Secure Boot is one of those foundational security features that most of us expect to “just work”. And for the most part, it does—until it doesn’t.
With the upcoming Secure Boot certificate expirations, many organizations have started to notice warnings and failed compliance checks. This applies to both physical devices and virtual machines, but the remediation story looks very different depending on where the workload is running.
Secure Boot on Physical Devices – Usually Straightforward
On physical hardware, Secure Boot remediation is relatively simple:
- Make sure Secure Boot is enabled in UEFI
- Ensure the scheduled task responsible for updating Secure Boot certificates is present and running
- Verify the device is running an up-to-date BIOS/UEFI firmware
If those prerequisites are met, Windows can typically update the Secure Boot certificates by itself. In most environments, the issue resolves automatically once the platform is properly maintained. The latest Windows 11 update also includes scripts that help you deploy, control and manage Secure Boot certificates; Microsoft's sample end-to-end automation guide is here: https://support.microsoft.com/en-us/topic/sample-secure-boot-e2e-automation-guide-f850b329-9a6e-40d1-823a-0925c965b8a0
Virtual Machines: A Very Different Story
Once you move into a virtualized environment, things get more complicated.
In a virtual machine, Windows does not own the Secure Boot Platform Key (PK). The virtualization platform does. That means Windows cannot update or replace the Secure Boot certificate on its own, even if everything inside the guest OS is correctly configured. This is where many admins get stuck.
VMware Secure Boot: The Long‑Awaited Update
For VMware environments, the only real fix is a platform update. Until very recently, there was no such update available—leaving many organizations in a “wait and see” situation. That has now changed :-)
Broadcom has finally released updated guidance and remediation related to Secure Boot certificate expirations for VMware ESXi 8.0.
Broadcom KB: https://knowledge.broadcom.com/external/article/423893/secure-boot-certificate-expirations-and.html
This is an important step forward—but there are still limitations you need to be aware of!
vTPM + Secure Boot: Still a Challenge
If your virtual machines are using vTPM (which you absolutely should if you want BitLocker, Credential Guard, and modern Windows security features), the situation is not fully solved yet.
As of now, Broadcom states:
“There are no automated remediation methods available at this time for vTPM-enabled Virtual Machines (Windows & Linux).”
Broadcom is working closely with Microsoft on this, but there is currently no automated way to update the Platform Key (PK) for vTPM-enabled VMs. The official recommendation is to wait for a future release that introduces an automated solution. This upcoming solution is expected to align with Microsoft’s guidance here:
Microsoft Secure Boot guidance (KB 5062713):
https://support.microsoft.com/en-us/topic/secure-boot-certificate-updates-guidance-for-it-professionals-and-organizations-e2b43f9f-b424-42df-bc6a-8476db65ab2f
Important Limitations to Keep in Mind
- The current update applies to VMware ESXi 8.0
- It does not automatically remediate vTPM-enabled VMs
- Broadcom and Microsoft are actively working on a future automated solution
- Manual workarounds for vTPM VMs are not recommended
In other words: progress has been made, but we’re not at the finish line yet.
How to Check Your Environment
If you want to understand where you stand today, I strongly recommend starting with visibility.
You can use the updated Secure Boot PowerShell script here:
https://deploymentbunny.com/2026/05/07/check-secureboot-ps1-script-updated/
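As an added illustration of the physical-device checklist and the VM/vTPM caveat above (this is my own example, not the author's Check-SecureBoot.ps1 script and not Microsoft's or Broadcom's tooling), here is a minimal in-guest readiness check. The scheduled task path `\Microsoft\Windows\PI\Secure-Boot-Update` and the Servicing registry value `UEFICA2023Status` are assumed from Microsoft's servicing guidance (KB 5062713); verify both against that article for your Windows build.

```powershell
# Added example (not the author's Check-SecureBoot.ps1): minimal Secure Boot
# certificate-rollover readiness check. Run in an elevated PowerShell session.
# Assumptions: the task path and the Servicing value name below are taken from
# Microsoft's Secure Boot servicing guidance (KB 5062713); confirm for your build.

function Get-SecureBootReadiness {
    [CmdletBinding()]
    param()

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    # On a VMware VM the hypervisor owns the Platform Key (PK), so the guest
    # cannot replace the certificates by itself; a platform update is required.
    $isVMware = ($cs.Manufacturer -match 'VMware') -or ($cs.Model -match 'VMware')

    # Secure Boot state as reported by UEFI (the cmdlet throws on legacy BIOS).
    try   { $sbEnabled = Confirm-SecureBootUEFI -ErrorAction Stop }
    catch { $sbEnabled = $false }

    # Is the "Windows UEFI CA 2023" certificate already in the signature database (db)?
    $has2023CA = $false
    if ($sbEnabled) {
        $db = Get-SecureBootUEFI -Name db
        $has2023CA = [System.Text.Encoding]::ASCII.GetString($db.Bytes) -match 'Windows UEFI CA 2023'
    }

    # Scheduled task that applies the certificate update (assumed path, see header).
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\PI\' -TaskName 'Secure-Boot-Update' -ErrorAction SilentlyContinue

    # Servicing status that Windows records during the rollover (assumed value name).
    $servicing = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' -ErrorAction SilentlyContinue

    # TPM/vTPM presence: a vTPM-enabled VM has no automated PK fix yet (Broadcom KB).
    $tpm = Get-Tpm -ErrorAction SilentlyContinue

    [PSCustomObject]@{
        ComputerName        = $env:COMPUTERNAME
        IsVMwareVM          = $isVMware
        SecureBootEnabled   = [bool]$sbEnabled
        Has2023UefiCA       = [bool]$has2023CA
        UpdateTaskPresent   = [bool]$task
        UpdateTaskState     = if ($task) { [string]$task.State } else { 'Missing' }
        UEFICA2023Status    = if ($servicing) { $servicing.UEFICA2023Status } else { 'Unknown' }
        TpmPresent          = [bool]($tpm -and $tpm.TpmPresent)
        FirmwareVersion     = (Get-CimInstance -ClassName Win32_BIOS).SMBIOSBIOSVersion
        # Heuristic: a VMware guest without the 2023 CA cannot fix this from inside.
        NeedsPlatformUpdate = $isVMware -and -not $has2023CA
    }
}

Get-SecureBootReadiness | Format-List
```

A VMware VM that reports TpmPresent = True and NeedsPlatformUpdate = True is exactly the vTPM case Broadcom says has no automated remediation yet.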
For the full background story—including timelines, risks, and why this matters—read:
https://deploymentbunny.com/2026/04/07/secure-boot-2026-essential-updates-and-fixes/
And if you prefer video format, there’s a full webinar available here:
https://event.truesec.com/all_webinar_ps_secure-boot_19_may_2026_registration
A VMware Perspective
This time, I also want to give a special shout‑out to a good friend and colleague, Anders Olsson, who is our true VMware expert. If you want to understand the VMware side of this in depth—architecture, constraints, and what’s likely coming next—he’s the person to talk to. Whenever there is something important in the VMware world, I always get a ping, thank you!
https://www.truesec.com/experts/anders-olsson
https://www.linkedin.com/in/andersolsson/
Check this post from Anders for more details about the update itself:
https://www.linkedin.com/feed/update/urn:li:activity:7465700194131816448/
Final Thoughts
Secure Boot certificate updates are one of those “silent” security dependencies that suddenly become very loud when they break.
- Physical devices? Mostly manageable.
- Virtual machines? Entirely dependent on the platform.
- VMware? Progress at last—but with important caveats.
If you’re running ESXi 8.0, now is the time to review your Secure Boot and vTPM strategy, validate your current state, and prepare for upcoming platform updates.
This is definitely a nice thing to know—before it becomes a critical incident.
Until next time
/DeploymentBunny