I'm trying to clarify whether it's necessary to update the server BIOS if I'm running VMware as a hypervisor with Windows servers as VMs. Specifically, do I need to update before June this year? Is it true that if I don't enable secure boot in my VMs, it's not an issue? Also, will VMware take care of any necessary patches since we're not on support with them? I'd appreciate some straightforward advice on this.
3 Answers
Yes, you definitely should be using secure boot for both your VMs and the host. It’s important to update the secure boot certificates for both your host and the VMs to ensure security traits are maintained.
I really need to know if it’s a must or just a recommendation!
Using secure boot for your VMs is crucial. Without it, there’s a risk that the hypervisor may not boot the expected system. If you’re thinking about waiting until June to see what happens, keep in mind the worst case is that your VMs won't boot at all. Even if they do boot without secure boot, there's a risk that attackers could disable your security measures, making it hard to detect threats. It's best to sort this out sooner rather than later.
I found a way to update the secure boot certificates on a VMware VM that worked for me. First, check if the certificates are installed through PowerShell. If they need updating, there's a series of commands you can run to initiate the update. Essentially, power down your VM, upgrade its virtual hardware, and follow specific steps to ensure the process goes smoothly, which allows the VM to function securely afterwards. It's a little complex, but worth it for your security posture!
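As an added example (not the answer author's own commands), here is the kind of read-only PowerShell check that answers the "are the certificates installed" question from inside a Windows guest: it confirms Secure Boot is on and looks for the renewed CAs in the firmware db and KEK variables. The certificate subject names searched for are assumed from Microsoft's published names for the 2023 CAs; the thread itself does not name them.

```powershell
# Added example: run elevated inside the Windows VM. Reads firmware variables only,
# changes nothing. Assumption: the subject names below match Microsoft's 2023 CAs.

function Get-SecureBootCertStatus {
    $status = [ordered]@{
        SecureBootEnabled  = $false
        DbHasWindowsCA2023 = $false
        DbHasUefiCA2023    = $false
        KekHas2023         = $false
    }
    try {
        # Throws on legacy BIOS firmware or when Secure Boot is unsupported.
        $status.SecureBootEnabled = [bool](Confirm-SecureBootUEFI)
    } catch {
        Write-Warning "Secure Boot not available: $($_.Exception.Message)"
        return [pscustomobject]$status
    }
    # db and KEK hold DER-encoded certificates; the subject CN is plain ASCII
    # inside the blob, so a substring match is enough to detect each CA.
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)
    $status.DbHasWindowsCA2023 = $db  -match 'Windows UEFI CA 2023'
    $status.DbHasUefiCA2023    = $db  -match 'Microsoft UEFI CA 2023'
    $status.KekHas2023         = $kek -match 'Microsoft Corporation KEK 2K CA 2023'
    [pscustomobject]$status
}

$result = Get-SecureBootCertStatus
$result | Format-List
if ($result.SecureBootEnabled -and -not ($result.DbHasWindowsCA2023 -and $result.KekHas2023)) {
    Write-Warning 'Secure Boot is on, but the 2023 CAs are not in db/KEK: this VM still trusts only the 2011 certificates.'
}
```

A VM that reports Secure Boot disabled will not fail to boot when the old certificates expire, but it also loses the boot-chain integrity check the earlier answers describe, so the result is worth recording for every guest, not just the ones that already have Secure Boot on.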

Does the Windows update manage that for us?