• Secure Boot is part of the UEFI firmware standard. With Secure Boot enabled, a machine refuses to load any UEFI driver or app unless the operating system boot loader is cryptographically signed. Starting with vSphere 6.5, ESXi supports Secure Boot if it is enabled in the hardware.
• In case of some of the older hardware platform or hardware with older firmware, you will see below errors while attempting to boot latest ESXi stateless with UEFI secure mode enabled. This is due to expiry of iPXE binary certificate "vmware_esx40.der" on 31st December 2019.

 “UEFI0073: Unable to boot PXE device”.

To resolve the issue refer below section.

1. Enroll the VMware certificate in the UEFI firmware allowlist (db variable).
   1. Download the two VMware certificates attached to this KB article as vmware_sb.zip.
   2. Enroll the appropriate VMware certificate(s) in UEFI firmware.

• For ESXi 6.5.x, vmware_esx40.der is required.  
• For ESXi 6.7.x and later,  vmware_sb2017.der is preferred.  
• If needed, you can use both.

3. Enroll the VMware certificate in UEFI firmware.
   The procedure to manually enroll VMware certificates into the UEFI firmware's allowlist (db variable) depends on the machine's hardware vendor. Look for documentation from your hardware vendor on how to do the enrollment.
   For example, you can find the procedure for Dell hardware in Defining a Secure Boot Policy.
4. Use the VMware official key snponly64.efi.vmw-hardwired.officialkey.

Disclaimer: VMware is not responsible for the reliability of any data, opinions, advice, or statements made on third-party websites. Inclusion of such links does not imply that VMware endorses, recommends, or accepts any responsibility for the content of such sites