As I heard from our TAM, it looks like Broadcom will provide something that will be done automatically through a new version of VMTools, to do the complete process. But without our TAM, I wouldn't have this information, so yes, I agree with you, it could be great if there were more information from Broadcom about that.
-------------------------------------------
Original Message:
Sent: Mar 27, 2026 04:50 AM
From: Tore
Subject: UEFI 2023 fully automated script? Also with Plattform Key change?
Hi Nathan.
And thank you for your answer.
I think many of us are eager for a Broadcom solution but are also in the process of creating scripts on our own.
With thousands of VMs waiting to be handled, and with under 3 months left, we are keen to get going.
Yes, we know the VMs won't stop, but there are some concerns about whether there can be malware waiting to exploit this somehow.
I think many are looking at this as a start:
https://github.com/haz-ard-9/Windows-vSphere-VMs-Bulk-Secure-Boot-2023-Certificate-Remediation
It would be great if Broadcom could make a better statement/information and set up a Broadcom Uefi2023 page (or something like that) to subscribe to.
Regards, Tore
------------------------------
Best Regards,
Tore
Original Message:
Sent: Mar 26, 2026 03:49 AM
From: Nathan Watts
Subject: UEFI 2023 fully automated script? Also with Plattform Key change?
Yes I did say that, and this is the correct response.
The article you refer to was pulled, it's been pulled for a reason, if you wish to follow an article that has been withdrawn this is your choice.
It was also more than a few days ago, it is now in the weeks ago/over one month time frame of being pulled. Take from that what you will.
Yes Broadcom is working on a solution, I do not have full details of it, I expect that it will be automated and be far less disruptive than nvram file deletions.
Again this is not a deadline, everything will continue to secure boot post cert expiry, these are not like web page certs, there is no CRL to look up. The only time it will impact is if someone comes along and thinks it'll be a great idea to add the 2011 cert to the dbx, this is a brave person.
At this time, update your host BIOS to include firmware from your vendors that uses the 2023 certificate. This should then contain both the 2011 and 2023 cert. Dell and HPE have released updates, I'm sure just about every other vendor out there has done this.
Hold tight for the solution from VMware/Broadcom, there is no panic.
Original Message:
Sent: Mar 26, 2026 02:58 AM
From: LuluTchab
Subject: UEFI 2023 fully automated script? Also with Plattform Key change?
Interesting. You said: "please be aware that deleting the nvram file is not endorsed by VMware engineering and not supported" but a really close solution was mentioned in https://knowledge.broadcom.com/external/article?articleId=421593 that has disappeared since then... (but still available here: https://web.archive.org/web/20260212085158/https:/knowledge.broadcom.com/external/article/421593/missing-microsoft-corporation-kek-ca-202.html)
It's great if Broadcom is working on something more efficient but maybe not smart to mention strongly that something is not supported as it was officially the solution to apply a few days ago 😏 maybe just say that it was the primary solution but you're working on something more efficient, so people should just avoid deleting the NVRAM for now 😇
Original Message:
Sent: Mar 25, 2026 08:48 PM
From: Nathan Watts
Subject: UEFI 2023 fully automated script? Also with Plattform Key change?
There is another thread on this here: https://community.broadcom.com/vmware-cloud-foundation/discussion/uefi-and-secure-boot-cert-update
Please be aware that deleting the nvram file is not endorsed by VMware engineering and not supported, there are solutions currently under development and you should not panic for a resolution.
There is NOT a deadline on this certificate expiry, everything will continue to boot post the certificate expiry date as stated by Microsoft, as the certificate remains trusted.
Original Message:
Sent: Mar 24, 2026 08:12 PM
From: Tore
Subject: UEFI 2023 fully automated script? Also with Plattform Key change?
Hi all.
Regarding the UEFI 2023 deadline in June, I guess a lot of you are looking to fully automate this procedure.
If it only were the KEK certificate to change, this looks like it easily can be done by renaming the .nvram file.
And that works as far as we have tested.
But also to change the Platform Key fully automated, has anyone successfully automated this step?
------------------------------
Best Regards,
Tore
------------------------------