Manual Update of the Secure Boot Platform Key in Virtual Machines

Products

VMware vSphere ESXi 8.0 VMware vSphere ESXi

Issue/Introduction

Virtual machines that do not have a valid Platform Key (PK) fail to complete automated updates to Secure Boot databases, including DB, DBX, and KEK.

Refer to KB Secure Boot Certificate Expirations and Update Failures in VMware Virtual Machines for more details on this issue.

Environment

VMware ESXi Server 7.x.
VMware ESXi Server 8.x.
VMware ESXi Server 9.x.

Cause

The Platform Key (PK) on virtual machines has an invalid signature, which causes updates to the Key Exchange Key (KEK) database to fail. As a result, the automated Secure Boot update process fails and reports error events or logs.

Note: This knowledge article replaces a previous article (KB 421593) to avoid suggestions of deleting NVRAM, as that behavior can lead to unexpected corruptions of the associated VM.

Resolution

Update the Platform Key that has an invalid signature by replacing it with the Windows OEM Device Key before performing any automated updates to the Secure Boot databases.

Caution: If a vTPM is present and disk encryption software (such as BitLocker on Windows or LUKS on Linux) is sealed to specific TPM PCR registers, preparatory steps are required before performing the key update. These steps include creating a VM snapshot, saving the recovery key (for BitLocker-type solutions), or temporarily disabling TPM-sealed disk encryption.

Manual Update Process for ESXi Releases

Shutdown the Virtual Machine.
Take snapshot of the VM.
Attach a disk containing the Microsoft PK (see Disk Preparation for Platform Key Update section below).
Enable Secure Boot variable update without authentication by adding VMX advanced option.
- Select the VM from vSphere Client and navigate to:
  - VC 7.x: Edit Settings > VM Options > Advanced > Edit Configuration
  - VC 8.x and 9.x: Edit Settings > Advanced Parameters
  Refer documentation below:
  Configure Virtual Machine Advanced File Parameters (8.x/9.x)
  Edit Configuration File Parameters (7.x)
- Add new option: uefi.allowAuthBypass = "TRUE"
Force the VM to enter Setup Mode:
- Edit Settings > VM Options > Boot Options
- Enable Force EFI Setup
Power on the VM.
Navigate to Enter Setup > Secure Boot Configuration > PK Options > Enroll PK
- Select the PK file from disk.
- Review.
- Commit changes and exit.
After the update, remove the VMX entry: uefi.allowAuthBypass = "TRUE"
Remove the disk added in Step 3 from the VM.
Reboot the Virtual Machine.
After completing the update and rebooting the virtual machine, verify that the Platform Key is updated successfully by executing the commands below.
- Linux
  mokutil --pk
- Windows
  - Open Windows PowerShell
  - Execute the commands below:
```
$pk = Get-SecureBootUEFI -Name PK
$bytes = $pk.Bytes
$cert = $bytes[44..($bytes.Length-1)]
[IO.File]::WriteAllBytes("PK.der", $cert)
certutil -dump PK.der
```

Disk Preparation for Platform Key Update

A temporary FAT32 disk is required to stage the Platform Key (PK) and related certificates for the Secure Boot update process.

Linux (Ubuntu / Debian)

Add and prepare a 128-MB FAT32 Disk
- Add a 128-MB virtual disk to the virtual machine.
- Identify the newly added disk: lsblk
  Note: Assuming the newly added disk is detected as /dev/sdb.
- Format the disk as FAT32 and assign a label: sudo mkfs.vfat -F 32 -n KEYUPDATE /dev/sdb
- Create a mount point and mount the disk:
```
sudo mkdir -p /mnt/keys
sudo mount /dev/sdb /mnt/keys
```
- Verify that the disk is mounted successfully: mount | grep keys
Download Platform Key (PK) Certificate
- Download the required certificate from Microsoft - Platform Key (PK) - WindowsOEMDevicesPK.der
Copy Certificates and Unmount the Disk.
- Copy the certificate files to the FAT32 disk: sudo cp WindowsOEMDevicesPK.der /mnt/keys
- Unmount the disk: sudo umount /mnt/keys

Windows

Add a 128-MB virtual disk to the virtual machine.
Format the Disk as FAT32
- GUI Method
  - Press Win + R.
  - Type diskmgmt.msc and press Enter.
  - Use Disk Management to format the disk as FAT32.
- Command Line Method: format /FS:FAT32 X:
  Note: Replace X: with the appropriate drive letter.
Download Platform Key (PK) Certificate
- Download the required certificate from Microsoft - Platform Key (PK) - WindowsOEMDevicesPK.der
Copy the certificate to the newly partitioned volume with 128MB size.

Additional Information

Manual Process to Update KEK

To manually update the KEK certificate on the virtual machine, follow the instructions below:

Download the certificate from Microsoft via the link https://go.microsoft.com/fwlink/?linkid=2239775.
Copy the certificate to the disk mentioned in the Disk Preparation for Platform Key Update step under the Resolution section above.
Boot the VM into EFI setup again.
Update the KEK by selecting the below menu options:
1. Secure Boot Configuration
2. KEK Options
3. Enroll KEK
4. Select the file KEK-2023.der
5. Commit Changes and Exit

Additional Issues

On Windows, if an error like the following is reported when applying the PK cert, try downloading the .der file again as it may have been corrupted in transport. Use the direct URL https://go.microsoft.com/fwlink/?linkid=2255361 to download the PK in DER format.
```
Only DER encoded certificate file (*.cer/der/crt) is supported
```

Change Log:

01-May-2026: Corrected an error in the openssl command mentioned in the Additional information section and added link to the KB 423893 in Issue/Introduction section.