VMware vSphere

  • 1.  UEFI and Secure boot cert update

    Posted 8 days ago

    I would like to clarify what actions, if any, we need to take on our ESXi 8 hosts regarding Secure Boot certificate updates. Specifically, with the Microsoft Secure Boot certificate update (2011 → 2023), do we need to update anything on ESXi itself, or is it sufficient to update the host BIOS/UEFI firmware? Any guidance on the proper steps to ensure our hosts and VMs are using the latest certificates would be greatly appreciated.



    -------------------------------------------


  • 2.  RE: UEFI and Secure boot cert update

    Posted 7 days ago
    Edited by notCloud 7 days ago

    This is a moving beast.

    See this article: 423893

    There is a post on this in the forums here.

    There are likely going to be updates for this soon. Things will continue to boot, so it's not all doom and gloom.
    Recommend a minimum version of 8 Update 3.

    -------------------------------------------



  • 3.  RE: UEFI and Secure boot cert update

    Posted 7 days ago

    Thank you for the KB article.

    Even though we have updated the firmware and BIOS and applied the ESXi patches, do we still need to manually update?

    -------------------------------------------



  • 4.  RE: UEFI and Secure boot cert update

    Posted 7 days ago
    Edited by notCloud 7 days ago

    OK, I have been digging into this. This is a dumpster fire train wreck.

    There are many levels to this:

    Hardware - right now you should be updating the hardware BIOS; vendors like Dell and HPE are still updating BIOS to support the 2023 chain. If you have a BIOS that supports the Secure Boot updates and you are Secure Booting ESXi, then keep your BIOS up to date.

    Then there is the VM BIOS; this is being worked on, so hold here and make no changes yet, but gather the list of VMs that are using Secure Boot. Use VCF Ops for this; you need to enable this option.

    Do you have a VMware TAM? If so, speak to them.

    -------------------------------------------



  • 5.  RE: UEFI and Secure boot cert update

    Posted 6 days ago

    Microsoft has a video you can get a lot of information from, here: https://techcommunity.microsoft.com/event/windowsevents/ask-microsoft-anything-secure-boot---february-2026/4486023

    -------------------------------------------



  • 6.  RE: UEFI and Secure boot cert update

    Posted 5 days ago

    Good topic to discuss in this forum.

    As per what I read about the Secure Boot certificate:

    First, the BIOS firmware needs to be updated. Once the BIOS firmware is updated, the Microsoft article will help you fix the issue.

    As per my understanding, the VMware BIOS is the .nvram file. Below is the article on VMware hardware version history, which describes the VM's nature; you need to find your VM hardware version. It will show like the sample below in your vCenter Server -> Compatibility section:

    ESXi 6.7 U2 and later (VM version 15)
    ESXi 7.0 U2 and later (VM version 19)
    vmx-21

    VMware Hardware Version Article -> https://knowledge.broadcom.com/external/article/315655
    VMware Hardware Version Upgrade Article -> https://knowledge.broadcom.com/external/article?legacyId=1010675

    So, it might be a requirement to upgrade the BIOS or VMware hardware version to the latest, but it is not mentioned in any VMware article that we need to upgrade to the latest, as far as I have found to date. It might be there, but I missed it.
    VMware provided the articles below, which are more about troubleshooting steps:
    -> https://knowledge.broadcom.com/external/article/423893
    -> https://knowledge.broadcom.com/external/article/423919
    -> https://knowledge.broadcom.com/external/article/424429

    There are many Microsoft articles; among them I found the articles below useful, and one was already mentioned by someone in this thread:
    -> https://techcommunity.microsoft.com/blog/windows-itpro-blog/act-now-secure-boot-certificates-expire-in-june-2026/4426856/
    -> https://techcommunity.microsoft.com/event/windowsevents/ask-microsoft-anything-secure-boot---february-2026/4486023

    -------------------------------------------



  • 7.  RE: UEFI and Secure boot cert update

    Posted 3 days ago

    If I understand correctly, Broadcom is responsible for updating the UEFI firmware, while we must perform tasks within the Windows OS to ensure the boot loader is up to date (specifically the 2023 DBX updates). At a high level, the following steps are required for Windows Server VMs on VMware ESXi:

    Phase 1: VMware / Broadcom

    • Ensure the VM's Secure Boot databases (DB/DBX) are updated to support the new Microsoft certificates.

    Phase 2: Microsoft / Windows

    • Install Windows Updates: Apply the latest cumulative updates.

    • Trigger Revocation: Manually apply the Secure Boot update via the registry or the automated scheduled task.

    Only after both phases are complete will the system be fully prepared for the 2026 Secure Boot certificate transition.

    Am I correct?

    -------------------------------------------



  • 8.  RE: UEFI and Secure boot cert update

    Posted 2 days ago

    If you have VMs with an older hardware version and Secure Boot enabled, then test it on your devices or virtual machines.
    It is found that an older VMware hardware version also gives "True" as the output of the command below.

    Command (type in PowerShell):
    ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')

    So, upgrading the VMware hardware version to the latest is not required in the above scenarios. Below is the new article on the Microsoft community page with AI-assisted answers:
    https://learn.microsoft.com/en-my/answers/questions/5804878/how-to-manually-force-apply-updated-secure-boot-ce

    But it is good to test it in your environment on test servers where you can play with those machines. Make sure that you have a full backup and snapshot taken in advance.

    I would suggest that the steps mentioned by you above are still relevant, and that making your environment stable and on the latest VMware hardware version is the priority. You have a chance to make this upgrade during this crucial time as well.

    One more thing: the Windows Secure Boot certificate expiry only applies to Secure Boot enabled machines. So, if you have machines with it disabled, read about that as well.
    Many things are going on on the internet, but having the latest update or action item is a necessity. So, it needs to be explored and tested in your environment to make the solution work as expected.

    -------------------------------------------



  • 9.  RE: UEFI and Secure boot cert update

    Posted yesterday

    I tested on my test machine, where the VMware hardware version is an older version, and the command below shows the value as "True":
    Type in PowerShell: ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')

    My value is "True" on an older VMware hardware version (vmx-19 -> ESXi 7.0 U2 (7.0.2)), and then the Microsoft steps were performed as mentioned below:

    • reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5944 /f
    • Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
    • Manually reboot the system when the AvailableUpdates becomes 0x4100
    • Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

    It marks the Secure Boot certificate as updated, with event code "1799" and the message "Boot Manager signed with Windows UEFI CA 2023 was installed successfully" in the Windows SYSTEM events.

    You can test it in your environment & test the scenario.



    -------------------------------------------
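    The checks scattered across the two posts above (the db string match, the AvailableUpdates value, the 1799 event) gathered into one read-only audit script to run inside a Windows guest before and after the transition steps. This is an added example for this thread, not VMware's or Microsoft's tooling; the 2011 CA subject name and the assumption that its revocation shows up as an X.509 entry in dbx are mine, not from the thread.

```powershell
# Read-only audit of a Windows guest's Secure Boot certificate state.
# Added example for this thread; not VMware's or Microsoft's tooling. Changes nothing.
# Run in an elevated PowerShell inside the VM (the SecureBoot module ships with Windows).

function Test-SecureBootVarContains {
    # Returns $true when the named UEFI variable (db, dbx, ...) contains $Pattern.
    # Subject names inside the DER-encoded certificates are plain ASCII, so a
    # string match on the raw bytes is enough (same trick as the thread's one-liner).
    param([string]$Name, [string]$Pattern)
    try {
        $bytes = (Get-SecureBootUEFI -Name $Name).Bytes
        return ([System.Text.Encoding]::ASCII.GetString($bytes) -match $Pattern)
    } catch {
        return $false   # variable not present, or no UEFI Secure Boot at all
    }
}

$report = [ordered]@{}
try { $report['SecureBootEnabled'] = Confirm-SecureBootUEFI } catch { $report['SecureBootEnabled'] = $false }

# db: is the new 2023 CA enrolled (the thread's check), and is the old 2011 CA still present?
# 'Microsoft Windows Production PCA 2011' is the 2011 CA's subject name (my addition, not from the thread).
$report['Db_Has_WindowsUEFICA2023'] = Test-SecureBootVarContains -Name 'db'  -Pattern 'Windows UEFI CA 2023'
$report['Db_Has_ProductionPCA2011'] = Test-SecureBootVarContains -Name 'db'  -Pattern 'Microsoft Windows Production PCA 2011'
# dbx: assumption that the revocation is the 2011 CA's X.509 entry; a hash-only entry would not match.
$report['Dbx_Revokes_PCA2011']      = Test-SecureBootVarContains -Name 'dbx' -Pattern 'Microsoft Windows Production PCA 2011'

# AvailableUpdates is the value the thread sets to 0x5944 to drive the Secure-Boot-Update task;
# the thread reports 0x4100 as the "reboot now" state.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'
$avail = (Get-ItemProperty -Path $regPath -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates
$report['AvailableUpdates'] = if ($null -eq $avail) { 'not set' } else { '0x{0:X}' -f $avail }

# Event 1799 in the System log is the success marker quoted in the thread.
$evt = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1799 } -MaxEvents 1 -ErrorAction SilentlyContinue
$report['BootMgr2023Installed'] = [bool]($evt -and $evt.Message -match 'Windows UEFI CA 2023')

[pscustomobject]$report | Format-List
```

    Run it once before applying the registry and scheduled-task steps and once after the final reboot; a fleet-wide inventory is just this script fed through Invoke-Command against your Secure Boot VM list.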



  • 10.  RE: UEFI and Secure boot cert update

    Posted yesterday

    I am testing the Secure Boot certificate transition steps. According to the KB article, we should load WindowsOEMDevicesPK.der as part of the process.

    However, on a test VM I have not loaded WindowsOEMDevicesPK.der, but when I run the following command inside Windows:

    (Get-UEFISecureBootCerts dbdefault).signature

    I can still see UEFI CA 2023 certificate details.

    This VM is running Windows Server with Secure Boot enabled on VMware ESXi 7.

    I am curious why the 2023 certificate is already present even though I did not manually load the file described in the KB article.

    Has anyone seen this behavior or knows if the certificate may already be included by default in the firmware or Windows Secure Boot updates?

    -------------------------------------------