VMware vSphere
  • 1.  Manual Update of the Secure Boot Platform Key in Virtual Machines KB 423919

    Posted 30 days ago
    Edited by big_vern 30 days ago


    I don't think this article is clear, or at least I don't understand it.
    Assume the VM has a vTPM and the KEK 2023 certs (created on 8.0 U3).

    I know the article yellow-boxes BitLocker, which is clear enough, but:

    Enrolling a new PK changes the PCR, so regardless of the BitLocker prep steps this breaks other vTPM features.

    My main concern is Credential Guard (e.g. service accounts running with stored passwords).

    Am I wrong? I'm also concerned that other future issues may be stored that are not immediately surfaced.

    Can engineering confirm the method is sound (given they withdrew the NVRAM rename)?



    -------------------------------------------
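To illustrate the PCR concern raised in the post above, here is an added Python model (my own example, not from the thread, VMware or the KB) of how PCR7 is derived by extending the Secure Boot variables in sequence, and why a secret sealed to the old PCR7 value no longer unseals after a new PK is enrolled. The event format and the seal scheme are simplified assumptions: real firmware logs EFI_VARIABLE_DATA structures and real TPM sealing uses a policy session.

```python
import hashlib

# Constructed sample Secure Boot variable contents (placeholders, not real certs).
OLD_VARS = {
    "SecureBoot": b"\x01",
    "PK": b"CONSTRUCTED: vendor PK 2013",
    "KEK": b"CONSTRUCTED: Microsoft KEK 2023",
    "db": b"CONSTRUCTED: db 2011+2023",
    "dbx": b"CONSTRUCTED: dbx",
}
NEW_VARS = dict(OLD_VARS, PK=b"CONSTRUCTED: vendor PK 2023")  # only PK swapped

def pcr_extend(pcr: bytes, event_data: bytes) -> bytes:
    """TPM 2.0 extend semantics: PCR' = SHA256(PCR || SHA256(event_data))."""
    return hashlib.sha256(pcr + hashlib.sha256(event_data).digest()).digest()

def measure_pcr7(variables: dict) -> bytes:
    """Model of PCR7: Secure Boot state, PK, KEK, db, dbx extended in order (simplified event format)."""
    pcr = bytes(32)  # PCR7 starts at all zeros after reset
    for name in ("SecureBoot", "PK", "KEK", "db", "dbx"):
        pcr = pcr_extend(pcr, name.encode() + b"\x00" + variables[name])
    return pcr

def policy_for(pcr7: bytes) -> bytes:
    """Toy stand-in for a TPM2_PolicyPCR digest bound to PCR7."""
    return hashlib.sha256(b"PolicyPCR7:" + pcr7).digest()

def seal(secret: bytes, pcr7: bytes) -> tuple:
    """Toy seal: XOR the secret with a key derived from the PCR7 policy digest."""
    key = hashlib.sha256(b"key:" + policy_for(pcr7)).digest()
    return policy_for(pcr7), bytes(a ^ b for a, b in zip(secret, key))

def unseal(sealed: tuple, current_pcr7: bytes):
    """Returns the secret only if the current PCR7 satisfies the sealed policy."""
    policy, blob = sealed
    if policy_for(current_pcr7) != policy:
        return None  # policy mismatch: the BitLocker / Credential Guard style lockout
    key = hashlib.sha256(b"key:" + policy).digest()
    return bytes(a ^ b for a, b in zip(blob, key))

def demo():
    """Seal under the old PK measurement, then re-measure after the PK swap."""
    secret = b"CONSTRUCTED-VMK-OR-VSM-KEY-32-BYTES!!"[:32]
    before = measure_pcr7(OLD_VARS)
    after = measure_pcr7(NEW_VARS)
    sealed = seal(secret, before)
    return {"pcr7_changed": before != after,
            "unseal_before": unseal(sealed, before) == secret,
            "unseal_after": unseal(sealed, after)}
```

Any PCR7-bound secret (a BitLocker VMK or a Credential Guard VSM key) behaves like the sealed blob here: it is only recoverable while the measured Secure Boot variables match the values at seal time, which is why a PK change has to be preceded by suspending or re-sealing such protectors.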



  • 2.  RE: Manual Update of the Secure Boot Platform Key in Virtual Machines KB 423919

    Posted 18 days ago

    Hello

    Your questions are well addressed in the VMware KB article mentioned below. I would recommend subscribing to this KB to stay updated with the latest information and changes.

    Secure Boot Certificate Expirations and Update Failures in VMware Virtual Machines

    I would suggest testing your scenario by first taking a snapshot of the test VM along with a full backup. You can then proceed with testing the steps. If the test is successful and works as expected, you can move ahead with your action items.
    The referenced article has been tested in my environment and worked without any issues, with the server status successfully reflecting as "Updated."

    Manual Update of the Secure Boot Platform Key in Virtual Machines

    VMware Community discussion on the same topic can be found at the link below.

    UEFI and Secure boot cert update

    -------------------------------------------



  • 3.  RE: Manual Update of the Secure Boot Platform Key in Virtual Machines KB 423919

    Posted 17 days ago
    Edited by big_vern 17 days ago

    They aren't. I'm not in the habit of posting questions if the answers are in the KB; you linked an article that's in the post title.

    I was hoping someone with knowledge from VMware engineering would reply.

    A test on a handful of VMs does not scale out to an enterprise environment with confidence, especially considering there are multiple vTPM features aside from the ones in the article that may be affected, and they have withdrawn a previous 'fix' KB for the same issue. You fill your boots if that's the way you manage.

    -------------------------------------------



  • 4.  RE: Manual Update of the Secure Boot Platform Key in Virtual Machines KB 423919

    Posted 16 days ago

    Hello,

    A new / updated VMware Knowledge Base article has been published that directly addresses this exact scenario: Secure Boot Certificate Expirations and Update Failures in VMware Virtual Machines (KB 423893).

    This documentation specifically details the necessary remediation steps for vTPM-enabled virtual machines as well.

    I highly recommend subscribing to this VMware KB to receive real-time updates on automated patches and future compatibility releases. This is also the same article previously highlighted earlier in this thread.

    Secure Boot Certificate Expirations and Update Failures in VMware Virtual Machines
    https://knowledge.broadcom.com/external/article?articleNumber=423893

    -------------------------------------------