Upgrading a VM to certain versions of VMware Tools (12.5.0–12.5.3 and 13.0.0–13.0.1) may cause the EFI Firmware from Host driver to fail, when the VM is configured with a vTPM device and Secure Boot is disabled.

In this state, Windows Device Manager reports the device with a Code 10 error and a digital signature verification failure.

VMware Tools versions

• 13.0.1
• 13.0.0
• 12.5.3
• 12.5.2
• 12.5.1
• 12.5.0

The EFIFW driver in the affected VMware Tools versions is signed with SHA-1, instead of the previous dual signature (SHA-256 + SHA-1).
As Windows no longer trusts SHA-1–only signatures, the driver is blocked. This causes the EFI Firmware in the Host device to fail to start.

The issue will be permanently addressed in upcoming VMware Tools releases.

As a temporary workaround,

• Shut down the affected VM
• Enable Secure Boot
• Power on the VM

The EFI Firmware From Host device in Windows Device Manager should function normally after secure boot is enabled.