• Secure Boot is part of the UEFI firmware standard. With Secure Boot enabled, a machine refuses to load any UEFI driver or app unless the operating system boot loader is cryptographically signed. Starting with vSphere 6.5, ESXi supports Secure Boot if it is enabled in the hardware.
• In case of some of the older hardware platform or hardware with older firmware, you will see below errors while attempting to boot latest ESXi stateless with UEFI secure mode enabled. This is due to expiry of iPXE binary certificate "vmware_esx40.der" on 31st December 2019.

 “UEFI0073: Unable to boot PXE device”.

• To use UEFI Secure Boot with vSphere Auto Deploy, you have to Enroll the VMware certificate in the UEFI firmware allowlist(db variable).

1. 1. Download the two VMware certificates attached to this KB article as vmware_sb2017.zip.
   2. Enroll the appropriate VMware certificate(s) in UEFI firmware.
      • For ESXi 6.7.x and later,  vmware_sb2017.der to be used.
   3. Enroll the VMware certificate in UEFI firmware.
      • The procedure to manually enroll VMware certificates into the UEFI firmware's allowlist (db variable) depends on the machine's hardware vendor. Look for documentation from your hardware vendor on how to do the enrollment.
   4. Use the VMware official key snponly64.efi.vmw-hardwired.officialkey instead of snponly64.efi.vmw-hardwired in DHCP option boot file name.

Disclaimer: VMware is not responsible for the reliability of any data, opinions, advice, or statements made on third-party websites. Inclusion of such links does not imply that VMware endorses, recommends, or accepts any responsibility for the content of such sites.