Windows Secure Boot certificate expiration

Article ID: 414087

Products

VMware vSphere ESXi 8.0

Issue/Introduction

Windows Secure Boot certificates are expiring in 2026.

Environment

  • ESXi 7.x
  • ESXi 8.x

Cause

The Secure Boot certificate expiration and CA updates primarily affect the Windows boot components and the Secure Boot databases (DB, DBX, KEK) within the Windows VM environment itself.
Since Windows introduced Secure Boot support, all Windows-based devices have carried the same set of Microsoft certificates in the KEK and DB. These original certificates are nearing their expiration date, and your device is affected if it has any of the listed certificate versions.

Resolution

There is no need to take any manual action at this time. The ESXi host UEFI is managed by the vendor's BIOS firmware. Systems will continue to boot even if the UEFI certificates expire. This is not a cause for concern at the moment.

For the resolution, see the Microsoft article: Windows Secure Boot certificate expiration and CA updates

Contact Microsoft support for more information.