Administrators may observe that the Key Exchange Key (KEK) list for a Windows Virtual Machine contains only the default certificate, "Microsoft Corporation KEK CA 2011". The expected "Microsoft Corporation KEK CA 2023" certificate is missing from the allowed list.
VMware ESXi
This issue occurs because the Virtual Machine's .nvram file was generated when the VM was originally created on an ESXi host version earlier than 8.0.2.
Windows VMs created on these earlier ESXi versions do not automatically include the Windows 2023 certificate in the allowed list within the NVRAM. Even if the host is upgraded, the existing .nvram file retains the legacy certificate configuration.
To resolve this issue and regenerate the NVRAM with the correct certificates, follow the steps below:
1. Power Off the virtual machine.
2. Upgrade the Virtual Machine Compatibility (Hardware Version) to the latest version supported by your host:
   Right-click the VM > Compatibility > Upgrade VM Compatibility.
3. Navigate to the Datastore where the VM files are located.
4. Locate the existing .nvram file and rename it (e.g., vmname.nvram to vmname.nvram_old).
5. Power On the virtual machine.
Note: During the boot process, ESXi will detect the missing NVRAM file and automatically generate a new one containing the updated certificate list, including the 2023 certificate.