Manual Update of the Secure Boot Platform Key in Virtual Machines

Article ID: 423919

Products

  • VMware vSphere ESXi 8.0
  • VMware vSphere ESXi

Issue/Introduction

Virtual machines that do not have a valid Platform Key (PK) fail to complete automated updates to Secure Boot databases, including DB, DBX, and KEK.

Environment

  • VMware ESXi Server 7.x.
  • VMware ESXi Server 8.x.
  • VMware ESXi Server 9.x.

Cause

The Platform Key (PK) on virtual machines has an invalid signature, which causes updates to the KEK database to fail. As a result, the automated Secure Boot update process fails and reports error events/logs.

Resolution

Update the Platform Key that has an invalid signature by replacing it with the Windows OEM Device Key before performing any automated updates to the Secure Boot databases.

Caution: If a vTPM is present and disk encryption software (such as BitLocker on Windows or LUKS on Linux) is sealed to specific TPM PCR registers, preparatory steps are required before performing the key update. These steps include creating a VM snapshot, saving the recovery key (for BitLocker-type solutions), or temporarily disabling TPM-sealed disk encryption.

Manual Update Process for ESXi Releases.

  1. Shut down the virtual machine.
  2. Take a snapshot of the VM.
  3. Attach a disk containing the Microsoft PK (see the Disk Preparation section).
  4. Enable Secure Boot variable updates without authentication by adding a VMX advanced option:

    1. Select the VM from vSphere Client and navigate to:

      VC 7.x: Edit Settings → VM Options → Advanced → Edit Configuration
      VC 8.x and 9.x: Edit Settings → Advanced Parameters

      Refer to the documentation below:
      Configure Virtual Machine Advanced File Parameters (8.x/9.x)
      Edit Configuration File Parameters (7.x)

    2. Add new option: uefi.allowAuthBypass = "TRUE"

  5. Force the VM to enter Setup Mode:

    1. Edit Settings → VM Options → Boot Options
    2. Enable Force EFI Setup

  6. Power on the VM.
  7. Navigate to Enter Setup → Secure Boot Configuration → PK Options → Enroll PK

    1. Select the PK file from disk.
    2. Review.
    3. Commit changes and exit.

  8. After the update, remove the VMX entry:

    uefi.allowAuthBypass = "TRUE"

  9. Remove the disk added in Step 3 from the VM.
  10. Reboot the Virtual Machine.
  11. After completing the update and rebooting the virtual machine, verify that the Platform Key was updated successfully by executing the commands below.

    1. Linux

      mokutil --pk


    2. Windows

      1. Open Windows PowerShell
      2. Execute the commands below:

        # Read the PK variable; .Bytes holds one EFI_SIGNATURE_LIST
        $pk = Get-SecureBootUEFI -Name PK
        $bytes = $pk.Bytes
        # Skip the 28-byte EFI_SIGNATURE_LIST header plus the 16-byte SignatureOwner GUID (44 bytes) to reach the DER certificate
        $cert = $bytes[44..($bytes.Length-1)]
        # Write next to the current PowerShell location ($PWD), since .NET's working directory can differ from it
        [IO.File]::WriteAllBytes("$PWD\PK.der", $cert)
        # Dump the certificate (issuer, subject, validity) to confirm the new PK
        certutil -dump PK.der
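As an added example (not part of the VMware article), the following Python parses the EFI_SIGNATURE_LIST structure that the PK, KEK, db and dbx variables share. It shows why the PowerShell step above slices the variable at byte 44 (a 28-byte list header followed by a 16-byte SignatureOwner GUID), and it goes beyond the single-certificate PK case by handling variables that hold several lists or several entries per list (as db and dbx do) and by stripping the 4-byte attributes prefix that Linux exposes in files under /sys/firmware/efi/efivars/. The owner GUID, the stand-in certificate bytes and every sample variable are constructed for the demonstration; only the two SignatureType GUIDs are the real values from the UEFI specification.

```python
"""Parse UEFI Secure Boot signature databases (PK, KEK, db, dbx).

Added example, not code from the VMware article. Sample bytes are constructed.
"""
import hashlib
import struct
import uuid

# SignatureType GUIDs defined by the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

# EFI_SIGNATURE_LIST header: SignatureType (16) + SignatureListSize (4)
# + SignatureHeaderSize (4) + SignatureSize (4) = 28 bytes, little-endian.
ESL_HEADER = struct.Struct("<16sIII")
# Every EFI_SIGNATURE_DATA entry starts with a 16-byte SignatureOwner GUID.
OWNER_GUID_LEN = 16
# 28 + 16 = 44: the offset the PowerShell snippet uses for a one-cert PK.
CERT_OFFSET_SINGLE_X509 = ESL_HEADER.size + OWNER_GUID_LEN


def strip_efivars_attributes(raw):
    """efivars files start with 4 bytes of variable attributes; drop them."""
    if len(raw) < 4:
        raise ValueError("efivars file too short")
    return raw[4:]


def parse_signature_lists(data):
    """Return [(signature_type, [(owner, signature_bytes), ...]), ...]
    for every EFI_SIGNATURE_LIST in the variable, validating the sizes."""
    result, offset = [], 0
    while offset < len(data):
        if len(data) - offset < ESL_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        type_raw, list_size, hdr_size, sig_size = ESL_HEADER.unpack_from(data, offset)
        if list_size < ESL_HEADER.size or offset + list_size > len(data):
            raise ValueError("SignatureListSize out of range")
        if sig_size <= OWNER_GUID_LEN:
            raise ValueError("SignatureSize too small to hold an owner GUID")
        body_start = offset + ESL_HEADER.size + hdr_size
        body_len = list_size - ESL_HEADER.size - hdr_size
        if body_len < 0 or body_len % sig_size != 0:
            raise ValueError("list body is not a whole number of entries")
        entries = []
        for pos in range(body_start, body_start + body_len, sig_size):
            owner = uuid.UUID(bytes_le=bytes(data[pos:pos + OWNER_GUID_LEN]))
            entries.append((owner, bytes(data[pos + OWNER_GUID_LEN:pos + sig_size])))
        result.append((uuid.UUID(bytes_le=type_raw), entries))
        offset += list_size
    return result


def build_signature_list(sig_type, entries):
    """Inverse of the parser; used here only to construct sample variables."""
    sig_size = OWNER_GUID_LEN + len(entries[0][1])
    if any(OWNER_GUID_LEN + len(sig) != sig_size for _, sig in entries):
        raise ValueError("all signatures in one list must have equal size")
    list_size = ESL_HEADER.size + sig_size * len(entries)
    out = ESL_HEADER.pack(sig_type.bytes_le, list_size, 0, sig_size)
    for owner, sig in entries:
        out += owner.bytes_le + sig
    return out


def extract_x509_certs(data):
    """Return (der_bytes, sha256_hex) for each X.509 entry in the variable."""
    certs = []
    for sig_type, entries in parse_signature_lists(data):
        if sig_type != EFI_CERT_X509_GUID:
            continue
        for _owner, der in entries:
            # A DER X.509 certificate is an ASN.1 SEQUENCE, so it starts with 0x30.
            if not der or der[0] != 0x30:
                raise ValueError("X509 entry does not look like DER")
            certs.append((der, hashlib.sha256(der).hexdigest()))
    return certs


def cert_offset_matches_powershell(pk_bytes):
    """Confirm that slicing at byte 44 (the PowerShell approach) yields the
    same DER blob as the structured parser for a single-certificate PK."""
    certs = extract_x509_certs(pk_bytes)
    return len(certs) == 1 and pk_bytes[CERT_OFFSET_SINGLE_X509:] == certs[0][0]


# Constructed sample data (not a real Microsoft key or owner GUID).
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_CERT_DER = b"\x30\x06\x02\x01\x01\x02\x01\x02"  # minimal SEQUENCE stand-in
SAMPLE_PK = build_signature_list(EFI_CERT_X509_GUID, [(SAMPLE_OWNER, SAMPLE_CERT_DER)])

if __name__ == "__main__":
    for der, fp in extract_x509_certs(SAMPLE_PK):
        print(f"PK certificate: {len(der)} bytes, SHA-256 {fp}")
```

To check a real machine, feed `extract_x509_certs` the bytes from `Get-SecureBootUEFI -Name PK` (via `$pk.Bytes`) or `strip_efivars_attributes` applied to the contents of the PK file under /sys/firmware/efi/efivars/, and compare the printed SHA-256 fingerprint with the fingerprint of the WindowsOEMDevicesPK.der file you staged on the FAT32 disk.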

Disk Preparation for Platform Key Update

A temporary FAT32 disk is required to stage the Platform Key (PK) and related certificates for the Secure Boot update process.

Linux (Ubuntu / Debian)

  1. Add and prepare a 128-MB FAT32 Disk

    1. Add a 128-MB virtual disk to the virtual machine.
    2. Identify the newly added disk:

      lsblk

      Note: Assuming the newly added disk is detected as /dev/sdb.

    3. Format the disk as FAT32 and assign a label:

      sudo mkfs.vfat -F 32 -n KEYUPDATE /dev/sdb

    4. Create a mount point and mount the disk:

      sudo mkdir -p /mnt/keys
      sudo mount /dev/sdb /mnt/keys

    5. Verify that the disk is mounted successfully:

      mount | grep keys

  2. Download Platform Key (PK) Certificate

    1. Download the required certificate from Microsoft - Platform Key (PK) - WindowsOEMDevicesPK.der

  3. Copy Certificates and Unmount the Disk.

    1. Copy the certificate files to the FAT32 disk:

      sudo cp WindowsOEMDevicesPK.der /mnt/keys

    2. Unmount the disk:

      sudo umount /mnt/keys

Windows

  1. Add a 128-MB virtual disk to the virtual machine.
  2. Format the Disk as FAT32

    1. GUI Method

      1. Press Win + R.
      2. Type diskmgmt.msc and press Enter.
      3. Use Disk Management to format the disk as FAT32.

    2. Command Line Method

      format X: /FS:FAT32

      Note: Replace X: with the appropriate drive letter.

  3. Download Platform Key (PK) Certificate

    1. Download the required certificate from Microsoft - Platform Key (PK) - WindowsOEMDevicesPK.der

  4. Copy the certificate to the newly formatted 128-MB volume.

Additional Information

Manual process to update the KEK.

To manually update the KEK certificate on the virtual machine, follow the instructions below:

  1. Download the updated certificate from Microsoft via link https://go.microsoft.com/fwlink/?linkid=2239775.
  2. Convert the Certificate to DER format using openssl command below:

    openssl x509 -inform der -in KEK.cer -outform der -out KEK-2023.der

  3. Copy the converted certificate (KEK-2023.der) to the disk described in the Disk Preparation for Platform Key Update section under Resolution above.
  4. Boot the VM into EFI setup again.
  5. Update the KEK by selecting below menu options:
    1. Secure Boot Configuration.
    2. KEK Options.
    3. Enroll KEK.
    4. Select the file "KEK-2023.der".
    5. Commit Changes and Exit.

Additional Issues:

  1. On Windows, if an error like the following is reported when applying the PK certificate, download the .der file again, as it may have been corrupted in transit:

    Only DER encoded certificate file (*.cer/der/crt) is supported

  2. Alternatively, a PEM version of the certificate can be downloaded from https://go.microsoft.com/fwlink/?linkid=2255361 and converted to DER format using the openssl command below:

    openssl x509 -inform pem -in PK.cer -outform der -out PK.der

Change log:

  • 11-Mar-2026: Added steps for manual KEK update under Additional Information section.