Broadcom KB 423893 remains the single source of truth for the Microsoft certificate expiration topic in UEFI Secure Boot VMs.
Important: even if the Microsoft KEK certificate expires, affected VMs will continue to boot. The impact is mainly that the VM may not be able to update Microsoft KEK, DB and DBX certificates, which can block future Secure Boot related security updates. Guest OS updates not relying on these Secure Boot databases should continue to work.
This topic only concerns VMs with UEFI Secure Boot enabled. The KB also includes PowerShell scripts to identify Secure Boot / vTPM VM status and to reboot VMs.
| Scenario | Secure Boot | vTPM | Remediation: ESXi 8.0 U3i (P08) and lower builds, and ESX 7.x | Remediation: ESXi 8.0 U3j (P09) | Remediation: ESX 9.x |
|---|---|---|---|---|---|
| 1 | Disabled | Disabled | No Action | Silent PK Update (optional, since Secure Boot and vTPM are disabled) | No Action |
| 2 | Enabled | Disabled | Manual Update from vUEFI interface | Silent PK Update | Manual Update from vUEFI interface |
| 3 | Enabled | Enabled | Manual Update from vUEFI interface | Manual Update from VMX Configuration (preferred for non-Windows VMs). For Windows VMs, wait for the automated PK update solution (to be available in an upcoming 8.x patch release) | Manual Update from VMX Configuration (preferred for non-Windows VMs). For Windows VMs, wait for the automated PK update solution (to be available in an upcoming 9.1.x patch release) |
| 4 | Disabled | Enabled | No Action | No Action | No Action |
Summary:
- Secure Boot enabled without vTPM: patch ESXi hosts to 8.0 U3j and reboot the VMs to remediate PK automatically.
- Secure Boot enabled with vTPM: follow the KB carefully. For Windows VMs, Broadcom recommends waiting for the automated remediation in a future ESXi patch.
- After PK remediation, follow the guest OS vendor guidance to update KEK, DB and DBX certificates.
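As an added example (not one of the KB's own scripts), the PowerCLI snippet below inventories UEFI VMs, classifies each into the scenario rows of the table above from its Secure Boot and vTPM state, and selects the remediation column from the host version; it assumes an existing Connect-VIServer session, PowerCLI with the vSphere API objects, and that any ESXi 8.0 build at or above the U3j build counts as the U3j column. The `$U3jBuild` value is a placeholder to be filled in from KB 423893.

```powershell
# Added example, not code from KB 423893. Read-only triage of Secure Boot / vTPM VMs.
$U3jBuild = 0   # PLACEHOLDER: ESXi 8.0 U3j (P09) build number from KB 423893

function Get-SecureBootScenario {
    param([bool]$SecureBoot, [bool]$VTpm)
    # Scenario numbers follow the remediation table: 1..4
    switch ("$SecureBoot/$VTpm") {
        'False/False' { 1 }
        'True/False'  { 2 }
        'True/True'   { 3 }
        'False/True'  { 4 }
    }
}

function Get-RemediationAction {
    param([int]$Scenario, [version]$HostVersion, [int]$HostBuild)
    # Column 0: 7.x and 8.0 builds below U3j; column 1: 8.0 U3j or later; column 2: 9.x
    $col = if ($HostVersion.Major -ge 9) { 2 }
           elseif ($HostVersion.Major -eq 8 -and $U3jBuild -gt 0 -and $HostBuild -ge $U3jBuild) { 1 }
           else { 0 }
    $actions = @{
        1 = @('No Action', 'Silent PK Update (optional)', 'No Action')
        2 = @('Manual Update from vUEFI interface', 'Silent PK Update', 'Manual Update from vUEFI interface')
        3 = @('Manual Update from vUEFI interface',
              'Manual Update from VMX Configuration (non-Windows); Windows: wait for automated PK update',
              'Manual Update from VMX Configuration (non-Windows); Windows: wait for automated PK update')
        4 = @('No Action', 'No Action', 'No Action')
    }
    $actions[$Scenario][$col]
}

$report = foreach ($vm in Get-VM) {
    $cfg = $vm.ExtensionData.Config
    if ($cfg.Firmware -ne 'efi') { continue }   # BIOS-firmware VMs are out of scope
    $sb  = [bool]$cfg.BootOptions.EfiSecureBootEnabled
    # A vTPM is present when the virtual hardware carries a VirtualTPM device
    $tpm = @($cfg.Hardware.Device | Where-Object { $_.GetType().Name -eq 'VirtualTPM' }).Count -gt 0
    $esx = $vm.VMHost
    $scenario = Get-SecureBootScenario -SecureBoot $sb -VTpm $tpm
    [pscustomobject]@{
        VM = $vm.Name; GuestOS = $cfg.GuestFullName; SecureBoot = $sb; vTPM = $tpm
        Host = $esx.Name; HostVersion = $esx.Version; HostBuild = $esx.Build
        Scenario = $scenario
        Action = Get-RemediationAction -Scenario $scenario -HostVersion ([version]$esx.Version) -HostBuild ([int]$esx.Build)
    }
}
$report | Sort-Object Scenario, VM | Format-Table -AutoSize
```

Scenario 2 and 3 VMs are the ones to track; export the report before patching hosts so the post-reboot state can be compared against it.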