🔐 Secure Bits 🛡
Updating Secure Boot certificates on Windows Server continues (part 2)
I believe I had to go through the worst-case scenario after all:
→ GPO trigger → KEK failure
→ Broadcom idea (upgrade compatibility + delete/rename NVRAM) → VM fails to boot
→ Fixed the VM → tried again → KEK failure again
→ Ended up enrolling the missing KEK manually in UEFI
On the other hand I'm glad it went this way, because I can show the "ugly path" too. You might be lucky and stop at part 1. But if you run into VMware + KEK trouble, this is what it can look like.
⸻
🧩 What happened next
After the KEK error from part 1, I found Broadcom guidance and community comments suggesting that on some older VMs you can solve missing 2023 Secure Boot variables by upgrading VM compatibility and regenerating the VM's NVRAM (.nvram).
My demo environment is ESXi 8.0.2 and the VM was already at the highest compatible hardware version, but I tried removing the NVRAM anyway. Bad idea: the VM stopped booting.
⚠️ Test everything first (rename rather than delete) and proceed carefully: versions and VM history matter.
⸻
🛠️ Recovering the VM (boot fix)
I didn't give up. I booted into UEFI and used:
UEFI → Boot from a file → (select volume) → EFI → Microsoft → Boot → SecureBootRecovery.efi
That checked and repaired the UEFI boot configuration and let the VM boot again. Once back in Windows, I was basically in the same situation: Secure Boot was enabled, DB updates looked fine, but the KEK step was still failing.
At that point I accepted the reality: manual time.
⸻
🔧 Manual enrollment
I followed Broadcom's manual enrollment approach (link in comments), with one important adjustment: their examples focus on PK, but my problem was KEK.
Steps (high level):
1️⃣ Download the required Microsoft certificates (DER files)
2️⃣ Attach a small disk to the VM and copy the certs there
3️⃣ Power off the VM and add the advanced parameter:
uefi.allowAuthBypass = "TRUE"
4️⃣ Boot into UEFI → Secure Boot Configuration becomes available
5️⃣ Choose what you need to fix (PK / KEK / DB / DBX) and enroll the correct certificate from the attached disk → Save/commit
6️⃣ Remove uefi.allowAuthBypass afterwards and boot back into Windows
7️⃣ Re-run the Secure Boot update task / let Windows finish the remaining steps
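As an added example (my own script, not from the original post and not from Broadcom's guide), this is the check I would run inside the guest after step 7: it parses the KEK and db UEFI variables as EFI_SIGNATURE_LIST structures, reports whether the Microsoft 2023 CAs are present, and cross-checks the DER files from the attached disk by thumbprint so you know the certificate you enrolled by hand is the one the firmware now holds. It assumes the built-in SecureBoot PowerShell module (Get-SecureBootUEFI, Confirm-SecureBootUEFI) and an elevated session; D:\certs is a placeholder for the small disk from step 2, and the subject names are the ones Microsoft publishes for its 2023 CAs, so confirm them against the DER files you downloaded.

```powershell
#Requires -RunAsAdministrator
# Added example, not the post's or Broadcom's code. Verifies the KEK/db contents
# after the manual enrollment. Assumes the SecureBoot module is present; D:\certs
# is a placeholder for the disk that carried the DER files (step 2).

# EFI_CERT_X509_GUID: SignatureType of lists that hold DER-encoded X.509 certificates
$script:EfiCertX509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-UefiSignatureCertificates {
    <# Parses one Secure Boot variable as a chain of EFI_SIGNATURE_LIST structures
       and returns every X.509 certificate found in it (hash-only lists are skipped). #>
    param([Parameter(Mandatory)][ValidateSet('PK','KEK','db','dbx')][string]$VariableName)

    [byte[]]$bytes = (Get-SecureBootUEFI -Name $VariableName).Bytes
    $certs  = [System.Collections.Generic.List[object]]::new()
    $offset = 0
    while ($offset + 28 -le $bytes.Length) {
        # Header: SignatureType GUID(16) | SignatureListSize(4) | SignatureHeaderSize(4) | SignatureSize(4)
        $sigType  = [guid][byte[]]($bytes[$offset..($offset + 15)])
        $listSize = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $hdrSize  = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize  = [BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or ($offset + $listSize) -gt $bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST in $VariableName at offset $offset"
        }
        if ($sigType -eq $script:EfiCertX509Guid) {
            $pos = $offset + 28 + $hdrSize
            $end = $offset + $listSize
            while ($pos + $sigSize -le $end) {
                # EFI_SIGNATURE_DATA: SignatureOwner GUID(16) followed by the DER certificate
                [byte[]]$der = $bytes[($pos + 16)..($pos + $sigSize - 1)]
                $certs.Add([System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der))
                $pos += $sigSize
            }
        }
        $offset += $listSize
    }
    return $certs
}

function Test-SecureBoot2023Certificates {
    param([string]$CertFolder = 'D:\certs')   # placeholder path for the attached cert disk

    # Subject CNs Microsoft uses on its 2023 Secure Boot CAs (assumption: verify against your DER files)
    $expected = [ordered]@{
        KEK = @('Microsoft Corporation KEK 2K CA 2023')
        db  = @('Microsoft UEFI CA 2023', 'Windows UEFI CA 2023', 'Microsoft Option ROM UEFI CA 2023')
    }
    if (-not (Confirm-SecureBootUEFI)) { Write-Warning 'Secure Boot is not enabled on this guest' }

    # Read each variable once and keep the parsed certificates for both checks below
    $enrolled = [ordered]@{}
    foreach ($var in $expected.Keys) { $enrolled[$var] = @(Get-UefiSignatureCertificates -VariableName $var) }

    # Check 1: is every expected 2023 CA present, and until when is it valid?
    $report = foreach ($var in $expected.Keys) {
        foreach ($name in $expected[$var]) {
            $match = @($enrolled[$var] | Where-Object { $_.Subject -like "CN=$name*" })
            [pscustomobject]@{
                Variable   = $var
                Expected   = $name
                Present    = ($match.Count -gt 0)
                Thumbprint = if ($match.Count) { $match[0].Thumbprint } else { $null }
                NotAfter   = if ($match.Count) { $match[0].NotAfter }   else { $null }
            }
        }
    }

    # Check 2: each DER file you enrolled by hand should now appear in the firmware by thumbprint
    $allThumbprints = @($enrolled.Values | ForEach-Object { $_ } | ForEach-Object Thumbprint)
    foreach ($file in Get-ChildItem -Path $CertFolder -Filter '*.der' -ErrorAction SilentlyContinue) {
        $fileCert   = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file.FullName)
        $inFirmware = $allThumbprints -contains $fileCert.Thumbprint
        Write-Host ("{0,-45} enrolled in firmware: {1}" -f $file.Name, $inFirmware)
    }
    return $report
}

Test-SecureBoot2023Certificates | Format-Table -AutoSize
```

A row with Present = False for the KEK entry is exactly the state I was stuck in before the manual enrollment; after step 7 all rows should be True, and the thumbprint of the DER file you enrolled should match the KEK row. Matching is done on the certificate subject rather than a hardcoded thumbprint so the same script works if Microsoft reissues a CA, but the file cross-check still pins the exact certificate you put into the firmware.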
⸻
🔍 Reality check
Honestly, I spent far more time on this than I expected. Too many overlapping guides and "status/error" breadcrumbs that don't always lead anywhere, especially in virtualized environments.
If this were always simple, it would really be just: patch → gpupdate & maybe reboot.
⸻
In part 3 I'll focus on how to tell you're fine, how to detect "stuck in progress," and how to collect the right event IDs / registry status into something you can report on.
To be continued…
