
 Windows 11 Secure Boot Certificate updates

Erik Maaloe posted May 28, 2026 07:06 AM

I understand that Microsoft is rolling out updates to the Windows 11 Secure Boot certificates from 2011, which will be outdated from the end of June 2026. I know it is a phased rollout, but even after applying the latest May updates from Microsoft, the status for my Windows 11 (25H2, build 26200.8457) is:

"Secure Boot is on, but your device is using an older boot trust configuration that should be updated. There is not yet enough data to classify your device for automatic update."

As shown under Windows Security --> Device security --> Secure boot.

Are we waiting for updates to Fusion?

I can find information on the issue on Broadcom's web related to ESXi, but not to Fusion.

I am still on an Intel-based MacBook, with Fusion 26H1.

Is there anything I could or should do?

External Moderator Technogeezer

What version of Fusion are you currently running?

What is the hardware compatibility (virtual machine hardware version) that your Windows 11 VM is set to?

I don't have an Intel Mac to check against, but I do have a Windows 11 VM running under Linux with VMware Workstation 26H1. Given the similarities between the products, I'll check what Windows Security says on that VM. 

External Moderator Technogeezer

Duh... never mind the question on the Fusion version -- it helps if I read everything you posted. Apologies.

Still would like to know the virtual hardware version, though. 

Erik Maaloe

I am using hardware version 22 - and VMware Tools 13.1.0, as installed with Fusion 26H1.

Erik Maaloe

I have dug into the Windows event log and found that ever since I upgraded my Windows 11 VM to 25H2 I have been getting the following error at boot time:

Level: Error
Date and Time: 2026-06-05 13:05:38
Source: Microsoft-Windows-TPM-WMI
Event ID: 1801
Task Category: None
Message: "Updated Secure Boot certificates are available on this device but have not yet been applied to the firmware. Review the published guidance to complete the update and maintain full protection. This device signature information is included here.
DeviceAttributes: BaseBoardManufacturer:Intel Corporation;FirmwareManufacturer:VMware, Inc.;FirmwareVersion:VMW201.00V.25275966.B64.2603102050;OEMModelNumber:VMware20,1;OEMModelBaseBoard:440BX Desktop Reference Platform;OEMModelSystemFamily:;OEMManufacturerName:VMware, Inc.;OEMModelSKU:;OSArchitecture:amd64;
BucketId: 66799fab018bfbf888fc44045f3b50a8cb592512ee51729515594cb4bebbacc9
BucketConfidenceLevel: Under Observation - More Data Needed
UpdateType:
For more information, please see https://go.microsoft.com/fwlink/?linkid=2301018."

So the issue is about a missing VMware firmware update. How is this done? The Microsoft link is not useful in this context.

External Moderator Technogeezer

Some research that I've found as well suggests that these messages are due to Microsoft holding back installation of the Secure Boot certificates. The updated certs have been downloaded, but Microsoft refuses to apply them. They say that they are using cloud-based resources to validate your configuration against "compatible" configurations to see if they should actually apply the update. (That's where the "there is not enough data to classify your device" reportedly comes from.)

Evidently Microsoft doesn't think they should apply the certs to VMware virtual machines.

The standard guidance from Microsoft says to contact your "system vendor". So we really need Broadcom to weigh in here...

As a side note, it looks like Broadcom has somewhat similar issues on ESXi (https://knowledge.broadcom.com/external/article/423893/secure-boot-certificate-expirations-and.html). I wonder if the null signature issue for the PK that the article references is what's causing the issues. I've seen Fusion and Workstation VMs that have this same null signature PK.
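As an added example (this is not code from the thread, from Broadcom, or from Microsoft), the following read-only PowerShell check gathers in one place the facts the two posts above rely on: whether the 2011 and 2023 Microsoft CAs are present in the guest's UEFI db and KEK variables, the firmware vendor/version strings the TPM-WMI 1801 event reports, the most recent 1801 events with their BucketConfidenceLevel, and the Secure Boot servicing registry values. The `Servicing\UEFICA2023Status` registry value is an assumption taken from Microsoft's certificate-expiration guidance and is only read if it exists; `AvailableUpdates` under the `SecureBoot` key is the value Microsoft's KB5025885 instructions write to. Run it in an elevated PowerShell session inside the Windows 11 VM.

```powershell
# Added example, not part of the original thread. Read-only: it changes nothing.
# Requires an elevated session on a UEFI-booted Windows guest (Get-SecureBootUEFI).

function Get-SecureBootCertStatus {
    $r = [ordered]@{}

    # Same firmware identity fields that the TPM-WMI 1801 event puts in DeviceAttributes
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $r.FirmwareManufacturer = $bios.Manufacturer
    $r.FirmwareVersion      = $bios.SMBIOSBIOSVersion
    $r.SecureBootEnabled    = Confirm-SecureBootUEFI

    # db and KEK are EFI_SIGNATURE_LISTs of DER certificates. The CA subject names are
    # stored as plain ASCII inside the DER, so a substring search on the raw bytes is
    # enough to tell which generation of Microsoft CAs the firmware currently trusts.
    $want = @{
        db  = @{ '2011' = 'Microsoft Corporation UEFI CA 2011|Microsoft Windows Production PCA 2011'
                 '2023' = 'Windows UEFI CA 2023|Microsoft UEFI CA 2023|Microsoft Option ROM UEFI CA 2023' }
        KEK = @{ '2011' = 'Microsoft Corporation KEK CA 2011'
                 '2023' = 'Microsoft Corporation KEK 2K CA 2023' }
    }
    foreach ($var in 'db', 'KEK') {
        $bytes = (Get-SecureBootUEFI -Name $var).Bytes
        $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
        $r["${var}_Has2011CA"] = [bool]($text -match $want[$var]['2011'])
        $r["${var}_Has2023CA"] = [bool]($text -match $want[$var]['2023'])
    }

    # PK is what the Broadcom article is about; report its size so an unusual or
    # empty PK stands out, without interpreting the signature here.
    try   { $r.PK_Bytes = (Get-SecureBootUEFI -Name PK).Bytes.Length }
    catch { $r.PK_Bytes = 'unreadable: ' + $_.Exception.Message }

    # Microsoft's servicing state. AvailableUpdates is the KB5025885 control value;
    # UEFICA2023Status under Servicing is an ASSUMED location, read only if present.
    $sb  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
    $svc = Join-Path $sb 'Servicing'
    $r.AvailableUpdates = if (Test-Path $sb) {
        '0x{0:X}' -f [int](Get-ItemProperty -Path $sb -ErrorAction SilentlyContinue).AvailableUpdates } else { 'n/a' }
    $r.UEFICA2023Status = if (Test-Path $svc) {
        (Get-ItemProperty -Path $svc -ErrorAction SilentlyContinue).UEFICA2023Status } else { 'key not present' }

    # Most recent 1801 events ("certs available but not applied") with their bucket verdict
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'; Id = 1801
    } -MaxEvents 5 -ErrorAction SilentlyContinue
    $r.Event1801Count = @($events).Count
    $r.Event1801Latest = foreach ($e in $events) {
        $conf = if ($e.Message -match 'BucketConfidenceLevel:\s*([^\r\n]+)') { $Matches[1].Trim() } else { '?' }
        '{0:yyyy-MM-dd HH:mm:ss}  {1}' -f $e.TimeCreated, $conf
    }

    [pscustomobject]$r
}

Get-SecureBootCertStatus | Format-List
```

A VM in the state the original post describes would show `db_Has2011CA` true, `db_Has2023CA` false, one or more 1801 events with "Under Observation - More Data Needed", and a firmware version string starting with `VMW201`. The script only observes; applying the 2023 CAs still depends on Microsoft's rollout and on the virtual firmware accepting the db/KEK updates, which is the part of the thread that needs a vendor answer.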