I'm working on deploying the new Secure Boot CA 2023 certificates for my Windows Server VMs running on VMware, as the old 2011 CAs are set to expire in June 2026. However, the deployment process keeps getting stuck at 'InProgress' and I encountered Event ID 1801 along with error code 0x80070013 (WRITE_PROTECT). It seems that the issue stems from an invalid Platform Key (PK) in the VM's virtual UEFI NVRAM, preventing any writes to the Secure Boot variables, which means just tweaking Group Policy Objects or registry keys won't cut it.
The proposed solution involves upgrading ESXi to version 8.0 Update 2 or higher, updating the VM hardware version to 21 or newer, and renaming the NVRAM file via SSH so ESXi can recreate it with the correct 2023 certificates.
I have a few questions: 1) Has anyone gone through this process? Any tips or lessons learned? 2) Is renaming the NVRAM file safe for VMs with vTPM enabled? 3) Is there a way to manage this rollout for multiple VMs at once without having to adjust each one manually? Thanks for any help!
4 Answers
I managed the whole upgrade process on ESXi 8U3 without any hiccups:
1. Shut down the VM and take a snapshot.
2. Upgrade the hardware version to vmx-21.
3. Use the datastore browser to rename the NVRAM file.
4. Boot up the VM and check everything works.
5. Use the registry method to update Secure Boot, then remove the snapshot if all goes well.
This approach worked seamlessly, including for VMs with vTPM, though remember that it may trigger BitLocker if you have it enabled. Have your recovery key handy. Also, if time-sensitive, you can manage the clock reset by setting a specific parameter before the first boot.
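As an added example (not code from the original post or any of the answers), here is an in-guest PowerShell check that reports the state the question and this answer talk about in one object: whether the 2023 CAs are already in KEK/db, what the PK actually is, the servicing status that is stuck at InProgress, the last Event ID 1801, and whether BitLocker is on so you know to have the recovery key ready. It decodes the EFI_SIGNATURE_LIST structure of the UEFI variables rather than grepping raw bytes. Assumptions not stated on the page: the servicing status lives under `HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing` (value `UEFICA2023Status`) and the update bitmask under `HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot` (value `AvailableUpdates`), as in Microsoft's Secure Boot CA 2023 guidance, and Event ID 1801 is written to the System log.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original thread. Run elevated inside the Windows Server VM.
# Assumptions (not stated on the page): the servicing state is kept at
# HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing (value UEFICA2023Status) and
# HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot (value AvailableUpdates), per Microsoft's
# Secure Boot CA 2023 guidance, and Event ID 1801 is written to the System log.

# Walk the EFI_SIGNATURE_LIST chain in a Secure Boot variable (PK, KEK, db, dbx) and return
# the X.509 certificates it carries. Hash-only lists (the bulk of dbx) are skipped.
function Get-SecureBootVariableCerts {
    param([Parameter(Mandatory)][string]$Name)

    $efiCertX509 = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
    $bytes  = (Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes
    $offset = 0
    while ($offset + 28 -le $bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType(16) SignatureListSize(4) SignatureHeaderSize(4) SignatureSize(4)
        $type       = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or $offset + $listSize -gt $bytes.Length) { break }   # malformed list: stop rather than loop

        if ($type -eq $efiCertX509) {
            $sigOffset = $offset + 28 + $headerSize
            $listEnd   = $offset + $listSize
            while ($sigSize -gt 16 -and $sigOffset + $sigSize -le $listEnd) {
                # EFI_SIGNATURE_DATA: SignatureOwner GUID(16) followed by the DER-encoded certificate
                $der = [byte[]]$bytes[($sigOffset + 16)..($sigOffset + $sigSize - 1)]
                try { [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der) }
                catch { Write-Warning "${Name}: undecodable X.509 entry at offset $sigOffset" }
                $sigOffset += $sigSize
            }
        }
        $offset += $listSize
    }
}

function Get-SecureBootCA2023State {
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $false }   # throws on BIOS firmware
    $pk = $kek = $db = @()
    if ($secureBoot) {
        $pk  = Get-SecureBootVariableCerts -Name PK  | ForEach-Object Subject
        $kek = Get-SecureBootVariableCerts -Name KEK | ForEach-Object Subject
        $db  = Get-SecureBootVariableCerts -Name db  | ForEach-Object Subject
    }
    $servicing = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' -ErrorAction SilentlyContinue
    $avail     = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot' -Name AvailableUpdates -ErrorAction SilentlyContinue
    $ev1801    = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1801 } -MaxEvents 1 -ErrorAction SilentlyContinue
    $bde       = try { Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop } catch { $null }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        SecureBootEnabled = $secureBoot
        PK                = ($pk -join '; ')          # inspect this when the "invalid PK" diagnosis from the question applies
        KEK_Has_2023      = [bool]($kek -match 'KEK 2K CA 2023')
        Db_Has_PCA2011    = [bool]($db  -match 'Windows Production PCA 2011')
        Db_Has_CA2023     = [bool]($db  -match 'Windows UEFI CA 2023')
        ServicingStatus   = $servicing.UEFICA2023Status               # NotStarted / InProgress / Updated
        AvailableUpdates  = $(if ($avail) { '0x{0:X}' -f $avail.AvailableUpdates } else { $null })
        LastEvent1801     = $(if ($ev1801) { '{0:u} {1}' -f $ev1801.TimeCreated, ($ev1801.Message -split "`r?`n")[0] } else { $null })
        BitLocker         = $(if ($bde) { $bde.ProtectionStatus } else { 'NotAvailable' })   # On: expect a recovery prompt after the NVRAM change
    }
}

Get-SecureBootCA2023State | Format-List
```

Run it once before the snapshot to record the starting point and once after the NVRAM has been recreated and the registry method applied; the useful transition is `Db_Has_CA2023` going from False to True together with `ServicingStatus` leaving InProgress. If `PK` comes back empty or the function warns about an undecodable entry, that is worth comparing against the PK problem the question describes before spending time on GPO or registry changes.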
According to our Technical Account Manager, this is a wait-and-see situation that should be resolved with an update. You might want to clarify if they mean a VMware patch or a Microsoft update for the OS itself. It’d be helpful to get a specific KB article or release number to keep track of, given the deadline approaching.
I followed the instructions from Broadcom’s documentation and manually updated a small batch of VMs without issues. Here's the process I used:
1. Create an HDD and attach it to the VM.
2. Copy the required certificate to that HDD.
3. Detach the HDD and power down your target VM.
4. Re-attach the HDD, make some configuration changes, boot into UEFI, select the new certificate, then disconnect the HDD again before booting normally. It’s a bit like using a USB drive for file transfers.
Check out this GitHub tool: it automates most of the verification process for you (though it won't upgrade you to ESXi 8.0.2+). I’ve mainly used the -Assess switch so far, but it seems promising for remediation. Also, Broadcom is collaborating with Microsoft to streamline this process, so keep an eye out for potential updates that may make it easier soon!
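For the fleet-wide question (question 3 in the original post), here is an added PowerCLI inventory script; it is not the GitHub tool mentioned above and not Broadcom's code. It reports, per VM, the prerequisites this thread names before the NVRAM file can be recreated: EFI firmware, Secure Boot enabled, host on ESXi 8.0 Update 2 or newer, hardware version vmx-21 or newer, whether a vTPM is present (so you know BitLocker recovery keys are needed), and which NVRAM file the VM uses. Assumptions: an existing `Connect-VIServer` session, and that ESXi 8.0 Update 2 reports as version 8.0.2. It only reads; the rename and the hardware upgrade stay manual.

```powershell
# Added example, not code from the original thread, the linked GitHub tool or Broadcom.
# Needs VMware PowerCLI and an existing Connect-VIServer session. Thresholds are the ones
# this thread names: ESXi 8.0 Update 2 or newer (assumed to report as version 8.0.2) and
# VM hardware version vmx-21 or newer. Read-only: nothing here renames or upgrades anything.

$MinHardwareVersion = 21
$MinEsxiVersion     = [version]'8.0.2'

function Get-SecureBootReadiness {
    param([Parameter(Mandatory, ValueFromPipeline)] $VM)   # PowerCLI VirtualMachine objects
    process {
        $cfg = $VM.ExtensionData.Config
        $esx = $VM.VMHost
        $hwVersion = [int]($cfg.Version -replace '^vmx-', '')
        $hasVtpm   = [bool]($cfg.Hardware.Device | Where-Object { $_ -is [VMware.Vim.VirtualTPM] })
        $nvram     = ($cfg.ExtraConfig | Where-Object { $_.Key -eq 'nvram' }).Value   # the file you would rename, relative to the VM folder
        $hostOk    = [version]$esx.Version -ge $MinEsxiVersion
        $hwOk      = $hwVersion -ge $MinHardwareVersion

        [pscustomobject]@{
            Name             = $VM.Name
            PowerState       = $VM.PowerState
            Firmware         = $cfg.Firmware                          # must be 'efi'
            SecureBoot       = $cfg.BootOptions.EfiSecureBootEnabled
            vTPM             = $hasVtpm                               # have the BitLocker recovery key before touching NVRAM
            HardwareVersion  = $cfg.Version
            Host             = $esx.Name
            EsxiVersion      = '{0} build {1}' -f $esx.Version, $esx.Build
            NvramFile        = $nvram
            Snapshots        = @(Get-Snapshot -VM $VM).Count
            NeedsHostUpgrade = -not $hostOk
            NeedsHwUpgrade   = -not $hwOk
            Ready            = ($cfg.Firmware -eq 'efi') -and $hostOk -and $hwOk
        }
    }
}

# Usage: inventory every Windows Server guest, then work through the ones that are not ready.
$report = Get-VM | Where-Object { $_.Guest.OSFullName -like '*Windows Server*' } | Get-SecureBootReadiness
$report | Sort-Object Ready, Name | Format-Table -AutoSize
$report | Export-Csv -Path .\secureboot-readiness.csv -NoTypeInformation
```

`Guest.OSFullName` is only populated for VMs that have reported through VMware Tools, so powered-off VMs may drop out of the filter; widen it to a folder or tag if that matters. Once a batch is marked `Ready`, an in-guest check of the Secure Boot variables can be pushed to the same list with `Invoke-VMScript -ScriptType Powershell` instead of logging on to each VM.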