u/Ambitious-Switch5867

▲ 1 r/Citrix

I'm looking for a little advice regarding what is required for the Secure Boot 2023 transition.
 
ESXi Host Version: 7.0.3
VM Version 19
 
Pre Reg Entries:
 
WindowsUEFICA2023Capable - 0
UEFICA2023Status - NotStarted
 
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023' - FALSE
 
I have carried out the update on our Win11 Master (23H2) - Citrix MCS - non-persistent VDI environment.

Added uefi.allowAuthBypass = TRUE to boot config  

  1. Set the 2023 opt-in:
     reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot" /v AvailableUpdates /t REG_DWORD /d 0x5944 /f
  2. Force Capability to 1:
     $Path = "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing"
     Set-ItemProperty -Path $Path -Name "WindowsUEFICA2023Capable" -Value 1
  3. Trigger the update task:
     Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

 
Following a couple of reboots the following reg entries have been updated:
 
Post Reg Entries:
 
WindowsUEFICA2023Capable - 2
UEFICA2023Status - InProgress
 
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023' now returns - TRUE
 
I recorded the following events from the System Log during the process:
 
Info - TPM-WMI - 1036
Secure Boot Db update applied successfully
 
Info - TPM-WMI - 1044
Secure Boot DB to install Microsoft Option ROM UEFI CA 2023 certificate applied successfully
 
Info - TPM-WMI - 1045
Secure Boot DB Update to install Microsoft UEFI CA 2023 certificate applied successfully
 
Error - TPM-WMI - 1803
A PK-signed Key Exchange Key (KEK) cannot be found for this device. Check with the device manufacturer for proper key provisioning
 
Warning - TPM-WMI - 1800
A reboot is required before installing the Secure Boot update. Reason: Boot Manager (2023)
 
Error - TPM-WMI - 1801
Update Secure Boot certificates are available on this device but have not yet been applied to the firmware
 
Gemini suggests the following: For ESXi 7.x, VMware creates VMs with a NULL (empty) Platform Key (PK).
 
The Microsoft Script: When the Windows update task runs, it tries to update the KEK. It checks the PK to get "permission."
 
The Error: The script sees that the PK is empty and says, "I don't have an owner to talk to, so I can't update the KEK." It then logs the Event 1803 error you saw.
 
"The KEK failure (Event 1803) is a cosmetic artefact caused by a known limitation in ESXi 7.x, where the virtual BIOS lacks a default 'Master Key.' However, by using a VMware-approved bypass, we successfully injected the required 2023 Certificate directly into the firmware's signature database. The 'failure' is in the update process reporting, not in the actual security state of the VM."
 
Is this enough? At present, there is no immediate plan to update the hosts.

u/Ambitious-Switch5867 — 6 days ago
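The post checks the registry values, the db variable and the System log by hand across several reboots. The following script is an added, read-only diagnostic (not from the original post or from VMware/Microsoft) that gathers the same evidence in one pass, so the three UEFI variables involved (PK, KEK, db) can be compared against the events the post lists. It assumes the registry path and value names quoted in the post, the event IDs 1036/1044/1045/1800/1801/1803 from the post, the ETW provider name Microsoft-Windows-TPM-WMI for the "TPM-WMI" source shown in Event Viewer, and the subject string "KEK 2K CA 2023" for Microsoft's 2023 KEK certificate, which is not on the post. Run it elevated on the VM.

```powershell
# Added diagnostic, not part of the original post. Read-only: it changes no
# registry value and writes no UEFI variable. Run from an elevated PowerShell.

function Get-UefiVarText {
    param([Parameter(Mandatory)][string]$Name)
    # Get-SecureBootUEFI throws when a variable is not defined in firmware
    # (for example a NULL/absent PK), so report $null instead of failing.
    try {
        $var = Get-SecureBootUEFI -Name $Name -ErrorAction Stop
        return [System.Text.Encoding]::ASCII.GetString($var.Bytes)
    } catch {
        return $null
    }
}

function Get-SecureBoot2023State {
    # Registry path and value names as quoted in the post (assumption: unchanged).
    $servicing = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $reg = Get-ItemProperty -Path $servicing -ErrorAction SilentlyContinue

    $db  = Get-UefiVarText -Name 'db'
    $kek = Get-UefiVarText -Name 'KEK'
    $pk  = Get-UefiVarText -Name 'PK'

    [pscustomobject]@{
        SecureBootEnabled        = (Confirm-SecureBootUEFI)
        WindowsUEFICA2023Capable = $reg.WindowsUEFICA2023Capable
        UEFICA2023Status         = $reg.UEFICA2023Status
        # Certificate names as reported by events 1044/1045 in the post.
        Db_WindowsUEFICA2023     = [bool]($db  -match 'Windows UEFI CA 2023')
        Db_OptionROMUEFICA2023   = [bool]($db  -match 'Microsoft Option ROM UEFI CA 2023')
        # Assumption: subject string of Microsoft's 2023 KEK certificate.
        KEK_2023Present          = [bool]($kek -match 'KEK 2K CA 2023')
        PK_Present               = ($null -ne $pk -and $pk.Length -gt 0)
    }
}

function Get-SecureBootServicingEvents {
    param([int]$Days = 7)
    # The event IDs are the ones the post recorded; provider name is an assumption.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-TPM-WMI'
        Id           = 1036, 1044, 1045, 1800, 1801, 1803
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

$state = Get-SecureBoot2023State
$state | Format-List

# Flag the combination the post describes: db carries the 2023 CA while the
# KEK does not, which is the state event 1803 ("no PK-signed KEK") reports.
if ($state.Db_WindowsUEFICA2023 -and -not $state.KEK_2023Present) {
    if (-not $state.PK_Present) {
        Write-Warning 'db has the 2023 CA, KEK does not, and no PK is present in firmware; expect 1803/1801 to persist.'
    } else {
        Write-Warning 'db has the 2023 CA but the 2023 KEK is missing; review events 1803 and 1801.'
    }
}

Get-SecureBootServicingEvents | Format-Table -AutoSize -Wrap
```

The PK check is the part the post could not see directly: the Gemini text asserts a NULL PK, and `PK_Present` reports what the firmware actually exposes rather than inferring it from event 1803. Run the script before and after each reboot to keep a timeline alongside the 1800/1801 events.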