to memory location.. For more information, please see https://go.microsoft.com/fwlink/?linkid=2169931"

When we refresh the CheckCA2023, we see:

AvailableUpdates equals 0x4004 "A PK signed KEK from the OEM isn't available"

UEFIACA2023Status is "In Progress - The update is actively in progress"

WindowsUEFICA2023Capable: 0x0002. 

UEFIACA2023ErrorEvent is 1796 and references what I put it quotes above.

We did come across this as well, as it pertains to VMware:

https://knowledge.broadcom.com/external/article/423893/secure-boot-certificate-expirations-and.html

https://knowledge.broadcom.com/external/article/423919/manual-update-of-the-secure-boot-platfor.html