Event details
Navigating Secure Boot certificate updates in virtualized environments? Drop in to Secure Boot Office Hours and ask your questions live in the comments. For one hour, experts will be available to discuss Hyper-V, Azure offerings, Windows 365, VMware, and other virtualization scenarios. Whether you're still planning for certificate updates, validating your rollout, or troubleshooting an issue, come get the answers you need from the people closest to the technology.
There is no on-camera or meeting component to this event. All Q&A will take place in the comments on this page.
How do I participate?
Select Add to Calendar to save the date, then click the Attend button to save your spot, receive event reminders, and participate in the Q&A. Feel free to submit your questions ahead of time, and we encourage you to post early to help ensure they're seen by our experts. The Q&A will wrap up at 9:00 AM PDT, after which comments and replies will be closed.
Post your questions now for tomorrow's Office Hours. We'll have members of the Windows 365 and Azure Virtual Desktop teams "in the office" as well as members of Broadcom to answer your questions about updating Secure Boot certificates for Cloud PCs and virtual machines, including VMware environments.
Don't see Attend or Add to Calendar? Sign in to the Tech Community to join the conversation.
38 Comments
- wrootSilver Contributor
I see comments here to follow the Broadcom KB to update KEK and so on. But in the previous AMA i have posted that i already get 1808 event that my certs and boot manager are updated and MS confirmed there i should be all setup. So, i am a bit puzzled. I didn't do anything special. Just updated VMs compatibility to latest and updated the registry/run the scheduled task. My VM is not with vTPM or Bitlocker. It is a Windows Server 2025. Our ESXi is also 8.0.3 U3b, not U3j yet.
- Grace_VMWCopper Contributor
VMs created on ESXi 8.0U2+ hosts already have the 2023 KEK and the 2023 DB certificates (though the PK is NULL if ESXi version is not 9.x).
The "Impacted VMs"https://knowledge.broadcom.com/external/article/423893/secure-boot-certificate-expirations-and.html#remediation_impacted_vmssection in https://knowledge.broadcom.com/external/article/423893/secure-boot-certificate-expirations-and.html has more details.
- Heather_Poulsen
Community Manager
Thank you to everyone who has posted questions so far. We will leave the comments open through 9:00 AM PDT July 9 to accommodate time zones.
- Hans_H415Copper Contributor
We performed our Secure Boot cert update for our VMs that had it enabled following this article from Broadcom and all of our VMs seemed to have taken it:
https://knowledge.broadcom.com/external/article/423919/manual-update-of-secure-boot-variables-i.html
- RamakumarCopper Contributor
Great to hear. Any challenges or questions related to it?
- Hans_H415Copper Contributor
No issues-just took a bit of time to manually run through each VM after performing an inventory of the VMs that had Secure Boot enabled (we skipped the ones that did not). ProxMox was much easier to update the certificate with two mouse clicks for each VM.
- TechdawgsOccasional Reader
I found this page useful for updating the KEK certificate:
https://knowledge.broadcom.com/external/article/423919#disk_preparation
I did have issues creating the disk, but I created a virtual floppy, and it worked.- Grace_VMWCopper Contributor
This method can update the KEK from the firmware. However, our recommendation is to update the KEK within the OS using Microsoft's official guidance once the Windows OEM Devices PK is in place.
- RamakumarCopper Contributor
Its manual method of updating PK,KEK , usually we recommend this method for older releases like vSphere 6.7 and 7.x
For vSphere 8.x we recommend to use 803j and refer below KB
https://knowledge.broadcom.com/external/article/423893/secure-boot-certificate-expirations-and.html
- FredericlemieuxBrass Contributor
i have information for Proxmox VM ?
- Jayodele1234Occasional Reader
i never got a link to the meeting, is there anyway to attend this ?
- Cliff_HughesTin Contributor
there is no meeting, this is just open forum to ask questions and get feedback apparently.
- Heather_Poulsen
Community Manager
Jayodele1234 - There is no meeting component. Simply post your questions here in the comments. We have folks monitoring to answer your Windows 365, Azure Virtual Desktop, and VMware questions.
- ando1Occasional Reader
Hello!
On some Servers we are seeing "True" and a registry status of "InProgress". Are these machines updated?
(vSphere 8 - Hardware version 21)
Thanks in advance- Prabhakar_MSFT
Microsoft
Hello ando1 , Are you referring to True output for Windows UEFI CA 2023 or Microsoft UEFI CA 2023 certs? on VMWare based VMs, KEK certificate installation currently fails and Broadcom is collaborating with Microsoft to bring support for KEK certificate update in the future update. Please follow the KB article https://knowledge.broadcom.com/external/article/423893/secure-boot-certificate-expirations-and.html From Broadcom for guidance and updates
- RamakumarCopper Contributor
If i understand correctly, you are saying KEK2023 true and registry status IN progress. Please elaborate if that's not the case
- ando1Occasional Reader
Yes, exactly. I couldn't post the commands, it was blocked.
- MuyekiOccasional Reader
How do I enable secure boot in Vmware? Noticed it is not supported, how do I go about it
- RamakumarCopper Contributor
Please refer to this article for enable and disable secure boot
https://knowledge.broadcom.com/external/article/377377/enable-or-disable-uefi-secure-boot-for-a.html
If secure boot is not enabled no need to worry on certificate expiry of KEK or DB AFAIK
- Rupesh_VMWCopper Contributor
The complete documentation can be found here:
- https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/9-1/vsphere-security/securing-esxi-hosts/uefi-secure-boot-for-esxi-hosts.html
- https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/9-1/vsphere-virtual-machine-administration/configuring-virtual-machine-options/configuring-virtual-machine-boot-options/enable-or-disable-uefi-secure-boot-for-a-virtual-machine.html
- https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/9-1/esx-upgrade/after-upgrading-or-migrating-hosts/enable-secure-boot-on-an-upgraded-esxi-host.html
- IvanVelevskiOccasional Reader
Secure Boot is supported for VMware VMs. There is a "VM Options" tab on the VM Settings. You can select "Boot Options" and there should be a Secure Boot check box available when UEFI firmware is selected and the HW version of the machine is greater than 13.
It is usually enabled by default when a Windows is selected as the VM OS.
- Heather_Poulsen
Community Manager
Welcome to our Secure Boot Office Hours session for virtualized environments. Post your questions here in the comments. If you have multiple questions, please post each one as a separate comment to make it easier for our panel to see and answer. Thank you!
- cedricbradyCopper Contributor
Do we have guidance for applying the Secure Boot certificate update to VMware vSphere virtual machines, especially VDI-style VMs that use vTPM and BitLocker encryption?
- Grace_VMWCopper Contributor
Follow Microsoft's guidance to update the DB and KEK. If the PK is NULL, use VMware's Capsule PK update method to update it first prior to applying the KEK update.
https://knowledge.broadcom.com/external/article/423893/secure-boot-certificate-expirations-and.html
- RamakumarCopper Contributor
Please subscribe to Broadcom KB specified below, upcoming release has a solution for Secure Boot certificate that use vTPM and BitLocker encryption VMs
https://knowledge.broadcom.com/external/article/423893/secure-boot-certificate-expirations-and.html
- sandeepbyreddyCopper Contributor
Yes. When we provide the patch, we will release the detailed documentation for the same.
As of now, vSphere team has published a KB article with a detailed overview. Please refer to the KB article.